Accra, Ghana – Ghana is on course to become the first country in Africa, and one of the few in the world to introduce a licensing regime for Cybersecurity Service Providers and Accreditation for Cybersecurity Establishments and Professionals.

The regulatory regime, with the focus of developing Ghana’s cybersecurity industry, will in equal measure, propel the country’s efforts at improving its ranking on the Global Cybersecurity Index of the International Telecommunications Union (ITU) to be among the top 25 in the world.

Currently, Ghana is ranked third in cybersecurity readiness in Africa after Mauritius and Tanzania, and the government of Ghana, through the Cyber Security Authority (CSA), is committed to ensuring that Ghana takes the number one spot in Africa in the next few years.

It is against this backdrop that the CSA, as a regulator of Ghana’s cyberspace, and pursuant to Sections 49, 57, and 58 of the Cybersecurity Act, 2020 (Act 1038) has since March 1, 2023, commenced the process of licensing Cybersecurity Service Providers (CSPs) and accrediting Cybersecurity Establishments (CEs) and Cybersecurity Professionals (CSPs).

When finally enforced, the regulatory exercise will ensure that only licensed and accredited professionals and entities are lawfully empowered to engage in business.

To give impetus to the new licensing regime, the CSA has joined forces with the Public Procurement Authority (PPA), with the objective of enforcing the guidelines for the Licensing of CSPs and Accreditation of CEs and CPs, as it applies to covered entities procuring cybersecurity services.

“This will contribute to the overall objective of the PPA in harmonising the processes of public procurement in the public service to secure a judicious, economic, and efficient use of state resources,” the Director-General of the CSA, Dr. Albert Antwi-Boasiako, said at a joint news conference with the PPA in Accra on Tuesday, August 15, 2023.

He noted that the importance of cybersecurity development to the digitalisation drive of Ghana called for the enactment of the Cybersecurity Act, 2020 (Act 1038), which established the CSA to regulate cybersecurity activities, promote its development in the country, and provide for related matters.

According to Dr. Antwi-Boasiako, the rationale for the licensing and accreditation exercise is to ensure compliance with Act 1038 as well as provide a streamlined mechanism for ensuring that Cybersecurity Service Providers, Cybersecurity Establishments, and Cybersecurity Professionals in the country executed their duties in accordance with approved international best practice.

Lending support to the new licensing regime spearheaded by the CSA, the Chief Executive Officer of the PPA, Mr. Frank Mante, expressed his delight about the collaboration to enforce the guidelines of the new regulatory framework.

He said the regulation would support the objective of the Authority as found in Section 2 of the Public Procurement Act, 2003 (Act 663) as amended, to harmonise public procurement to ensure the effective and judicious use of public funds.

He maintained that doing so was a sure guarantee that public procurement was done in a fair, transparent, and non-discriminatory manner as required by law while promoting a competitive local industry.

Mr. Mante intimated that because of the heightened risk of corruption and conflicts of interest in public procurement, it was important to include rules to preserve the integrity of the procurement process, as well as penalties for non-compliance for which reason he lauded the CSA for taking the bold step to introduce a licensing administration to regulate operators in the cyber sector.

    The areas of collaboration between the CSA and the PPA include ensuring that:
  • Covered Entities, in procuring cybersecurity services in accordance with the guidelines developed pursuant to Act 1038, engage Cybersecurity Service Providers who are licensed by the CSA.
  • Ensuring that Covered Entities engage Cybersecurity Establishments and Cybersecurity Professionals who are accredited by the CSA to perform cybersecurity-related functions.
  • Ensure that Cybersecurity Service Providers or Establishments who submit bids for business are subjected to the Public Procurement Act, 2003 (Act 663) as amended.
  • Supporting the PPA in training persons engaged in public procurement regarding the implementation of the Guidelines.

Cybersecurity Service Providers, Cybersecurity Establishments, and Cybersecurity Professionals have up until September 30, 2023, to take advantage of the ongoing regulatory exercise to obtain a license or accreditation to stay in business. The enforcement regime for compliance is October 1, 2023.