Tralac, 2025
Summary of the Annexes to the AfCFTA Protocol on Digital Trade
The AfCFTA Protocol on Digital Trade (Protocol), adopted by the AU assembly in February 2024, is accompanied by eight (8) annexes. The annexes elaborate specific regulatory and technical areas of the Protocol, including rules of origin, digital idenFFes, cross-border digital payments, cross-border data transfers, online safety and security, legitimate and legal public interest reasons for source code disclosure, emerging and advanced technologies, and financial technology. The annexes to the Protocol were adopted by the AU assembly in February 2025, and they form an integral part of the Protocol.
The Annex on Rules of Origin derives from Article 5 of the protocol and establishes the criteria for determining the origin of digital goods and services or content, digital platforms, and African-owned enterprises.
Contrary to the rules of origin in trade in goods, the rules of origin under the protocol on digital trade focus on what constitutes an African digital product or content, an African digital platform and an African-owned enterprise for the purposes of determining preferential treatment under the protocol. An African-owned enterprise must be registered under the laws of a State Party whose majority (i.e., over 50%) equity interest is owned or controlled by natural or legal persons of a State Party/Parties and maintains substantial business operations in the territory of a State Party. An African Digital Platform is a digital platform registered or otherwise incorporated and operated under the applicable laws and regulations of a state party, and owned and controlled by a natural or juridical person/s of a state party or state parties.
The Annex on Digital Identities establishes a legal framework for governing digital identities under the AfCFTA. The Annex requires state parties to adopt digital identities for natural and legal persons to enable secure and interoperable digital identification, electronic
Know Your Customer (e-KYC), and trust, facilitating the movement of businesspersons across state parties. The main objective of the Annex is to promote interoperability and mutual recognition of digital identity systems to facilitate cross-border transactions and
trust. The Annex establishes an AfCFTA Digital Identity, a verifiable credential, to facilitate the mobility of businesspersons and e-KYC across
borders.
The Annex on Cross-Border Digital Payments seeks to enhance the efficiency, affordability, security, and inclusivity of cross-border digital payments. The annex focuses on the facilitation of interoperability between continental, regional and national digital payment systems, including mobile money, digital wallets and financial technology. In addition, the Annex includes provisions to address online consumer protection, cybersecurity, fraud prevention measures, as well as cooperation on anti-money laundering (AML) and counter-terrorism financing.
The Annex on Cross-Border Data Transfers seeks to facilitate the secure and safe crossborder transfers of data for trade purposes. The Annex eliminates regulatory and administrative barriers to cross-border data transfers within the AfCFTA digital market.
Essentially, the Annex further facilitates crossborder data transfers while protecting personal
data in order to boost digital trade, innovation and inclusive socio-economic growth within the AfCFTA digital market.
The Annex on Legitimate and Legal Public Interest Reasons for the Disclosure of Source Code stipulates conditions under which judicial authorities or regulatory bodies of State Parties may request access to proprietary source code. The Protocol generally prohibits access to source code but provides exceptions for accessing the source code including to maintain public order and safety; protect public morals, human, animal or plant life or health; protect essential security interests; protect and access critical infrastructure; prevent deception and fraudulent practices; or prevent arbitrary or unjustifiable discrimination. The body or authority given access to the source code is required to protect the source code against unlawful access, acquisition, or appropriation by a third party, and against cybercrimes or threats. The body or authority is further required to inform the affected person of the decision concerning the request within three (3) months from the date of submission of the source code. The affected person shall be entitled to transparent, fair and reasonable procedures, including prompt and imperfect review, appeal and appropriate remedies.
The Annex on Financial Technology aims to foster innovation while ensuring regulatory clarity in financial technologies such as digital banking, blockchain, and AI-driven finance.
The Annex, among other things, provides for the establishment of regulatory sandboxes to test new technologies, license passports of financial technology, and harmonization of licensing and registration of financial technologies across State Parties.
The Annex on Emerging and Advanced Technologies promotes responsible
development and use of emerging digital technologies like Artificial Intelligence, Internet of Things, Quantum Computing, Robotics, Machine Learning, 5G, 3D printing, Blockchain, Virtual Reality in digital trade. The Annex is underpinned by the principle of technology neutrality – i.e. merely provides a general framework to promote the development and responsible use of the emerging technologies in digital trade without necessarily aiming at regulating specific technology. The Annex provides for cooperation on ethical standards and regulatory alignment, risk assessment mechanisms and adaptive governance, and encourages public-private collaboration, research and development and the use of
regulatory sandboxes to test technologies before they are deployed in the market.
The Annex on Online Safety and Security
seeks to ensure a safe and secure digital environment for users, including protections
against cyber threats and harmful online content. The Annex includes commitments of State Parties to cooperate in addressing cybersecurity, information sharing on threats and incidents, the protection of vulnerable populations, especially children, and balancing content regulation with freedom of expression.
