INTRODUCTION
The objective of Ghana’s Cybersecurity Act, 2020 (Act 1038), was to provide a comprehensive legal framework for cybersecurity and related activities in an increasingly digital society. The Act established the Cyber Security Authority (CSA) as the regulatory body responsible for overseeing cybersecurity activities in the country. As part of its objectives, the Act was to regulate cybersecurity activities in the country, ensure a strong and resilient digital ecosystem, and foster international cooperation.
Five years after its enactment, however, and against the backdrop of increasing cyber threats and the emergence of new technologies within the country, there has been a need to amend the Act, which has led to the introduction of the Cybersecurity (Amendment) Bill, 2025. This article examines the key changes introduced by the Bill, highlighting notable innovations and areas of concern that merit further parliamentary review.
CRITICAL INFORMATION INFRASTRUCTURE (CII)
One of the central pillars of Ghana’s cybersecurity regime is the concept of Critical Information Infrastructure (CII). Under the Cybersecurity Act, 2020 (Act 1038), CII is defined as “a computer or computer system designated under section 35(1)”. This definition offers little substantive clarification of what constitutes CII. Instead, it relies almost entirely on ministerial designation.
The Draft Amendment Bill largely retains this approach but expands the grounds upon which a computer system or network may be designated as CII. The Minister may now designate a computer system or network infrastructure that is essential to public health and safety, national security, and the economic and social well-being of citizens as a CII, in addition to what the Act already provides.
The inclusion of public health reflects lessons from recent global crises and aligns cybersecurity regulation with broader national resilience concerns. An example is the COVID-19 pandemic, which demonstrated the extent to which Ghana’s public health sector relies on digital systems. Although there were no cybersecurity incidents in Ghana’s health sector during the pandemic, the crisis highlighted the potential repercussions for public safety that could arise if critical health information systems were compromised, thereby justifying their inclusion within the scope of cybersecurity regulation.
When the definition of CII in section 35 of Act 1038 is compared with other definitions adopted in the Cyber Security Authority (CSA)’s directives and regional instruments, such as the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), the statutory framework still falls short. Both the CSA and the Malabo Convention describe CII as infrastructure whose disruption would have a destructive impact on national security, economic stability, public safety, and the sustainability of cyberspace. The continued reliance on ministerial discretion, without a clear statutory definition, raises concerns about predictability, transparency, and consistency in designation.
PROTECTING CII: OBLIGATIONS AND ENFORCEMENT
The Bill maintains the obligation under section 36 of Act 1038, which requires owners of CII to register with the CSA, but it significantly strengthens enforcement mechanisms. Administrative penalties for failure to comply with CSA directives now range from 5,000 to 50,000 penalty units and extend beyond CII owners to include cybersecurity service providers, developers, innovators, and other relevant actors in the cybersecurity ecosystem. These enhanced penalties underscore the government’s intent to ensure compliance and accountability.
MANDATORY INCIDENT REPORTING AND AUDITS
The Bill reinforces mandatory cybersecurity incident reporting by requiring CII owners to report any cybersecurity incident within 24 hours of detection to the relevant Sectoral Computer Emergency Response Team (S-CERT) or to the National Computer Emergency Response Team (N-CERT) where no sectoral team exists. Failure to report within the prescribed timeframe attracts penalties of between 250 and 10,000 penalty units.
S-CERTs themselves are also subject to sanctions if they fail to forward incident reports to the N-CERT. Beyond reporting, CII owners are required to conduct post-incident cybersecurity audits and submit the audit reports to the CSA.
These strengthened measures are commendable in several ways. First, the long-standing issue of under-reporting, where organisations hide incidents out of concern for their reputation or business, is addressed by the implementation of explicit reporting deadlines and sanctions. Secondly, extending sanctions to S-CERTs for failure to forward reports strengthens institutional accountability and ensures that the reporting chain functions effectively. Lastly, the requirement for post-incident cybersecurity audits ensures systematic weaknesses are identified and corrected.
