Effective October 1, this year, no cyber security entity, service provider or professional can offer service to a public sector institution in Ghana without licensing and accreditation from the Cyber Security Authority (CSA).
This is in compliance with Cybersecurity 2020 (Act 1038) and guidelines for licensing of cyber security service providers and accreditation of cyber security entities and professionals.
The CSA commenced a mandatory licensing regime for cyber security service providers and professionals on March 1, 2023.
It had so far registered 448 cybersecurity professionals, 25 entities and 92 service providers.
This was announced at a media engagement on collaborations between the Cyber Security Authority and the Public Procurement Authority to ensure the enforcement of the licensing regime.
The Director-General of the CSA, Dr Albert Antwi-Boasiako, said the authority had offered a grace period until September 30, 2023, for service providers and operators to obtain a licence or accreditation for their activities.
He said the rationale for the enforcement was to ensure cyber security entities, service providers or professionals carry out their activities in accordance with international best practices.
Dr Antwi-Boasiako said that when the regulation was fully enforced, the country would become the first African nation among the top 25 countries in the world, and would also improve its International Telecommunication Union (ITU) global cyber security index ranking from third to first position.
“Our website will have a depository of licensed cyber security entities, service providers, or professionals where you can visit and know who is licensed,” he added.
The Chief Executive Officer of PPA, Frank Mante, said the authority had resolved to ensure full compliance in order that public sector entities engage firms that were licensed or certified by the CSA for all contracts relating to cyber security.
That, he said, would cover sole sourcing, restricted sourcing and any form of competitive tendering, adding that “cyber security is a serious issue”.
Mr Mante said it would also contribute to the overall objective of his outfit’s objective of harmonising processes of public procurement to ensure the judicious and efficient use of state resources.
“It is going to be a qualification requirement so if you do not have a licence from the cyber security authority you will be dropped at the initial stages of consideration for contracts.”
“So entities taking part in procurement processes to be awarded tenders must include proof of licence,” he said.
The Lead in charge of Legal and Compliance at the CSA, Jennifer Mensah, mentioned the sanctions to include the application of administrative penalties, and for habitual offenders, it will attract criminal sanctions of imprisonment of not less than two years.
Licence holders who flout the laws and the conditions of accreditation would have their licences revoked.
She explained that the sanctions were intended to serve as a deterrent and also to ensure compliance with the law.