Consultancy Services for the Development of National Cybersecurity Strategy Toolkit for the African Union Member States – WARDIP PROJECT

REQUEST FOR EXPRESSIONS OF INTEREST (INDIVIDUAL CONSULTANT SELECTION) Country: Ethiopia Name of Project: Digital Transformation for Africa/ Western Africa Regional Digital Integration Program SOP -1 Grant No: P180117 Assignment Title: Consultancy Services for the Development of National Cybersecurity strategy Toolkit for the African Union Member States – WARDIP PROJECT Reference No. ET-AUC-502728-CS-INDV The African Union Commission has received financing from the World Bank toward the cost of DIGITAL TRANSFORMATION FOR AFRICA/ WESTERN AFRICA REGIONAL DIGITAL INTEGRATION PROGRAM (DTFA/ WARDIP) SOP-1.and intends to apply part of the proceeds for consulting services The consulting services (“the Services”) include Selection of Individual Consultant for the Development of National Cybersecurity strategy Toolkit for the African Union Member States – WARDIP PROJECT The key objective of the assignment is to develop a toolkit for the purpose of guiding AU MS on the development of their national cybersecurity strategies to ensure strengthened cybersecurity governance frameworks and harmonization with the AU Continental AI Strategy among others. The consultant is expected to perform the following activities:

• Develop inception report,
• Perform desk work assessment of African countries cybersecurity strategy readiness using methodologies such as surveys, desk review of national strategies and interviews.
• Define readiness with measurable criteria
• Review the continental cybersecurity strategy which will constitute the building blocks for the toolkit,
• Conduct needs assessment of countries relating to cybersecurity strategies and collect national and regional (AU) cybersecurity related frameworks/ blueprints as basis for the toolkit development,
• Review existing work by RECs and AUC pertaining to regional cybersecurity strategies/ blueprints and identify areas for updating and improvements to draw inferences from lessons learned of what worked on the ground and what did not work considering the African context,
• Identify practical priority areas in the short, medium and long term. These areas must respond to African users’ needs,
• Draft a comprehensive toolkit for national cybersecurity strategies to be used by African member states,
• The toolkit should include incident response frameworks, cyber risk assessments, and national-level SOC guidance. The toolkit should also include pillars aligned with global standards such as Governance and Legal, Protection of Critical Infrastructure, Incident response & resilience, capacity & awareness, cooperation & PPP
• The toolkit should contain a Cybersecurity Resilience Framework with incident response playbooks for AU Member States and a mapping table aligning international frameworks with the AU context.
• The toolkit should outline a collaboration framework for public-private partnerships, which are critical for cybersecurity capability building thus ensuring stronger integration with public-private partnerships and encouraging collaboration with tech firms, ISPs, and financial sectors,
• Organize a validation workshop on the developed (toolkit) involving African technical experts and policy stakeholders.
• Finalize the documents following experts’ feedback and recommendations,
• Develop a user manual, training, awareness raising and best practices materials to support the implementation and dissemination of the toolkit. The user manual/ training material should incorporate Key Performance Indicators (KPIs) for measuring cybersecurity progress.

EXPECTED DELIVERABLES . The project deliverables and work products shall be as follows: Deliverables Deliverables after signing of contract Development of national cybersecurity strategy toolkit for AU MS 1. Inception report 1 month 2. Needs assessment, case collection developed, and baseline data compiled (including mapping of existing policies, institutions, CSIRTS and legal frameworks per country) 2 months 3. Toolkit for national cybersecurity strategies drafted (including model templates and checklists-Strategy structure, action plan, KPI table, etc) 3 months 4. A comprehensive toolkit for national cybersecurity strategies developed in Africa in both English and French languages 4 months 5. Best practices, user manual, training materials and awareness raising content developed to support the implementation and dissemination of the toolkit

• Months

Duration of Assignment: The duration of the assignment is 5 Months The detailed Terms of Reference (TOR) for the assignment are attached to this Request for Expression of Interest. The African Union Commission now invites eligible individuals (“Consultants”) to indicate their interest in providing the Services. Interested Consultants should provide information demonstrating that they have the required qualifications and relevant experience to perform the Services. The requirement for the assignment is described below Academic and education background Advanced University Degree in the following fields:

• Telecommunications/ICT/Compute Science/ Computer Engineering
• Business management and/or Law
• Database/Software Applications Management

Minimum Diploma/ Certification in Digital Policy/ Strategy formulation/CISSP/CISM/ISO 27001 Lead Implementer/Auditor or equivalent is an added advantage Professional Experience

• At least 10 years of practical experience and proven expertise in successfully undertaking similar projects and assignments in the development of national/regional cybersecurity blueprint/ toolkit along with its action plan / tactical roadmap at national and regional levels with preference of a prior extensive knowledge of the African landscape.
• At least 5 years of experience in the African region regarding the African cybersecurity strategies landscape trends, principles, challenges, priorities and indicators,
• Knowledge of national cyber readiness indicators within the African continent.

