Frequently Asked Questions (FAQs) on the Licensing Of CSPs and the Accreditation of CEs and CPs

  • A Cybersecurity Service Provider (CSP) is a person/entity licensed under Act 1038 to provide a cybersecurity service. A cybersecurity service is a service for a reward that is intended primarily for or aimed at ensuring or safeguarding the cybersecurity of a computer or computer system belonging to a person and includes the services enumerated in the First Schedule of the Cybersecurity Act, 2020 (Act 1038).

    The services to be covered under the current licensing regime include but not limited to the following:


  • a. Vulnerability Assessment and Penetration Testing (VAPT)
  • b. Digital Forensics Services (DFS)
  • c. Managed Cybersecurity Services (MCS)
  • d. Cybersecurity Governance, Risk and Compliance (GRC)
  • e. Cybersecurity Training (CT)
  • NB: If the services a CSP intends to offer are not covered above, the CSP may still apply and the Authority will assess the application and make a determination, in accordance with the First Schedule of the Cybersecurity Act, 2020 (Act 1038).

    To obtain a licence, a Cybersecurity Service Provider is required to meet a number of requirements, including: completion of online application form, description of services offered as well as the technical processes in offering such services, validation of accreditation status of cybersecurity professionals employed to deliver the service, submission and confirmation of business Registration status, submission of tax clearance certificate, and a proof or willingness to provide cybersecurity insurance coverage to cover potential losses arising from the delivery of cybersecurity services, among others.

    Details of the requirements as well as the application process shall be made available to prospective cybersecurity service providers once they register to commence the application process.

    The CSA shall within thirty (30) days of receipt of a complete application for a licence, inform the applicant of the decision via e-mail and/or online portal.

    Yes, the licence of a Cybersecurity Service Provider may be revoked based on specific grounds including but not limited to the following


  1. a. The licence has been obtained by fraud or misrepresentation.
  2. b. The licensee has ceased to carry on the business for which the license was issued
  3. c. The licensee has been convicted of an offence involving fraud, dishonesty, moral turpitude, or an offence under this Act.
  4. d. A circumstance existed at the time the licence was granted or renewed that the Authority was unaware of, which would have otherwise prevented the Authority from granting or renewing the licence of the licensee if the Authority had been aware of the prevailing conditions at the time of license issuance
  5. e. The licensee no longer meets the requirements for holding the licence.

    According to section 49 of Act 1038, operating without a licence as a Cybersecurity Service Provider in Ghana is an offence punishable by a penalty equivalent to the cost of damage caused and the financial gain made.

  • a. The foreign Cybersecurity Service Provider will have to register with the Registrar-General of Ghana to operate as a business. In this case, the requirements for licensing for domestic cybersecurity firms also applies to a foreign entity.

  • b. In case a foreign Cybersecurity Service Provider is unable to meet the above requirements or does not intend to set up and operate in Ghana, the service provider shall provide evidence of partnership with a Ghanaian-owned licenced Cybersecurity Service Provider, before providing any of the licensable services provided.

    A licence granted is valid for two (2) years from the date specified on the licence.

    A licenced Cybersecurity Service Provider who intends to continue operations shall not later than one (1) month before the expiration of the licence, apply to the Authority for a renewal of the licence.

    The CSA may suspend a licence for not more than six (6) months where;


  • a. The licensee fails to renew the licence not later than one month before the expiration of the licence.
  • b. The licensee fails to comply with a condition specified in the licence.

    The applicant shall receive notification on the outcome of the licence application via email and/or the online portal of CSA.

    An applicant can check the progress of the application via the CSA’s online portal.

    Yes. Existing CSPs have a grace period of six (6) months from the date of commencement of this exercise to obtain a licence.

    No. As specified in section 52 of Act 1038. A person who transfers a licence commits an offence which may lead to the payment of fines and/or a term of imprisonment.

  • A Cybersecurity Establishment (CE) is any establishment within an organisation set up to investigate cybercrimes and mitigate cybersecurity incidents. CEs include Digital Forensic Laboratories, Managed Cybersecurity Services, and other related services.

    The types of CEs to be accredited are:

  • a. Digital Forensic Facilities
  • b. Managed Cybersecurity Service Facilities
  • NB: If the operations a CE intends to perform are not covered above, the CE may still apply, and the Authority will assess the application and make a determination.

