TMT 2026 Comparisons

Last Updated February 19, 2026

Contributed By Kirunda & Co Advocates

Law and Practice

Authors



Kirunda & Co Advocates is a Kampala-based law firm with a strong technology, media and telecommunications (TMT) practice, advising at the intersection of law, policy and innovation. The firm provides regulatory and transactional advisory on ICT regulation, data protection and privacy, fintech, platform governance and emerging technologies, including artificial intelligence. It has particular strength in technology policy and innovation frameworks and was instrumental in shaping Uganda’s National Fourth Industrial Revolution (4IR) Strategy. The firm advises public and private sector stakeholders, including government bodies, regulators, multinationals and start-ups, and is recognised for its thought leadership and deep engagement with Uganda’s evolving digital legal landscape.

Laws Regulating the Digital Economy in Uganda

The digital economy in Uganda combines various aspects of technology, including telecommunications, financial technology, artificial intelligence, data, the internet of things (IoT), digital trade and e-commerce, amongst others. The governing legal framework comprises general and sector-specific laws and regulations, including the following.

  • A constitutional framework that covers various aspects with collateral impact on technology governance, and that guarantees the right to practise one’s profession or lawful trade or vocation, and to express and communicate freely.
  • The Uganda Communications Act, Cap 106 establishes the regulatory framework for telecommunications, broadcasting, and internet infrastructure. This Act creates foundational enabling conditions for the digital economy. It also establishes the Uganda Communications Commission (UCC) as the regulatory authority with broad powers over licensing, standard-setting, consumer protection and market competition in the communications sector.
  • The National Payment Systems Act, Cap 59 creates the regulatory framework for digital financial services. It establishes regulatory and operational standards, licensing requirements and consumer protection measures for payment service providers, including mobile money operators, payment gateways and other fintech. The Act designates the central bank as the regulatory authority responsible for licensing, supervision and enforcement functions across the digital payments landscape. It has the following effects:
    1. provides for the safety and efficiency of payment systems;
    2. sets out the functions of the central bank in relation to payment systems;
    3. prescribes the rules governing the oversight and protection of payment systems;
    4. provides for financial collateral arrangements;
    5. regulates payment service providers;
    6. regulates issuance of electronic money; and
    7. provides for the oversight of payment instruments. 
  • The Electronic Transactions Act, Cap 99 regulates electronic transactions and contracts and consumer protection in e-commerce and digital trade. The Act provides for the use, security, facilitation and regulation of electronic transactions; and encourages the use of e-Government services. It has extraterritorial jurisdictional effect over any person, whether Ugandan citizen or not, and whether resident in or outside Uganda.
  • The Electronic Signatures Act, Cap 98 regulates the use of electronic signatures and establishes public key infrastructure (PKI) for secure digital authentication.
  • The Data Protection and Privacy Act, Cap 97 sets out Uganda’s comprehensive data protection framework, modelled loosely on GDPR principles but with distinct local adaptations. It establishes legal safeguards for personal data collection, storage and processing, creating essential trust infrastructure for the data-driven digital economy. The Act creates obligations for data controllers and processors operating in Uganda and mandates the National Information Technology Authority-Uganda (NITA-U) to ensure adherence to the data protection principles, through the Personal Data Protection Office (PDPO) over which it exercises oversight.
  • The National Information Technology Authority (NITA-U) Act, Cap 200 establishes NITA-U with various functions and powers relating to registration of data processors, compliance monitoring, complaint investigation, and enforcement of the Data Protection and Privacy Act.
  • The Computer Misuse Act, Cap 96 creates a framework for ensuring the safety and security of electronic transactions by penalising unauthorised access and disclosure of electronic records, and electronic fraud, amongst several offences. It criminalises various forms of cybercrime, including unauthorised access to computer systems, cyber harassment, identity theft and electronic fraud.
  • Uganda also has several intellectual property laws including the Trademarks Act, Cap 225, Copyright and Neighbouring Rights Act, Cap 222, and Industrial Property Act, Cap 224, whose provisions govern the protection of trade marks, copyright, patents and other intellectual property existing in products of the digital economy.

The above laws have given rise to a substantial body of subsidiary legislation and guidelines, including the following:

  • Uganda Communications National Payment Systems Regulations, 2021;
  • National Payment Systems (Consumer Protection) Regulations, 2022;
  • Uganda Communications (Content) Regulations, 2019;
  • Data Protection and Privacy Regulations, 2021;
  • Electronic Transactions Regulations, 2013;
  • Mobile Money Guidelines, 2013;
  • E-Government Regulations;
  • Digital Lending Guidelines for Tier 4 Microfinance and Money Lending Institutions, 2024;
  • Uganda ICT IP Guidelines, 2025;
  • National Payment Systems Oversight Frameworks; and
  • National Public Key Infrastructure Licensing and Regulatory Framework.

This statutory framework gives effect to the provisions and principles underlying the above primary legislation.

Uganda’s strategies and policies include:

  • Uganda Vision (2040);
  • NDP IV;
  • National E-commerce Strategy;
  • Digital Transformation Roadmap;
  • National Fourth Industrial Revolution Strategy;
  • National Cyber Security Strategy;
  • National Broadband Strategy; and
  • Strategy for Electronic Waste Management.

These strategic documents provide guidance for the integration of digital technology, primarily focusing on digital services, security and infrastructure.

Industry Codes of Conduct

Financial Technologies Service Providers Association (FITSPA) launched Uganda’s Digital Lenders Code of Conduct in November 2025 as a self-regulatory framework to promote responsible lending, strengthen consumer protection and unlock capital for the digital credit industry.

Absence of Consolidated Legislation

The absence of a single piece of legislation comprehensively governing the digital economy in Uganda, comparable to digital services legislation enacted elsewhere, is the first major challenge in Uganda. Without consolidated digital economy legislation, relevant provisions are scattered across telecommunications law, consumer protection principles, data privacy rules, intellectual property statutes, and general commercial law. Businesses struggle to identify which obligations apply to their specific digital activities. Other challenges include the following.

Outdated Legal and Regulatory Framework

These laws were enacted before cloud computing and platform economies became ubiquitous. The entire legal regime remains unprepared for the paradigm shift that artificial intelligence is having on the digital economy locally and globally.

Thus, Uganda’s laws do not comprehensively address the need for adequate platform regulation, or contemplate many contemporary digital business models or components of the digital economy. The laws do not cater for emerging AI adoption or platform-based business activity.

This temporal mismatch creates interpretive challenges when applying old statutory language to new technologies. Courts and regulators must stretch legislative provisions beyond their original context, leading to legal uncertainty that discourages investment and innovation.

Platform Regulation and Intermediary Liability

Uganda lacks clear legal frameworks for regulating digital platforms that connect service providers with consumers, such as ride-hailing apps, food delivery platforms, e-commerce marketplaces, and freelance work platforms. Questions about platform liability, worker classification, taxation, and consumer protection remain largely unaddressed.

The Content Regulations attempt to impose registration requirements on online platforms but fail to distinguish between platforms hosting user-generated content and those creating original content. This one-size-fits-all approach creates compliance burdens inappropriate for different platform types.

Intermediary liability rules remain underdeveloped. When defamatory content appears on a platform, or when counterfeit goods sell through a marketplace, the law provides insufficient guidance on when platforms bear responsibility versus when liability rests solely with individual users or sellers. This uncertainty exposes platforms to potentially unlimited legal risk while simultaneously limiting accountability for harmful content.

Content Regulation and Freedom of Expression Tensions

The Uganda Communications (Content) Regulations represent the most controversial aspect of digital economy regulation. These rules require online content creators to obtain authorisation from the UCC before providing “online data communication or broadcasting services” in Uganda. The regulations define “online data communication service” so broadly that virtually any online activity involving communication could require licensing. The requirement for platforms to register and pay fees has been criticised as censorship by taxation, particularly affecting smaller content creators and citizen journalists.

The Computer Misuse Act criminalises “offensive communication” without defining the term with sufficient precision. This vagueness has led to arbitrary enforcement, with prosecutions initiated against journalists, opposition politicians, and ordinary citizens for social media posts critical of government. The chilling effect on digital expression is substantial.

The UCC possesses broad powers to issue content standards and takedown directives, but these powers lack procedural safeguards against abuse. The only available appeals process is vague and cumbersome, and the standards for determining prohibited content remain opaque.