Knowledge and Expertise

• Experience in integrating, demonstrating and processing relevant data/content visually and graphically,
• Demonstrated ability to acquire and access up-to-date relevant data to support the assignment,
• Proven abilities to demonstrate similar prior assignments conducted by the consultant,
• Broad knowledge of cybersecurity prospects in Africa including regional and national budget needs, policy, Interoperability options and regulatory regimes,
• Knowledge of cybersecurity global trends on a 360-eagle view, cyber maturity models (ITU GCI, CMM, SCMM) and familiarity with AU Cybersecurity and Data Protection Frameworks

Project management, Business and organizational Skills

• The consultancy should possess relevant practical experience and proven expertise in successfully undertaking cybersecurity strategy projects’ management at national and regional levels,
• Proven timely project delivery at national and regional levels.

Stakeholder Engagement

• Excellent communication and negotiation skills to engage with a diverse range of stakeholders,
• Ability to build and maintain relationships with governmental bodies, industry partners, pertinent regional institutions and civil society.

Global Perspective:

• Awareness of international developments and trends in cybersecurity and cyber-resilience areas,
• Ability to apply global best practices to the local context.

Problem-Solving Skills:

• Analytical mindset to identify and solve complex challenges,
• Excellent report writing skills in English, ability to produce concise reports,
• Excellent interpersonal, presentation and communication skills, both orally and in writing,
• Proficiency in the use of standard office software packages, email and internet.

Collaboration and Teamwork:

• Ability to work collaboratively within teams and across AU / WB departments

Language Skills:

• Advanced level English or French is required and Proficiency in other official languages of the AU in both spoken and written communication will be considered an added advantage

Evaluation Criteria The Candidates shall be evaluated based on the criteria provided below; Evaluation Criteria

• Qualifications (30%): The required qualifications indicated in the ToR
• General experience (10%). The general experience indicated in the ToR.
• Specific Experience relevant to the assignment (50%): The Specific Experience relevant to the assignment indicated in the ToR.
• Language (10%): The language skills required is specified in the TOR

. The attention of interested Consultants is drawn to Section III, paragraphs, 3.14, 3.16, and 3.17 of the World Bank’s “Procurement Regulations for IPF Borrowers” July 2016, revised November 2020 (“Procurement Regulations”), setting forth the World Bank’s policy on conflict of interest. A Consultant will be selected in accordance with the Individual Consultant selection method set out in the Procurement Regulations. Further information can be obtained at the address below during office hours i.e. 0900 to 1700 hours. Expressions of interest must be delivered in a written form to the address below (in person, or by mail, or by e-mail) by 29 December 2025 African Union Commission, Attn: Head of Supply Chain Management Division Building C, 3rd Floor, P.O Box 3243, Roosevelt Street Addis Ababa, Ethiopia Tel: +251 (0) 11 551 7700 – Ext 4305 Fax: +251 (0) 11 551 0442; +251 11-551-0430 E-mails: tender@africanunion.org TERMS OF REFERENCE Consultancy Services for the Development of National Cybersecurity Strategy Toolkit for the African Union Member States – WARDIP PROJECT (CONSULTING SERVICES – INDIVIDUAL) December 2025 Addis Ababa