  • A digital forensic facility is one established and equipped with the requisite technology and standard operating procedures for the identification, acquisition, preservation, processing, analysis and reporting on data stored in electronic format or evidence to support legal proceedings (corporate, administrative, or criminal proceedings).
  • A managed cybersecurity service facility is one established and equipped with the requisite technology and standard operating procedures for the provision of security services including threat monitoring, detection, prevention, mitigation, response, and security advisory. Computer Emergency Response Teams (CERTs) Facility and Security Operation Centres (SOCs) are considered Managed Security Service Facilities.

    To obtain an accreditation, a Cybersecurity Establishment is required to meet a number of requirements, including: completion of online application form, description of services offered as well as the technology set up in offering such services, submission of standard operating procedures, validation of accreditation status of cybersecurity professionals employed to deliver the service, submission and confirmation of business Registration status, among others.

    Details of the requirements as well as the application process shall be made available to prospective cybersecurity establishments once they register to commence the application process.

    The CSA shall within thirty (30) days of receipt of a complete application for an accreditation certificate, inform the applicant of the decision of the Authority via e-mail and/or online portal.

    An accreditation certificate is valid for two (2) years from the specified date of issuance.

    An accredited CE which intends to continue operations shall, not later than one (1) month before the expiration of the accreditation certificate, apply to the Authority for a renewal of the accreditation certificate.

    Yes, the accreditation of a CE may be revoked based on grounds which include the following: The CSA may suspend an accreditation for not more than six (6) months where;

  • a. The certificate holder fails to renew the accreditation not later than one month before the expiration date.
  • b. The certificate holder fails to comply with a condition specified in the accreditation.

    Yes. The accreditation of a CE may be revoked based on grounds which include but are not limited to the following;

  • a. The accreditation has been obtained by fraud or misrepresentation.
  • b. It is not in the public interest for the accreditation certificate holder to continue to carry on the business of an accredited cybersecurity establishment.
  • c. The accreditation holder no longer meets the requirement for holding the accreditation.

    The applicant shall receive notification on the outcome of an application via email and/or the online portal of CSA.

    An applicant can check the progress of the application via the CSA’s application portal.

    No, an accreditation cannot be transferred to another CE.

    To obtain an accreditation, a Cybersecurity Professional (CP) is required to meet a number of requirements, including completion of an online application form, applicant’s national ID (Ghana card), (for foreigners, a non-citizen Ghana Card or photocopy of the biodata page of a valid passport), submission of a Curriculum Vitae (CV) that clearly shows the applicant’s relevant experiences in cybersecurity, submission of a recommendation or reference, and an undertaking to undergo background checks and verification, among others.

    Details of the requirements as well as the application process shall be made available to prospective cybersecurity professionals once they register to commence the application process.

    To obtain an accreditation, a foreign-based Cybersecurity Professional (CP) is required to meet a number of requirements, including completion of online application form, submission of background check report issued by competent authority of the country of origin or the country of residence for the past five (5) years, submission of bio-data page of a valid travel document, evidence of a job or consultancy offer or an intention by a Ghanaian-based entity to offer a cybersecurity job or consultancy, submission of relevant academic and professional qualifications and certifications for verification, submission of insurance cover where applicable, proof of membership of a cybersecurity professional body and recommendations issued by current/previous employer or firm which contracted the services of the applicant, among others.

    Details of the requirements as well as the application process shall be made available to prospective cybersecurity professionals once they register to commence the application process.

    The CSA shall within thirty (30) days of receipt of a complete application for accreditation, inform the applicant of the decision of the CSA via e-mail and/or online portal.

    Yes. The CSA may suspend an accreditation for not more than six (6) months where;

  • a. The holder fails to renew the accreditation not later than one (1) month before the expiration date.
  • b. The holder fails to comply with a condition specified in the accreditation.

    The CSA may suspend an accreditation for not more than six (6) months based on the grounds stated in the accreditation conditions such as when certificate holder fails to renew the accreditation certificate not later than one (1) month before the expiration of the accreditation, among others.

  • a. The accreditation being obtained by fraud or misrepresentation.
  • b. The accreditation certificate holder ceasing to carry on business for which the accreditation was obtained.
  • c. The holder no longer meets the requirement for holding the accreditation.

    The applicant shall receive notification on the outcome of an application via email and/or the online portal of CSA.

    An accreditation certificate is valid for two (2) years from the date specified on the certificate.

    An accredited CP who intends to continue operations shall, not later than one (1) month before the expiration of the certificate, apply to the Authority for a renewal of the accreditation certificate.

    An applicant can check the progress of an application via the online portal of CSA.

    No. An accreditation certificate cannot be transferred to another CP.