By Enoch Yankson, Cyber Resilience Professional
Ghana’s proposed Cybersecurity (Amendment) Bill, 2025, sponsored by the Ministry of Communication and Digitalisation, represents a significant legislative effort to evolve the nation’s digital defence framework, originally established by the Cybersecurity Act, 2020 (Act 1038).
From a professional cybersecurity standpoint, the Bill presents a crucial dichotomy: it introduces necessary measures to enhance national digital resilience while simultaneously proposing structural changes that could undermine the very principles of trust, privacy, and innovation essential for a robust security ecosystem.
This article provides a balanced assessment of the proposed amendments, weighing the strategic benefits against the critical concerns regarding overreach and governance.
The Case for Enhanced Digital Resilience: Strategic Benefits
The official rationale for the amendment is rooted in the need to address the rapidly evolving cyber threat landscape and ensure the sustainability and effectiveness of the Cyber Security Authority (CSA). These proposed changes align with global best practices for national cybersecurity strategy in several key areas.
Strengthening Critical National Information Infrastructure (CNII) Protection
The primary security benefit of the Bill is its focus on Critical National Information Infrastructure (CNII). The amendments aim to provide clearer and more robust mechanisms for the designation, protection, and regulation of systems vital to national security and economic stability (e.g., banking, energy, and telecommunications) [1]. Academic analysis confirms that the Cybersecurity Act, 2020 (Act 1038) already provides the legal basis for the protection of all designated CNII in Ghana [1].
From a risk management perspective, this is a necessary and overdue step. A successful attack on CNII can have catastrophic real-world consequences. Granting the CSA the enhanced authority to enforce security standards, conduct mandatory audits, and coordinate incident response across these sectors is essential for the national security posture. This centralised approach ensures a consistent, high-level baseline of security across Ghana’s most valuable digital assets.
Professionalising the Cybersecurity Sector
The proposal to establish a mandatory certification scheme for cybersecurity professionals and service providers (Sections 57A–57C) is intended to standardise the quality of cybersecurity services in Ghana [2]. The goal of this measure is to raise the overall security floor by ensuring that only qualified and vetted individuals handle sensitive security matters. This provision builds upon the existing framework in the 2020 Act, which mandates certification programs for cybersecurity professionals and practitioners [2].
| Feature | Strategic Benefit |
| Standardisation | Creates a unified framework for skills and competence, reducing the risk of engaging incompetent practitioners. |
| Accountability | Establishes a clear line of responsibility and accountability for service providers involved in national security. |
| Global Alignment | Signals to international partners and investors that Ghana is committed to a professional, regulated cybersecurity workforce. |
Critical Concerns: Potential for Overreach and Governance Risks
While the intentions behind the Bill are laudable, several proposed amendments introduce significant governance and operational risks that could inadvertently weaken Ghana’s digital ecosystem and erode public trust.
The Blurring of Mandates: Regulatory Body to Enforcement Agency
The most contentious provision is the expansion of the CSA’s investigative and enforcement powers (Section 20B), which grants the Director-General and authorised officers the powers of a Police Officer, including the powers of arrest, search, and seizure [3].
This shift is problematic because it blurs the line between a regulatory body and a law enforcement agency. The core function of a cybersecurity regulator is to set standards, monitor compliance, and facilitate incident response. Law enforcement, conversely, focuses on investigation and prosecution. Legal analysts argue that this concentration of power breaches a constitutional firewall, as the exclusive right to prosecute criminal offences is vested in the Attorney-General under Article 88 of the 1992 Constitution [3].
“The Authority’s fundamental identity—as a civilian, coordinating, and capacity-building institution—would be replaced with a security-style apparatus operating outside established oversight channels. ILAPI contends that this shift would not only violate the Constitution but could chill private-sector cooperation, deter innovation, and invite political manipulation under the guise of cybersecurity enforcement” [3].
From a technical perspective, this overlap creates potential conflicts of interest. An agency focused on compliance (prevention) may compromise forensic integrity (investigation) if its personnel are not adequately trained in criminal procedure and evidence handling. Furthermore, centralising such immense power in a single authority without clear, independent judicial oversight poses a risk to civil liberties and due process.
Weakened Judicial Oversight and Warrantless Access
Section 59J, concerning the Power of Entry, Inspection, and Audit, allows CSA inspectors to enter premises and audit computer systems with seven days’ notice based on a “reasonable belief” of non-compliance, potentially without a warrant [3].
