Ghana: Implemented CSA Directive for the Protection of Critical Information Infrastructure (CII) including 24-hour incident reporting and 72-hour vulnerability disclosure obligations

On 1 October 2021, the Cyber Security Authority (CSA) adopted and implemented the Directive for the Protection of Critical Information Infrastructure, pursuant to the Cybersecurity Act 2020 (Act 1038). The Directive requires designated CII Owners to develop board-approved cybersecurity policies, appoint accountable officers, and implement technical and organizational measures, such as asset protection, access control, and employee training. Designated CII Owners are also mandated to conduct regular risk assessments and audits, report cybersecurity incidents to the relevant authorities within 24 hours and disclose any vulnerabilities identified during assessments within 72 hours. These measures are designed to ensure the confidentiality, integrity, and availability of Ghana’s Critical Information Infrastructure, with penalties for non-compliance.