The Cybersecurity Authority has come under intense criticism in recent days over the amended Cybersecurity Act, 1038. From attempts to gain sweeping control over Ghana’s cyberspace to the controversial 30% levy on industry players, the new amendment raises serious concerns. Here are four reasons why I believe that, rather than protecting it, the amended bill poses a significant threat to Ghana’s digital security landscape.
- Enables Unhealthy State Control over Ghana’s Digital and Cybersecurity Space
While Section 4A of the Cybersecurity (Amendment) Bill, 2025 is presented as a mechanism to strengthen Ghana’s digital safety, its broad and unchecked scope could easily be used as a tool for state control over communication and innovation. Clause 4A(b) empowers the Authority to “establish standards for certifying the security of innovative products, Artificial Intelligence, cloud technology, quantum computing, big data, Internet of Things (IoT), blockchain-based technology and any other emerging technologies.”
This provision, while seemingly protective, gives the Authority sweeping power to determine what qualifies as “secure” or “compliant.” Without clear oversight, this could lead to bureaucratic or political gatekeeping, where startups, innovators, or tech companies are prevented from deploying digital products or communication tools unless they receive government approval.
Such a requirement could slow technological progress and create a chilling effect on innovation, as developers might fear that politically sensitive or disruptive technologies will be denied certification.
Clause 4A (d) also authorizes the Authority to “accredit the cybersecurity establishments of critical information infrastructure owners, cybersecurity service providers, cybersecurity practitioners and professionals and other relevant persons or institutions.” This mandatory accreditation regime places nearly all digital actors including cybersecurity professionals, innovators, and even non-profit tech bodies under Clause 4A (e) thus under the Authority’s control.
In practice, this could be used to restrict dissenting voices, limit the operations of independent digital advocacy groups, or revoke the licenses of practitioners who criticize government digital policies. This combined with 4A (a), which allows the Authority to “investigate and on the authority of the Attorney-General, prosecute cybercrime,” poses a potential threat to digital freedom and an open, innovative internet ecosystem in Ghana.
- A self-financing system that can incentivize abuse of power
Section 31 of Act 1038 as amended seeks to strengthen the Communications Fund through multiple revenue streams, including “12% of the communications service tax” and “9% corporate tax for the Fund per annum,” however, its undefined scope raises serious concerns about state overreach and potential misuse.
The provision grants the Authority vast discretion to impose “a charge determined by the Authority in accordance with the Fees and Charges Act… and levied on persons licensed by the Bank of Ghana,” as well as to claim “a proportion of the fees charged on all government electronic services.” Such open-ended powers could be weaponized to impose heavy financial obligations on digital service providers, start-ups, and fintech firms effectively stifling innovation, deterring investment, and creating an uneven digital economy controlled by the state.
The inclusion of “50% of all fines arising from criminal penalties under the Act” could incentivise excessive enforcement and punitive measures against dissenting voices or non-compliant digital platforms. Instead of serving its stated goal of safeguarding communications and cyber infrastructure, the amendment could transform the Fund into a tool for policy manipulation, granting the state leverage over communication networks, online services, and financial technology players under the guise of funding digital development.
- A tool that could cripple the growth of Ghana’s cybersecurity industry
Section 57C(4) of the Cybersecurity Act explicitly states that “30% of the revenue generated by a certified cybersecurity professional or practitioner or cybersecurity service provider under the scheme shall be paid into the Cybersecurity Fund.” This clause alone poses a serious threat to the sustainability of Ghana’s cybersecurity industry.
By demanding a 30% cut of total revenue, the provision drains financial resources directly from service providers, regardless of their operational costs or profitability. For small and medium-sized cybersecurity firms that already struggle with high certification fees, compliance expenses, and limited market access, this could make business operations nearly impossible. The policy disincentivizes innovation and competitiveness, as firms would have little capital left to reinvest in technology, talent, or expansion. In essence, while framed as a contribution to national cybersecurity development, Section 57C (4) functions more like a state-imposed levy that cripples private growth.
- Empowers the CSA with Dangerous Police Powers That Threaten Digital Freedom
Section 20B of the amended Cybersecurity Act grants the Director-General, Deputy Director-General, and other authorised officers of the Cyber Security Authority “the powers of a Police Officer, including the powers of arrest, search and seizure,” along with “the same rights, protections, and immunities conferred on a Police officer under Act 30 and Act 350.”
While this amendment is framed as a measure to strengthen enforcement in Ghana’s digital space, it poses a greater threat to civil liberties and digital freedom than it offers protection. By equipping a regulatory agency with full police powers, the line between cybersecurity regulation and criminal law enforcement becomes dangerously blurred.
In effect, the Cyber Security Authority (CSA) originally designed to provide technical oversight and promote digital safety could now act as an armed enforcement body capable of conducting arrests, searches, and seizures without traditional police oversight.
This risks fostering abuse of power, intimidation of critics, and the suppression of online dissent under the pretext of “cybersecurity enforcement.” The inclusion of “rights, protections and immunities” means CSA officers could operate with near-total legal protection from accountability, allowing them to target individuals or organisations arbitrarily.
Instead of sanitsing the digital environment, Section 20B could create a surveillance-heavy, fear-driven cyberspace, where innovation, privacy, and free expression could easily be undermined by overreach and politicised enforcement.
By Elliot Nuertey