Ghana's Cybersecurity Amendment Bill risks turning protection into control

The new Cybersecurity (Amendment) Bill, 2025, though presented as a step toward strengthening Ghana’s digital resilience, feels overly rigid and risks crossing the line between protection and control.

While cybersecurity is crucial in this age of rampant scams, AI manipulation, and data breaches, the Bill in its current form gives too much unchecked power to the Cyber Security Authority (CSA). This could lead to overregulation, reduced privacy, and an erosion of freedom online values that are essential in any democratic society.

For example, Section 3, which expands the CSA’s mandate to license and certify all cybersecurity practitioners and service providers, might appear helpful on paper but could have the opposite effect in practice.

The provision, if left unmodified, risks creating a bureaucratic chokehold on small innovators, independent researchers, and ethical hackers who may not have the means to meet strict licensing demands.

Instead of fostering a vibrant cybersecurity ecosystem, it could discourage creativity and limit opportunities for skilled individuals outside major corporations.

Similarly, Sections 4 and 6, which address cyber incident reporting and enforcement, are too broadly worded. The vague language could be exploited to justify excessive monitoring of online activity under the guise of “incident investigation” or “threat prevention.”

Without strict safeguards, these sections could be used to intimidate citizens, journalists, or activists whose online expression challenges authority. Cybersecurity must never become a tool for digital surveillance or censorship.

Moreover, while Section 5 seeks to improve data protection, it still leaves too much power concentrated in the hands of the CSA. There must be a clear separation between cybersecurity enforcement and data governance to prevent abuse.

The collaboration between the CSA and the Data Protection Commission should not mean the CSA can access citizens’ private data without oversight. Transparency and accountability must be explicitly built into the law.

To make the Bill more balanced, Ghana must strengthen oversight mechanisms so that no authority can act unilaterally. The CSA should be subject to parliamentary or judicial review before intercepting, monitoring, or investigating private communications. Such checks will ensure that cybersecurity measures do not infringe on citizens’ constitutional rights to privacy and free speech.

The licensing system should also be restructured to be more inclusive and practical. Instead of applying a one-size-fits-all requirement, the law should distinguish between corporate cybersecurity firms, government contractors, and individual professionals. Independent researchers, startups, and ethical hackers should have flexible registration options that encourage participation, not exclusion.

In addition, the investigative powers of the CSA must be clearly defined. Any digital surveillance or data access must require a court warrant and follow strict legal conditions. This will protect ordinary citizens from unauthorized intrusion while still enabling legitimate cyber investigations when truly necessary.

Transparency is equally vital. The CSA should be required to publish annual public reports detailing the number of investigations conducted, data accessed, and cases prosecuted. Public accountability builds trust, which is the foundation of effective cybersecurity.

Finally, the Bill should make public consultation a legal requirement before major cybersecurity directives or policies take effect. This will ensure that the voices of citizens, businesses, civil society, and the tech community are heard in shaping Ghana’s digital future. Laws built through collaboration are more likely to be respected, effective, and sustainable.

In its current form, the Cybersecurity Amendment Bill, 2025 risks turning Ghana’s digital space into a tightly controlled environment where expression and innovation are limited. Cybersecurity should not come at the cost of freedom.

The government must ensure that its desire to protect the nation online does not inadvertently create fear and silence among its citizens. Real digital security empowers people, it doesn’t police them.