Data Localisation and Cross-Border Data Flows

The Data Protection and Privacy Act requires data controllers to implement “adequate safeguards” for cross-border data transfers but does not provide sufficient guidance on what constitutes adequate protection. Unlike the GDPR’s detailed adequacy decision framework or standard contractual clauses, Uganda’s law leaves critical implementation details unspecified.

There have been periodic suggestions from government officials about data localisation requirements that would mandate storing certain data within Uganda’s borders. While not yet codified in law, this uncertainty affects long-term infrastructure planning for digital businesses that rely on cloud services and global data centres.

The Personal Data Protection Office lacks the resources and technical capacity to effectively supervise complex cross-border data processing arrangements. This creates a compliance gap where sophisticated multinational corporations can navigate requirements easily while domestic enterprises struggle with uncertainty.

Taxation of the Digital Economy

Uganda imposes a digital tax levied as increased mobile data excise duty, reflecting broad challenges in taxing digital services where value creation, service provision and consumption occur across multiple jurisdictions.

The government struggles to tax foreign digital service providers with no physical presence in Uganda. Companies like Netflix, Spotify and Amazon Web Services operate in the Ugandan market but pay minimal taxes locally. Traditional tax concepts based on physical presence and permanent establishment fail in platform economies.

VAT collection from digital services remains problematic. While Ugandan consumers purchase digital goods and services from foreign providers, mechanisms for collecting VAT at the point of consumption are rudimentary. Some jurisdictions have adopted digital services taxes or modified VAT rules for e-commerce, but Uganda has yet to implement comprehensive solutions.

Uganda is yet to operationalise the dual mechanism required under the OECD’s BEPS Pillar 2. This disincentivises multinational players or, at the least, makes their services more expensive. The country also has an inadequate legal framework for taxing the gig economy. The current framework levies withholding tax and VAT on digital services in a manner that leaves the taxable base narrow and compels some players to absorb the tax incidence.

Cybersecurity and Critical Infrastructure Protection

Uganda lacks comprehensive cybersecurity legislation despite increasing digitalisation of essential services including banking, healthcare and government systems.

The Computer Misuse Act criminalises cybercrimes but fails to establish mandatory cybersecurity standards, audit requirements or incident reporting obligations for private sector entities. Even critical sectors like banking and telecommunications operate without legally mandated cybersecurity baselines.

The National Information Security Framework provides policy guidance but lacks statutory force, creating a regulatory gap that leaves Uganda vulnerable to cyber threats capable of disrupting essential services or compromising national security.

E-Commerce Consumer Protection Gaps

Uganda lacks specific e-commerce consumer protection legislation, leaving online transactions governed by general contract law principles that pre-date digital commerce.

Common protections in other jurisdictions – such as cooling-off periods for distance selling, clear rules for cross-border dispute resolution, and remedies for non-delivery or counterfeit goods – have no equivalent in Ugandan law.

The pending Consumer Protection Bill would address some gaps but currently lacks digital-specific provisions on algorithm transparency, dark patterns or platform liability for third-party sellers, leaving consumer rights in digital marketplaces inadequately protected.

Digital Financial Services Regulation

Despite mobile money’s remarkable penetration in Uganda, regulatory frameworks struggle to keep pace with fintech innovation, creating uncertainty about licensing requirements for services that blend banking, telecommunications and technology characteristics.

Fintech start-ups face unclear regulatory perimeters and disproportionate compliance costs due to absent guidance on which licences apply to novel business models. Deployment of a regulatory sandbox framework – which should allow controlled experimentation under regulatory supervision – remains fragmented and has not had transformative impact, risking Uganda’s competitiveness in regional fintech innovation.

Jurisdictional and Enforcement Challenges

Enforcing Ugandan law against foreign digital service providers with no physical presence in Uganda presents profound challenges, as authorities lack practical mechanisms to compel compliance with court orders or regulatory directives.

Even voluntary compliance requires diplomatic co-ordination and international co-operation mechanisms, which remain underdeveloped in Uganda. Conversely, Ugandan digital businesses serving regional markets must navigate overlapping and sometimes conflicting regulatory requirements across multiple East African jurisdictions simultaneously.

Weak and Fragmented Enforcement Mechanisms

Uganda’s institutional capacity to enforce cybersecurity and data protection is inadequate. While the Data Protection and Privacy Act attempts to cast a wide reach to companies outside Uganda that collect and process the personal data of Ugandan citizens, the law fails to achieve its desired legal effect due to issues like foreign choice of law clauses.

Victims of data breaches and cybercrime seldom obtain relief due to the excessive compliance procedures and bureaucracy involved in the legal processes. Consequently, data abuse often goes unchecked due to the lack of strong deterrent measures. This undermines confidence in digital services and the government’s ability to protect users’ data.

Digital Rights Infringement

There is tension between national security and freedom of expression. The government invokes national security to restrict digital access and enforce increased social media monitoring and internet shutdowns, for example during the recently concluded 2026 general elections. This hampers digital business, e-commerce and civic participation.

Digital Skills and Capacity Constraints

Judges, regulators, law enforcement officers and legal practitioners often lack sufficient technical understanding of digital technologies to effectively apply legal principles to digital economy disputes.

Due to a lack of adequate skilling, the courts will struggle with contemporary questions on digital evidence, blockchain technology and algorithmic decision-making, while legislative drafting bodies lack adequate technical capacity to anticipate implementation challenges.

This capacity gap means even well-designed legislation may fail in implementation, while poorly designed rules create unintended consequences that only become apparent after enactment.

Lastly, while some work is ongoing to review and update some of these legislative instruments to ensure that they accommodate emerging trends and developments in the digital economy, the pace remains slow and fragmented across different government institutions.

Taxation of Digital Services and Goods

The Ugandan tax regime caters for digital goods and services, applying various taxes based on the nature of business and presence in Uganda under the Income Tax Act, the Value Added Tax (VAT) Act, and the Excise Duty Act.

Electronically supplied services and goods fall under the taxable supplies of goods and services and attract 18% VAT under the Value Added Tax Act, Cap 344. Imported digital services provided by non-resident businesses in Uganda also attract VAT at 18%.

The Income Tax Act, Cap 338 imposes withholding tax at a rate of 15% on payments from digital and technical services. Although Uganda’s corporate income tax should apply to digital businesses, it raises complex questions about permanent establishment and source of income. Uganda’s Income Tax Act bases taxation on income sourced in Uganda or derived by Uganda-resident companies. This definitive scope includes income from all services carried out in Uganda. However, determining “source” for digital services proves difficult.

The traditional permanent establishment concept – requiring physical presence through an office, branch or dependent agent – fails to capture value creation in digital platform economies. A streaming service can have millions of Ugandan subscribers generating substantial revenue without any physical infrastructure in the country beyond users’ devices and internet connections.

The Excise Duty Act, Cap 336 imposes liability on telecommunication service providers providing data for accessing over-the-top services to account for and pay excise duty on the access of the services, based on the fees charged for internet data, at 12%; money transfer or withdrawal services, save for those provided by banks, at 15%; value added services at 12%; and mobile money transactions of withdrawals of cash at 0.5% of the value of the transaction.

Challenges Companies Face in Managing Tax Compliance

Digital economy taxation uncertainty

Businesses operating in the digital economy face compliance uncertainties as traditional tax concepts struggle to address digital business models, leaving companies unsure whether and how their activities trigger Ugandan tax obligations.

Companies providing digital services to Ugandan customers without physical presence must determine taxable presence, VAT registration requirements and compliance mechanisms, yet practical systems for foreign digital service providers to register, file and remit taxes from abroad remain underdeveloped.

The Content Regulations requiring online content providers to register with UCC create additional compliance layers whose interaction with tax obligations remains unclear.

Excise duties on mobile data and mobile money transactions create obligations for telecommunications and mobile money operators while affecting costs for all digital participants, with rates and applications changing periodically.

Other Taxation-Related Challenges Impairing Players in the Digital Economy

Infrastructure and administrative capacity constraints

The Uganda Revenue Authority faces resource constraints that affect service delivery. With tax offices concentrated in urban centres, rural businesses are left with limited access. These constraints include infrastructure limitations, which create fundamental compliance difficulties beyond taxpayers’ control.

Complexity and ambiguity in tax legislation

Uganda’s tax laws contain complex provisions requiring specialised knowledge, with frequent amendments through annual finance and tax amendment Acts creating a constantly moving compliance target. Legislation often lacks detailed implementation guidance, leaving taxpayers uncertain about how specific provisions apply to their circumstances and forcing compliance decisions based on incomplete information. The absence of adequate transition periods between announcement and implementation of new provisions compounds these difficulties.

