Unlicensed cybersecurity service providers risk sanctions — Authority

Cybersecurity service providers in Ghana who fail to obtain licences from the Cyber Security Authority (CSA) by January 2025 will face legal sanctions, including administrative fines and criminal prosecutions under the law regulating the industry. 

Currently, the authority has commenced enforcement actions such as issuing regulatory notices to institutions providing cybersecurity services.

The Director-General of the CSA, Dr Albert Antwi-Boasiako, gave the warning at a ceremony to issue certificates and accreditations to some service providers in Accra last Friday.

Those who were issued with the certificates included 13 cybersecurity service providers (CSPs), three cybersecurity establishments (CEs) and 58 cybersecurity professionals (CPs).

The CSA, on March 1, 2023, triggered a regulatory regime to license Cybersecurity Service Providers (CSPs) and accredit Cybersecurity Establishments (CEs) and Cybersecurity Professionals (CPs), under the Cybersecurity Act, 2020 (Act 1038), sections 4(k), 49, 50, 51, 57 and 59.

The objective was to provide a streamlined mechanism for ensuring that CSPs, CEs and CPs offered their services in accordance with approved standards and procedures in line with domestic requirements and international best practices and provided greater assurance of cybersecurity and safety to consumers while addressing national security concerns.

So far, the authority has registered 276 CSPs, 73 CEs, and 1,563 CPs, many of whom are yet to complete the application process.

Standards

Dr Antwi-Boasiako explained that given the intrusive nature of cybersecurity services, it was important for all CSPs CEs, and CPs to meet the required standards to operate, especially within critical information infrastructure, including electoral systems and networks.

“If we do not get the collaboration and commitment after more than a year of engaging collaboratively, then the authority will not hesitate to resort to legal remedies to ensure that there is compliance.

“From next year, we will be publishing cyber security providers in good standing. If you are not, you cannot offer cyber security services in the country. We will come in the first quarter of 2025 fully prepared to execute what the law says we should execute,” the Director-General of the CSA said.

The authority, he said, would continue to support CSPs, CEs, and CPs by building their capacities and aligning their services with international best practices.

In line with this, he said the authority had launched the Industry Forum under Section 81 of Act 1038 to provide a platform for stakeholders to share ideas, shape policy and enhance industry standards.

To enhance the regulatory process, Dr Antwi-Boasiako announced that the CSA had also inaugurated Independent Assessors to support the authority in executing relevant regulatory activities.

“These accredited Cybersecurity Professionals will conduct site inspections, cybersecurity audits, and assist in research and development,” he said, appealing to all stakeholders to cooperate with the assessors as they worked collaboratively with the authority.