• Introduction

The world is embracing Digital Transformation to drive a prosperous and peaceful future for mankind. Digital transformation has the potential to accelerate socio-economic and political transformation and fast-track the development of critical sectors such as agriculture, energy, transport, trade, manufacturing, fintech, health and education. Digital Transformation can propel the continent to realize the AU Agenda 2063 goals and aspirations. The internet penetration in Africa is growing form 10% (2010) to 38% (2024)[1] and expected to grow faster within the next decade. Moreover, the continent is embarking on huge digital transformative initiatives[2] to create the digital economy and society. Furthermore, the continent thrives to realize the largest free trade zone in the world which requires more connectivity, free flow of information, huge payment transactions among others. Hence, the continent’s dependency on technology, even though, not at the level of developed nations, is increasing rising and at the same time exposing its people and business cyber threats and cybercrime. Emerging Digital Technologies have the potential to exponentially transform the way we work, communicate, learn and interact with each other. Furthermore, according to a study by the World Bank, Africa’s contribution to the global workforce is projected to be the largest in the world by year 2100, it is therefore critical for African countries to increase uptake of the Digital Technologies to drive employment growth for the more than 22 million African joining the workforce each year. A 2020 study by the International Finance Corporation (IFC) revealed that the digital economy could contribute $1.8 billion (5.2%) to the continent’ GDP by 2025, and around $712 billion (8.5%) by 2050. However, recent AfricaCERT Cybersecurity Survey covering 40 African countries in 2024 revealed that more than one third of the surveyed countries did not have a national cybersecurity strategy and that in most countries legal harmonization remains a challenge, with limited adoption of comprehensive laws and regulations The current awareness and preparedness to combat cybercrime on the continent is at a very low level to the extent of not being able to defend and protect even the 38% of the connected population and the sparse critical infrastructures. As a result, the African cyberspace is characterised as a safe haven for cyber criminals. This African leadership has realized the vital necessity to secure the African cyberspace and has adopted cybersecurity as one of the flagship project of AU 2063 agenda. This ambition has been supported by several decisions adopted by the AU Organs within the last decade. Starting from the “AU reference Framework for the harmonization of Telecom ICT policies and Regulations”, the entry into of force of Malabo Convention on Cybersecurity and Personal Data Protection in June of 2023, the adoption of the AU Child Online Safety and Empowerment Policy, the adoption of the “AU Digital transformation Strategy”[3]. (DTS) and ending with the recent adoption of the African Digital Compact and the Continental AI Strategy in July 2024. These instruments recognize Cybersecurity as a vital cross cutting sector. Cybersecurity is a component of the above-mentioned instruments, and the toolkit will contribute to their implementation by supporting African Union Member States to develop their national cybersecurity strategies. The fundamental objective of the DTS is that by “BY 2030 all our people should be digitally empowered to benefit from Digital Economy and able to access safely and securely to at least (6 MB/s) all the time wherever they live in the continent at an affordable price of no more than 1CTS USD per MB through a smart device manufactured in the continent at the price of no more than 100 USD to benefit from all basic e-Services and content of which at least 30% is developed and hosted in Africa by Africans.”[4] According to the World Economic Forum, cybercrime has grown to such an extent that it can now be described as the world’s third-largest economy, after the US and China. It is estimated that cybercrime could reach around $10.5 trillion by 2025. Hence, developing comprehensive cybersecurity strategies for Africa and her Member States is urgently required to protect the current and future African cyberspace and guide actions related to cybersecurity at the national/ regional/ continental levels. To this end, the AU Commission is coordinating the development of a continental cybersecurity strategy by end of Q1 of 2025. Therefore, the development of a toolkit to support AU Member States draft their own national cybersecurity strategies in line with the continental cybersecurity strategy is becoming a high priority for the AU Commission. The toolkit should be augmented by awareness raising and capacity building campaigns by AU Commission to make sure that countries will be motivated and stand ready to develop/ update their own national strategies.

• AIM AND OBJECTIVES OF THE ASSIGNEMENT

The key objective of the assignment is to develop a toolkit for the purpose of guiding AU MS on the development of their national cybersecurity strategies to ensure strengthened cybersecurity governance frameworks and harmonization with the AU Continental AI Strategy among others.

• SCOPE OF WORK

The consultant is expected to perform the following activities:

• Develop inception report,
• Perform desk work assessment of African countries cybersecurity strategy readiness using methodologies such as surveys, desk review of national strategies and interviews.
• Define readiness with measurable criteria
• Review the continental cybersecurity strategy which will constitute the building blocks for the toolkit,
• Conduct needs assessment of countries relating to cybersecurity strategies and collect national and regional (AU) cybersecurity related frameworks/ blueprints as basis for the toolkit development,
• Review existing work by RECs and AUC pertaining to regional cybersecurity strategies/ blueprints and identify areas for updating and improvements to draw inferences from lessons learned of what worked on the ground and what did not work considering the African context,
• Identify practical priority areas in the short, medium and long term. These areas must respond to African users’ needs,
• Draft a comprehensive toolkit for national cybersecurity strategies to be used by African member states,
• The toolkit should include incident response frameworks, cyber risk assessments, and national-level SOC guidance. The toolkit should also include pillars aligned with global standards such as Governance and Legal, Protection of Critical Infrastructure, Incident response & resilience, capacity & awareness, cooperation & PPP
• The toolkit should contain a Cybersecurity Resilience Framework with incident response playbooks for AU Member States and a mapping table aligning international frameworks with the AU context.
• The toolkit should outline a collaboration framework for public-private partnerships, which are critical for cybersecurity capability building thus ensuring stronger integration with public-private partnerships and encouraging collaboration with tech firms, ISPs, and financial sectors,
• Organize a validation workshop on the developed (toolkit) involving African technical experts and policy stakeholders.
• Finalize the documents following experts’ feedback and recommendations,
• Develop a user manual, training, awareness raising and best practices materials to support the implementation and dissemination of the toolkit. The user manual/ training material should incorporate Key Performance Indicators (KPIs) for measuring cybersecurity progress.
• EXPECTED DELIVERABLES