JURISDICTIONAL REACH AND FOREIGN ENTITIES
Although the long title of Act 1038 suggests a territorially limited application that regulates cybersecurity activities “in the country”, the Bill expands the Act’s practical reach. Section 35(e) requires the Minister to consider whether a designated CII supports international business involving Ghanaian citizens or government interests. Section 35(e) of the Bill extends the Act’s jurisdictional reach to cover incidents that transcend Ghana’s borders.
The Bill further affects foreign-based companies that provide digital services to persons in Ghana. Courts may issue production orders and warrants compelling foreign entities to furnish computer data under sections 59F and 59G.
EXPANDED POWERS OF THE CYBER SECURITY AUTHORITY
A defining feature of the Bill is the expansion and consolidation of powers vested in the Cyber Security Authority. Subject to article 88 of the 1992 Constitution of Ghana, the CSA is empowered to investigate and, with the authority of the Attorney-General, prosecute cybercrime. Senior officials and authorised officers are vested with police-like powers, including the power to arrest, search, and seize.
Investigative officers may access, copy, remove, or render inaccessible computer data, seize computer systems, compel individuals to provide technical information, and, with judicial approval, extend searches to interconnected computer systems within Ghana.
Although these powers are designed to enhance enforcement efficiency, they are extensive and susceptible to abuse, particularly the powers relating to entry, inspection, and the freezing of property. The concentration of investigative, regulatory, and prosecutorial authority in a single institution remains one of the most controversial aspects of the Bill.
DATA RETENTION AND PRIVACY IMPLICATIONS
The Bill preserves the data retention framework under Act 1038, requiring service providers to retain subscriber information for six years and traffic and content data for twelve months. Any extension of retention beyond one year (for traffic data and content data) requires a High Court order specifying the duration of retention.
While these provisions are intended to support criminal investigations, they raise concerns regarding data protection, privacy rights, and proportionality, particularly in the absence of stronger safeguards on access, use, and destruction of retained data.
JUDICIAL OVERSIGHT AS A SAFEGUARD
To mitigate the breadth of enforcement powers, both Act 1038 and the Amendment Bill subject the CSA’s actions to judicial oversight. The High Court must be satisfied that warrants and preservation orders are necessary for a criminal investigation, proportionate and protective of third-party privacy interests.
A court must also confirm freezing orders imposed by the CSA on assets within fourteen days. These safeguards are critical. However, their effectiveness ultimately depends on rigorous judicial scrutiny and institutional independence.
OFFENCES, PENALTIES, AND PROPORTIONALITY
The Cybersecurity Amendment Bill has introduced additional offences and penalties to supplement those under the Act, including unauthorised access and computer-related fraud.
Unauthorised access is defined in the Bill as “access of any kind by a person to a programme or data held in a computer without authority if the person is not personally entitled to control access of the kind in question to the programme or data and the person does not have consent to access the kind of programme or data from the person who is entitled to control access.”
The Bill also broadly covers computer-related fraud, including intentional, fraudulent, or dishonest manipulation of computer data or systems to cause the loss of property to another person or to procure unlawful gain in money or other property.
While these definitions allow flexibility to address emerging threats, they risk criminalising legitimate cybersecurity research and testing.
The Bill also significantly increases penalties for certain offences, particularly those involving the non-consensual sharing of intimate images, cyberbullying, online harassment, and threats to distribute prohibited content. For example, the penalty for the non-consensual sharing of intimate images increases from a term of one (1) to three (3) years under the Act to a term of three (3) to ten (10) years under the Bill.
While some view these enhanced penalties as necessary deterrents in an increasingly harmful digital environment, others consider them excessive and potentially disproportionate.
REGULATORY OVERLAP AND INSTITUTIONAL TENSIONS
Another area of concern is regulatory overlap. The Bill presents potential regulatory overlaps with the Electronic Transactions Act, 2008 (Act 772). Act 772 already vests authority to investigate and prosecute offences in cyber inspectors under the National Information Technology Agency (NITA), creating potential duplication and institutional conflict.
Without a more precise delineation of responsibilities, this overlap may undermine regulatory efficiency and create legal uncertainty and institutional conflict.
