Cybersecurity regulation in Ghana (2026)

The CSA released a draft amendment to Act 1038 that would grant the CSA Director-General and authorised officers powers to arrest, search, and seize — functions currently reserved for police — and impose stricter penalties for cyber offences. The bill is before Parliament's Communications Committee and has drawn fierce opposition from the parliamentary Minority over civil-liberties concerns.

At the opening of the 2024 National Cybersecurity Awareness Month, the CSA launched an updated NCPS establishing a National Cybersecurity Risk Management Framework, operationalising the national CERT ecosystem (CERT-GH), and setting standards for CII protection, cybersecurity certification, and child online protection. This is the operative strategic framework driving all current sectoral obligations.

The CSA launched a mandatory licensing and accreditation regime for firms providing cybersecurity services in Ghana, covering penetration testing, vulnerability assessment, SOC operations, and incident response. Companies must obtain CSA accreditation to operate lawfully, creating a direct compliance obligation for the cybersecurity-services market.

The Minister of Communications officially launched the CSA as Ghana's dedicated cybersecurity regulator under Act 1038, and simultaneously published the Directive for the Protection of Critical Information Infrastructure. The CII Directive requires designated infrastructure owners in energy, finance, and telecoms to undergo mandatory audits, report incidents within 24 hours, and disclose vulnerabilities within 72 hours.

Ghana's principal cybersecurity statute — 100 sections across 17 parts — establishes the Cyber Security Authority, creates a licensing regime for cybersecurity service providers, designates Critical Information Infrastructure categories, mandates incident reporting for regulated entities, and prescribes administrative and criminal penalties. It replaced the prior policy-only regime with binding legal obligations for the first time.

The government upgraded the National Cyber Security Secretariat (created in 2017) into the National Cyber Security Centre with an expanded mandate to coordinate national incident response and oversee implementation of the NCSPS. This institutional step built the operational nucleus that would ultimately become the Cyber Security Authority under Act 1038.

President Akufo-Addo inaugurated the National Cybersecurity Inter-Ministerial Advisory Council during Ghana's inaugural National Cybersecurity Week and launched a revised NCSPS. The National Cyber Security Secretariat (NCSS) was simultaneously established and the first National Cybersecurity Advisor was appointed, marking Ghana's formal transition to a structured institutional framework for cybersecurity governance.

Ghana's Ministry of Communications, with World Bank support, secured Cabinet approval for the country's first formal National Cyber Security Policy and Strategy. The policy introduced five pillars — legal measures, technical measures, organisational measures, capacity building, and international cooperation — establishing the governance architecture on which all subsequent cybersecurity legislation has been built.

Act 843 established Ghana's data protection framework, creating the Data Protection Commission and imposing obligations on data controllers to implement security measures and to notify the Commission and affected data subjects of security breaches 'as soon as reasonably practicable.' It introduced Ghana's first legal breach-notification duty and remains in force alongside the Cybersecurity Act as a parallel compliance obligation.

Act 771 established NITA as the ICT-policy implementation arm of the Ministry of Communications, mandating it to develop and enforce IT standards and security guidelines for government agencies and e-government infrastructure. NITA's standards work provided the first mandatory cybersecurity baseline for the public sector and laid the regulatory-capacity foundation for the later Cybersecurity Act.

Act 772 was Ghana's first comprehensive cybercrime and electronic-evidence law, criminalising computer fraud, unauthorised access and interception, and electronic forgery with higher penalties than the general Criminal Code. It established procedural rules for seizing and authenticating electronic evidence and remains the primary criminal-law vehicle for cyber offences not specifically addressed by the Cybersecurity Act 2020.