The Cyber Security Authority (CSA), Ghana’s cybersecurity regulator, is proposing significant changes to the 2020 Cybersecurity Act, and the move has drawn widespread public criticism.

Established in 2020, the CSA is tasked with preventing, managing, and responding to cybersecurity threats, promoting awareness, and strengthening Ghana’s digital resilience. In its latest push to fulfil this mandate, the Authority is seeking broader powers.

Under Section 20B of the amendment, the Director-General, Deputy Director-General, and authorised officers would gain powers of arrest, search, and seizure to investigate and prosecute cybercrimes, acting under the authority of the Attorney General. The amendment also allows the CSA to recover proceeds from cybercrimes.

A Joint Cybersecurity Committee — comprising representatives from key state institutions such as the National Communications Authority, the Bank of Ghana, and the Financial Intelligence Centre — will support implementation of national cybersecurity measures.

However, critics warn that the Act’s ambition to set security standards and certify emerging technologies such as artificial intelligence and blockchain could inadvertently stifle innovation. At a time when Ghana’s technology ecosystem is accelerating, overly rigid regulation might slow development and discourage experimentation.

Safeguarding critical infrastructure

The amendment grants the Minister for Communications the power to designate what constitutes critical information infrastructure (CII). This includes systems tied to defence, finance, utilities, emergency services, and digital platforms. Once designated, these systems would be governed by specific regulatory procedures published in the Gazette.

While intended to protect key digital assets, the minister’s broad discretion — particularly the power to classify “any other services” as critical — raises concerns about potential overreach. 

A further worry is the shift in language regarding the withdrawal of CII status. Where designations “shall” be published in the Gazette, withdrawals “may” be published. This subtle change could enable declassification without public notice, undermining transparency and accountability.

Funding and incentives

Expanded powers require resources, and the CSA stands to gain significant funding. In addition to parliamentary allocations and voluntary contributions, the Authority will receive 50% of all fines imposed under the Act, 9% of corporate tax, and 12% of the communications service tax. It will also collect levies on Bank of Ghana–licensed businesses and a portion of government e-service fees.

According to Ghana’s Annual Tax Report (PDF), these provisions could generate more than GH₵3.53 billion in additional revenue. Yet many citizens worry that granting the Authority half of all fines could incentivise indiscriminate penalties, prompting calls for this clause to be revised or removed.

Regulating the practice of cybersecurity

The amendment extends beyond institutions to individuals. Cybersecurity professionals will be prohibited from practising without CSA accreditation, and those who charge fees must obtain a licence. Even those offering services on a not-for-profit basis must be accredited.

The Authority is also mandated to establish a national certification scheme for cybersecurity practitioners and service providers, including those offering cyber hygiene certifications — a local alternative to frameworks like ISO 27001 or NIST. The CSA will further set limits on fees charged for these certifications.

Guardrails against online harassment

Not all provisions are about control. The amendment introduces new sections protecting children and vulnerable groups from cyberbullying, cyberstalking, and online harassment. Cyberbullying is defined as any digital communication that undermines dignity or causes fear, distress, or harm.

This means, for instance, that technology can no longer be used to send threatening messages or make sexual advances toward a child. While unauthorised monitoring of individuals is prohibited, parents and guardians are exempted when acting to protect minors. Social media and online gaming companies must also take active steps to safeguard young users.

While many Ghanaians fear the amendment grants the CSA unchecked powers, certain safeguards exist. 

The Authority can only investigate or prosecute cybercrimes with the Attorney General’s approval. Searches, seizures, and system inspections require prior authorisation from the High Court. Moreover, prosecutions will proceed through existing courts, preserving defendants’ right to a fair hearing.

Still, doubts remain. Princess, a technology lawyer, notes that Ghana’s courts are already overburdened, making timely approvals difficult. 

“They are two government institutions,” she says. “At the end of the day, I’m not sure whether the courts would be protecting citizens or the agency.”

Free speech and misinformation

Another contentious provision criminalises the spread of misleading information. Critics fear it could be weaponised to silence dissent. 

“I definitely think it represents unhealthy state control and could clamp down on free speech,” says Princess, adding that the absence of a clear definition of misleading information leaves room for arbitrary enforcement.