Measures to address the security challenges of the information society have given rise to the concept of cybersecurity governance. One major aspect of cybersecurity governance is the establishment of legal measures to criminalize and deter malicious acts that affect the integrity, confidentiality, availability and security of digital data and computer systems. Accordingly, several States and intergovernmental organizations across the world have established legal frameworks to promote cybersecurity governance. This is also the case in Africa. The African Union has adopted a Convention on Cyber Security and Personal Data Protection, while other African regional intergovernmental organizations such as the Economic Community of West African States, the Common Market for Eastern and Southern Africa and the Southern African Development Community have established legal and policy frameworks for cybersecurity governance. In addition, many African States have developed legal and policy frameworks to promote cybersecurity, while some others in the process of developing such frameworks. However, most of Africa’s responses to cybersecurity governance have been focused on the establishment of criminal law measures. Yet while the establishment of criminal law measures is regarded as a critical component of cybersecurity governance, the isolated existence of such measures may not produce desirable outcomes in terms of minimizing cybersecurity vulnerabilities in Africa’s information society. This paper seeks to make a case for the development of other critical components of cybersecurity governance, including technical and organizational measures and user education. It suggests that ‘stand-alone’ criminal law measures will not be able to reduce the rising trends of cyber-criminality in Africa, and that the timely development of other critical components of cybersecurity governance is imperative especially due to the peculiar challenge of weak law enforcement capacities and justice delivery systems in many African States.