All deliverables, including reports, architecture, plans, and other artifacts, will be submitted shall be provided in both electronic and printed formats to the Infrastructure and Energy Directorate project manager for acceptance and/or approval. The project deliverables and work products shall be as follows: Deliverables Deliverables after signing of contract Development of national cybersecurity strategy toolkit for AU MS 1. Inception report 1 month 2. Needs assessment, case collection developed, and baseline data compiled (including mapping of existing policies, institutions, CSIRTS and legal frameworks per country) 2 months 3. Toolkit for national cybersecurity strategies drafted (including model templates and checklists-Strategy structure, action plan, KPI table, etc) 3 months 4. A comprehensive toolkit for national cybersecurity strategies developed in Africa in both English and French languages 4 months 5. Best practices, user manual, training materials and awareness raising content developed to support the implementation and dissemination of the toolkit 5 Months

• Duration of Assignment

The duration of the assignment is 5 Months

• CONSULTANT PROFILE

At minimum, the selected consultant should possess the following skills:

• Academic and education background

Advanced University Degree in the following fields:

• Telecommunications/ICT/Compute Science/ Computer Engineering
• Business management and/or Law
• Database/Software Applications Management

Diploma/ Certification in Digital Policy/ Strategy formulation/CISSP/CISM/ISO 27001 Lead Implementer/Auditor or equivalent is an added advantage Professional Experience

• At least 10 years of practical experience and proven expertise in successfully undertaking similar projects and assignments in the development of national/regional cybersecurity blueprint/ toolkit along with its action plan / tactical roadmap at national and regional levels with preference of a prior extensive knowledge of the African landscape.
• At least 5 years of experience in the African region regarding the African cybersecurity strategies landscape trends, principles, challenges, priorities and indicators,
• Knowledge of national cyber readiness indicators within the African continent.

Project management, Business and organizational Skills

• Experience in integrating, demonstrating and processing relevant data/content visually and graphically,
• Demonstrated ability to acquire and access up-to-date relevant data to support the assignment,
• Proven abilities to demonstrate similar prior assignments conducted by the consultant,
• Broad knowledge of cybersecurity prospects in Africa including regional and national budget needs, policy, Interoperability options and regulatory regimes,
• Knowledge of cybersecurity global trends on a 360-eagle view, cyber maturity models (ITU GCI, CMM, SCMM) and familiarity with AU Cybersecurity and Data Protection Frameworks

Knowledge and Expertise

• The consultancy should possess relevant practical experience and proven expertise in successfully undertaking cybersecurity strategy projects’ management at national and regional levels,
• Proven timely project delivery at national and regional levels.

• Stakeholder Engagement

• Excellent communication and negotiation skills to engage with a diverse range of stakeholders,
• Ability to build and maintain relationships with governmental bodies, industry partners, pertinent regional institutions and civil society.

Global Perspective:

• Awareness of international developments and trends in cybersecurity and cyber-resilience areas,
• Ability to apply global best practices to the local context.

Problem-Solving Skills:

• Analytical mindset to identify and solve complex challenges,
• Excellent report writing skills in English, ability to produce concise reports,
• Excellent interpersonal, presentation and communication skills, both orally and in writing,
• Proficiency in the use of standard office software packages, email and internet.

Collaboration and Teamwork:

• Ability to work collaboratively within teams and across AU / WB departments

Language Skills:

• Advanced level English or French is required and Proficiency in other official languages of the AU in both spoken and written communication will be considered an added advantage.