Multiple tax obligations and filing requirements

Ugandan businesses must manage numerous simultaneous tax obligations including corporate income tax, VAT, PAYE, multiple withholding taxes, local service tax, and potentially excise or customs duties, each with different filing frequencies and compliance requirements.

Each tax type carries distinct rules for calculation, documentation, filing and payment:

  • VAT requires monthly returns with detailed transaction listings;
  • PAYE involves monthly remittance with quarterly and annual reconciliations; and
  • withholding taxes must be deducted for multiple payment categories at different rates.

The administrative burden of tracking multiple deadlines, maintaining separate records for different tax types, and ensuring accurate calculations across all obligations strains resources. This complexity disproportionately affects small and medium enterprises lacking dedicated tax departments.

The legal regime imposes several tax registration, reporting and documentation requirements that digital economy players struggle to keep up with. This in turn exposes them to compliance risks.

Withholding tax compliance complexity

Uganda’s withholding tax regime requires businesses to:

  • determine whether obligations apply for numerous transaction types;
  • identify correct rates (which differ for residents versus non-residents);
  • deduct appropriate amounts;
  • remit within specified timeframes; and
  • issue compliance certificates.

Different exemptions exist that require careful verification, with businesses bearing responsibility for verifying exemption validity and maintaining supporting documentation.

Penalties for failure to withhold, late remittance or incorrect calculations can be substantial, while maintaining detailed records of all payments, amounts withheld and certificates issued demands robust accounting systems.

Companies also face challenges relating to the inadequate management of WHT obligations for cross-border transactions in the digital economy.

Transfer pricing documentation and compliance

Multinational companies and businesses with related party transactions face extensive transfer pricing requirements to maintain contemporaneous documentation demonstrating arm’s length compliance. Preparing compliant documentation requires sophisticated economic analysis, industry benchmarking, functional analysis, and extensive documentation of group structures and transaction terms that many businesses lack the internal capacity to prepare.

Uganda’s transfer pricing regulations have remained static since 2012. Uganda Revenue Authority (URA) has not issued any guidance on the determination of key components of transfer pricing considerations, despite the complexity of the subject that necessitates extensive contemporaneous documentation demonstrating arm’s length pricing, with limited guidance on acceptable methodologies and documentation standards.

URA has become increasingly aggressive in transfer pricing audits, often proposing significant adjustments, with the burden of proof resting on taxpayers to defend positions with comprehensive documentation. The global nature of these rules means businesses must navigate both Ugandan requirements and obligations in other jurisdictions, ensuring consistency while complying with potentially differing local rules.

VAT compliance challenges

Players in the digital economy in Uganda face major challenges in computing and applying VAT to digital services. VAT compliance requires businesses to:

  • distinguish between taxable, exempt and zero-rated supplies;
  • apply correct rates;
  • account for input tax credits;
  • manage timing differences; and
  • maintain detailed records supporting every transaction.

The requirement to issue tax invoices containing prescribed particulars for every taxable supply creates administrative burdens, particularly for high-volume businesses, while input tax credit claims require valid tax invoices from VAT-registered suppliers who often fail to register or issue compliant invoices.

Electronic Fiscal Devices and e-invoicing requirements aim to improve compliance but create implementation challenges and costs for purchasing, installing, maintaining devices and integrating them with accounting systems.

VAT refund processes remain cumbersome and slow, with verification procedures often extending for months, effectively converting VAT into a cost rather than neutral tax for exporters and businesses with high input tax positions.

Tax audits and disputes

Tax audits in Uganda can be extensive and disruptive, with desk audits based on filed returns and comprehensive field audits requiring detailed examination of books, records and operations that can extend for months or years. Auditors often request voluminous documentation, sometimes beyond statutory retention requirements, forcing businesses to divert staff to respond to information requests while maintaining normal operations.

Audit assessments frequently propose adjustments leading to lengthy objection and appeals processes, with objections requiring detailed written submissions within 45 days and appeals potentially extending for years. The requirement to pay disputed taxes before appealing creates significant cashflow burdens and effectively limits appeal rights for businesses unable to fund disputed amounts.

Corporate Income Tax on Advertising Revenue

Uganda’s Income Tax Act specifically includes online advertising within the definition of taxable digital services. These services are taxable at Uganda’s standard corporate tax rate of 30% for companies.

Foreign digital advertising platforms like Google, Meta, Spotify and other social media companies generating advertising revenues from Ugandan advertisers or targeting Ugandan audiences face corporate income tax obligations if they meet the permanent establishment threshold. However, the traditional permanent establishment concept requiring physical presence creates significant challenges, as these platforms operate entirely digitally without offices, employees or tangible assets in Uganda, potentially escaping Ugandan corporate income tax despite substantial local revenue generation.

Digital advertising revenue derived in Uganda is subject to VAT, withholding tax and excise duty of 12% on internet data, as set out in 1.3 Digital Economy Taxation.

Telecommunications service providers have the obligation to collect withholding tax on behalf of the government.

Ugandan tax law does not yet provide comprehensive rules for determination of permanent establishment with respect to the digital economy. The country is yet to adopt significant economic presence rules or similar provisions explicitly addressing digital business models. The case of Target Well Control (U) Ltd v URA provides some guidance on permanent establishment, establishing that a subsidiary constitutes permanent establishment for its parent when the parent “trades through” rather than “trades with” the subsidiary. Whether this principle extends to digital platforms operating through local users, advertisers or content creators without formal subsidiary structures remains untested.

Taxation of Influencer and Content Creator Advertising Revenue

Individual content creators, influencers and social media personalities earning advertising revenue face income tax obligations on their earnings. Revenue from YouTube advertising, Instagram sponsored posts, TikTok creator funds and similar sources constitutes taxable business or employment income depending on the arrangement structure. While enforcement remains challenging in this regard, it is not inconceivable.

Ensuring Company Compliance With Tax Obligations

Companies can ensure compliance with the tax laws related to digital advertising by doing the following.

  • Establish comprehensive understanding of applicable tax obligations – Companies must first identify all tax obligations applicable to their digital advertising activities, which vary depending on whether the company provides advertising services, purchases advertising or operates as a platform facilitating advertising transactions.
  • Implement robust tax registration and licensing – Companies providing digital advertising services must register for income tax with URA, obtaining a Tax Identification Number (TIN) that should appear on all invoices, contracts and tax correspondence. VAT registration becomes mandatory once turnover exceeds the statutory annual threshold, though voluntary registration is available for businesses below this threshold who wish to claim input tax credits. Companies should also register on URA’s digital compliance platform, the Electronic Fiscal Receipting and Invoicing System (EFRIS).
  • Implement withholding tax compliance systems – Companies purchasing digital advertising services from non-resident providers must establish systems ensuring consistent withholding tax compliance. This requires identifying which payments trigger withholding obligations at 15% under Section 118B of the Income Tax Act, implementing approval workflows that require tax team review before processing payments to non-residents, and calculating withholding amounts accurately on gross payments before any deductions. Payment systems should automatically compute withholding tax when processing payments to identified non-resident suppliers, generate withholding certificates immediately after remitting tax to URA, and maintain comprehensive registers tracking all payments subject to withholding with dates, amounts, tax withheld and certificate numbers. For digital advertising payments processed through international credit card systems or online platforms, companies should establish alternative compliance mechanisms such as calculating withholding obligations quarterly, making lump-sum payments to URA with supporting schedules, and attempting to obtain acknowledgment from URA even when traditional withholding certificates cannot be issued to foreign platforms.
  • Manage VAT compliance for cross-border advertising services – Companies purchasing advertising services from foreign platforms not registered for VAT in Uganda must understand and implement reverse charge VAT obligations. When importing advertising services consumed in Uganda, businesses should self-assess VAT at 18% on the service value, include this output tax in VAT returns, and simultaneously claim it as input tax if entitled to input tax credits.
  • Establish transfer pricing documentation protocols – Multinational companies with related party advertising arrangements must maintain contemporaneous transfer pricing documentation demonstrating arm’s length compliance. This requires preparing functional analysis documents describing advertising activities performed by each related entity, roles and responsibilities, and value contributed.
  • Implement comprehensive record-keeping systems – Proper record-keeping is fundamental to tax compliance and audit defence. Companies must maintain complete books of account recording all advertising revenue and expenses, supporting documentation for every transaction, including contracts, invoices, payment evidence and correspondence, and detailed records of all tax computations, filings and payments.
  • Conduct regular internal tax compliance reviews – Proactive internal reviews help identify and correct compliance issues before URA audits. Companies would do well to conduct these reviews across well-defined parameters on a periodic basis.
  • Establish relationships with URA and seek advance guidance – Proactive engagement with URA can prevent compliance issues and disputes. For novel transactions or uncertain tax treatments, and given the interpretive uncertainties arising around digital advertising taxation, companies may consider requesting the URA to provide advance private tax rulings before executing the transaction. These rulings provide binding guidance on how the Authority will treat specific transactions. These approaches demonstrate good faith compliance efforts and create documented positions defendable in future disputes.
  • Engage qualified tax advisers – The complexity of digital advertising taxation makes professional tax advice valuable, particularly for structuring significant transactions, navigating cross-border arrangements or addressing interpretive uncertainties.
  • Monitor legislative and regulatory changes – Digital economy taxation evolves rapidly as governments worldwide develop approaches to tax digital business models. Uganda’s tax law generally changes on an annual basis. Companies must establish systems to monitor Ugandan tax law changes including regular review of the Finance Act and tax legislative amendments, URA practice notes and public notices, and Tax Appeals Tribunal and court decisions affecting digital advertising.
  • Establish clear contracts with tax provisions – Advertising contracts should explicitly address tax responsibilities and obligations. Agreements with advertisers should specify whether quoted prices include or exclude VAT, identify which party bears responsibility for any withholding taxes, and require advertisers to provide valid tax exemption certificates if claiming exemptions.
  • Consider tax-efficient structuring – While ensuring compliance, companies should also consider legitimate tax planning opportunities. Companies should assess the tax treatment of digital advertising before penetrating the Ugandan market.

