WHY THE INFORMATION REGULATOR SOUTH AFRICA'S FOCUS SHIFTED IN 2026
- Compliance Hub Consulting

- May 29
The conversation around compliance in South Africa has been dominated by POPIA for years. Boards debate cybersecurity, companies scramble to draft privacy notices, and every second webinar promises to explain lawful processing.
But quietly, and with increasing intensity, the Information Regulator has redirected its attention toward something many businesses still treat as an administrative afterthought: the Promotion of Access to Information Act (PAIA).
And in 2026, that shift is no longer subtle.
The submission window for the 2025/2026 PAIA Annual Report is officially open and closes on 30 June 2026. For many organisations, this deadline is going to expose a deeper problem: businesses that created policies for compliance optics, but never built operational systems to support them.
The Era of “Passive Compliance” is Over
For years, many organisations approached PAIA with a checkbox mentality.
Create a PAIA Manual.
Upload it to the website.
Appoint an Information Officer.
Hope nobody asks questions.
That approach is now collapsing under regulatory scrutiny.
The Information Regulator has increasingly institutionalised enforcement through its eServices portal, transforming PAIA reporting from a once-a-year administrative exercise into an auditable compliance framework.
This means your compliance is no longer judged by whether you have documents. It is judged by whether your systems demonstrate operational accountability.
The most important shift in 2026 is that the Regulator now expects organisations to prove that their PAIA processes actually function in practice.
Information Officer Registration is No Longer Optional
One of the biggest stumbling blocks this year is the requirement for verified Information Officer registration.
Many businesses still mistakenly assume that merely designating an Information Officer internally is sufficient. It is not.
If the Information Officer’s registration on the eServices portal is incomplete, inactive, or unverified, the annual report submission cannot proceed.
This has created significant last-minute panic for organisations discovering that:
Previous Information Officers have resigned
Registrations were never finalised
Verification emails were ignored
Delegations were never updated
Contact details no longer match company records
In practical terms, this means some companies may miss the reporting deadline before they even begin the reporting process.
The “Nil Return” Misunderstanding is Creating Risk
One of the most common and dangerous misconceptions around PAIA reporting is the belief that “nothing happened, so nothing needs to be submitted.”
This is incorrect.
Even if your organisation received zero PAIA requests between 1 April 2025 and 31 March 2026, a “Nil” return must still be filed.
This requirement matters because the Regulator is measuring accountability, not activity.
Failure to submit a Nil return effectively signals one of two things:
Either the organisation does not understand its legal obligations, or it lacks governance systems capable of monitoring them.
Neither interpretation reflects well during regulatory scrutiny.
Your Statistics Tell a Story About Your Governance
The annual report is not simply a data collection exercise.
It is a governance assessment tool.
The Regulator now expects organisations to disclose:
The number of access requests received
How many were granted
How many were refused
The legal grounds for refusal
Whether statutory deadlines were extended
Whether requests were handled within prescribed timeframes
This creates an important operational challenge.
Many businesses have no formal PAIA request tracking mechanism.
Requests arrive through email inboxes, HR departments, reception desks, legal teams, or customer service channels with no centralised logging process. In some organisations, staff do not even recognise when a communication qualifies as a PAIA request.
The result is fragmented reporting and significant compliance exposure.
An organisation cannot accurately report on requests it never properly tracked in the first place.
The PAIA Manual is Becoming a Verification Tool
Another major enforcement trend emerging in 2026 is the Regulator’s increased cross-referencing of PAIA Manuals against annual report submissions.
This means your Section 51 Manual is no longer a static document uploaded once and forgotten forever.
The Regulator increasingly checks whether:
The manual is publicly accessible
Contact details are accurate
Physical addresses are current
Information Officer details align with eServices records
Internal request procedures are properly described
Many organisations are now discovering that their manuals still contain:
Former employee names
Old office addresses
Broken website links
Outdated organisational structures
References to repealed legislation
These inconsistencies create credibility issues that may trigger deeper regulatory attention.
The Real Risk is Not Fines. It is Evidence of Governance Failure.
Most organisations fear penalties. But the greater risk is often what non-compliance reveals internally.
A poor PAIA process usually points to broader governance weaknesses:
Weak record management
Poor accountability structures
Inadequate document retention systems
Fragmented compliance ownership
Lack of executive oversight
Reactive rather than integrated governance culture
This is why regulators increasingly view PAIA as more than an information access law. It has become a lens through which organisational maturity is evaluated. An organisation that cannot account for information requests often struggles with broader governance disciplines as well.
The Critical Question Every Business Should Ask
The most revealing compliance question in 2026 is no longer:
“Do we have a PAIA Manual?”
It is:
“If the Information Regulator requested our PAIA request tracking log today, what would it reveal?”
Would it demonstrate:
Clear accountability
Proper escalation processes
Timeous responses
Consistent decision making
Accurate record keeping
Or would it reveal silence, confusion, and administrative gaps disguised as “no activity”?
Because an empty log can mean two very different things.
Perfect compliance. Or perfect neglect.
And in 2026, the Information Regulator is becoming increasingly skilled at telling the difference.



