
Cybersecurity Act, 2020 (Act 1038)

From The Legal and Regulatory Framework of Ghana
Revision as of 14:30, 16 August 2024 by Oblitey

ARRANGEMENT OF SECTIONS

Preliminary

1. Application

Cyber Security Authority

2. Establishment of the Cyber Security Authority
3. Objects of the Authority
4. Functions of the Authority

Governance of the Authority

5. Governing body of the Authority
6. Functions of the Board
7. Tenure of office of members of the Board
8. Meetings of the Board
9. Disclosure of interest
10. Establishment of committees
11. Allowances
12. Policy directives
13. Joint Cybersecurity Committee
14. Functions of the Joint Cybersecurity Committee

Administrative Provisions

15. Appointment of Director-General
16. Functions of the Director-General
17. Secretary to the Board
18. Appointment of inspectors
19. Functions of inspectors
20. Appointment of other staff
21. Divisions of the Authority
22. Internal Audit Unit

Financial Provisions

23. Funds of the Authority
24. Bank account of the Authority
25. Borrowing powers of the Authority
26. Expenses of the Authority
27. Accounts and audit
28. Annual report and other reports

Cybersecurity Fund

29. Establishment of the Cybersecurity Fund
30. Object of the Fund
31. Sources of moneys for the Fund
32. Bank account for the Fund
33. Management of the Fund
34. Disbursement from the Fund

Critical Information Infrastructure

35. Designation of critical information infrastructure
36. Registration of critical information infrastructure
37. Withdrawal of designation of critical information infrastructure
38. Management and compliance audit of critical information infrastructure
39. Duty of owner of critical information infrastructure
40. Access to critical information infrastructure

National and Sectoral Computer Emergency Response Teams

41. Establishment of the National Computer Emergency Response Team
42. Functions of the National Computer Emergency Response Team
43. Responsibility of the Authority relating to response to cybersecurity incident
44. Sectoral Computer Emergency Response Team
45. Cybersecurity incident monitoring and response system
46. Early warning system

Cybersecurity Incident Reporting

47. Duty to report cybersecurity incident
48. Cybersecurity incident point of contact

Licensing of Cybersecurity Service Providers

49. Licensing of cybersecurity service providers
50. Application for licence
51. Grant of licence
52. Non-transferability of licence
53. Validity and duration of licence
54. Suspension of licence
55. Revocation of licence
56. Review of decision of Authority

Accreditation and Certification

57. Accreditation of cybersecurity professionals and practitioners
58. Certification of cybersecurity products and technology solutions

Cybersecurity Standards, Enforcement and Education

59. Cybersecurity standards and enforcement
60. Cybersecurity public awareness and education
61. Research and development programme

Protection of Children Online

62. Indecent image and photograph of a child
63. Dealing with child for purposes of sexual abuse
64. Aiding and abetting of child dealing for purposes of sexual abuse
65. Cyberstalking of a child
66. Sexual extortion

Other Online Sexual Offences

67. Non-consensual sharing of intimate image
68. Threat to distribute prohibited intimate image or visual recording

Cybersecurity and Investigatory Powers

69. Application for production order of subscriber information
70. Issue of production order for subscriber information
71. Application for interception of traffic data
72. Issue of interception warrant for traffic data
73. Application for interception of content data
74. Issue of interception warrant for content data
75. Duration and extension of a production order or an interception warrant
76. Interception capability
77. Retention of data

Realisation of Property

78. Freezing of assets
79. Realisation of property
80. Utilisation of proceeds of realisable property

Industry Forum

81. Establishment of Industry Forum
82. Industry code

Miscellaneous Provisions

83. International co-operation
84. Immunity of members of the Authority
85. Cybersecurity Risk Register
86. Request for information
87. Blocking, filtering and taking down illegal content
88. Co-operation
89. Oath of Secrecy
90. Trial court and procedural powers
91. Guidelines
92. Directives
93. Administrative penalties for contraventions
94. Unlawful access
95. General penalty
96. Regulations
97. Interpretation
98. Repeals and savings
99. Consequential amendments
100. Transitional provisions

SCHEDULES

FIRST SCHEDULE - Cybersecurity Services
SECOND SCHEDULE - Table of Administrative Penalties
THIRD SCHEDULE - Oath of Secrecy

PURPOSE

AN ACT to establish the Cyber Security Authority; to regulate cybersecurity activities in the country; to promote the development of cybersecurity in the country and to provide for related matters.

DATE OF ASSENT

29th December, 2020.

ACT

Preliminary

1. Application

(1) This Act applies to cybersecurity activities in the country.

