South Africa has, on paper, one of the more coherent cybercrime legal frameworks in sub-Saharan Africa. The Cybercrimes Act No. 19 of 2020 — which commenced on 1 December 2021 — gives SAPS broad warrant powers to seize and forensically examine digital devices, mandates that the National Police Commissioner establish a 24/7 cybercrime Point of Contact, and explicitly requires the policing minister to ensure officers receive accredited digital forensics training. The National Cybersecurity Policy Framework, published in Government Gazette No. 39475 in December 2015, laid the governance architecture nearly a decade ago. The law is not the problem.
The enforcement is.
The Training Gap
On 8 June 2026, Democratic Alliance Spokesperson on Police Lisa Schickerling MP revealed — via parliamentary written response — that between 1 April 2025 and 27 February 2026, not a single detective at South Africa's 35 highest-crime police stations received digital forensics training. In the same period, only 15 detectives across those stations received any financial investigation training at all. At stations including Nyanga, Inanda, and Delft — the country's most active crime environments — investigators are encountering digital evidence daily and, by SAPS's own account, are unequipped to handle it.
The staffing picture compounds the training problem. Against an approved detective requirement of 4,607 posts across those 35 stations, only 3,496 posts are funded, and just 2,480 are actually filled. That is a net shortfall of more than 2,100 investigators — before the skills question is even asked.
The DA has characterised this as deliberate underfunding rather than resource scarcity, a charge worth taking seriously given the gap's duration. An 11-month window of zero specialist training is not an accident; it reflects a budget and prioritisation decision.
What Mishandling Costs
The operational stakes are concrete. Detectives who activate seized smartphones without Faraday bags destroy call metadata that would otherwise be admissible. Those unfamiliar with current encryption standards can inadvertently trigger factory resets on devices, permanently erasing WhatsApp communications, financial app records, and location history that prosecutors need. Digital evidence mishandled at collection rarely recovers downstream.
This matters because South Africa's cyber-threat environment is no longer a background risk. According to SABRIC's 2024 Crime Statistics Report, digital banking incidents surged 86% year-on-year — from roughly 52,000 in 2023 to approximately 98,000 in 2024 — with losses reaching R1.888 billion. Attack vectors include AI-generated scams, deepfake impersonation, SIM-swap fraud, and malware disguised as legitimate banking apps.
Against that volume, SAPS recorded 544 cybercrime-related fraud cases on its national register, a figure the DA's Adv. Glynnis Breytenbach MP surfaced in September 2025. The arithmetic is stark: a detection and registration rate of roughly half a percent. The overwhelming majority of victims had no functional law enforcement response.
The Fairness of a Harder Question
Before arguing for restructuring, it is worth acknowledging the legitimate case for patience. Building specialist digital forensics capacity inside a national police service is expensive, requires accredited curricula, and competes against vacancy rates that reflect South Africa's broader public-sector fiscal constraints. One could argue that the Cybercrimes Act's Chapter 6 provisions — which mandate the cybercrime Point of Contact — simply need more time and dedicated budget lines to implement. Critics of the DA's framing might note that 35 stations were never going to absorb advanced digital forensics skills overnight.
That argument was plausible in 2022. After four years of Act commencement, and with Chapter 6's Point of Contact mandate still dormant, the patience case has run out. The Act's requirement for basic training is not optional, and zero progress in an 11-month period is not a pipeline delay.
The Cyber Commissioner Proposal
The DA has renewed its call for a dedicated Cyber Commissioner, framed as a Chapter 9 constitutional institution — independent, like the Public Protector or the Auditor-General — with a mandate spanning both public and private sector cybersecurity, minimum-standard advisory powers, and national incident coordination. Breytenbach's Private Member's Bill was tabled in Parliament on 11 July 2023.
The concept has merit. An independent Cyber Commissioner would resolve one of the Cybercrimes Act's core structural ambiguities: accountability sits nowhere specific. SAPS, the State Security Agency, the Information Regulator, and the Department of Communications all have partial mandates that overlap without a coordinating authority. A Chapter 9 institution with investigative independence could close that gap.
The risk is that South Africa has a well-documented pattern of creating statutory institutions that are themselves under-resourced from launch. A Cyber Commissioner without a dedicated budget appropriation, ring-fenced from general police cuts, would become another well-named office with no staff, no tools, and a growing backlog. The constitutional amendment by itself solves the accountability question; it does not solve the funding question.
What Proportionate Reform Looks Like
The evidence points to three near-term interventions that do not require a constitutional amendment:
- Mandatory digital forensics training quotas built into SAPS performance agreements for divisional commanders at the top 35 stations, with parliamentary reporting on completion rates
- Commencement of Chapter 6 of the Cybercrimes Act, which has sat dormant since the Act's 2021 launch, to formalise the Point of Contact structure
- SABRIC-SAPS data integration, closing the gap between the 100,000 attacks recorded by the banking sector and the 544 cases on the SAPS register through a formalised incident-reporting pipeline
The DA's Cyber Commissioner Bill is a reasonable long-term structural proposal and should advance in Parliament. But the more urgent task is enforcing the law that already exists. South Africa has the statute. It needs the detectives.