*2.2. National System*

To develop an effective cybersecurity strategy for the water and wastewater sector, it is prudent to first understand policy discussions at the national level [7]. On 23 March 2012, the NCPF was adopted by the South African Cabinet [36,62–64] and gazetted by the Minister of State Security on 23 September 2015 [65]. As the national cybersecurity strategy, the NCPF has six key objectives that can be summarised as "centralise coordination of cybersecurity activities, by facilitating the establishment of relevant structures, policy frameworks and strategies in support of cybersecurity in order to combat cybercrime, address national security imperatives and to enhance the information society and knowledge-based economy" [65] (p. 15). The NCPF's supporting legislation and policies were reviewed to determine where and how the water and wastewater sector fits in, if at all.

The NCPF has since been reviewed by various other researchers over the years, as detailed in Appendix A of this paper. Appendix A could have excluded all work published prior to September 2015, which was when the NCPF was officially gazetted. This is because, as discussed in later sections, some of the conclusions drawn from such work might currently be invalid or only partially valid due to subsequent insertions, substitutions, and/or repeals of some pieces of legislation supporting the NCPF, notwithstanding the mergers and renaming of some government departments. However, it was decided that the essence of the content of some of the previous research work—such as stakeholders involved, coordination structure, and perceived gaps and challenges—remained relevant. Appendix A therefore includes the NCPF review work from 2013 onwards, that is, the period after which the South African Cabinet adopted the NCPF in 2012.