Applicable Laws

Although Uganda does not have a single piece of legislation that consolidates the legal rights and obligations in this regard, the laws regulating the digital economy set out at 1.1 Legal Framework contain various provisions that regulate consumer protection, specifically the following.

  • The Uganda Communications Commission Act, Cap 106 provides the most direct consumer protections for telecommunications and digital services, granting the Uganda Communications Commission regulatory authority over service quality, investigating consumer complaints and fair-trading practices, and taking enforcement action against service providers breaching consumer rights in the communications sector.
  • In addition, Uganda has several sets of regulations enacted under the Uganda Communications Act. These include:
    1. Uganda Communications (Content Regulation) Regulations, 2019, which contain general consumer protection provisions and specific provisions with wide-ranging implications for consumers of digital information and media;
    2. Uganda Communications (Consumer Protection) Regulations, 2022, which provide for consumer protection in digital communication services through service level agreements, a laid-out procedure for UCC’s handling of consumer complaints, and a prohibition of various practices such as false, misleading and bait-and-switch advertising, and discriminatory treatment of consumers; and
    3. Uganda Communications (Quality of Service) Regulations, 2019, which prescribe minimum standards for telecommunications and internet services, including network availability requirements, call set-up success rates, dropped call limits, and data transmission speeds.
  • The Data Protection and Privacy Act, Cap 97 establishes important provisions for protection of personal data in digital services. Data subjects – including consumers using digital goods and services – have the following rights:
    1. to be informed about data collection and processing purposes;
    2. to provide explicit consent before processing of personal data;
    3. to access their personal data held by service providers; and
    4. to request correction of inaccurate or incomplete data.
  • The Electronic Transactions Act, Cap 99 requires suppliers of goods and services in electronic transactions to disclose to the consumer information relating to the goods and services, and renders any provision excluding consumer rights in an agreement for such goods void. However, the Act lacks specific consumer protections common in other jurisdictions, including cooling-off periods for distance selling, requirements for clear pre-contractual information, mandatory disclosures about seller identity and contact details, or special protections for vulnerable consumers in digital transactions.
  • The National Payment Systems (Consumer Protection) Regulations, 2022:
    1. establish principles for fair and equitable treatment of consumers;
    2. impose an obligation of mandatory disclosure of information on products and services to consumers; and
    3. create consumer complaints handling and redress mechanisms with clear timelines.
  • Large corporations will also need to pay attention to Uganda’s Competition Act, Cap 66, which has collateral application to the digital economy.

Ensuring the Upholding of Consumer Rights

Companies intending to uphold consumer rights need to take several practical steps. A non-exhaustive list of measures such companies can take includes:

  • endeavouring to execute robust service level agreements and terms of service with consumers to ensure compliance with specific statutory and regulatory requirements to that effect;
  • maintaining the mandatory service standards to avoid compromising quality;
  • representing product features, capabilities and limitations accurately and without misleading claims or omissions; and
  • establishing, operating and maintaining robust, functional, accessible and comprehensive customer support systems and consumer complaint filing and handling mechanisms with multiple channels and clear procedures to address consumer grievances.

Legal Frameworks to Guide the Resolution of Consumer Complaints

The legal framework for complaint handling in the digital economy is fragmented and scattered across different statutory frameworks.

The consumer protection laws highlighted above often require consumers to raise complaints with digital goods suppliers and service providers within the digital economy before escalating them to regulatory bodies under the statutes.

Several statutes provide quasi-judicial bodies from which consumers may seek relief. These include the UCC Disputes Tribunal, the Media Council, the Personal Data Protection Office, the Competition Tribunal and, in the case of listed companies, the Capital Markets Tribunal. While most of these organs are functional, some remain inoperative.

For digital financial services including mobile money, Bank of Uganda provides regulatory oversight and complaint mechanisms. The National Payment Systems Act grants Bank of Uganda authority to:

  • receive complaints about payment service providers;
  • investigate misconduct or service failures; and
  • impose corrective actions or penalties.

In the event of the regulatory body’s failure to resolve consumer complaints to the consumers’ satisfaction, consumers may seek redress from the courts of law through judicial review of decisions of the bodies or commencing suits against digital service providers and suppliers to enforce contractual and statutory rights. However, Ugandan courts will require that a complainant exhausts the statutory dispute resolution process before seeking court redress.

Suppliers and consumers may agree to alternative dispute resolution mechanisms, including arbitration and mediation, amongst others. The Electronic Transactions Act, Cap 99 requires suppliers and sellers to disclose to consumers any alternative dispute resolution code and how the consumer can access it electronically.

Best practices for TMT companies to handle consumer disputes effectively

TMT companies can put in place a series of best practices to anticipate and handle consumer disputes effectively. These measures include:

  • ensuring regulatory compliance with set consumer protection standards;
  • enforcing robust, internal multi-channel complaint systems to resolve consumer disputes;
  • implementing clear, transparent complaint procedures and investigating complaints thoroughly and objectively;
  • documenting all complaints and resolutions comprehensively, and creating comprehensive complaint tracking systems;
  • training staff comprehensively on complaint handling procedures, empowering frontline staff to resolve issues and creating escalation pathways for complex disputes;
  • communicating proactively through the dispute resolution process;
  • disclosing to consumers alternative dispute resolution codes to which the companies subscribe to encourage amicable settlement of disputes;
  • offering fair and appropriate remedies; and
  • analysing complaint data for service improvement, and implementing quality assurance programmes.

Regulation of Blockchain and Cryptocurrency and the Impact of Cryptocurrency on the Legal Landscape

Uganda does not yet have a comprehensive virtual assets regulatory framework. A bill intending to amend the Capital Markets Authority Act to introduce virtual assets under the capital markets legal framework remains in draft form and is yet to receive detailed parliamentary consideration.

Although the National 4IR Strategy of 2021 recommended the enactment of a robust legal regime, this recommendation remains unrealised. Consequently, blockchain applications are assessed under existing data protection and financial services laws.

Ugandan law does not expressly recognise cryptocurrency as legal tender. The High Court of Uganda cemented this position in Silver Kayondo v Bank of Uganda, Miscellaneous Cause No 109 of 2022. The court went so far as to stipulate that cryptocurrency is illegal in Uganda. The court’s position is inaccurate, given the absence of express statutory stipulations to this effect.

However, although several laws anticipate its use in e-commerce, statutory and lexical ambiguities remain that diminish the necessary clarity. The National Payment Systems Act, Cap 59 expressly defines “electronic money” and “electronic money issuer”. However, this law and all financial sector-related laws do not define money.

