When Acting Police Minister Firoz Cachalia tabled the 2026/27 Police Budget Vote in Parliament on 19 May 2026, the headline was money: R127.072 billion for the South African Police Service this year, climbing to R135.8 billion by 2028/29, wrapped in a "police reset agenda" promising a modern, professional and trusted force (SA Government; SAnews). Buried beneath the reform language was a quieter and more consequential admission. The minister acknowledged severe pressure on forensic services — "DNA analysis, ballistics, digital forensics and cybercrime investigations" — and the Independent Police Investigative Directorate (IPID) announced it would build in-house forensic capacity by recruiting cyber forensic experts, crime analysts and financial-data specialists (IOL).
That admission quietly contradicts a law that has been on the books for five years.
The statute already assigned the job
South Africa's Cybercrimes Act 19 of 2020 is unambiguous about who leads. Section 55 requires the Cabinet member responsible for policing to "establish and maintain sufficient human and operational capacity" to detect, prevent and investigate cybercrimes, to ensure officers are trained, and to develop accredited training programmes with universities (Cybercrimes Act, SAFLII). SAPS, not a sectoral cyber-agency, is the designated coordinating body for domestic investigations and international assistance requests. The 2020 Act was Parliament's deliberate choice to make policing — not a standalone cybersecurity authority — the spine of the country's response.
The gap between that mandate and reality is now official. If SAPS were adequately capacitated under Section 55, IPID — a police watchdog, not an investigative arm of the force — would not need to stand up its own cyber-forensic unit to do corruption and misconduct casework. The budget vote is, in effect, the state conceding that the lead agency cannot yet carry the load the legislature handed it.
A law switched on by halves
The shortfall was foreseeable from the start. When the Act commenced on 1 December 2021, the Department of Justice brought it into force only in part. Sizeable pieces were held back pending regulations — including Chapter 6, which establishes the designated 24/7 point of contact, and section 54, the duty on electronic communications service providers and financial institutions to report offences to SAPS (Justice Department). The very provisions designed to feed SAPS a reliable stream of incident data — and to give it an always-on reporting channel — were deferred precisely because the capacity and rules to absorb them did not exist. Five years on, the budget confirms the foundation those provisions assumed is still being poured.
The stakes are not abstract. INTERPOL's 2025 Africa Cyberthreat Assessment recorded South Africa with the highest number of ransomware detections on the continent — 17,849 in 2024 — and found cybercrime now accounts for more than 30% of reported crime in parts of the region (INTERPOL). A statutory lead agency that cannot reliably turn around digital-forensic evidence is not a paperwork problem; it is the difference between prosecutions that hold and trials that collapse.
The case for the reset — and where it falls short
In fairness, the reset agenda is not empty. Cachalia is right that turning a forensic service around is a multi-year project, not a single budget cycle, and the plan has concrete edges: a continued Detective Critical Skills Allowance to retain investigators, procurement reform with National Treasury's technical-advisory centre, and an IPID commitment to cut its case backlog by 13,500 over three years while hiring 25 experienced investigators (Parliament). Building real capacity beats passing another bill, and the candour about forensic strain is healthier than the usual silence.
But three structural problems remain, and they are the ones that should worry a country that wants both security and a thriving digital economy.
- Fragmentation over coherence. Spreading cyber-forensic capacity across SAPS, the Directorate for Priority Crime Investigation and now IPID risks duplicating scarce skills rather than concentrating them where Section 55 placed accountability. Investigators and digital-forensic analysts are the binding constraint; splitting them thins everyone.
- Mandate without machinery. Reporting duties that never commenced mean SAPS still lacks the structured intake — from banks and telcos — that would let it triage at scale. Capacity without the data pipeline section 54 promised is a half-built bridge.
- Proportionality risk. When enforcement capacity lags a broad statute, the temptation is to compensate with blunt new powers rather than competent execution of existing ones. South Africa's better path is the opposite: finish operationalising the Act it has, fund the people who run it, and resist layering on fresh surveillance or reporting mandates that the system cannot yet absorb.
What proportionate looks like here
The pro-innovation answer is not less cyber-policing — it is competent, predictable cyber-policing. Businesses and citizens need a SAPS that can take a ransomware report, preserve evidence, and produce a forensic result a court will accept. That requires three things the budget gestures at but does not guarantee: a single, accountable home for digital forensics consistent with Section 55; commencement of the dormant reporting and point-of-contact provisions, with the regulations to make them workable; and ring-fenced, multi-year funding for forensic analysts rather than allowances that lapse.
The 2026/27 budget deserves credit for naming the problem out loud. The test is whether the next two cycles close the gap between what the Cybercrimes Act promised in 2020 and what South Africa's police can actually do — or whether the statute remains an unfunded mandate that looks tough on paper and thin in the evidence room.