The Ministry of Communications, Digital Technology, & Innovations wants to introduce the bill
One of Ghana’s veteran business journalists, now based in New York, reached out and asked if I had been following the NITA bill debate. Sadly, I hadn’t. Too much going on.
He pressed, subtly but firmly, so I did.
I appreciate the ambition of the current management at the Ministry. I am sure they want their names in neon above Black Star Square. But there is a serious katanomic odour blowing from the bill they are promoting.
They would do well to assemble a group of truly independent tech folks from the ICT chamber, not just a bunch of their friends, listen hard, talk less, and take the advice. If they did, they would gut that manuscript and return to the drawing board.
Here is why, based on my quick take on the bill.
Bottom line
The Ministry of Communications, Digital Technology, & Innovations (MOC) does not merely appear to be proposing to “license IT professionals.”
The draft NITA Bill is much bigger. The plan is to convert NITA from a coordinating ICT agency into a broad digital-sector regulator with powers over ICT infrastructure, cloud, SaaS, digital platforms, public-sector technology procurement, professional certification, business premises, mergers, ownership, standards, audits, sanctions, and even the structure of government digital infrastructure. It is a wholesale revamp.
No one would have quarrelled with the bill if it had focused on the big problems in the sector: public sector procurement indiscipline and a lack of incentives for R&D and support for local tech innovations.
Ghana certainly needs improved standards and practices in digital assurance, interoperability, and accountability for critical systems (already captured in the “critical infrastructure” policy).
The katanomics arise when, instead of learning from national mistakes and proposing workable solutions, one jumps the process to venture into a whole range of areas where the country absolutely lacks policy experience.
1. MOC’s Proposals
The draft/consultation bill proposes as follows:
A stronger NITA “Authority”
The Bill would establish NITA as a regulatory authority for ICT and digital services, with objects including regulation, coordination, promotion, standards, licensing, certification, interoperability, digital innovation, and public-sector ICT personnel management.
Mandatory licensing of ICT business activity
Section 35 (the bombshell that has sparked so much controversy). It says no person may engage in business or a related activity in the ICT sector unless granted a licence. It expressly includes installation of ICT infrastructure, development or provision of ICT products and services, and activities requiring licensing or certification. Doing any of these without a licence could get one jailed, or at best fined.
Who is to be licensed?
Section 36 lists categories such as public/commercial ICT infrastructure, cloud hosting, SaaS providers, government digital services partnerships, national digital platform operators, data centre operators, and any other category the Authority later determines.
Citizen-only ownership qualification
Section 37 says a licence applicant must be an adult Ghanaian citizen, or a company/partnership/association/body “wholly owned by a citizen.” Essentially, it would now be illegal to engage remote experts to work on a system deployed in Ghana. Essentially, half the whiz kids in Silicon Valley would have been ineligible to build their genius gizmos had America had a law like this.
Certification of ICT professionals
Section 46 says a person shall not be appointed as an ICT professional in a public or private institution unless certified by the Authority, and that NITA shall determine the criteria and procedure. (Funnily, this contradicts the definitions section where “certified professional” is confined to the public sector.)
Closure, seizure, suspension and enforcement powers
NITA could close premises or facilities, seize ICT products/equipment, suspend business, revoke licences, and impose administrative penalties in specified circumstances.
M&A and business-structure control
Section 49 appears to require NITA approval before sale, transfer, merger, amalgamation, or alteration of the nature of an ICT service provider’s business.
There are also some less controversial proposals about setting up a special purpose national e-government vehicle, promoting transparency and interoperability, and preventing vendor lock-in.
Let’s focus, however, on the areas of the Bill that have rankled so many ICT professionals and would clearly not have seen the light of day if the Ministry bosses had done any serious sounding beyond their clique.
2. What do they mean by “ICT professional” anyway?
“IT/ICT professional” is not like “nurse,” “electrician,” “lawyer,” “chartered accountant,” or “professional engineer.” Those occupations usually have a more defined body of practice, recognised training path, public-risk rationale, and a reserved act or protected title.
“ICT” and “IT” are very loose umbrella terms. International occupational systems do not treat ICT as one unified profession. The International Standard Classification of Occupations classifies jobs by skill level and specialisation, not by one vague “IT professional” identity.
Eurostat and O*NET both list many distinct computer and mathematical occupations within that bracket: software developers, network architects, cybersecurity analysts, database administrators, web developers, data scientists, support specialists, QA testers, IT project managers, and many more.
Is the government of Ghana going to insist on licensing every single person in Ghana who builds a website, uses Microsoft Power BI to create some charts for a company, or deploys mermaid to craft some flyers for an event organiser?
The whole idea is totally ridiculous.
A more sensible approach would be to pry the ICT chest open and only target the most critical functions. Example:
Critical Public Digital Infrastructure management (with a clear and rigorous process properly defined as to how any system gets to be elevated to that status to begin with);
Financial services cybersecurity auditing;
Tier II & III datacenter operations;
Public hospital digital health network administration;
Public ERP procurement readiness certification.