The Foreign Exchange Act (Chapter 167) defines “foreign currency” to mean a currency other than the legal tender of Uganda. It further defines “foreign exchange” to include banknotes, coins or electronic units of payment in any currency other than the currency of Uganda which are or have been legal tender outside Uganda. Consequently, absent an amendment, if cryptocurrency became legal tender anywhere else in the world, it would, by inference, become recognisable as foreign currency in Uganda.

Other laws governing electronic commerce have similarly implicating provisions. The Electronic Transactions Act defines an “advanced electronic signature” and the Electronic Signatures Act defines an “automated transaction” in ways that essentially describe the intrinsic elements underlying cryptocurrency architecture. However, these statutes fall short of drawing the nexus to cryptocurrency application.

As a result of the above statutory ambiguity, the policy position remains vague, with the Central Bank and Ministry of Finance taking a cautionary approach, discouraging investment in cryptocurrency by unsophisticated investors. On the other hand, parliament has since amended the Anti-Money Laundering Act, Cap 118 to designate virtual assets service providers (VASPs) as accountable persons subject to the Financial Intelligence Authority (FIA) supervision and monitoring. This amendment essentially designated cryptocurrency as a recognised virtual asset.

Legal Challenges and Opportunities Presented by These Technologies

Challenges

Regulatory ambiguity remains the single most critical challenge in Uganda’s blockchain sector. Siloed and unco-ordinated policy pursuits across different government ministries and departments compound the confusion and worsen the uncertainty. The Ministry responsible for ICT, the Ministry responsible for Science, Technology and Innovation and the Uganda Communications Commission are all pursuing initiatives to propose policy and regulatory interventions to govern 4IR adoption in Uganda. On the other hand, the Prime Minister’s office, which the National 4IR Strategy recommended as the designated co-ordination office for all these initiatives, is not involved in any of these efforts.

Opportunities

Uganda’s National 4IR Strategy sets out several opportunities and use cases for blockchain adoption. It also sets out the opportunities and challenges, and highlights the various regulatory gaps that remain unattended. This document remains the single most comprehensive reference point on 4IR adoption in Uganda. Other initiatives towards policy and regulatory reform remain incomplete and siloed in the Ministries responsible for ICTs and Science, Technology and Innovation.

Despite the lack of specific regulation, the Uganda Communications Commission adopted the use of blockchain in SIM card registration to combat SIM swapping and other inappropriate SIM card-related practices. This use case signals the potential for the use of blockchain in digital identity solutions, which could help solve certain identity-related crises by replacement of physical IDs.

Other opportunities include supply chain management, which facilitates elimination of counterfeits from the market and improves transparency in trade and logistics; and financial inclusion from faster and cheaper cross-border payments.

Laws

Uganda does not have a specific law on cloud and edge computing, or related issues such as cybersecurity and network security issues. However, some existing laws have lateral application to these elements.

The Data Protection and Privacy Act, Cap 97 regulates the holding of personal data within Uganda and outside Uganda provided it relates to Ugandan citizens. Thus, the principles for collecting, processing and holding personal data, requirements for data localisation, consent and adequate personal data protection measures in place for storage of personal data outside Uganda, apply to cloud-stored personal data. This law also triggers critical data localisation and data residency considerations.

The other laws discussed above – including the Uganda Communications Act, which governs telecommunications and infrastructure regulation, and the Computer Misuse Act – also govern critical aspects relevant to cloud and edge computing.

The National Guidelines on Cloud Computing for Ministries Departments and Agencies, 2018 support government ministries, departments and agencies’ (MDAs) use of the National Data Center “government cloud” as a centralised hosting service for government data to enable efficient service delivery.

NITA-U’s National Information Security Policy provides mandatory minimum security controls that all public and private sector organisations that use, own and/or operate protected computers, handle official communications and personal data must apply to reduce their vulnerability to cyber threats.

Industry Codes of Conduct

Providers of online data services must obtain authorisation from UCC according to the Guidelines on Online Data Services. Cloud service providers in Uganda use the ISO 27017 certification to manage cloud-specific risks.

Regulated Industries Subject to Greater Restrictions

Payment service providers and banks are subject to higher standards for customer due diligence through Know Your Customer (KYC) requirements and Anti-Money Laundering obligations.

Regulated sectors such as insurance, banking and telecommunications are subject to additional requirements for data localisation and outsourcing. The Insurance (Licensing and Governance) Regulations 2020 establish several requirements for insurers to meet in outsourcing arrangements, including the assessment of the reasonableness of the charges, and associated risks, amongst others. The outsourcing arrangement is subject to approval of the Insurance Regulatory Authority.

Insurance companies under the Insurance Regulatory Authority have more data protection and book-keeping requirements than the average sector laws.

Telecommunications players under UCC stewardship must comply with service quality, lawful interception, data preservation and other requirements.

Specific Issues Regarding the Processing of Personal Data

These include the following:

  • access and security risks;
  • consent by data subjects;
  • transfer of data across borders; and
  • legal accountability of data controllers.

Laws and Regulations

In the absence of a specific regulation governing artificial intelligence (AI), Uganda continues to leverage data protection, intellectual property and cybersecurity laws to govern AI usage.

  • The Data Protection and Privacy Act (DPPA) is the primary legislation for AI regulation, given its provisions on automated decision-making and the collection, processing and storage of personal data. The Data Protection and Privacy Regulations, 2021 enforce the DPPA and require data processors to enforce technical measures for securing data.
  • The Computer Misuse Act provides a legal framework to guard against the misuse of computer systems and addresses unlawful access to data and cybersecurity.

Protection of Individuals in Relation to Deepfake Technologies

Deepfake technologies are a direct affront to an individual’s right to privacy under the Constitution of the Republic of Uganda, 1995 (as amended). Ugandan law grants persons the right to seek redress from the courts of law for human rights enforcement against deepfakes to protect their likeness.

The Data Protection and Privacy Act (DPPA) provides for mandatory consent requirements regarding the processing of personal data. In the absence of such consent, as in the use of technologies to make deepfakes, the DPPA grants an individual the right to require that a developer or user of a deepfake technology stop processing their personal data, amongst other measures. NITA-U maintains its oversight role to ensure compliance with any such request.

Being a form of generative AI, deepfake technologies often infringe on copyrighted works. An individual may seek redress from the courts of law through legal action for infringement of copyright, comprising their moral and economic rights.

The Computer Misuse Act criminalises unauthorised access or interception of a program or data, and recording or sharing a video or photograph of a person without their consent. The Act also prohibits unauthorised modification of data and cyber harassment intended to create fear, harm and discomfort. Thus, an individual may pursue criminal proceedings in relation to the effects of deepfake technologies.

Regulation of AI in Transport

Commercial drones and drone delivery services

The Civil Aviation (Unmanned Aircraft Systems) Regulations, 2022 govern the ownership and operation of unmanned aircraft systems within the Ugandan airspace, requiring their registration, certification of their operators, establishment of operating rules and enforcement of security requirements.

The Uganda Civil Aviation Authority also often issues advisory circulars, such as the AC-UCAA-AC-UAS001 detailing the procedures for importation and operation of unmanned aircraft, including drones.

Relevant elements

  • The burden of liability should fall appropriately on the service provider, operator and AI developer with sector-specific liability obligations. Insurance coverage should be a licensing requirement for drone operators, as is the case with third-party risks for motor vehicle insurance.
  • The law should provide for stronger enforcement of data security measures, consent and respect for data subjects through existing legal frameworks.
  • AI works and inventions should be copyrighted and patented for their protection and the incentivisation of new entrants into the sector.

Legal Framework

Uganda does not have a specific law comprehensively governing the internet of things (IoT) infrastructure or machine-to-machine communications. Compliance instead draws on provisions in related legal frameworks on communications, cybersecurity and data protection.

The Uganda Communications Commission oversees various aspects. For example, the Guidelines on 2.4GHz Band (2021) address rules on devices operating on this frequency as used in smart home sensors and Wi-Fi cameras. The devices must meet expected standards before use in Uganda.

Relevant elements

The following rules apply in this context.

  • IoT service providers must adhere to communication secrecy obligations while dealing with data. The Regulation of Interception of Communications Act (Chapter 101) criminalises disclosure of information obtained by anyone in the exercise of their duties.
  • IoT devices generate a lot of personal and usage data. This necessitates compliance with data protection requirements.

Challenges Faced by Companies Deploying IoT Solutions

The challenges are as follows.

