The path to the Cybersecurity (Amendment) Bill, 2025, is confronted by a delicate balance, the question is, how to secure Ghana’s digital infrastructure without compromising the constitutional architecture that underpins the rule of law. The draft Bill, while ambitious in expanding Ghana’s cybersecurity defences, stretches the Cyber Security Authority’s (CSA) remit far beyond its original purpose as a civilian coordination body.
The AGNOS Legal Company submission commends government’s intention to update the 2020 Cybersecurity Act to meet modern threats but argues that the Bill, in its present form, risks mission drift, constitutional tension, and regulatory duplication. In a country that prides itself on democratic accountability, legal certainty, and policy coherence, cybersecurity legislation must not only be powerful but must be principled.
Guarding Constitutional Boundaries in a Security-Sensitive Domain
The first major concern identified by AGNOS lies in Sections 3, 4A, and 5 of the Amendment Bill, which re-engineer the Authority’s objectives, functions, and governance composition. Section 3 expands the Authority’s “objects” beyond coordination to include prevention, detection, and confiscation of cybercrime proceeds. Section 4A then formalises a sweeping set of “further functions,” from investigating and prosecuting offences to setting technical standards for artificial intelligence, cloud computing, quantum technologies, and even “digital rights.”
Guarding Constitutional Boundaries in a Security-Sensitive Domain
The first major concern identified by AGNOS lies in Sections 3, 4A, and 5 of the Amendment Bill, which re-engineer the Authority’s objectives, functions, and governance composition. Section 3 expands the Authority’s “objects” beyond coordination to include prevention, detection, and confiscation of cybercrime proceeds. Section 4A then formalises a sweeping set of “further functions,” from investigating and prosecuting offences to setting technical standards for artificial intelligence, cloud computing, quantum technologies, and even “digital rights.”
This expansion, AGNOS contends, would convert a regulatory agency into an enforcement arm of government—a profound constitutional shift. Article 88 of Ghana’s Constitution vests the power to prosecute in the Attorney-General (AG) alone. Any entity exercising criminal or quasi-criminal authority must act under the AG’s direction or fiat. The proposed amendments, by granting autonomous enforcement and prosecutorial roles to the CSA, erode this fundamental safeguard.
The precedent from other jurisdictions is clear: in the United Kingdom, the National Cyber Security Centre (NCSC) is explicitly non-enforcement; in Singapore, the Cyber Security Agency coordinates but does not prosecute; in the United States, CISA remains a civilian technical agency. Ghana would therefore stand nearly alone in merging regulatory, investigatory, and punitive powers in a single authority—a concentration that undermines checks and balances and creates conflicts of accountability between the CSA, the Ghana Police Service, EOCO, and the AG’s Department.
AGNOS recommends that the law reaffirm the CSA’s civilian mandate and tether any enforcement activity to written fiat from the Attorney-General, supported by Memoranda of Understanding (MoUs) defining how referrals, joint investigations, and evidence management occur. This ensures collaboration without constitutional trespass.
Overlapping Mandates and the Perils of Regulatory Inflation
A second layer of concern arises from the Bill’s uncoordinated expansion of institutional powers. Ghana already operates a dense digital-governance ecosystem: the Ghana Standards Authority (GSA) sets and certifies technical standards; the National Communications Authority (NCA) regulates networks and telecommunications; the Bank of Ghana (BoG) oversees FinTech and payment systems; and the Data Protection Commission (DPC) enforces privacy compliance.
By empowering the CSA under Sections 58A and 59 to certify the security of emerging technologies including AI, blockchain, cloud, and quantum. The Bill effectively duplicates functions already dispersed across these agencies. AGNOS points out that such overlaps can breed confusion and inefficiency. Multiple regulators demanding separate audits or certifications would drive up compliance costs, fragment oversight, and invite forum shopping. The danger is not hypothetical: similar overlaps in financial-sector supervision during the late 2010s triggered regulatory disputes and delayed market innovation.
The AGNOS submission therefore proposes a structured inter-agency coordination model. Certification or standard-setting powers should only take effect through a Legislative Instrument (LI) issued after a Regulatory Impact Assessment (RIA) and formal concurrence with the GSA, NCA, BoG, and DPC. The LI would spell out scope, methodology, and cost implications, while the RIA would quantify economic effects on businesses.
To ensure adaptability, AGNOS further recommends a three-year sunset clause: any certification scheme should automatically expire unless Parliament renews it after review. This sunset mechanism forces periodic reassessment, preventing regulatory ossification and allowing the framework to evolve with technology.
Such procedural safeguards do not slow progress; they create confidence. Investors and innovators are more likely to engage in a system where regulatory lines are clear, costs predictable, and oversight rationalised. Cybersecurity policy should be an enabler of innovation, not a drag on it.
