Dr. Albert Antwi-Boasiako
The Cyber Security Authority (CSA) has announced a grace period until September 30, 2023, within which Cybersecurity Service Providers (CSPs), Cybersecurity Establishments (CEs) and Cybersecurity Professionals (CPs) are to obtain a licence or accreditation.
According to the authority, the deadline is to ensure players in the cybersecurity sector have the required approval and permit to operate in the country.
The move is also in compliance with Act 1038 and the Guidelines for the licensing of CSPs and accreditation of CEs and CPs.
Subsequently, it will also enable the compliance requirement of the Public Procurement Authority (PPA) which would take effect from October 1, 2023, to ensure that best practices are observed especially in procuring cybersecurity services in the public sector.
Speaking at a media briefing in Accra yesterday, Director-General CSA, Dr. Albert Antwi-Boasiako, said when the regulation is finally enforced, Ghana will become the first country in Africa, and one of the few in the world after the likes of Singapore, to introduce a licensing regime for, and accreditation for Cybersecurity Establishments and Professionals.
Again, he said the exercise would complement Ghana’s efforts in improving its ITU Global Cybersecurity Index ranking from third to first in Africa and among the top 25 in the world.
“This regulatory exercise which has been enforced has significant benefits to the industry including national and global visibility, Cybersecurity Incident and Threat Intelligence Sharing, Industry Recognition and Profile, and Eligibility for Industry Forum Membership, among others.
“The Government of Ghana, through the CA, and other relevant agencies such as the PPA have a shared responsibility of addressing cybersecurity matters and are committed to fighting cybercrime and maintaining the public safety of citizens online,” he emphasised.
Licensing/Accreditation Regime
The importance of cybersecurity development to the digitalisation drive of our country necessitated the enactment of the Cybersecurity Act, 2020 (Act 1038), which established the Cyber Security Authority (CSA) to regulate cybersecurity activities, promote its development in the country and provide for related matters.
As a Regulator of Ghana’s cyberspace, Sections 49, 57 and 58 of Act 1038 mandate the CSA to license Cybersecurity Service Providers (CSPs) and accredit Cybersecurity Establishments (CEs) and Cybersecurity Professionals (CPs).
Accordingly, an exercise to this effect commenced on March 1, 2023, to ensure that only licensed and accredited professionals and institutions are lawfully empowered to engage in business.
The rationale for this process is to ensure compliance with Act 1038 and to provide a streamlined mechanism for ensuring that CSPs, CEs and CPs throughout the country carry out cybersecurity-related activities in accordance with approved international best practice while providing greater assurance of cybersecurity and safety to consumers and addressing national security concerns.
So far, 448 cybersecurity professionals representing 40 per cent of the target have undergone the process to get licensed. This is followed by 25 cybersecurity establishments, representing 50 per cent of the target, and 92 cybersecurity service providers, representing 90 per cent of the target also going through the process.
Dr. Antwi-Boasiako said the CSA has, since the commencement of this regulatory exercise, engaged agencies, institutions and associations that offer cybersecurity-related services and hopes those who are yet to register and regularise their activities would do so before September 30, 2023.
Chief Executive Officer (CEO), PPA, Frank Mante, said considering the cross-sectoral nature of cybersecurity and its effects on the socioeconomic development of the country, it is expedient that the PPA collaborates with key agencies to ensure that adequate systems and processes are put in place to promote cyber resilience across sectors.
“This will contribute to the overall objective of the PPA in harmonising the processes of public procurement in the public service to secure a judicious, economic, and efficient use of state resources,” he said.
Mr. Mante said the focused areas of collaboration include ensuring that Covered Entities, in procuring cybersecurity services in accordance with the Guidelines developed pursuant to Act 1038, engage Cybersecurity Service Providers who are licensed by the CSA; and ensuring that Covered Entities engage Cybersecurity Establishments and Cybersecurity Professionals who are accredited by the CSA in performing cybersecurity-related functions.
“Through this collaboration, the PPA will ensure that as part of vetting procurement applications to the PPA Board, cybersecurity issues are considered and Cybersecurity Service Providers who submit applications to the PPA Board are accredited by the CSA before being considered for any form of engagement,” he stressed.
Furthermore, he said the CSA through the PPA will ensure that covered procurement entities are in compliance with standards and inculcate the licensing and accreditation provisions in their qualification and prequalification criteria for the selection of CSPs, CEs and CPs pursuant to provisions under Sections 22 and 23 of the Public Procurement Act, 2003 (Act 663), as amended, on qualification and prequalification of tenderers and service providers.
“This partnership will also go a long way to supporting the PPA in training persons engaged in public procurement regarding the implementation of the Guidelines,” he said.
By Jamila Akweley Okertchiri