  • The absence of a comprehensive or specific law on IoT creates challenges in licensing, supply chain management and data protection, among others. Multiple regulators could lead to duplication of compliance requirements.
  • The Data Protection and Privacy Act (DPPA) requires registration of companies under NITA, compulsory consent requirements from data subjects and the managing of restrictions in cross-border data transactions, which is difficult given reliance on foreign cloud services.
  • Statutory approval requirements by UCC can become time-consuming, unclear and costly for devices using low power.

Governance Framework for Companies Managing Their IoT Deployments

The following framework is recommended.

  • A company should establish compliant data protection frameworks consistent with the DPPA.
  • Cybersecurity strategies and security policies consistent with the Computer Misuse Act, Cap 96 should be implemented. Article 27 of the Constitution of Uganda guarantees a right of privacy which must be respected.
  • Internal compliance checks should be created to manage approvals from relevant sector regulators such as Uganda National Bureau of Standards and UCC.
  • Companies should also carry out risk assessments to identify threats like device tampering and data breaches.
  • A company should establish liability and insurance management together with proper accountability structures.

Legal Requirements

The legal requirements for IoT companies regarding data sharing are as follows.

  • IoT companies must register with the Personal Data Protection Office (PDPO), subject to annual renewal.
  • The DPPA allows IoT companies to collect and share personal data subject to observation of mandatory requirements, hence providing a lawful basis.
  • Informed consent must be sought from data subjects before using their data, especially with third parties or public platforms. The data must be used for the exact purpose for which it was obtained.
  • Sensitive personal data and cross-border data sharing require higher standards of care and statutory compliance. Section 19 of the DPPA provides for limited circumstances under which personal data should be shared outside Uganda.
  • Security and confidentiality measures must be complied with to prevent unauthorised disclosure and access, and to protect shared data.

Companies Subject to Data Sharing Requirements

  • The DPPA and the Data Protection and Privacy Regulations 2021 govern data collection, sharing and regulation.
  • The requirements apply to private, public and listed companies, foreign companies operating in or handling data collected from Ugandan citizens, non-government and non-profit organisations collecting beneficiary or donor data, and entities which handle specialised data.

Thresholds for Data Sharing

The Personal Data Protection Office (PDPO) under the DPPA has set the following thresholds for data sharing:

  • mandatory registration with the PDPO;
  • companies whose activities include systematic and regular monitoring of data subjects must have a designated data protection officer; and
  • annual data protection and privacy compliance reports must be filed within 90 days after the end of the financial year.

Main Requirements

The Uganda Communications Act, Cap 103 regulates the provision of audiovisual media services such as television and radio under the oversight of the Uganda Communications Commission (UCC).

Providers must obtain a broadcasting licence and comply with content standards, local content requirements, advertising rules, public interest obligations, and technical transmission standards. These requirements apply to traditional broadcasters operating within Uganda.

The UCC has published a number of regulations, guidelines and standards to lay out necessary requirements. Examples of these publications include:

  • Uganda Communications Content Regulations;
  • Advertising Standards;
  • Standards for Religious Broadcast Programming in Uganda; and
  • Standards for General Broadcast Programming.

All these publications lay out the minimum requirements for the provision of audiovisual media services.

Video-sharing platforms and streaming services (such as YouTube, Netflix, Spotify and similar platforms) are generally not subject to the full broadcasting licensing regime, since the class does not fit the traditional definition of broadcasters. It is worth noting, however, that aspects of their features fall within the definition of “broadcasting” under the Uganda Communications Act.

It is through this limited definition of broadcasting that the commission has moved to enforce regulatory oversight over video-sharing platforms and streaming services by advancing content control, public order and data governance concerns as opposed to traditional broadcast regulation.

Procedure for Approval/Authorisation and Fees

Part 4 of the Uganda Communications Act and the Uganda Communications (Fees and Fines) (Amendment) Regulations 2020 provide for the approval process and fees for providing audiovisual media services.

TV and radio services operators must apply to the Uganda Communications Commission (UCC) for a broadcasting licence. The process involves:

  • submission of an application form;
  • demonstrating the existence of adequate technical facilities;
  • Environmental Impact Assessment; and
  • payment of application and licence fees (which vary by service type and coverage).

UCC conducts technical and content suitability assessments that consider moral and data privacy concerns and the extent of compliance with the minimum broadcast standards before granting approval. Subsequently, the licensee must comply with ongoing obligations, including annual licence fees, content standards and reporting requirements.

Technologies and Services Within the Scope of Local Telecommunication Rules

The Uganda Communications Act, Cap. 103 is the principal law in Uganda governing technologies and services. The Act defines and makes provision for various technologies and services, including:

  • radio communications apparatus (Wi-Fi routers, smartphones, two-way radios, radar, satellite uplinks using radio waves to transmit information);
  • satellite receiver equipment (examples include outdoor dish/antenna, set-top boxes, specialised antennas);
  • radio broadcasting and communications apparatus for spectrum use (these include enabling technologies used in relaying Wi-Fi, cellular, TV and radio broadcasts through the air);
  • interference-causing apparatus (examples include signal jammers, phone repeaters);
  • frequency spectrums;
  • postal services; and
  • cinematograph theatres and video libraries.

Requirements for Product or Service Approval

  • The Uganda Communications Act provides for a licensing framework for the management and use of spectrum. The Uganda Communications Commission (UCC) exclusively issues licences for radio broadcasting or communications apparatus and spectrum use, possession and operation of such technologies.
  • A broadcaster is required to obtain a broadcasting licence. Any person seeking to install a television or radio station is also required to obtain a separate installation licence.
  • A person intending to carry out postal services such as conveying, delivering or distributing postal articles is also required to obtain a licence, with the exception of persons delivering postal articles to another person to whom they are directed on a no-cost basis and articles concerning goods or other property to which the letters relate at no cost.

Security Requirements

The Uganda Communications Commission (UCC) Minimum Cybersecurity Guidelines for Licensed Operators (2025) and the Ugandan National Cybersecurity Strategy set the pace for relevant security requirements.

Under the guidelines, telecommunications service providers are required to implement comprehensive cybersecurity frameworks that ensure confidentiality, integrity, and availability of networks and services. Key requirements include:

  • the establishment of robust governance and risk management structures;
  • appointment of responsible security officers;
  • regular risk assessments and audits; and
  • implementation of technical safeguards such as access controls, encryption, network monitoring, incident detection, and secure system configuration.

Operators are required to:

  • maintain incident response and reporting mechanisms;
  • co-operate with national cybersecurity authorities;
  • ensure business continuity and disaster recovery; and
  • conduct ongoing staff training and awareness.

These obligations align telecom operations with national objectives on critical infrastructure protection, resilience against cyber threats, and co-ordinated national cyber incident response, reflecting the sector’s designation as critical to Uganda’s security and economic stability.

Part 9 of the Uganda Communications Act makes limited room for the regulation of net neutrality by protecting service providers from conduct that would violate principles of net neutrality.

These protections are limited and only relate to activities by providers that are likely to unfairly prevent, restrict or distort competition in relation to any business activities connected to communication service. The provisions protect ISPs and other providers from denial of access or service by operators, and guarantee and mandate equality in terms of opportunity for access to the same type and quality of service to all customers.

The Uganda Communications Commission collaborates with security agencies such as the Inter-Agency Security Committee to ensure that any disruption likely to result in a violation of net neutrality principles is balanced with the security needs of a free, fair and democratic society.

Emerging technologies have accelerated the development of the legal landscape on three major fronts:

  • data privacy and protection;
  • cybersecurity and infrastructure; and
  • the move to design AI-specific legislation.

Legal considerations for companies in the TMT space are as follows:

  • licensing requirements and applicable fees;
  • offences and penalties for violation of relevant and applicable provisions of the legal regime governing telecommunication and copyright; and
  • potential intellectual property infringement claims.

Challenges encountered by organisations entering into a technology agreement in Uganda include the following.

  • Over-regulation – This is occasioned by the existence of numerous and fragmented legislative, statutory and policy frameworks relating to technology in Uganda. Over-regulation is compounded by the existence of several government entities charged with an array of clearance and licensing obligations based on distinct criteria. Some operators may be required to obtain additional clearance from Bank of Uganda and the Capital Markets Authority in addition to clearance from the Uganda Communications Commission and the Personal Data Protection Office, depending on the scope of services proposed in a given agreement.
  • Strict data laws – The Data Protection and Privacy Act remains a significant hurdle for global tech firms. Under this law, organisations must prove that any personal data transferred outside Uganda is going to a jurisdiction with equivalent or better protection.
  • Technology-neutral but high-threshold licensing – While Uganda has adopted technology-neutral licensing, the entry barriers remain steep. The UCC requires providers, even those using satellite or cross-border tech, to meet the same rigorous local standards as terrestrial operators.

