Ghana Cybersecurity Services Licensing
Ghana has experienced several cybersecurity attacks on banks and critical infrastructure. The Government of Ghana (GoG) has created mandatory requirements overseen by the Ghanaian Cyber Security Authority (CSA) that apply to a broad range of infrastructure, financial, governmental, and commercial entities in the economy. The CSA will audit those entities to determine whether they are protecting data and infrastructure by implementing sufficient cybersecurity protection measures, as prescribed by the law. (See CS Ghana’s previous report on the cybersecurity market in Ghana.) As part of the audits, the CSA will assess whether the providers of cybersecurity services to those entities are licensed according to Ghana’s new licensing regime for the cybersecurity activities.
In March 2023, Ghana’s Cyber Security Authority (CSA) launched a new system of licensing for companies that provide cybersecurity-related services in the Ghanaian market. The licensing regulations, which enter into force in September 2023, create three separate categories of service providers with their respective requirements. To access to the licensing portal, see https://www.csa.gov.gh.
The following is a summary for ease of understanding for foreign operators.
Individual Cybersecurity Professionals
The first category of licensing is for individual cybersecurity professionals (CPs). The CSA defines them as persons accredited under the Cybersecurity Act to “perform a cybersecurity-related professional function.” Local (Ghanaian) applicants can gain this accreditation/obtain this license by:
- Completing an online form
- Providing national identification
- Submitting a resume that demonstrates cybersecurity expertise
- Submitting a reference, and
- Completing a background check.
Non-Ghanaian individuals must:
- Complete the same online form
- Submit a background check from a “competent authority” in the country of origin or the country of residence for the previous five years
- Submit the biodata page of a valid travel document (for example, a passport)
- Submit evidence of a job or consultancy offer with a Ghanaian based entity for a cybersecurity job
- Submit academic and professional qualifications and certifications
- Submit proof of insurance coverage, if applicable
- Submit proof of membership of in professional cybersecurity body, and
- Submit any recommendations from previous employers.
The CSA will notify applicants of its decision to approve the license within 30 days of receipt of a complete application. These Cybersecurity Professional License is valid for two years and can be renewed.
Cybersecurity Service Providers
The second category is Cybersecurity service providers (CSPs), which the CSA defines as persons/entities licensed to provide a cybersecurity service. Some of the cybersecurity services for which a license is required include Vulnerability Assessment and Penetration Testing (VAPT), Digital Forensics Services (DFS), Managed Cybersecurity Services (MCS), Cybersecurity Governance, Risk and Compliance (GRC), and Cybersecurity Training (CT).
Foreign CSPs must register with the Register-General of Ghana as a business. After that is done, the licensing requirements for foreign and domestic CSPs are the same. However, if the foreign CSP cannot meet this requirement or does not intend to set up and operate in Ghana, it must provide proof of a partnership with a Ghanaian-owned CSP, which is itself licensed. The Cybersecurity Authority has yet to formally define for the U.S. Embassy what the specific legal and financial terms are that would constitute a partnership in this context.
For this license, CSPs must:
- Complete the online application
- Describe services offered and the technical processes involved in them
- Validate the accreditation status of the cybersecurity professionals employed
- Confirm their business registration
- Confirm their tax registration and clearance and
- Confirm their willingness to provide insurance for any potential losses.
The CSA will notify applicants of its decision to issue a license within 30 days of receipt of a complete application. Licenses are valid for two years.
The third category is Cybersecurity Establishments (CEs), which the CSA defines as organizations formed to investigate cybercrimes and mitigate cybersecurity incidents. For the purposes of the licensing regime, CEs refers to Digital Forensic Laboratories and Managed Cybersecurity Service Facilities. However, if a CE intends to perform other functions that are not covered by this definition, the CE license may still apply at the CSA’s discretion.
If there are specific rules applying to foreign operators in this category, they are not yet formally spelled out on the licensing portal as of the date of publication of this report.
The CSA portal says that it will notify applicants of its decision to accredit within 30 days of receipt of a complete application. Licenses are valid for two years and can be renewed.
U.S. companies interested in the new licensing rules are advised to consult the registration portal and the Frequently Asked Questions, which are evolving. Upon starting the actual registration process for the license, the portal reportedly provides applicants with more details, as well.
U.S. companies can please contact Office.Accra@trade.gov for any feedback or concerns related to the new cybersecurity licensing regime. To see Commercial Ghana’s own market intelligence and explanations about emerging regulatory measures and other laws affecting business in Ghana, please see our extensive market intelligence reporting.