CSA begins licensing, accreditation of Cybersecurity Service Providers, others
In a significant move to ensure greater regulatory compliance with the Cybersecurity Act, 2020 (Act 1038), the Cyber Security Authority (CSA) of Ghana has announced the commencement of licensing for Cybersecurity Service Providers (CSPs) and accrediting Cybersecurity Establishments (CEs) and Cybersecurity Professionals (CPs). Pursuant to sections 4(k), 49, 50, 51, 57, and 59 of the Act, the CSA will certify that CSPs, CEs, and CPs offer their services in line with approved standards and procedures in accordance with domestic requirements and industry best practices.
As part of the regulatory process, the CSA will first license existing and new CSPs, followed by the accreditation of CEs and CPs. The licensing regime will consider areas such as Vulnerability Assessment and Penetration Testing, Digital Forensics Services, Managed Cybersecurity Services, and Cybersecurity Governance, Risk, and Compliance. The scope of accreditation to Cybersecurity Establishments will consider Digital Forensics Facility and Managed Cybersecurity Service Facility.
The CSA’s move comes as Ghana’s fast-developing digital ecosystem faces increasing cybersecurity risks and vulnerabilities. Cybersecurity services, by their nature, are intrusive and can gain access to clients’ critical information assets. Thus, the regulatory exercise seeks to provide greater assurance of cybersecurity and safety to consumers, improve and maintain standards, and offer baseline protection to Ghana’s digital ecosystem.
Moreover, the CSA’s regulatory exercise aims to ensure that only qualified professionals with the appropriate certification provide cybersecurity services to support a secure and resilient digital ecosystem. This move will also give recognition to the cybersecurity profession as a critical profession to support and sustain the current digital transformation agenda. The CSA will enforce cybersecurity standards and monitor compliance by the public and private sectors, including Cybersecurity Establishments or institutions.
For existing CSPs already engaged in the business of providing cybersecurity services, the CSA will provide a six-month period from March 1 to September 30, 2023, to apply for a license. Failure to obtain a license within this period will lead to the cessation of operations until a license is obtained from the Authority.
This regulatory exercise will have significant benefits to the industry and the country. It will control cybersecurity risks, protect the interests and safety of the public, children, businesses, and the government, and raise the quality of Cybersecurity Service Providers’ deliveries. Furthermore, it will provide assurance to the public and other key stakeholders that the cybersecurity services they procure from the industry are effective in securing their assets and processes.
However, CSPs who engage in the business of providing cybersecurity services without the requisite license after September 30, 2023, will be in contravention of the Cybersecurity Act, 2020 (Act 1038) and will be liable to pay administrative penalties. Nevertheless, CSPs who apply for a license by September 30 may continue to provide their service until a decision on the application has been made by the Cyber Security Authority. A license or accreditation granted is valid for two (2) years from the date of issuance, as provided for in Section 53(1) of Act 1038.
The Cyber Security Authority’s move to license Cybersecurity Service Providers and accredit Cybersecurity Establishments and Professionals is a step towards ensuring regulatory compliance with the Cybersecurity Act, 2020 (Act 1038), and industry best practices. The exercise will provide greater assurance of cybersecurity and safety to consumers, raise the quality of Cybersecurity Service Providers’ deliveries, and ensure that qualified professionals with the appropriate certification provide cybersecurity services to support a secure and resilient digital ecosystem. This move will also give recognition to the cybersecurity profession as a critical profession to support and sustain the current digital transformation agenda.