The Cyber Security Authority (CSA) has announced the commencement of the process of licensing Cybersecurity Service Providers (CSPs), accreditation of Cybersecurity Establishments (CEs) and Cybersecurity Professionals (CPs).

This is in pursuant to the Cybersecurity Act, 2020 (Act 1038), sections 4(k), 49, 50, 51, 57 and 59, which mandates the Authority to regulate the above activities.

The intent of the regime is to ensure regulatory compliance with the Cybersecurity Act, 2020 (Act 1038) and to certify that CSPs, CEs and CPs offer their services in accordance with approved standards and procedures in line with domestic requirements and industry best practices.

The licensing and accreditation regime will take effect from March 1, 2023, and will apply to existing and new CSPs, CEs and CPs. For a start, CSA will license Cybersecurity Service Providers in five key areas, namely; Vulnerability Assessment and Penetration Testing (VAPT), Digital Forensics Services, Managed Cybersecurity Services, Cybersecurity Governance, Risk and Compliance (GRC) and Cybersecurity Training. Cybersecurity professionals who have the relevant qualifications, demonstrable competence and industry experience shall also be accredited in the above areas as part of the regulations.

Accreditation of Cybersecurity Establishments will apply to Digital Forensics facilities and Managed Cybersecurity Service facilities operating in the country.

Background on the Licensing and Accreditation Regime.

Prior to the promulgation of the Cybersecurity Act, 2020 (Act 1038) and the establishment of the Cyber Security Authority (CSA), no government institution had the mandate to regulate cybersecurity service providers (CSP), cybersecurity establishments (CEs) and cybersecurity professionals (CPs) and the sector was generally not regulated.

It has become necessary that the industry is regulated by the CSA, to control cybersecurity risks and to protect the interests and safety of the Public, Children, Businesses, and Government. With the increasing rate of cybercrimes, CSPs, CEs and CPs have become critical components for mitigating cybersecurity threats and vulnerabilities within Ghana’s fast-developing digital ecosystem in line with the Cybersecurity Act, 2020 (Act 1038).

Cybersecurity services by its nature, are sensitive and intrusive. Cybersecurity service providers (CSPs), Cybersecurity Establishments (CEs) and Cybersecurity Professionals (CPs) normally gain access to clients’ critical information assets thereby gaining knowledge of existing vulnerabilities and sensitive information, which could be potentially abused or exploited. It is also possible to have CSPs, CEs, and CPs who may not be competent or who may employ substandard processes to the detriment of Ghana’s digital ecosystem. In addition, some businesses or government agencies lack the capability of ascertaining the credibility or qualification of CSPs, CEs or CPs especially since there is no repository of licensed and accredited CSPs, CEs or CPs.

Furthermore, national security considerations are driving regulations in the sector to ensure only persons and institutions which are qualified and in good standing undertake these critical services. The Government, through the CSA, regulates the sector by providing a licensing framework in accordance with Sections 49 to 59 of Act 1038 to ensure that CSPs, CEs and CPs attain a higher level of compliance with Act 1038 and standards in line with international best practices.

This is to provide assurance to the public and other key stakeholders that the cybersecurity services they procure from industry will support in securing their assets and processes.

Section 57 of Act 1038 mandates the CSA to establish a mechanism to accredit cybersecurity professionals. Such an accreditation process provides recognition to accredited cybersecurity professionals, who have proven demonstrable competence in their specific cybersecurity profession.

Section 59 of Act 1038 further mandates the CSA to enforce cybersecurity standards and monitor compliance by public and private sectors including cybersecurity establishments or institutions.