Institutional Independence, Fiscal Accountability, and the Rule of Law
Beyond functional overreach, AGNOS’s critique focuses sharply on governance and fiscal control. The amendment to Section 5 expands the CSA’s Board to include multiple Ministers and political representatives. While this may seem to enhance inter-ministerial coordination, it risks politicising the Authority’s decision-making and undermining professional autonomy. Excessive executive representation would reduce the role of independent experts and civil-society voices, violating the principle of balanced governance recommended by the Organisation for Economic Co-operation and Development (OECD) and International Telecommunication Union (ITU) for cybersecurity regulators.
AGNOS proposes limiting government voting members to one-third of the Board, designating other ministers as non-voting observers, and mandating the inclusion of representatives from industry, academia, and consumer advocacy groups. Furthermore, fit-and-proper tests, fixed terms, and conflict-of-interest declarations should be codified to insulate Board deliberations from partisan control. The Authority’s legitimacy in both domestic and international arenas depends on visible independence and transparency.
The submission also challenges the proposed financing model under Section 31, which earmarks fixed percentages of the Communications Service Tax and corporate tax, plus 50% of administrative fines, to the Cybersecurity Fund. This model, AGNOS warns, contravenes the Public Financial Management Act, 2016 (Act 921) by creating off-budget earmarking and removing parliamentary control over public funds. More troublingly, linking enforcement penalties to institutional revenue creates perverse incentives: the Authority could subconsciously prioritise high-yield enforcement over objective regulatory fairness.
To resolve this, AGNOS advises eliminating automatic tax shares and fine retention. The CSA should be funded through the annual Appropriation Act, supplemented by capped internally generated funds and subject to Auditor-General audits and annual reporting to Parliament. Transparent financial governance not only ensures accountability but also sustains international confidence in Ghana’s cybersecurity ecosystem, especially among development partners and investors.
Balancing Security, Autonomy, and Accountability
AGNOS’s recommendations reflect a unifying principle: effective cybersecurity cannot exist outside the constitutional rule of law. The expansion of regulatory powers must be matched by commensurate checks including judicial, fiscal, and parliamentary. This philosophy underpins its position on several other key clauses:
- The Joint Cybersecurity Committee (Section 13) should remain a coordination forum, not a supervisory body. Its role must be codified as advisory only, with a published charter and annual activity report to avoid duplication with the CSA Board.
- The policy-advisory powers (Section 14) should remain non-binding and harmonised with the mandates of the DPC, NITA, and National Security Advisor, ensuring coherence in national digital-security planning.
- The introduction of Deputy Directors-General (Section 15A) should come with fit-and-proper and removal safeguards to preserve professional integrity.
- Aligning CSA staff conditions with those of security agencies (Section 20A) risks securitising a civilian regulator; employment frameworks must stay within the Single Spine Salary Structure and comply with the PFMA.
- The conferral of police powers (Section 20B) on CSA executives must be withdrawn entirely and replaced with seconded law-enforcement officers operating under AG direction.
Taken together, these provisions reveal a consistent pattern: each seeks to strengthen operational control but inadvertently weakens accountability. The AGNOS position restores equilibrium by ensuring that every new power—be it financial, investigative, or administrative—is tethered to an appropriate legal safeguard.
Conclusion
The AGNOS submission closes with a reminder that cybersecurity is not merely a technical matter; it is an exercise in governance ethics. A secure digital environment depends on public trust, and trust is earned when citizens see that their rights, data, and freedoms are protected by transparent laws and accountable institutions.
Ghana’s cybersecurity evolution should therefore reflect its democratic maturity. The Bill should enhance and not dilute oversight, clarify not confuse mandates, and enable not replace collaborative regulation. By advocating RIAs, inter-agency MoUs, and sunset reviews, AGNOS is urging lawmaker to build a living law one that learns, adapts, and corrects itself in step with technological change.
If passed in its current form, the Bill risks concentrating too much authority in one institution and creating fiscal and functional contradictions across the digital-governance landscape. But if lawmaker embraces the spirit of the AGNOS proposals anchoring reform in constitutional prudence, institutional independence, and cooperative governance Ghana can achieve something rare: a cybersecurity law that is both strong and just.
The task before lawmakers is therefore not only to legislate for safety but to legislate for legitimacy. As AGNOS Legal Company argues, security powers exercised without constraint may deliver short-term control but long-term fragility. In contrast, power exercised within the boundaries of law and oversight yields durable resilience, the kind of cybersecurity that protects not only systems, but also citizens and democracy itself.
Author:
Desmond Israel, Esq. is a Lecturer and Head of Department of Public Law And Governance at the GIMPA Law School, He is also a Partner in charge of Cyberlaw & Technology Practice at AGNOS Legal Company and a Senior Policy Analyst with Institute for Liberty and Policy Innovation (ILAPI)
2 Comments
A WordPress Commenter
September 5, 2024Hi, this is a comment.
To get started with moderating, editing, and deleting comments, please visit the Comments screen in the dashboard.
Commenter avatars come from Gravatar.
A WordPress Commenter
December 14, 2025Hi, this is a comment.
To get started with moderating, editing, and deleting comments, please visit the Comments screen in the dashboard.
Commenter avatars come from Gravatar.