The TCRA Cybersecurity Code in 2026 — what every Tanzanian SME owner needs to know
The Tanzania Communications Regulatory Authority has been quietly raising the cybersecurity bar for online businesses since the Electronic and Postal Communications (Online Content) Code came into force. Here's what the Code actually expects from a small Tanzanian business in 2026 — in plain English, written by a hosting company that has to comply itself.
The short version
If your business has a website, an app, a payment endpoint, or a customer database — TCRA expects you to keep it secure, report incidents within 24 hours of detection, and prove on demand that you have the controls to do both. Most SMEs get there by choosing a hosting provider that already meets the bar — instead of building from scratch.
The six controls that matter most
HTTPS everywhere (TLS 1.2+)
Every endpoint, including admin pages. We auto-issue Let's Encrypt SSL on every domain and enforce HTTP-to-HTTPS redirects.
Encrypted backups, off-server, ≥ 30 days
TCRA asks for evidence of recovery capability. Our Sungura plan onwards ships daily encrypted backups to a separate Hetzner region.
Access logs retained 12 months
cPanel + WordPress login logs are kept for 12 months minimum on our infrastructure — long enough to cover any TCRA inspection.
Incident-response runbook
We hand every business hosting client a 4-page IR playbook: detect, contain, eradicate, recover, report.
Quarterly vulnerability scan
Imunify360 scans every account hourly; we send a clean-bill-of-health PDF quarterly that satisfies the "demonstrable monitoring" clause.
Designated security contact
TCRA expects a named individual. We add the contact to your hosting account and route incident alerts to them by SMS + email.
Why hosting choice = compliance choice
When TCRA asks for evidence — backups, logs, encryption, incident response — those artefacts almost all live inside your hosting environment. Choose an offshore shared host with no Tanzanian presence and you'll spend weeks reconstructing them under pressure.
Jumbe Nylon, our founder, sits on TCRA stakeholder calls precisely so the Code stays implementable by ordinary Tanzanian SMEs — not just by banks with seven-figure compliance teams. Every Sakurahost plan ships with the controls above baked in.
A 30-minute compliance check for your business
- Is HTTPS enforced on every page including admin? (Open
https://yoursite.co.tz/wp-admin/in a clean browser.) - Do you have a backup from the last 24 hours? (Ask your host to show it.)
- Is a security contact named in your business records?
- Do you have a one-page incident-response runbook?
- Do you log who has admin access — and review it monthly?
Any "no" is a compliance gap. We close all five for every Sakurahost business client in the first onboarding call.
Frequently asked questions
Who has to comply with the TCRA Cybersecurity Code?
Any business operating an online service from Tanzania — websites, e-commerce, fintech, ISPs, content providers — falls within scope. SMEs are not exempt; thresholds apply only to incident severity and reporting cadence.
Does the Code force me to host inside Tanzania?
TCRA hasn't issued a hard residency mandate for SMEs, but the Personal Data Protection Act 2022 layers on top — sensitive personal data attracts heavy transfer scrutiny. The simplest, lowest-risk path is to host in Dar es Salaam.
What counts as a reportable incident?
Any breach of confidentiality, integrity, or availability of an online service — data exposure, ransomware, prolonged outage, fraudulent access. SMEs report material incidents to TCRA within 24 hours of detection.
Do I need an ISO 27001 certificate?
No — full ISO is not required for an SME. But TCRA looks favourably on an information-security policy mapped to ISO 27001 controls. We supply our hosting clients a starter policy template.
Where does Sakurahost fit?
We're a Tanzanian-registered, TCRA-aware hosting provider. We log every admin action, take encrypted off-server backups, run TLS 1.3 by default, and write you the incident-response runbook the Code expects to see.
Related reading
Compliance-ready hosting from Tsh. 55,000/year
TLS 1.3, encrypted off-server backups, audit logs, named security contact, IR runbook — all included.