Cyber security operators to be licensed next year

THE Cyber Security Authority (CSA) is working actively towards a mandatory licensing regime for cyber security service providers by January next year.

This forms part of measures to sanitise the cyberspace.

Consequently, the authority is soliciting inputs from relevant stakeholders in the industry to help finalise its draft framework for licensing and accreditation.

When completed, the framework backed by the Cyber security Act, 2020 (Act 1038) will create a license regime to ensure that Cyber security Service Providers (CSPs), Cyber security Establishments (CEs) and Cyber security Professionals (CPs) strictly attain a higher level of compliance by January 1, 2023.

Sanctions

Failure to comply will attract both criminal and administrative sanctions.

Offenders risk being fined up to 5,000 penalty units equivalent to GH¢60,000 (GH¢12 x 5,000).

The acting Director-General (D-G) of the CSA, Albert Antwi-Boasiako, who made this known at a public consultation on licensing cyber security service providers in Accra on October 5, stated that the authority was working within schedule to meet the January 1, 2023 implementation date.

“The governing board of the CSA set a deadline for the authority indicating that effective January 1, 2023, every business that provides cyber security services needs to be licensed and that is what we are working towards,” he said.

Public consultation

The public consultation was organised by the CSA to collect inputs from stakeholders in the country’s cyber security space.

After the consultation, a final draft will be tabled before the board of CSA for approval to pave the way for implementation to start in January 2023.

The Ag D-G stated that with the new regime, an institution or individual would be mandated to apply for a practising license from the CSA and be granted before it could be recognised as a cyber security service provider.

He said the mandatory licensing, which was backed by Act 1038, would ensure that there was sanity within the industry in terms of capabilities and acceptable ways of conducting sensitive services in the country.

Protecting critical systems

Mr Antwi-Boasiako stated that Section 49 of the act introduced the mandatory licensing for cyber security service providers to improve the cyber security space.

“Internally, we had deliberations; the authority had produced a framework document with the support of certain key people within the industry,” he said.

He stated that while the new act might not address every single cyber security problem facing the country, it remained Africa’s best and among the top globally.

He said the provisions on the protection of critical information infrastructure, incident reporting and response, licensing and accreditation, the recognition of industry as a critical component of Ghana’s cyber security architecture, as well as regulations on lawful access to data for law enforcement purposes, were some of the areas from which the act drew its strength.

He observed that cyber security regulations had the benefit of protecting the country’s critical systems and its digital infrastructure.

Baseline requirement

The Functional Lead in-charge of Legal and Compliance at CSA, Ms Janifer Mensah, said when the new regime took effect, it would license cyber security service providers and provide accreditation for cyber security establishments and professionals.

“The accreditation process seeks to cover professionals who are rendering services in the cyber security space. The baseline requirement will cover the work experience, certification, as well as recommendation and references from current and previous employers.

“The duration for the accreditation certificate will be for a period of two years. The accreditation will be subject to certain terms and conditions, including continued professional development and adherence to some professional code of conduct,” she said.

The functional lead noted that the new regime would also introduce a mechanism for accrediting cyber security professionals from abroad who wished to work in the country’s cyberspace.