Researched by Alfa Shaban
Ghana’s first full-blown Cybersecurity law, Act 1038, was first promulgated in 2020. It was to be complemented by 11 existing legislations, among others, the Criminal Offenses Act 1960 (Act 29), the Anti-Terrorism Act 2008 (Act 762) and the Economic and Organized Crime Office Act, 2010 (Act 804).
The Cybersecurity Act, 2020 set up the Cyber Security Authority (CSA) “to regulate cybersecurity activities in the country, to promote the development of cybersecurity in the country and to provide for related matters.”
Five years on, the Ghana government has proposed an amendment to the Cybersecurity Act through the Cybersecurity (Amendment) Bill, 2025.
In this analysis piece, GhanaFact dissects the main proposed amendments and insertions to the draft amendment Bill as circulated by the CSA.
The proposed amendment is summarised in the first paragraph as follows: “AN ACT to amend the Cybersecurity Act, 2020 (Act 1038):
- to confer powers on the Cyber Security Authority to investigate and prosecute cybercrime on the authority of the Attorney-General and recover proceeds of cybercrime;
- to revise the object and functions of the Cyber Security Authority;
- to revise the governance and administration of the Cyber Security Authority;
- to revise the enforcement powers of the Cyber Security Authority and to provide for related matters.”
Key numbers to note:
- Total number of proposed changes – 50
- Number of amendments proposed – 24
- Number of insertions proposed – 24
- Number of proposed objects of CSA – 2
- Number of new functions for the CSA – 9
1 – New objects for CSA, expanded functions, seat for intelligence agencies
The 2020 law stated seven objectives for the CSA. The amendment bill proposes two more objects as follows:
(e) prevent and detect cybercrime;
(f) to facilitate the confiscation of proceeds of cybercrime;
The draft amendment proposes nine new functions for the CSA, key new functions address the area of emerging technologies, prosecution of cybercrime and accreditation of cybersecurity institutions and professional bodies.
The CSA is expected to “establish standards for certifying the security of innovative products, Artificial Intelligence, cloud technology, quantum computing, big data, Internet of Things (IoT), blockchain-based technology and any other emerging technologies.”
JCC ropes in intelligence agency heads or reps
The Joint Cybersecurity Committee (JCC) of the NSA is expanded to accommodate three heads of state institutions; the Executive Director of the Data Protection Commission, the Director of the National Intelligence Bureau and the Director General of the National Signals Bureau.
At the administrative level, the CSA is also seeking to be allowed to appoint Deputy Directors-General “as are necessary for the performance of the functions of the Authority.”
2 – Police powers
There are expansive amendments with respect to the CSA being granted police powers to allow the Director-General, their deputies and other authorised officers to be allowed to arrest, search and seize and have the same rights, protections and immunities granted to police officers under all existing laws.
Other related sections detail processes that shall be undertaken before, during or after any search, arrest and or seizures by the CSA, including processes that need the involvement of the courts – the High Court to be specific.
- Sections 59A (Enforcement powers of the CSA),
- 59B (Power to conduct investigations and prosecute cybercrimes),
- 59C (Power to request for information),
- 59D (Application for production order to collect computer data)
- 59E (Grant of production order)
- 59F (Application for warrant to arrest, search and seize computer data, computer or computer system),
- 59G (Grant of warrant),
- 59H (Application for preservation order to preserve computer data),
- 59I (Grant of preservation order),
- 59J (Power of entry, inspection and audit) and
- 59K (witness and informant protection) detail the processes involved in exercising the CSA’s police powers.
The controversy
Several cyber professionals commenting on portions of the bill as applied to the CSA’s police powers argued that they were too far-reaching and could, just as existing laws, be exploited by public officials.
A software engineer, Michael Asiedu, in an analysis of the draft amendment, wrote on X: “The dangerous thing is, it is not about security. It’s about control. They want to give the CSA police powers to arrest, search, and seize. They want it to investigate and prosecute citizens directly.
“They want the power to freeze your assets before a court ever hears your case. They can force you to hand over private information, raid your office without a warrant, and label speech they dislike as ‘false information,” he added.
3 – Cyber hygiene and contribution to its fund
Cyber hygiene is a new term in Ghana’s cybersecurity law. Yet it was one of the contentious parts of the amended bill during initial discussions on the bill on social media platforms.
According to the European Union Agency for Cybersecurity (ENISA), cyber hygiene refers to the “simple practices and steps we can all take to protect our personal information and devices from cyber threats. By following a few basic guidelines, you can significantly reduce your risk of falling victim to cyber-attacks, ensuring that your data remains secure, and your online activities are safe.”
According to the draft amendment bill, the entire section (57A) is proposed under the topic Cyber hygiene certification scheme. A scheme that mandates the CSA to, among others, standardise, review and set administrative fees for professionals and institutions engaged in cyber hygiene operations and the accrediting of non-profit cybersecurity institutions.
Controversy
The controversy around the cyber hygiene clause was captured under Section 57(C)(4), which states: “30% of the revenue generated by a certified cybersecurity professional or practitioner or cybersecurity service provider under the scheme shall be paid into the cybersecurity fund.”
The clause was interpreted by some social media users, as a case of the CSA demanding 30% of charges that it was set to impose on services that cybersecurity professionals or institutions should charge.
An X user, Nana Boateng, noted: “CSA will collect money from certification and licensing fees, meaning the same body that polices you also profits from regulating you. In other words, the CSA both regulates who can operate (policing role), and earns revenue from the very licences.”
4 – Cyberbullying and online harassment, cyberstalking and computer-related offenses
In the 2020 law, Article 67 dealt with “Non-consensual sharing of intimate images,” while Article 68 treated “Threat to distribute prohibited images and visual recordings.”
In the proposed draft amendment, Article 67A gets a new heading, “Cyberbullying and online harassment.” This article comprehensively seeks to legislate the use of the internet or any form of electronic medium or technology to bully a child or an adult. A proposed insertion of Article 67B also deals with cyberstalking of a person.
5 – Cyber-related fraud and forgery
Two other major insertions were cyber-related fraud and forgery offenses captured in articles 95A and 95B of the amendment. The articles spell out the circumstances under which cyber fraud and forgery can be established and the applicable sanctions under available legislation.
Critique on social media
Again Nana Boateng (@koboateng) on X, in a thread critiquing the draft amendment bill, questioned the wide-ranging powers that the CSA was being given. “The Bill provides no independent oversight over these inspections beyond internal CSA authorisation. There’s no outside body checking these inspections, only the CSA itself decides when and how they happen.”
In his view, the Cybersecurity (Amendment) Bill 2025 “goes far beyond protecting citizens from hackers. It gives the government sweeping powers over data, technology, and even who gets to work in the digital space.
“Some of these powers are necessary for national security, but without strict oversight, clear limits, and judicial control, they can easily become tools for surveillance and abuse. Ghana needs cybersecurity laws but not at the expense of privacy, free speech, and innovation,” he added.
The CSA, through the Communication Ministry, is, however, accepting inputs into the drafted document as part of broader stakeholder consultations on the draft amendment, which has gained a lot of traction, especially online.
The process to submit feedback is via this link on the CSA website. The public consultation period concluded on October 24, 2025, but has been extended to November 14, 2025.