Data, Services, and facilities to be provided by the Client The organization will provide all relevant existing documents to facilitate the consultant work to allow the consultant to perform remote and/or field duties to successfully carry out the assignment. Client’s Management Arrangement The consultant will report to the Director I&E. The consultant reviews of progress will be done at each stage of the process (from Inception, milestones stages to the final reports). Agency: Africa Union Commission Procurement method: Individual Consultant Selection Notice type: Request for Expression of Interest Status: Published Value: 54000.0 USD

REQUEST FOR EXPRESSIONS OF INTEREST (INDIVIDUAL CONSULTANT SELECTION) Country: Ethiopia Name of Project: Digital Transformation for Africa/ Western Africa Regional Digital Integration Program SOP -1 Grant No: P180117 Assignment Title: Consultancy Services for the Development of National Cybersecurity strategy Toolkit for the African Union Member States – WARDIP PROJECT Reference No. ET-AUC-502728-CS-INDV The African Union Commission has received financing from the World Bank toward the cost of DIGITAL TRANSFORMATION FOR AFRICA/ WESTERN AFRICA REGIONAL DIGITAL INTEGRATION PROGRAM (DTFA/ WARDIP) SOP-1.and intends to apply part of the proceeds for consulting services The consulting services (“the Services”) include Selection of Individual Consultant for the Development of National Cybersecurity strategy Toolkit for the African Union Member States – WARDIP PROJECT The key objective of the assignment is to develop a toolkit for the purpose of guiding AU MS on the development of their national cybersecurity strategies to ensure strengthened cybersecurity governance frameworks and harmonization with the AU Continental AI Strategy among others. The consultant is expected to perform the following activities: Develop inception report, Perform desk work assessment of African countries cybersecurity strategy readiness using methodologies such as surveys, desk review of national strategies and interviews. Define readiness with measurable criteria Review the continental cybersecurity strategy which will constitute the building blocks for the toolkit, Conduct needs assessment of countries relating to cybersecurity strategies and collect national and regional (AU) cybersecurity related frameworks/ blueprints as basis for the toolkit development, Review existing work by RECs and AUC pertaining to regional cybersecurity strategies/ blueprints and identify areas for updating and improvements to draw inferences from lessons learned of what worked on the ground and what did not work considering the African context, Identify practical priority areas in the short, medium and long term. These areas must respond to African users’ needs, Draft a comprehensive toolkit for national cybersecurity strategies to be used by African member states, The toolkit should include incident response frameworks, cyber risk assessments, and national-level SOC guidance. The toolkit should also include pillars aligned with global standards such as Governance and Legal, Protection of Critical Infrastructure, Incident response & resilience, capacity & awareness, cooperation & PPP The toolkit should contain a Cybersecurity Resilience Framework with incident response playbooks for AU Member States and a mapping table aligning international frameworks with the AU context. The toolkit should outline a collaboration framework for public-private partnerships, which are critical for cybersecurity capability building thus ensuring stronger integration with public-private partnerships and encouraging collaboration with tech firms, ISPs, and financial sectors, Organize a validation workshop on the developed (toolkit) involving African technical experts and policy stakeholders. Finalize the documents following experts’ feedback and recommendations, Develop a user manual, training, awareness raising and best practices materials to support the implementation and dissemination of the toolkit. The user manual/ training material should incorporate Key Performance Indicators (KPIs) for measuring cybersecurity progress. EXPECTED DELIVERABLES . The project deliverables and work products shall be as follows: Deliverables Deliverables after signing of contract Development of national cybersecurity strategy toolkit for AU MS 1. Inception report 1 month 2. Needs assessment, case collection developed, and baseline data compiled (including mapping of existing policies, institutions, CSIRTS and legal frameworks per country) 2 months 3. Toolkit for national cybersecurity strategies drafted (including model templates and checklists-Strategy structure, action plan, KPI table, etc) 3 months 4. A comprehensive toolkit for national cybersecurity strategies developed in Africa in both English and French languages 4 months 5. Best practices, user manual, training materials and awareness raising content developed to support the implementation and dissemination of the toolkit Months Duration of Assignment: The duration of the assignment is 5 Months The detailed Terms of Reference (TOR) for the assignment are attached to this Request for Expression of Interest. The African Union Commission now invites eligible individuals (“Consultants”) to indicate their interest in providing the Services. Interested Consultants should provide information demonstrating that they have the required qualifications and relevant experience to perform the Services. The requirement for the assignment is described below Academic and education background Advanced University Degree in the following fields: Telecommunications/ICT/Compute Science/ Computer Engineering Business