South Africa’s artificial intelligence (AI) policy integrates with and has picked various elements from the AI legislation of the European Union (EU), China and the US.
This is according to Dr Rejoice Malisa-van der Walt, CEO and co-founder of AI Nexus Research, Training & Consultancy, who was part of a panel discussion this week at ITWeb Security Summit 2025 at the Sandton Convention Centre, in Johannesburg.
Malisa-van der Walt was joined by Wits University professor and chief AI advisor Bruce Bassett, CSIR principal research leader and natural language processing and principal AI specialist Avi Moodley, as well as the Cyber Security Institute’s Samantha Hanreck, with AI and automation consultant Johan Steyn chairing.
The discussion examined global, regional and local trends in AI regulation and public policy, including the implications for managing AI risk.
Responding to a question about which region SA should look to for guidance as it crafts its AI policy and regulation, Malisa-van der Walt said: “When I was reading our AI policy framework, I was very excited to see there is the ‘Futures Triangle’. When you look at it, you find that we’ve picked from the different regions [EU, China and the US] the things that are relevant to our environment, which was my concern for a long time.
“I know South Africa…so I was encouraged when I saw the Futures Triangle, because it means [the policy] is addressing our current needs and how we are going to achieve our goals, while not forgetting where we come from (the weight of the past). We want to make sure that our policies serve everyone and not forget the past, and still address the things that we are battling with – AI should bring some of those solutions.”
South Africa’s policy for AI regulation is still in the development phase, with neighbouring African nations Nigeria, Mauritius and Rwanda also on their way to developing their own AI strategies and policies.
The Department of Communications and Digital Technologies (DCDT) has been at the forefront of AI regulation in SA. Following the release of a draft national AI plan document in April 2024, the DCDT published the national policy framework for AI in August, and requested feedback from the ICT industry and other stakeholders.
According to law firm Michalsons, the national AI policy will be the foundation for creating AI regulations and potentially an AI Act in SA. Once implemented, it aims to leverage AI to drive economic transformation, foster social equity and enhance SA's global competitiveness in AI innovation.
The EU AI Act, the first legal framework on AI, came into force on 1 August 2024, with some provisions applying later, such as prohibitions on certain AI systems starting on 2 February 2025. Full application of the Act is expected by 2 August 2026.
Compelling potential
Steyn premised the conversation by stating there are regulations for driving, so why not have AI regulation? “It’s not about fear-mongering, but this stuff is getting so powerful that we must look at regulating it. The balancing act will then be between regulation and innovation.”
Asked to explain the approach to AI policy across different regions, Malisa-van der Walt said the US takes AI regulation from a principles and market-driven base, emphasising innovation. However, when it comes to sensitive areas like defence and cyber security, the country has stringent rules.
“Overall, they’ve left most of the regulation guidelines to sectors – it is sector-specific – and they are coming up with different guidelines to make sure they have some control over AI.”
She noted that China is more state-controlled. “There’s lots of regulations and laws around different sectors, like cyber security, to support their main regulations. The most important regulation was for generative AI, which was the first after the 2022 launch of ChatGPT. They make sure they protect socialistic values and state security.”
In Europe, there is a stringent regulatory framework. “There are Acts that have accumulated and built towards the EU AI Act, with the most popular being the GDPR [General Data Protection Regulation].
“South Africa has POPIA [Protection of Personal Information Act], which is similar to GDPR. GDPR has been successful and influenced most of the regions, in terms of data governance and how we protect our data.
“However, you will find there has been push-back on their [the EU’s] stringent regulations and we pray they’re not going to drop the ball. As South Africa, we can learn; especially from the GDPR, and we are on track.”
The CSIR’s Moodley added there are many efforts to build an AI regulatory framework in SA, but the policy development process takes time.
“One of the interim steps that a lot of organisations, including the CSIR, are taking is putting in place guidelines that are linked to ethical and data practices that we want for the country, linking AI usage and behaviour towards that.
“In terms of how that rolls up to government, there are a few policy meet-ups that happen quarterly where the national AI strategy − which is done by the NACI [National Advisory Council on Innovation] working group − is developed and expanded on.
“Policy is never fast enough for technology; it’s always playing catch-up…and there’s unfortunately no silver bullet that you can put in place with policy and we also need to be careful that we don’t stifle innovation with too much regulation.”
Share