Ghana: Implemented Cybersecurity Act 2020 (Act 1038) including security measures for critical information infrastructure providers

On 29 December 2020, the Cybersecurity Act 2020 (Act 1038) entered into force following its signing and publication in the official gazette. The Act outlines measures for the designation, registration, and management of critical information infrastructure (CII). The Minister, advised by the Authority, can designate computer systems or networks as CII if they are essential for national security, economic and social well-being, or public safety. Designated CII must be registered with the Authority, and any changes in ownership must be reported within seven days. The Authority can conduct periodic audits to ensure compliance with the Act's provisions. Owners of CII must report cybersecurity incidents within 24 hours and submit audit reports to the Authority. Unauthorised access to CII is prohibited, with penalties including fines and imprisonment. The Act also establishes the National Computer Emergency Response Team (CERT) and Sectoral CERTs to respond to cybersecurity incidents. These teams coordinate responses, collect incident data, and submit monthly reports to the Authority. The Authority may establish a cybersecurity incident monitoring and response system, including an early warning system for public advisories. Institutions must report cybersecurity incidents to the relevant CERT within 24 hours, with non-compliance resulting in administrative penalties.