The following restrictions, exclusions and mandatory rules apply.

  • Restrictions on data storage and cross-border transfer of data under the Data Protection and Privacy Act, Cap 97 and the Data Protection and Privacy Regulations 2021.
  • Price revisions and tariff restrictions/anti-competitive pricing – Clauses in agreements that allow for predatory pricing or “price squeezes” are legally void. The UCC has the mandate to regulate rates to protect consumers from “excessive tariffs”.
  • Lawful interception and “backdoor” access – Under the Regulation of Interception of Communications Act, Cap 101, providers are legally obligated to provide the government with the technical capability to intercept communications upon presentation of a valid warrant.

Key elements for telecommunications service agreements are as follows:

  • dispute/conflict resolution clauses;
  • scope of services, whether voice calls, data usage or both;
  • service level agreements;
  • fees and billing to guarantee certainty, transparency and accountability;
  • infrastructure sharing and “open access” obligation clauses;
  • risk allocation;
  • adjustment and price review mechanisms; and
  • term and termination to ascertain duration of the agreement.

Companies can negotiate favourable terms in these agreements by doing the following:

  • presenting good faith arguments based on provisions of the law such as anti-competitive behaviour rules to ensure fairness;
  • identifying and suggesting suitable dispute resolution mechanisms such as arbitration as an alternative to court room litigation; and
  • challenging “minimum annual revenue commitments” through negotiating for “step-down” clauses to accommodate losses resulting from challenges such as infrastructure gaps – this ensures a proportionate decrease in commitment based on circumstances beyond the control of the provider.

Applicable Laws and Regulations

The following laws are applicable to electronic signatures and digital identity schemes.

  • Electronic Transactions Act, Cap 99 and Electronic Signatures Act, Cap 98, which establish a framework for the use of e-signatures, govern the delivery of trust services and electronic signatures in Uganda.
  • Electronic Transactions Regulations, 2013 and the UCC Minimum Cybersecurity Guidelines (2025) operationalise the above primary legislation, the latter of which mandates that telecom and digital service providers maintain “trustworthy systems” and real-time identity verification protocols.
  • Data Protection and Privacy Act and the regulations thereunder operationalise a framework for the regulation of digital identity schemes.

Relevant Elements in Relation to Use and Delivery

The following elements are relevant.

  • Fundamental rights and constitutional protections – The provision and use of all technology services must align with the 1995 Constitution, specifically Article 26 (right to property), Article 27 (right to privacy) and Article 29 (freedom of expression). However, these are legally balanced against “public interest”, allowing the state to mandate internet service restrictions under the Computer Misuse Act, and the use of personal data without consent from data subjects within the limited exceptions under the DPPA.
  • The protections enshrined under Article 27 of the Constitution are consolidated by the Data Protection and Privacy Act, which requires companies to register as data collectors/processors with the PDPO. Other mandatory requirements include “privacy by design”, local data residency (where feasible), and strict “adequacy tests” for any cross-border data transfers.
  • Liability and insurance – Contracts typically move beyond standard indemnity to include mandatory Cyber Liability Insurance and Professional Indemnity. Given the risk of high-value data breaches, Ugandan courts increasingly look at whether a provider has “adequate financial coverage” to satisfy potential claims under the DPPA.
  • Intellectual property (IP) – Software and code are protected as literary works under the Copyright and Neighbouring Rights Act. The Ministry of ICT and National Guidance published the Uganda IP Guidelines in 2025. These guidelines complement existing Intellectual Property laws and provide a basic framework for the protection and commercialisation of Intellectual Property rights in the context of software development.
  • Jurisdiction and governing law – While parties can choose foreign law for commercial terms, Ugandan Mandatory Law (Data Privacy, National Security, and Licensing) always applies to operations within the country. The UCC often acts as a mandatory first-tier arbiter for industry-specific disputes before they can escalate to the High Court (Commercial Division).
  • National security and lawful interception – Under the Regulation of Interception of Communications Act, all TMT providers must ensure their systems are “interception-ready”. This is a non-negotiable element that overrides any private “end-to-end encryption” service level agreement.

The industry is governed by a set of laws that were originally designed for gambling but are increasingly applied to digital “gaming”:

  • Lotteries and Gaming Act;
  • Responsible Gaming Directives;
  • Computer Misuse Act;
  • the Income Tax Act; and
  • NITA-U Certification.

Key Challenges

The key challenges are as follows.

  • Defining “skill vs chance” – A major challenge for developers is the legal ambiguity of whether a game is “entertainment” (regulated by the Media Council) or “gambling” (regulated by the NLGRB). If a game is classified as gambling, it faces a 30% gaming tax and much stricter licensing fees.
  • Financial compliance (AML/CFT) – Gaming operators are “accountable persons” under the Anti-Money Laundering Act. This requires smaller independent developers to implement complex Anti-Money Laundering (AML) reporting if their games allow for significant peer-to-peer asset trading.
  • Infrastructure and data residency – The requirement to store Ugandan user data locally (under the DPPA) creates a cost barrier for developers who rely on global cloud infrastructure.

Issues Addressed Domestically

The following issues are addressed.

  • Loot boxes as gambling – The National Lotteries and Gaming Regulatory Board has moved towards a “substance over form” approach. If a loot box can be purchased with real money and its contents have a “money’s worth” (ie, they can be traded or sold), it is increasingly treated as an unlicensed lottery.
  • Virtual currency regulation – The National Payment Systems Act requires developers who issue virtual tokens that can be cashed out or used as a medium of exchange to obtain a licence from the Bank of Uganda. Legislative processes leading to the enactment of a virtual assets legal regime are ongoing.

Legal Requirements

The following requirements apply.

  • Age ratings and content restrictions – Content governance is split between two primary bodies.
  • The Media Council of Uganda – All “video works”, including video games, must be submitted for classification. The Council applies age ratings (eg, U, 12, 15, 18) based on violence, sexual content and language.
  • The Lotteries and Gaming Act imposes a mandatory minimum age of 25 for gambling – Any game that includes “simulated gambling” or “loot boxes” risks being restricted to adults over 25 rather than the standard 18+ for general entertainment.
  • Cultural morality – Under the Anti-Pornography Act, Cap 119 and various public interest guidelines, the government can ban or restrict games that depict deviant behaviour or content deemed offensive to Ugandan cultural values.

Primary Regulatory Bodies

The primary regulatory bodies are as follows:

  • National Lotteries and Gaming Regulatory Board (NLGRB) – the lead regulator established under the Lotteries and Gaming Act, Cap 334;
  • National Information Technology Authority (NITA-U) under the Data Protection and Privacy Act, Cap 97;
  • Financial Intelligence Authority (FIA), established by the Anti-Money Laundering Act, Cap 118; and
  • Uganda Communications Commission (UCC), under the Uganda Communications Act, Cap 103.

Enforcement Powers

The regulatory bodies exercise the following enforcement powers.

  • Search and seizure – Under Section 5 of the Lotteries and Gaming Act, the NLGRB can enter any premises suspected of hosting illegal gaming to confiscate equipment.
  • Licence revocation/suspension – The Board can instantly suspend an operator’s licence for breaches of the Responsible Gaming Directives 2025, such as allowing minors (under 25 years of age) to participate.
  • Financial penalties – The Board can impose express fines (administrative fines) for non-compliance with the Act.
  • Mandatory monitoring – All operators must link their systems to the National Central Electronic Monitoring System (NCEMS). This allows the regulator to track every transaction in real-time for tax and AML purposes.

Example of Recent Enforcement

Mass machine destruction (September 2025)

The NLGRB, in partnership with the National Enterprise Corporation (NEC), publicly destroyed over 500 illegal gaming machines seized from unauthorised street-side betting shops in Kampala and Entebbe.

Challenges Faced by Game Developers

Game developers face the following challenges:

  • clone apps and reskinning;
  • weak online enforcement; and
  • algorithm detection gaps.

Creators’ Rights

Creators have the following rights to protect their IP in a virtual environment.

  • Marks, signs and sounds that creators use in virtual environments are eligible for trade mark protection.
  • Original creative copyrightable works existing in virtual environments enjoy copyright. Creators enjoy exclusive rights not only to be recognised as authors but also to exploit their works for economic gain.
  • Software algorithms and technological inventions in virtual environments that pass the test of novelty qualify for patent protection.