management and/or Law Database/Software Applications Management Minimum Diploma/ Certification in Digital Policy/ Strategy formulation/CISSP/CISM/ISO 27001 Lead Implementer/Auditor or equivalent is an added advantage Professional Experience At least 10 years of practical experience and proven expertise in successfully undertaking similar projects and assignments in the development of national/regional cybersecurity blueprint/ toolkit along with its action plan / tactical roadmap at national and regional levels with preference of a prior extensive knowledge of the African landscape. At least 5 years of experience in the African region regarding the African cybersecurity strategies landscape trends, principles, challenges, priorities and indicators, Knowledge of national cyber readiness indicators within the African continent. Knowledge and Expertise Experience in integrating, demonstrating and processing relevant data/content visually and graphically, Demonstrated ability to acquire and access up-to-date relevant data to support the assignment, Proven abilities to demonstrate similar prior assignments conducted by the consultant, Broad knowledge of cybersecurity prospects in Africa including regional and national budget needs, policy, Interoperability options and regulatory regimes, Knowledge of cybersecurity global trends on a 360-eagle view, cyber maturity models (ITU GCI, CMM, SCMM) and familiarity with AU Cybersecurity and Data Protection Frameworks Project management, Business and organizational Skills The consultancy should possess relevant practical experience and proven expertise in successfully undertaking cybersecurity strategy projects’ management at national and regional levels, Proven timely project delivery at national and regional levels. Stakeholder Engagement Excellent communication and negotiation skills to engage with a diverse range of stakeholders, Ability to build and maintain relationships with governmental bodies, industry partners, pertinent regional institutions and civil society. Global Perspective: Awareness of international developments and trends in cybersecurity and cyber-resilience areas, Ability to apply global best practices to the local context. Problem-Solving Skills: Analytical mindset to identify and solve complex challenges, Excellent report writing skills in English, ability to produce concise reports, Excellent interpersonal, presentation and communication skills, both orally and in writing, Proficiency in the use of standard office software packages, email and internet. Collaboration and Teamwork: Ability to work collaboratively within teams and across AU / WB departments Language Skills: Advanced level English or French is required and Proficiency in other official languages of the AU in both spoken and written communication will be considered an added advantage Evaluation Criteria The Candidates shall be evaluated based on the criteria provided below; Evaluation Criteria Qualifications (30%): The required qualifications indicated in the ToR General experience (10%). The general experience indicated in the ToR. Specific Experience relevant to the assignment (50%): The Specific Experience relevant to the assignment indicated in the ToR. Language (10%): The language skills required is specified in the TOR . The attention of interested Consultants is drawn to Section III, paragraphs, 3.14, 3.16, and 3.17 of the World Bank’s “Procurement Regulations for IPF Borrowers” July 2016, revised November 2020 (“Procurement Regulations”), setting forth the World Bank’s policy on conflict of interest. A Consultant will be selected in accordance with the Individual Consultant selection method set out in the Procurement Regulations. Further information can be obtained at the address below during office hours i.e. 0900 to 1700 hours . Expressions of interest must be delivered in a written form to the address below (in person, or by mail, or by e-mail) by 29 December 2025 African Union Commission, Attn: Head of Supply Chain Management Division Building C, 3rd Floor, P.O Box 3243, Roosevelt Street Addis Ababa, Ethiopia Tel: +251 (0) 11 551 7700 – Ext 4305 Fax: +251 (0) 11 551 0442; +251 11-551-0430 E-mails: tender@africanunion.org TERMS OF REFERENCE Consultancy Services for the Development of National Cybersecurity Strategy Toolkit for the African Union Member States – WARDIP PROJECT (CONSULTING SERVICES – INDIVIDUAL) December 2025 Addis Ababa Introduction The world is embracing Digital Transformation to drive a prosperous and peaceful future for mankind. Digital transformation has the potential to accelerate socio-economic and political transformation and fast-track the development of critical sectors such as agriculture, energy, transport, trade, manufacturing, fintech, health and education. Digital Transformation can propel the continent to realize the AU Agenda 2063 goals and aspirations. The internet penetration in Africa is growing form 10% (2010) to 38% (2024)[1] and expected to grow faster within the next decade. Moreover, the continent is embarking on huge digital transformative initiatives[2] to create the digital economy and society. Furthermore, the continent thrives to realize the largest free trade zone in the world which requires more connectivity, free flow of information, huge payment transactions among others. Hence, the continent’s dependency on technology, even though, not at the level of developed nations, is increasing rising and at the same time exposing its people and business cyber threats and cybercrime. Emerging Digital Technologies have the potential to exponentially transform the way we work, communicate, learn and interact with each