The bill could then have said that for those functions, licensed professionals are required. The licensing regime would then have been constructed in an industry-led fashion much like we have in leading accounting jurisdictions. Frankly, the civil service is the last place to situate licensing for a dynamic sector like ICT.
More importantly, under no circumstances should any government aspire to poke its long nose into stuff like “writing code,” “installing a router,” “maintaining a school website,” “handling some graphic design,” “being a product manager at a food delivery company,” “using AI to generate a UI for a service,” or “working in an IT department of a small law firm.” The risks are not national-scale and employers should be left to manage their own personnel validation.
3. Ghanaian laws already provide some protection
A standard feature of Katanomics is to pile laws upon laws without much effort being spent on reviewing how the current laws are performing, why gaps, if any, have formed, and what the lessons really teach.
The Cybersecurity Act creates a targeted licensing/accreditation regime for cybersecurity service providers, establishments, professionals and practitioners. That makes sense because cybersecurity services can create high systemic risk, and the Act contains a specific institutional mandate around cyber protection. If that has not stopped fraud in banks and telcos, there is a need to enhance our understanding and respond accordingly.
The Data Protection Act regulates controllers and processors of personal data, requires registration, imposes security obligations, requires written processor arrangements, and provides breach-notification duties. If the Data Protection Commission is only taking fees and isn’t really measuring up, the right approach is to fix it.
The Engineering Council could decide to create top-tier categories for “software engineering,” as well as hardware and electronic engineering if it aims to elevate the field. It already has the pedigree and legal infrastructure to proceed if it deems the time right.
4. But don’t other countries already do this?
Well, some have tried but the lessons are worth taking.
Nigeria, for instance. The Computer Professionals Registration Council of Nigeria was created under a 1993 law and has a broad mandate over persons and organisations providing computing professional services.
The arrangement in Nigeria has gone nowhere. The country still has a huge informal and startup-driven tech sector. In practice, broad computing-profession regulation tends to become procurement gatekeeping, dues, professional conferences, anti-“quackery” rhetoric, and credential signalling. It has generated nothing of clear value to the sector.
Canada shows a narrower and more legally coherent model. Engineering regulators restrict titles such as “software engineer,” “computer engineer,” and “firmware engineer” where those titles imply professional engineering. But even there, regulators recognise that not all software development is software engineering. The Canadian fights over “software engineer” titles show how hard it is to map old professional-engineering concepts onto modern tech labour markets.
The United States tried a software-engineering professional-engineer exam pathway. The software engineering PE exam was first offered in 2013 and discontinued after 2019 because candidate numbers were too low.
Almost everywhere else, the approach has been to rely more on voluntary professional bodies, chartered status, competence frameworks, sector standards, procurement rules, data protection, cyber regulation, product regulation, and critical-infrastructure obligations. In many of these contexts and jurisdictions, industry associations take the lead.
5. It can get absurd pretty quickly
Meanwhile, AI has thrown a wrench into the whole wheel of what “IT work” even means today.
In the pre-AI world, one might imagine a recognisable “software developer” writing code manually. In the AI world, a founder describes an app to a model, a non-technical employee uses AI to build an internal workflow, a designer generates front-end code, a business analyst deploys automations, and a cloud platform assembles infrastructure through templates. Who is the “ICT professional” here? The geography graduate with a few hours on Reddit and Stack Overflow under her belt typing out prompts? The AI tool vendor? The person who clicks deploy? The person who reviews the code? The company using the system?
A licensing regime based on “professional identity” will clash with AI-generated work because AI diffuses technical production across the entire economy. The more powerful AI gets, the less realistic it becomes to require every producer of digital functionality to hold a state-issued ICT license. Once again, if the Ministry had engaged beyond their small clique, everyone would have told them.
6. Hardware, networking and informality
On the physical device and network level, the absurdity starts to get out of hand.
Ghana’s ICT economy is not made up of just software startups. It includes laptop repairers, phone technicians, CCTV installers, router vendors, fibre/cabling contractors, school computer-lab maintainers, POS support agents, small network installers, market traders selling peripherals, informal refurbished-device dealers, cybercafé operators, church/media livestream technicians, and thousands of small businesses that keep digital life functioning. All these people are using ICT and making a living in the ICT-enabled economy.
If enforced aggressively, the scheme could:
raise the cost of basic repairs and installations;
push informal technicians further underground;
create opportunities for inspectors and middlemen to extract bribes;
make small businesses operate through “certified” fronts;
reduce access to affordable hardware support in rural and low-income areas;
increase e-waste if repair markets are chilled;
make public-sector maintenance more expensive by reducing the pool of eligible providers.
It is a whole mess, and must be reined in before it transmutes from panic to catastrophe.
7. And the MESS doesn’t end there
The citizen-only ownership clause is potentially devastating. A Ghanaian startup with foreign VC, non-citizen co-founders, regional holding structures, offshore investors, or employee stock held by non-citizens may struggle if licensed ICT activity requires wholly citizen ownership. This may be more economically explosive than the “IT professionals” headline.