Key Considerations for Copyright

Key considerations for copyright in digital and virtual assets are as follows:

  • the nature of digital and virtual assets as intangible assets lacking permanent material may not comply with the fixation requirement under the Copyright and Neighbouring Rights Act;
  • definition and scope of copyrightable works;
  • originality and human authorship – primarily because the Copyright and Neighbouring Rights Act requires human authorship of copyrightable works;
  • the ownership of the rights copyright confers, whether the creator owns both the moral and economic rights;
  • digital and technological protection measures (TPMs);
  • fair use versus digital distribution;
  • virtual assets and legal recognition; and
  • associated rights and privacy.

Application of Trade Mark Laws to Virtual Goods and Services

In Uganda, trade mark law under the Trademarks Act, Cap 225, extends to virtual goods and services by protecting registered marks used in digital and online commerce, even though the Act does not expressly refer to virtual assets.

Use of a trade mark in virtual environments such as websites, apps, online platforms or virtual marketplaces may constitute trade mark use and infringement if it causes consumer confusion or implies an unauthorised commercial connection.

Protection depends on registration, the relevant trade mark classes, and the scope of any licences, meaning that virtual use of a brand (including in NFTs or digital goods) does not confer trade mark rights unless supported by the trade mark owner’s legal authority.

Implications of User-Generated Content on IP Rights

The Uganda ICT IP Guidelines issued by the Ministry of ICT and National Guidance provide for guidelines for the management of Intellectual Property rights of locally developed IT systems, applications and innovations. These guidelines provide insights on the implications of user-generated content on IP rights.

According to the guidelines, user-generated content (UGC) raises significant intellectual property implications because copyright under the Copyright and Neighbouring Rights Act vests automatically in the original human creator of the content, even when created or shared on digital platforms.

Therefore, users generally retain copyright in their posts, videos, images or other content, unless they have assigned or licensed those rights, often through platform terms and conditions. The digital platforms merely play the role of an intermediary.

At the same time, UGC can infringe third-party IP rights where users incorporate copyrighted works, trade marks or protected images without authorisation, exposing both users and, in some cases, platform operators to liability. In order to mitigate copyright infringement risks posed by UGC, the guidelines encourage digital platforms to design systems that discourage IP infringement and promote lawful content creation.

The absence of detailed statutory rules on intermediary liability and digital fair use places greater reliance on contractual terms between the UGC creator and digital platform and the existing guidelines.

The following laws and regulations are relevant to social media activities in Uganda:

  • Data Protection and Privacy Act, Cap 97;
  • Computer Misuse Act;
  • Uganda Communications Act, Cap 103; and
  • Uganda Communications Commission’s (UCC) various regulations.

These laws address data protection, online offences, content regulation, licensing of online communication services, and cybersecurity obligations. While there is no standalone social media code of conduct, UCC guidelines and platform-specific community standards operate alongside general consumer protection and advertising rules.

Key Challenges

Major challenges include:

  • enforcement of intellectual property rights over user-generated content;
  • compliance with data protection and cybersecurity obligations;
  • lawful data monetisation and targeted advertising;
  • heavy and opaque censorship under UCC-related regulation; and
  • limited clarity on age verification and child data protection.

Additional concerns arise from platform liability for harmful or unlawful content, cross-border data transfers, and balancing freedom of expression with regulatory oversight in Uganda’s evolving digital regulatory environment.

Primary Regulatory Bodies

The main regulators are the Uganda Communications Commission (UCC), which oversees online communication services and digital content regulation, and NITA-U, which enforces data protection and cybersecurity compliance.

Other law enforcement agencies include the Uganda Police Force under the Computer Misuse Act.

Enforcement Powers

Recent enforcement has included UCC directives requiring registration or suspension of online platforms, investigations and prosecutions for offensive communication and misuse of social media, and regulatory action against entities failing to comply with data protection and cybersecurity requirements, particularly in relation to unlawful content and personal data handling.

Key Data Privacy Laws and Regulations

The key laws and regulations are as follows.

  • To the extent that telecommunications providers collect personal data, including identity data, from consumers, the Data Protection and Privacy Act, Cap 97 governs the lawful collection, processing and holding or use of the personal data in accordance with the established principles.
  • The Data Protection and Privacy Regulations, 2021 require telecommunications providers as data collectors to register with the Personal Data Protection Office (PDPO) and comply with strict requirements before processing personal data outside Uganda.
  • The Regulation of Interception of Communications Act prohibits and criminalises telecommunications providers’ disclosure of any information they obtain in compliance with the lawful interception and monitoring of certain communications.
  • Sector-specific requirements arise under the Uganda Communications Act, 2013, the attendant Regulations and the Uganda Communications Commission’s (UCC) directives and guidelines on several aspects, including licensing conditions, subscriber registration rules, and cybersecurity directives.

Key Challenges

The main challenges telecom companies face include the following:

  • obtaining valid and informed consent in mass-market services;
  • implementing data minimisation in data-intensive networks;
  • responding effectively to data subject access and deletion requests;
  • securing large volumes of sensitive metadata;
  • enforcing state-mandated tax and censorship obligations which have a direct impact on consumer use of technology; and
  • aligning legacy systems with modern privacy requirements.

Cross-Border Data Transfers and Data Localisation

Telecom operators may transfer data outside Uganda only where adequate safeguards exist, such as recipient country adequacy, contractual clauses or NITA-U authorisation. Certain categories of data, including SIM registration and national security-related data are subject to local storage or regulatory access requirements, limiting unrestricted offshore processing.

Balancing Lawful Interception With Data Privacy

The Regulation of Interception of Communications Act governs telecom providers’ compliance with lawful interception and surveillance orders issued under national security and law enforcement frameworks. This obligates telecom providers to ensure that such interception is lawful. Providers are expected to maintain strict access controls, audit trails and confidentiality measures to prevent abuse and over-collection of personal data.

Third-Party Vendors and Cloud Service Providers

Third-party vendors and cloud service providers act as data processors, placing them squarely under the operation of the Data Privacy and Protection Act. This necessitates their strict compliance with the data processing principles and obligations under the Act. Telecom operators remain primarily accountable, requiring due diligence, processor agreements, security assessments, and oversight of offshore cloud services.

Impact on Telecom Network Infrastructure and Service Innovation

Stricter data protection requirements increase compliance costs and influence network architecture, data storage choices, and service design. While this may slow rapid deployment of data-driven services, it also promotes trust, secure digital services, and responsible innovation in Uganda’s telecom sector.

Primary Legal and Operational Challenges

Digital media providers face challenges in the following:

  • ensuring lawful consent;
  • managing large volumes of user-generated and behavioural data;
  • preventing data breaches; and
  • aligning fast-evolving platforms with the DPPA.

Operationally, difficulties arise from:

  • weak user awareness;
  • fragmented data systems; and
  • the cost of implementing robust security and compliance frameworks.

Implementation of Privacy-by-Design and Security-by-Design Principles

Digital media providers implement privacy-by-design elements through requiring explicit user consent, embedding data minimisation, default privacy settings, access controls and encryption into platform architecture from the outset.

Digital media providers implement security-by-design through adoption of access control mechanisms, secure coding practices, regular vulnerability testing, authentication controls, and incident-response planning, in line with guidance from NITA-U and cybersecurity best practices.

Challenges Arising From Third-Party Data Sharing

Sharing data with advertisers, analytics firms and partners heightens the risk of data breaches and breach of the Data Privacy and Protection Act’s specific requirements for cross-border processing of personal data, especially for those outside Uganda.

These challenges are mitigated by enforcing data processing agreements, consent management tools, anonymisation or aggregation of data, and ongoing vendor audits, with the platform remaining accountable for compliance.

Further, the Personal Data Protection Office retains the power to handle complaints relating to data breaches and non-compliance with the Data Protection and Privacy Act in respect of the rights of a data subject.

Impact of Emerging Cybersecurity Regulations on Digital Platforms

Emerging cybersecurity and digital governance regulations increase compliance obligations affecting platform architecture, hosting decisions and technology contracts. Digital media providers must incorporate stricter security standards, breach notification clauses and regulatory co-operation obligations into vendor agreements, influencing both operational costs and the pace of service innovation.

Kirunda & Co Advocates

Suite 5, Plot 5-7
Coral Crescent
Kololo
Kampala
Uganda

+256 414 255656

info@kirundaco.com www.kirundaco.com