Ghana’s Cybersecurity (Amendment) Bill, 2025, has stirred significant debate among professionals, policymakers, and industry leaders on social media. While its stated purpose is to strengthen our capacity to combat cybercrime and secure the digital ecosystem, the Bill introduces major institutional risks that deserve careful scrutiny.
At the centre of the controversy is a proposal to transform the Cyber Security Authority (CSA) from a civilian regulatory agency into a law enforcement body with powers of arrest, search, seizure, and prosecution.
This shift would fundamentally alter the CSA’s role and blur the lines between regulation, policy, and enforcement in ways that could erode trust, innovation, and accountability in Ghana’s cybersecurity governance.
Regulators should regulate, not enforce
Globally, cybersecurity regulators exist to coordinate, guide, and standardise, not to police.
The most respected institutions in this space — the Cybersecurity and Infrastructure Security Agency (CISA) in the United States, the National Cyber Security Centre (NCSC) in the United Kingdom, and the European Union Agency for Cybersecurity (ENISA) — operate as civilian, advisory agencies.
They set policy frameworks, coordinate responses, share intelligence, and help governments and businesses manage cyber risks.
None of them have police powers or the authority to prosecute.
When criminal activity is detected, it is referred to law enforcement agencies such as the FBI or the Department of Justice.
This model preserves independence, ensures checks and balances, and builds the trust necessary for voluntary compliance.
This Bill, however, takes a different path. Section 20B of the draft Bill gives the CSA’s Director-General and staff “the powers of a Police Officer, including powers of arrest, search and seizure.” Section 59B expands this even further, allowing the Authority to investigate, prosecute, and confiscate assets obtained from cybercrime.
In effect, the same institution that licenses cybersecurity companies and audits digital systems would also wield police powers over them.
This concentration of authority contradicts sound governance principles and violates one of the fundamental principles of cybersecurity itself — the separation of duties.
I should emphasize that I am, personally, a strong advocate for regulation through enforcement rather than mere rule-making, which I have said on many platforms.
Regulations without consequence often remain ineffective. However, enforcement must always operate within a framework of clear separation of duties, a principle that is also fundamental to cybersecurity itself.
In cybersecurity governance, separation of duties prevents abuse, ensures oversight, and protects systems from insider threats. The same logic should guide institutional design.
The body that creates and monitors rules should not also be the one that enforces them and punishes violations.
When regulators double as enforcers, they compromise their neutrality and create conflicts of interest.
Effective regulation requires an ecosystem of independent but interdependent bodies — each with defined boundaries, yet working collaboratively toward the same goal.
The country already has a robust system for investigating and prosecuting cybercrime.
The Criminal Investigations Department (CID), National Security, National Intelligence Bureau (NIB), Financial Intelligence Centre (FIC), and Economic and Organised Crime Office (EOCO) all have established mandates in this domain.
Instead of duplicating these functions, the CSA should continue to serve as the technical coordinator and policy driver — strengthening collaboration among these institutions, providing technical expertise, and setting national cybersecurity standards.
If the Authority assumes police powers, it risks alienating the very stakeholders — the private sector, civil society, and academia — that it depends on for effective cybersecurity coordination.
Once an agency becomes both regulator and enforcer, cooperation is replaced by compliance anxiety.
Sections 59C to 59J of the Bill grant the Authority sweeping powers to demand information, freeze property, seize data, and inspect systems.
These provisions, though intended to enhance investigations, raise serious privacy and due-process concerns.
Ghana’s Data Protection Act, 2012 (Act 843) and Article 18(2) of the Constitution guarantee citizens the right to privacy. Expanding investigative powers without rigorous judicial oversight could undermine these protections.
A cybersecurity regulator’s role should be to safeguard digital rights — not to intrude on them. The CSA’s legitimacy depends on its ability to maintain that delicate balance.
The Bureaucracy of Licensing: An Innovation Barrier
Another issue lies in the Bill’s proposed funding model and licensing framework. Under Sections 49 and 57, all cybersecurity professionals, practitioners, and service providers — including non-profit organizations — must obtain licenses or accreditations from the CSA.
Moreover, the Authority introduces a “cyber hygiene certification scheme” requiring certified providers to pay up to 30% of their revenue into the Cybersecurity Fund.
Combined with penalties and administrative fees, this could create a costly bureaucracy that discourages participation in the field.
Ghana’s cybersecurity talent pool is young and still growing. Over-regulation risks turning away innovators, small firms, and independent experts.
Ironically, by making legal participation burdensome, we may push young people toward the very cybercriminal activities we seek to eliminate.
Regulators should focus on enabling innovation, not taxing it.
It must be said that the Bill does include commendable provisions.
The emphasis on protecting women, children, persons with disabilities, and vulnerable populations online reflects a welcome social awareness.
The focus on cyberbullying, online harassment, and cyberstalking addresses real and growing threats in the digital space.
Additionally, the attention to emerging technologies — such as Artificial Intelligence, cloud computing, blockchain, and quantum technologies — signals an understanding of future risks and opportunities.
These are valuable and timely steps, but they require a regulatory, not coercive, environment to succeed.
Public education, capacity building, and international collaboration remain the most effective tools for securing cyberspace.
A balanced path forward
The government’s determination to strengthen cybersecurity is commendable.
But rather than concentrating power, Ghana should pursue a balanced model grounded in cooperation, accountability, and technical excellence.
A better framework would:
- Maintain the CSA’s regulatory and coordinating role, consistent with international norms.
- Strengthen partnerships with law enforcement and intelligence agencies for enforcement.
- Remove or reduce the excessive licensing fees that discourage growth and innovation.
- Ensure strong privacy safeguards in line with constitutional rights.
- Fund the CSA transparently through parliamentary appropriation, not self-financing mechanisms tied to penalties or licenses.
This approach preserves both efficiency and oversight — two pillars of sound cybersecurity governance.
Ghana has made admirable progress in digital security and governance over the past decade.
The creation of the CSA was a forward-looking decision that positioned the country as a leader in Africa’s cybersecurity landscape.
But that progress rests on trust — the trust of citizens, businesses, and international partners that the Authority is impartial, professional, and guided by the rule of law.
Empowering the CSA to arrest and prosecute risks undermining that trust.
Enforcement is vital, but it must be structured, separated, and accountable.
The Cyber Security Authority should remain a civilian, collaborative regulator, focused on building capacity, strengthening resilience, and fostering cooperation across all sectors.
The real strength of cybersecurity governance lies not in power, but in balance.
By ASHRAF SAAKA










