Ghana’s Cybersecurity Act 2020 (Act 1038)

National Regulations

The Cybersecurity Act 2020 (Act 1038) is a law enacted in Ghana to regulate cybersecurity activities, establish a governance framework, and enhance national security by addressing cyber threats. It provides a comprehensive framework for strengthening Ghana’s cybersecurity infrastructure, protecting digital assets, regulating cybersecurity services, and ensuring compliance with international cybersecurity best practices. It imposes strict regulations and penalties to deter cybercrime and safeguard critical national systems.


1. Establishment of the Cyber Security Authority

  • The Act creates the Cyber Security Authority (CSA) as the primary regulatory body.
  • The CSA is responsible for regulating cybersecurity activities, preventing cyber threats, licensing cybersecurity service providers, and ensuring national digital security.

2. Governance and structure

  • A Board of Directors oversees the CSA, with representatives from government ministries, industry forums, and presidential appointees.
  • A Director-General is appointed to handle daily operations.

3. Financial provisions

  • The CSA is funded through parliamentary allocations, administrative penalties, licensing fees, and international grants.
  • A Cybersecurity Fund is established to finance cybersecurity initiatives.

4. Critical information infrastructure (CII)

  • The Act allows the designation of critical information infrastructure, such as government systems, financial institutions, and telecommunications.
  • Owners of such infrastructure must register their systems, report cybersecurity incidents, and undergo periodic security audits.
  • Unauthorised access to CII is punishable by heavy fines and imprisonment.

5. National and Sectoral Computer Emergency Response Teams (CERTs)

  • The National Computer Emergency Response Team (CERT) is established to monitor and respond to cybersecurity threats.
  • Sectoral CERTs are also created for critical industries (e.g., banking, energy, health).

6. Licensing and accreditation

  • Cybersecurity service providers must obtain a license from the CSA.
  • Cybersecurity professionals and practitioners must be accredited.
  • Certification is required for cybersecurity products and technology solutions.

7. Cybersecurity incident reporting

  • Mandatory reporting of cybersecurity incidents within 24 hours to the relevant CERT.
  • Organisations failing to report incidents face administrative penalties.

8. Protection of children online

The Act criminalises:

  • Indecent images of children (creating, possessing, distributing).
  • Cyberstalking and sexual extortion of minors.
  • Online solicitation and grooming for sexual purposes.

Penalties range from 5 to 25 years of imprisonment.


9. Other online sexual offenses

  • Non-consensual sharing of intimate images (revenge porn).
  • Threats to distribute intimate content.
  • Convictions carry 1 to 3 years of imprisonment.

10. Investigatory powers and data retention

  • Law enforcement can obtain production orders for subscriber information.
  • Interception warrants allow authorities to monitor traffic and content data.
  • Service providers must retain subscriber information for 6 years and traffic and content data for 12 months.

11. International cooperation and enforcement

  • The Act supports global cybersecurity cooperation.
  • It allows the blocking and filtering of illegal content.
  • Entities failing to comply face fines, revocation of licenses, and criminal charges.

12. Miscellaneous provisions

  • Establishment of an Industry Forum to set cybersecurity standards.
  • Administrative penalties for unauthorised access, non-compliance, and breaches.
  • Cybersecurity Risk Register to track cyber risks and vulnerabilities.