other. Furthermore, according to a study by the World Bank, Africa’s contribution to the global workforce is projected to be the largest in the world by year 2100, it is therefore critical for African countries to increase uptake of the Digital Technologies to drive employment growth for the more than 22 million African joining the workforce each year. A 2020 study by the International Finance Corporation (IFC) revealed that the digital economy could contribute $1.8 billion (5.2%) to the continent’ GDP by 2025, and around $712 billion (8.5%) by 2050. However, recent AfricaCERT Cybersecurity Survey covering 40 African countries in 2024 revealed that more than one third of the surveyed countries did not have a national cybersecurity strategy and that in most countries legal harmonization remains a challenge, with limited adoption of comprehensive laws and regulations The current awareness and preparedness to combat cybercrime on the continent is at a very low level to the extent of not being able to defend and protect even the 38% of the connected population and the sparse critical infrastructures. As a result, the African cyberspace is characterised as a safe haven for cyber criminals. This African leadership has realized the vital necessity to secure the African cyberspace and has adopted cybersecurity as one of the flagship project of AU 2063 agenda. This ambition has been supported by several decisions adopted by the AU Organs within the last decade. Starting from the “AU reference Framework for the harmonization of Telecom ICT policies and Regulations”, the entry into of force of Malabo Convention on Cybersecurity and Personal Data Protection in June of 2023, the adoption of the AU Child Online Safety and Empowerment Policy, the adoption of the “AU Digital transformation Strategy”[3]. (DTS) and ending with the recent adoption of the African Digital Compact and the Continental AI Strategy in July 2024. These instruments recognize Cybersecurity as a vital cross cutting sector. Cybersecurity is a component of the above-mentioned instruments, and the toolkit will contribute to their implementation by supporting African Union Member States to develop their national cybersecurity strategies. The fundamental objective of the DTS is that by “BY 2030 all our people should be digitally empowered to benefit from Digital Economy and able to access safely and securely to at least (6 MB/s) all the time wherever they live in the continent at an affordable price of no more than 1CTS USD per MB through a smart device manufactured in the continent at the price of no more than 100 USD to benefit from all basic e-Services and content of which at least 30% is developed and hosted in Africa by Africans.”[4] According to the World Economic Forum, cybercrime has grown to such an extent that it can now be described as the world’s third-largest economy, after the US and China. It is estimated that cybercrime could reach around $10.5 trillion by 2025. Hence, developing comprehensive cybersecurity strategies for Africa and her Member States is urgently required to protect the current and future African cyberspace and guide actions related to cybersecurity at the national/ regional/ continental levels. To this end, the AU Commission is coordinating the development of a continental cybersecurity strategy by end of Q1 of 2025. Therefore, the development of a toolkit to support AU Member States draft their own national cybersecurity strategies in line with the continental cybersecurity strategy is becoming a high priority for the AU Commission. The toolkit should be augmented by awareness raising and capacity building campaigns by AU Commission to make sure that countries will be motivated and stand ready to develop/ update their own national strategies. 2. AIM AND OBJECTIVES OF THE ASSIGNEMENT The key objective of the assignment is to develop a toolkit for the purpose of guiding AU MS on the development of their national cybersecurity strategies to ensure strengthened cybersecurity governance frameworks and harmonization with the AU Continental AI Strategy among others. 3. SCOPE OF WORK The consultant is expected to perform the following activities: Develop inception report, Perform desk work assessment of African countries cybersecurity strategy readiness using methodologies such as surveys, desk review of national strategies and interviews. Define readiness with measurable criteria Review the continental cybersecurity strategy which will constitute the building blocks for the toolkit, Conduct needs assessment of countries relating to cybersecurity strategies and collect national and regional (AU) cybersecurity related frameworks/ blueprints as basis for the toolkit development, Review existing work by RECs and AUC pertaining to regional cybersecurity strategies/ blueprints and identify areas for updating and improvements to draw inferences from lessons learned of what worked on the ground and what did not work considering the African context, Identify practical priority areas in the short, medium and long term. These areas must respond to African users’ needs, Draft a comprehensive toolkit for national cybersecurity strategies to be used by African member states, The toolkit should include incident response frameworks, cyber risk assessments, and national-level SOC guidance. The toolkit should also include pillars aligned with global standards such as Governance and Legal, Protection of Critical Infrastructure, Incident response & resilience, capacity & awareness, cooperation & PPP The toolkit should contain a Cybersecurity Resilience Framework with incident response playbooks for AU Member States and a mapping table aligning international frameworks with the AU context. The toolkit should outline a collaboration framework for public-private partnerships, which are critical for cybersecurity capability building thus ensuring stronger integration with public-private partnerships and encouraging collaboration with tech firms, ISPs, and financial sectors, Organize a validation workshop on the developed (toolkit) involving African technical experts and policy stakeholders. Finalize the documents following experts’ feedback and recommendations, Develop a user manual, training, awareness raising and best practices materials to support the implementation and dissemination of the toolkit. The user manual/ training material should incorporate Key Performance Indicators (KPIs) for measuring cybersecurity progress. 