INTERNATIONAL COOPERATION
The Bill reinforces the CSA’s mandate to collaborate with states, international organisations, and agencies to promote cybersecurity. Section 3 lists international collaboration as a core objective of the CSA, while Section 83 emphasises the promotion of cyberspace security through international cooperation. This includes engagement with bodies such as the African Network of Cybersecurity Authorities (ANCA) and the International Criminal Police Organisation (INTERPOL).
Given the transnational nature of cybercrime, Ghana’s legal framework for international cooperation involves multiple statutes. A comparison of the Cybersecurity (Amendment) Bill, 2025 and the Mutual Legal Assistance Act, 2010 (Act 807) is therefore essential. The two laws are complementary and pursue the same objective of strengthening Ghana’s response to cross-border crime.
While the Cybersecurity (Amendment) Bill is directed at the regulation of cyber-related offences and activities, including those with extraterritorial implications, the Mutual Legal Assistance Act, administered under the authority of the Attorney General, provides the formal framework through which Ghana may request or render cooperation to foreign states in the investigation and prosecution of criminal offences.
As a result, although the two laws complement each other in purpose, they overlap at the procedural and institutional levels, creating some ambiguity about whether CSA-led international cooperation may bypass the supervised mechanisms mandated by Act 807, which requires any act of international cooperation to be approved by the Attorney General.
FUTURE-PROOFING AND KEY INNOVATIONS
Beyond strengthening existing provisions, the Draft Cybersecurity (Amendment) Bill, 2025 introduces several notable innovations. The Bill positions the CSA to certify emerging technologies, aligning with the proposed Emerging Technologies Bill, 2025, which covers artificial intelligence, blockchain, Internet of Things (IoT), cloud computing, and quantum technologies. This forward-looking approach is commendable and reflects an understanding that cybersecurity regulation must evolve alongside technological innovation.
Additionally, the Bill expands the objects of the CSA to include the prevention and detection of cybercrime, as well as the confiscation of its proceeds, whereas the 2020 Act primarily focuses on regulation, coordination, and enforcement. The Bill further introduces additional statutory functions under section 4A, broadening the CSA’s operational scope. By explicitly listing these functions, the Bill provides clearer legal authority for activities that previously relied on implied powers. It also allows for the appointment of multiple Deputy Directors-General, reflecting the CSA’s growing size and complexity. While this change may improve administrative efficiency and specialisation, the absence of a statutory cap on the number of Deputy Directors-General raises questions about governance and accountability.
Another notable innovation is the expansion of the Cyber Security Fund. The Fund is expanded to include additional sources, potentially ensuring the CSA’s financial sustainability under its expanded mandate. At the same time, this expansion underscores the need for transparency and safeguards to prevent misuse.
A major policy development is the introduction of a national cyber hygiene certification scheme and a formal framework for certifying cybersecurity practices or professionals. The Bill also introduces a framework for accrediting non-profit cybersecurity institutions, recognising the role of civil society, research institutions, and capacity-building organisations in national cybersecurity. These initiatives aim to establish standards for maintaining the security and integrity of systems, networks, and data and offer a locally relevant alternative to international frameworks, particularly benefiting small and medium-sized enterprises.
Finally, the Bill expands the CSA’s enforcement powers to consolidate and extend investigative authority, including production and preservation orders, the search and seizure of data, the freezing of property linked to cybercrime, and compelled disclosure of technical information. While these powers strengthen enforcement, they also heighten concerns about proportionality and safeguards.
CONCLUSION
The Draft Cybersecurity (Amendment) Bill represents a decisive expansion of Ghana’s cybersecurity regulatory framework. It moves the current framework beyond basic regulation toward professionalisation, financial sustainability, proactive enforcement, and future readiness. However, significant concerns remain, and as Parliament considers the Bill, careful attention must be paid to refining statutory definitions, clarifying institutional roles, and addressing the issues raised to ensure a secure and resilient cyberspace for Ghana.
REFERENCES
Cybersecurity Act, 2020 (Act 1038)
Cybersecurity (Amendment) Bill, 2025
African Union Convention on Cyber Security and Personal Data Protection (2014) (Malabo Convention)
https://www.csa.gov.gh/resources/Directive_CII.pdf