Computer systems often hold sensitive personal data, trade secrets, and privileged communications. The concept of “reasonable belief” is inherently subjective and lacks the high legal threshold of probable cause required for a judicial warrant. This provision is deemed constitutionally indefensible, as Article 18(2) of Ghana’s Constitution guarantees the right to privacy of home, property, and correspondence, allowing interference only under due legal authority [3]. This provision risks:
- Undermining Data Protection: Accessing sensitive systems without a warrant conflicts directly with data protection principles and confidentiality obligations.
- Subjectivity and Abuse: The lack of external judicial check opens the process to potential harassment or competitive interference, eroding trust between the regulator and the private sector.
A strong cybersecurity framework must be built on trust and cooperation. Provisions that allow for warrantless access, even with notice, are antithetical to the principles of privacy and legal certainty that underpin a modern digital economy.
Impact of Mandatory Certification on Innovation
While the goal of professionalisation is laudable, the mandatory certification scheme raises practical concerns for the industry. If the fees are substantial and the process rigid, it could disproportionately disadvantage small firms, freelancers, and young innovators [3].
A better approach, aligned with international models, would be to establish an independent accreditation board and implement a tiered system. This would allow the CSA to regulate services for CNII and government contracts while fostering a competitive, skill-based market for general cybersecurity services.
Furthermore, the proposed revenue streams from fines and certification fees risk creating a perverse incentive structure, where enforcement becomes a revenue-generation tool rather than a security mandate, which conflicts with Ghana’s Public Financial Management Act, 2016 (Act 921) [3].
Conclusion and Recommendation
Ghana’s proposed Cybersecurity (Amendment) Bill, 2025, is a necessary response to the growing complexity of cyber threats. The commitment to CNII protection and professionalisation is strategically sound and must be commended.
However, the Bill, in its current form, overreaches in its proposed enforcement mechanisms. To ensure the Bill achieves its intended purpose, a safer, more resilient digital Ghana, the following adjustments are critical:
Separate Regulatory and Enforcement Functions: The CSA should retain its core regulatory and incident response coordination role. Law enforcement powers (arrest, seizure) should remain with established police and intelligence agencies, with the CSA acting as the technical expert and primary referral body. All prosecutions must proceed under written fiat from the Attorney-General [3].
Strengthen Judicial Oversight: All provisions for entry, inspection, and audit must be subject to a clear, high legal threshold, such as a judicial warrant based on probable cause, to safeguard constitutional rights and data privacy. The use of “shall obtain a warrant” must replace the weaker “may” in relevant sections [3].
Independent Certification Governance: The certification process should be managed by an independent body, or at least feature transparent, tiered fee structures and robust appeal mechanisms to prevent market rigidity and conflicts of interest. All funds collected should be paid into the Consolidated Fund to preserve fiscal discipline [3].
A successful cybersecurity framework is one that balances national security with civil liberties and market innovation. The current draft of the Bill leans too heavily toward unchecked state control, a position that, ironically, can undermine the very trust and cooperation needed to build a truly resilient national cybersecurity posture.
References
[1] Ngalim, B. (2023). Towards the legal protection of critical infrastructure in Africa against cyberwar and cyberterrorism. Journal of Cyberspace Studies, 7(1). [Online]. Available at: https://www.ssoar.info/ssoar/handle/document/92341.
[2] Mensah, G. B., Mijwil, M., & Abotaleb, M. (2025). Assessing Ghana’s Cybersecurity Act 2020: AI Training and Medical Negligence Cases. Journal of Integrated Engineering & Applied Sciences, 1(1), 14. [Online]. Available at: https://jieas.net/wp-content/uploads/2025/03/JIEAS_14.pdf.
[3] Institute for Liberty and Policy Innovation (ILAPI). (2025). Cybersecurity and Constitutional Order: Why ILAPI Calls for Redress Before Ghana’s Cybersecurity (Amendment) Bill Becomes Law. [Online]. Available at: https://ilapi.org/s-blog?id=20185.
The post A critical examination of proposed Cybersecurity (Amendment) Bill, 2025: Balancing resilience and oversight appeared first on The Business & Financial Times.
Read Full Story
Facebook
Twitter
Pinterest
Instagram
Google+
YouTube
LinkedIn
RSS