Cybersecurity - Ghana

Enacted 29 December 2020, the Act is Ghana's primary cybersecurity statute. It creates the Cyber Security Authority, regulates cybersecurity service providers and practitioners, and provides the legal basis for protecting Critical Information Infrastructure.

The Minister designated 13 sectors as CII by Gazette Notice No. 132 on 23 September 2021, followed by the launch of the CII Protection Directive on 1 October 2021. CII owners must register systems with the CSA, conduct periodic security audits, and report incidents.

Act 1038 requires owners of designated CII systems to report cybersecurity incidents to CERT-GH within 24 hours of detection. A dedicated online incident reporting portal is operated by the CSA.

Cybersecurity service providers must obtain a licence from the CSA; individual practitioners must be accredited. Cybersecurity products and technology solutions also require CSA certification before deployment.

The Data Protection Act, 2012 (Act 843) requires data controllers to notify the Data Protection Commission and affected individuals as soon as reasonably practicable following a personal-data security breach, complementing the CSA incident-reporting regime.

A draft Cybersecurity (Amendment) Bill, 2025 was published by the CSA for public consultation (extended to 14 November 2025). It proposes expanded CSA investigative and enforcement powers, stricter penalties, and explicit parallel breach-notification to the Data Protection Commission. As of May 2026, it has not been passed by Parliament.