The week of 24 May 2026, South Africa's web backbone wobbled. A coordinated wave of distributed denial-of-service (DDoS) attacks battered six of the country's largest hosting and connectivity providers — 1-grid, Xneelo, Network Platforms, Host Africa, Domains.co.za and the Seacom undersea cable — knocking tens of thousands of downstream businesses offline. Inbound attack traffic on one host peaked near 700Gbit/s, a volume TechCentral reported as close to what local infrastructure can absorb. Attackers, identifying themselves as "Black Matter," demanded a ransom of just 2.5 monero — roughly R16,000 — per target to stop the barrage.
The striking thing is how ordinary the attack was. The ransom was trivially small. Security researchers quoted by ITWeb attributed the campaign to the booming market in DDoS-for-hire "booter" services, which let unsophisticated actors rent botnet firepower for pocket change. The providers themselves mitigated the assault, with Network Platforms routing traffic through a London-based scrubbing service before returning clean packets home. By global standards this was a commodity attack handled largely by the private sector. What it exposed was not a hole in South Africa's threat landscape but a hole in its state response.
Five years of unbuilt capacity
South Africa is not short of cyber law. The Cybercrimes Act 19 of 2020 was signed in May 2021 and largely commenced on 1 December 2021. Section 55 of that Act is explicit: the cabinet member responsible for policing must "establish and maintain sufficient human and operational capacity to detect, prevent and investigate cybercrimes," ensure officials are trained, and develop accredited training programmes for SAPS members in cooperation with universities. That wording, set out in a peer-reviewed analysis of the Act in the journal Obiter, makes clear the capacity was never assumed — it had to be built.
It largely has not been. As legal specialist Samantha Moloi told TechCentral during the attacks, "to date, we do not have a dedicated cyber division in SAPS, but fragmentation." The 24/7 point of contact for cybercrime reporting that Chapter 6 of the Act envisages has not become the operational nerve centre it was meant to be. None of this is new: the Institute for Security Studies warned back in June 2021 that the police service's "knowledge, experience and staffing are in short supply," and that plugging the gap would likely require outside support. Five years on, an attack a mid-sized firm could have launched found the state without a clear front door.
The bill that lost its cybersecurity half
The coordination vacuum is partly a drafting artefact. The legislation began life as the Cybercrimes and Cybersecurity Bill. During parliamentary deliberations the cybersecurity provisions were stripped out and the measure was renamed simply the Cybercrimes Bill, on the promise that a dedicated cybersecurity law would follow. It never did. South Africa was left with a sharp criminal statute and no coherent operational framework for defending networks and coordinating incident response.
The result is exactly the fragmentation Moloi describes. A single attack can simultaneously implicate SAPS for the offence, the Cybersecurity Hub — the national Computer Security Incident Response Team established under the Department of Communications and Digital Technologies — for technical coordination, the Information Regulator for any personal-data breach under POPIA, and ICASA for electronic-communications disruption. Communications Minister Solly Malatsi's response captured the problem even as he tried to solve it: "I am engaging with the minister in the presidency to ensure a coordinated whole-of-government approach to monitoring these attacks." Coordination that has to be improvised mid-crisis, minister-to-minister, is the symptom, not the cure.
The case for a new framework — and its limits
There is a serious argument for legislating the missing half. Proponents say a statutory cybersecurity framework with a single national command — a clear incident authority, mandatory reporting for critical-infrastructure operators, and defined roles — would end the silo problem and give businesses one number to call when 700Gbit/s lands on their doorstep. When essential services are at stake, ambiguity about who is in charge is genuinely dangerous, and that case deserves to be taken seriously rather than waved away.
But the evidence from this incident points elsewhere. The providers had the legal authority and the technical means to defend themselves; they did. What they lacked was a resourced state partner to coordinate intelligence, attribution and a unified response. Adding another broad cybersecurity statute risks loading compliance mandates and reporting penalties onto the very ISPs and hosts that were the victims here — punishing the defenders while doing nothing to staff a cyber division that Section 55 already requires. South Africa's tech-governance machinery is already strained: the government's own national AI policy was just delayed to January 2027 after an earlier draft was withdrawn over fabricated academic citations, a vivid reminder that the binding constraint is institutional capacity, not a shortage of documents.
What proportionate looks like
The proportionate fix is to build what the law on the books already promises. Fund and staff the Section 55 capacity inside SAPS. Properly resource the Cybersecurity Hub so the national CSIRT can actually coordinate during an incident rather than after it. Stand up a lightweight national incident-command function — Moloi herself points to the UK's National Cyber Security Centre as a model — that convenes the existing players instead of replacing them. Favour voluntary, fast information-sharing with industry over heavy mandatory-reporting regimes that chill cooperation. The DDoS wave of late May 2026 was not a sign that South Africa needs more cyber law. It was a sign that the state has not yet done the unglamorous work of resourcing the law it already has.