CSA bans unaccredited cybersecurity service providers from conducting business

The Cyber Security Authority (CSA), which is tasked with overseeing cybersecurity-related activities and advancing the field’s development in Ghana, has prohibited cybersecurity service providers (CSPs), cybersecurity establishments (CEs), and cybersecurity professionals (CPs) from conducting business in the nation in the absence of a license or accreditation.

The Authority stated in a news release that it adheres to the deadline set for CSPs, CEs, and CPs to seek a license or accreditation in order to conduct business legally in the nation by December 31, 2023.

“The Cyber Security Authority will fully enforce the provisions of the Cybersecurity Act, 2020 (Act 1038)
regarding its mandate to regulate CSPs, CPs and CEs. Accordingly, CSPs, CEs and CPs who offer cybersecurity services without a licence or accreditation granted by the Authority, do so in contravention of Act 1038 and will face the full rigors of the Law including criminal prosecutions and administrative penalties where applicable” part of the statement reads.

It added, “Institutions and individuals are consequently advised to engage only licensed CSPs and accredited CEs and CPs.”

Read full statement below:

PRESS RELEASE

DO NOT OPERATE IN GHANA IF YOU ARE NOT LICENCED OR ACCREDITED – CSA TELLS CYBERSECURITY SERVICE PROVIDERS, ESTABLISHMENTS AND PROFESSIONALS

(Accra, Ghana) – Effective January 1, 2024, Cybersecurity Service Providers (CSPs), Cybersecurity Establishments (CEs), and Cybersecurity Professionals (CPs) without a license or accreditation are barred from operating in Ghana.

This follows the December 31, 2023, deadline issued by the Cyber Security Authority (CSA) to CSPs, CEs, and CPs to obtain a licence or accreditation to operate lawfully in the country.

The CSA will fully enforce the provisions of the Cybersecurity Act, 2020 (Act 1038) regarding its mandate to regulate CSPs, CPs and CEs. Accordingly, CSPs, CEs and CPs who offer cybersecurity services without a licence or accreditation granted by the Authority, do so in contravention of Act 1038 and will face the full rigors of the Law including criminal prosecutions and administrative penalties where applicable. Institutions and individuals are consequently advised to engage only licensed CSPs and accredited CEs and CPs.

To ascertain whether an entity or individual has been granted a licence or accreditation, the certificate number of the entity or individual can be authenticated online at https://www.csa.gov.gh/licence. The Authority may also be contacted via email: compliance@csa.gov.gh or Telephone: 0531140408.

Ghana becomes the first country in Africa and second globally, after Singapore to have taken such a bold and giant step to develop the cybersecurity industry in this regard.

Background

The Cybersecurity Act, 2020 (Act 1038), came into force in December 2020 to regulate cybersecurity activities and promote the development of cybersecurity in Ghana. The Act thus mandates the Authority to regulate cybersecurity entities, pursuant to sections 4(k), 49, 50, 51, 57 and 59.

The regulatory regime will among other things ensure:

• a streamlined mechanism for ensuring that CSPs, CEs and CPs offer their services in accordance with approved standards and procedures in line with domestic requirements and international best practice;

• greater assurance of cybersecurity and safety to consumers;

• an improved and maintained standard that offers baseline protection to

Ghana’s digital ecosystem and;

• that national security concerns are addressed.

The CSA and the Public Procurement Authority (PPA) are also collaborating to ensure that public sector entities procuring cybersecurity services do so in accordance with the Guidelines developed pursuant to Act 1038.

Stakeholder Engagements

Since October 2022, the CSA has been engaging all relevant stakeholders including cybersecurity service providers, establishments and professionals on the regulatory regime by deploying different communication strategies. There have been more than 30 different industry engagements, leading to the introduction and implementation of the licensing and accreditation regime provided in the Cybersecurity Act, 2020. The Authority further set up dedicated desks to receive all enquiries and to provide prompt feedback on the exercise to stakeholders.

As part of efforts to continuously engage and collaborate with the accredited and licensed cybersecurity professionals and institutions, the CSA is compiling a national register of licensed and accredited Cybersecurity Service Providers, Cybersecurity Establishments and Cybersecurity Professionals pursuant to section 4(t) of Act 1038 and will see to the establishment of the Industry Forum pursuant to section 81 of the Cybersecurity Act 2020 (Act 1038).

Issued by

Cyber Security Authority (CSA)

January 11, 2024

Ref: CSA/COMMS/PR/2024-01/01