4. EXPECTED DELIVERABLES All deliverables, including reports, architecture, plans, and other artifacts, will be submitted shall be provided in both electronic and printed formats to the Infrastructure and Energy Directorate project manager for acceptance and/or approval. The project deliverables and work products shall be as follows: Deliverables Deliverables after signing of contract Development of national cybersecurity strategy toolkit for AU MS 1. Inception report 1 month 2. Needs assessment, case collection developed, and baseline data compiled (including mapping of existing policies, institutions, CSIRTS and legal frameworks per country) 2 months 3. Toolkit for national cybersecurity strategies drafted (including model templates and checklists-Strategy structure, action plan, KPI table, etc) 3 months 4. A comprehensive toolkit for national cybersecurity strategies developed in Africa in both English and French languages 4 months 5. Best practices, user manual, training materials and awareness raising content developed to support the implementation and dissemination of the toolkit 5 Months 5. Duration of Assignment The duration of the assignment is 5 Months 6. CONSULTANT PROFILE At minimum, the selected consultant should possess the following skills: Academic and education background Advanced University Degree in the following fields: Telecommunications/ICT/Compute Science/ Computer Engineering Business management and/or Law Database/Software Applications Management Diploma/ Certification in Digital Policy/ Strategy formulation/CISSP/CISM/ISO 27001 Lead Implementer/Auditor or equivalent is an added advantage Professional Experience At least 10 years of practical experience and proven expertise in successfully undertaking similar projects and assignments in the development of national/regional cybersecurity blueprint/ toolkit along with its action plan / tactical roadmap at national and regional levels with preference of a prior extensive knowledge of the African landscape. At least 5 years of experience in the African region regarding the African cybersecurity strategies landscape trends, principles, challenges, priorities and indicators, Knowledge of national cyber readiness indicators within the African continent. Project management, Business and organizational Skills Experience in integrating, demonstrating and processing relevant data/content visually and graphically, Demonstrated ability to acquire and access up-to-date relevant data to support the assignment, Proven abilities to demonstrate similar prior assignments conducted by the consultant, Broad knowledge of cybersecurity prospects in Africa including regional and national budget needs, policy, Interoperability options and regulatory regimes, Knowledge of cybersecurity global trends on a 360-eagle view, cyber maturity models (ITU GCI, CMM, SCMM) and familiarity with AU Cybersecurity and Data Protection Frameworks Knowledge and Expertise The consultancy should possess relevant practical experience and proven expertise in successfully undertaking cybersecurity strategy projects’ management at national and regional levels, Proven timely project delivery at national and regional levels. Stakeholder Engagement Excellent communication and negotiation skills to engage with a diverse range of stakeholders, Ability to build and maintain relationships with governmental bodies, industry partners, pertinent regional institutions and civil society. Global Perspective: Awareness of international developments and trends in cybersecurity and cyber-resilience areas, Ability to apply global best practices to the local context. Problem-Solving Skills: Analytical mindset to identify and solve complex challenges, Excellent report writing skills in English, ability to produce concise reports, Excellent interpersonal, presentation and communication skills, both orally and in writing, Proficiency in the use of standard office software packages, email and internet. Collaboration and Teamwork: Ability to work collaboratively within teams and across AU / WB departments Language Skills: Advanced level English or French is required and Proficiency in other official languages of the AU in both spoken and written communication will be considered an added advantage. Data, Services, and facilities to be provided by the Client The organization will provide all relevant existing documents to facilitate the consultant work to allow the consultant to perform remote and/or field duties to successfully carry out the assignment. Client’s Management Arrangement The consultant will report to the Director I&E. The consultant reviews of progress will be done at each stage of the process (from Inception, milestones stages to the final reports). Agency: Africa Union Commission Procurement method: Individual Consultant Selection Notice type: Request for Expression of Interest Status: Published Value: 54000.0 USD