NITA, the Cyber Security Authority, Data Protection Commission, National Communications Authority, Bank of Ghana, Ghana Standards Authority, Public Procurement Authority, GIPC, Engineering Council, and sector regulators may all touch the same digital product. A fintech, for example, could face payment regulation, data protection registration, cybersecurity obligations, NITA licensing, cloud/data-centre requirements, and public procurement rules. The cost of doing business is already too high. Don’t make it worse!
The Bill includes criminal offences, administrative penalties, licence suspension, business prohibition, closure, seizure, and penalties for negligent cybersecurity breaches or false certification claims. Some of that is justified for critical misconduct, but excessive criminalisation can chill innovation and incident reporting.
Now imagine:
A small NGO building a data-collection app could be treated as developing/providing an ICT product.
A small periurban school near Techiman appointing a self-taught but competent ICT teacher or network administrator could run into the Section 46 certification requirement if “ICT professional” is read broadly.
A startup adding cloud hosting, AI features, or platform functionality might need to ask whether it has changed the “nature” of its ICT business and needs approval.
A Ghanaian founder could be treated less favourably after raising foreign investment than before raising it.
An AI-assisted non-programmer could produce useful code, while a formally certified but incompetent person is legally privileged.
Even worse:
The merger/alteration approval clause is dangerous because it turns ordinary corporate switches into a whole regulatory fanfare. Startup pivots, acquisitions, restructurings and investment rounds depend on speed and certainty.
More licensing layers are likely to lead to slower product launches, especially in already tough fields like fintech. Think also about the higher legal costs, and more uncertainty for firms already dealing with Bank of Ghana, data protection, cybersecurity and AML obligations.
Paradoxically, overregulation can weaken cybersecurity. Small operators may avoid registration, breach reporting, or formal contracts because contact with the regulator feels dangerous.
Conversely, employers may over-apply the law and require NITA certification for analysts, IT support, product managers, data officers, website administrators, and junior developers, even where the legal risk is unclear.
Moreover, Ghana participates in regional and continental liberalisation frameworks, including ECOWAS free movement/establishment principles and AfCFTA services liberalisation. A broad citizen-only ICT licensing scheme may create avoidable trade and investment friction, even if Ghana retains policy space to regulate for legitimate objectives.
It is true that the Bill creates an appeals tribunal, but the tribunal is appointed through ministerial processes and funded through NITA’s funds. Appeals to the Court of Appeal, on the other hand, are limited to points of law. That may be insufficient for a regime with such heavy commercial consequences.
9. A better law might look something like this
The Bill should be rewritten around regulated activities, not “IT professionals.”
The following quick fixes would be a good start:
Replace the broad Section 35 ban with a schedule of licensable high-risk ICT activities: public & sensitive commercial digital infrastructure, critical data centres, public cloud for government/critical sectors, critical SaaS for public services, cybersecurity-sensitive operations, and national platform operators.
Rewrite Section 46 so certification applies only to defined risk roles: public-sector chief information/security officers, critical infrastructure administrators, certified ICT auditors, digital identity administrators, public procurement sign-off professionals, and cybersecurity-sensitive roles. For everyone else, use voluntary certification or title protection.
Add exemptions for employees doing internal work, students, hobbyists, open-source contributors, micro repairers, ordinary retail sales, internal IT departments, low-risk website/app development, and small businesses below clear thresholds.
Remove or radically narrow the citizen-only ownership rule. Use public-procurement preferences, local-capacity requirements, security vetting for sensitive contracts, and Ghanaian participation incentives instead of a blanket nationality-based ownership restriction.
Limit transaction approvals to changes of control of high-risk licensees. Do not require approval for ordinary pivots, product changes, share issuances, acquisitions outside sensitive categories, or internal restructuring.
Create a lead-regulator rule. If the CSA, DPC, NCA, Bank of Ghana or another regulator already licenses the core risk, NITA should coordinate through memoranda and joint standards, rather than duplicating permissions.
Hardwire due process in. The Bill should require published criteria, fee caps, timelines, deemed approvals where appropriate, written reasons, appeal stays except in emergencies, warrant requirements for seizure except in imminent-risk cases, and compensation for wrongful closure.
Build an AI-specific assurance layer. Require secure development practices, AI-use documentation, human review for high-risk systems, logging, testing, model/data governance, incident reporting and audit trails. Avoid creating an “outmoded at birth” bill because of a failure to take AI into account.
Be sensitive to the informal economy. Ensure long transition periods, recognition of prior learning, apprenticeship routes, low-cost micro-certification, mobile registration, district-level support, and no criminal enforcement for low-risk actors during transition.
Require a regulatory impact assessment before commencement. The government should publish expected costs, affected occupations, SME effects, competition analysis, trade implications, institutional overlaps, enforcement budget, and anti-corruption safeguards.
Conclusion: the Ministry is off the bar but they can have another go
A careful NITA law could be one of Ghana’s most anti-katanomic and groundbreaking digital economy reforms. Especially if it focuses on fixing wasteful, opaque, and poorly thought through public ICT procurement.
But a careless version could become a massive burden on the heads of a struggling, still nascent, technology sector. The draft bill tilts more to the latter than the former.
The MOC should get off its high horse while there is still time, abandon the bill in its current form, return to the drawing board, and come back with something more aligned with modern realities.