NKP Act vs CIPA Act 8 of 2019: What Changed

For four decades, the protection of South Africa's most strategically important sites was governed by the National Key Points Act 102 of 1980. That law has now been repealed. In its place, the Critical Infrastructure Protection Act, 2019 (Act 8 of 2019) — known as CIPA — establishes a modern, transparent framework for identifying, declaring and protecting critical infrastructure. If you operate a declared site or deploy security personnel to one, understanding this transition is no longer optional.

Why the NKP Act Was Repealed

The 1980 National Key Points Act was widely criticised for its secrecy and limited oversight. CIPA modernises the approach by introducing clear definitions, public accountability and structured oversight by the Minister of Police, the National Commissioner and the Critical Infrastructure Council. The shift reframes "national key points" as "critical infrastructure" and places defined obligations on the persons in control of such infrastructure.

What CIPA Introduces

• A declaration and categorisation process for identifying critical infrastructure based on risk.
• Defined roles for the Minister, National Commissioner and Critical Infrastructure Council.
• Duties of persons in control — including security measures, reporting obligations and cooperation with inspections.
• Inspection and enforcement provisions, with offences for non-compliance.
• A transitional framework so that sites previously declared as national key points are carried into the new regime.

The practical takeaway: training built on the old NKP Act is now out of date. Personnel must be trained to CIPA's terminology, duties and compliance obligations.

What It Means for Persons in Control

Under CIPA, the person in control of declared critical infrastructure carries direct responsibility for securing it. That includes implementing appropriate physical protection systems, maintaining records, reporting incidents, and ensuring that deployed security personnel are competent and compliant. Failure to meet these duties can constitute an offence.

What It Means for Security Training

Security officers, supervisors and control-room operators deployed to critical sites need training that reflects current law — not the repealed NKP Act. A compliant programme should cover the CIPA legal and governance framework, threat and vulnerability assessment, physical protection systems, incident management, insider risk, lawful use of force, and supervision and audit readiness. Crucially, that training must be PSIRA-accredited and SASSETA/SAQA-aligned so the resulting certificates are recognised and audit-ready.

The Transition in Practice

Many operators are still running legacy "NKP" programmes. The safest path is a programme that explicitly teaches the transition from the NKP Act to CIPA, incorporates the interim/draft CIPA regulations, and maps each module to SAQA/SASSETA unit standards. That way your personnel are compliant today and ready for regulatory changes as the regulations are finalised.