A padlock on a chicken coop means nothing if the fox has the keys.

In a recent cybersecurity audit, we discovered that sensitive data; employee emails, client info, and even board minutes were being stored on unencrypted USB drives carried in handbags. One manager proudly said, “But we have complied with the Data Protection Act.”

My colleague asked him, Have you complied with common sense?

Here is the hard truth: Uganda has cyber laws. What we lack is cyber muscle.

a) Laws on paper, chaos in practice

Uganda has made strides. The Computer Misuse Act (2011), the Data Protection and Privacy Act (2019), and the Electronic Transactions Act, among others. But here is the challenge: laws do not enforce themselves. In 9 out of 10 cases I have handled, organizations did not even know they were in breach.

b) Enforcement agencies lack teeth

CERT. NITA-U. Police Cybercrime Unit. Now the ACF. Government forensics lab. They exist. But do they have the capacity? Budget? Independence? In a world of anonymous VPNs, AI-generated scams, and cross-border fraud, enforcement must be smarter than the criminal.

c) The judiciary is overwhelmed and undertrained
Cybercrime cases are delayed, misclassified, or thrown out due to technicalities. Some judges still do not know the difference between a DDoS and a USB stick. That’s not justice. That is a circus.

Think about this

Would you fight a drone with a panga?

That is what Uganda is doing. We are fighting 21st-century crime with 1990s capacity. The hackers are not in Uganda. They are on Telegram, on dark forums, in North Korea, or next door in Nairobi. Your systems are exposed 24/7. But your legal protection clocks out at 5 pm.

At one of our trainings, a CEO asked: “Can a hacker be sued under Ugandan law?”

Yes, I said. But only if you can catch them, prove it, and hope the court understands how malware works.

Good luck with that.

So, are Uganda’s cyber laws strong enough?

No. They are well-written, but practically toothless.

This is not just about legislation. It is about the entire cybersecurity ecosystem; legal, technical, institutional, and cultural.

Here is what needs to change:

1. Make breach reporting mandatory. Right now, companies quietly pay ransoms and cover up leaks. That is how systemic vulnerabilities grow. Bring sunlight into the room.
2. Fund the cybercrime units with tech, not tea. Give them digital forensics labs, AI threat detectors, and 24/7 monitoring centres, not just Toyota Prados for PR.
3. Train judges and prosecutors. They must understand digital evidence, chain of custody, and cross-jurisdiction cyber threats. Otherwise, justice will always lag behind innovation.
4. Make company directors legally liable. If you sit on a board and allow cyber negligence, you should face personal consequences. That is how we wake up boards.
5. Create a real-time cyber task force with private sector linkages.

Not a talk shop. A real unit with engineers, analysts, and incident responders that work with banks, telcos, ISPs, and major corporates.

In the village, they say: “A hyena does not ask permission to enter.”

Cybercriminals are not waiting for our laws to catch up. They are exploiting our delays.

Uganda needs not just cyber laws. We need cyber deterrence. Action against cybercrime. We need to strike back hard, fast, and legally. Create cyber weaponry and cyber warfare for both offensive and defensive capabilities.

Because the next war will not be fought with guns.

It will be fought with code.

IFIS Team.