(2) This Act shall be read together with other relevant enactments including the

(a) Criminal Offences Act, 1960 (Act 29);
(b) Evidence Act, 1975 (N.R.C.D. 323);
(c) Foreign Exchange Act, 2006 (Act 723);
(d) Anti-Money Laundering Act, 2008 (Act 749);
(e) Anti-Terrorism Act, 2008 (Act 762);
(f) Electronic Transactions Act, 2008 (Act 772);
(g) Electronic Communications Act, 2008 (Act 775);
(h) Economic and Organised Crime Office Act, 2010 (Act 804);
(i) Mutual Legal Assistance Act, 2010 (Act 807);
(j) Data Protection Act, 2012 (Act 843); and
(k) Payment Systems and Services Act, 2019 (Act 987).


Cyber Security Authority

2. Establishment of the Cyber Security Authority

(1) There is established by this Act the Cyber Security Authority as a body corporate.

(2) For the performance of functions, the Authority may acquire and hold property, dispose of property and enter into a contract or any other related transaction.

(3) Where there is a hindrance to the acquisition of land, the land may be acquired for the Authority under the State Lands Act, 1962 (Act 125) and the cost shall be borne by the Authority.


3. Objects of the Authority

The objects of the Authority are to

(a) regulate cybersecurity activities in the country;
(b) prevent, manage and respond to cybersecurity threats and cybersecurity incidents;
(c) regulate owners of critical information infrastructure in respect of cybersecurity activities, cybersecurity service providers and practitioners in the country;
(d) promote the development of cybersecurity in the country to ensure a secured and resilient digital ecosystem;
(e) establish a platform for cross-sector engagement on matters of cybersecurity for effective co-ordination and co-operation between key public institutions and the private sector;
(f) create awareness of cybersecurity matters; and
(g) collaborate with international agencies to promote the cybersecurity of the country.


4. Functions of the Authority

To achieve the objects under section 3, the Authority shall

(a) advise the Government and public institutions on all matters related to cybersecurity in the country;
(b) promote the security of computers and computer systems in the country;
(c) monitor cybersecurity threats within and outside the country;
(d) establish codes of practice and standards for cybersecurity, and monitor compliance with the codes of practice and standards by the public and private sector owners of critical information infrastructure;
(e) establish standards for certifying cybersecurity products or services;
(f) certify cybersecurity products or services in accordance with the standards established pursuant to paragraph (e);
(g) take measures in response to cybersecurity incidents that occur within and outside the country which may threaten
(i) national security;
(ii) the defence of the country;
(iii) the economy of the country;
(iv) international relations between the State and other countries;
(v) health of the public;
(vi) the safety of life and property; and
(vii) any other sector of the country likely to be affected by a cybersecurity incident;
(h) identify and designate critical information infrastructure and advise the Minister on the regulation of owners of critical information infrastructure to protect the critical information infrastructure of the country, in accordance with international best practice;
(i) provide technical support for law enforcement agencies and security agencies to prosecute cyber offenders;
(j) promote the protection of children online;
(k) issue licences for the provision of cybersecurity services specified in the First Schedule;
(l) establish standards for the provision of cybersecurity services specified in the First Schedule;
(m) support technological advances and research and development in cybersecurity to ensure a resilient and sustainable digital ecosystem;
(n) deploy strategies to implement research findings towards the promotion of the cybersecurity of the country;
(o) establish and maintain a framework for disseminating information on cybersecurity;
(p) submit periodic reports on the state of cybersecurity in the country to the Minister;
(q) educate the public on matters related to cybercrime and cybersecurity;
(r) build the capacity of persons in the public or private sector in matters related to cybersecurity;
(s) collaborate with law enforcement agencies to intercept or disable a digital technology service or product whose operation undermines the cybersecurity of the country;
(t) establish and maintain a national register of
(i) identified and potential risks;
(ii) the levels and impact of risks;
(iii) owners of critical information infrastructure; and
(iv) any other persons licensed or accredited to carry out cybersecurity activities; and
(u) perform any other functions which are ancillary to the objects of the Authority.


Governance of the Authority

5. Governing body of the Authority

(1) The governing body of the Authority is a Board consisting of

(a) the Ministers responsible for
(i) Communications;
(ii) the Interior;
(iii) National Security; and
(iv) Defence;
(b) the Director-General of the Authority;
(c) three persons from the Industry Forum nominated by the Industry Forum; and
(d) three other persons nominated by the President on the advice of the Minister, at least two of whom are women.

(2) The President shall nominate the Minister as chairperson of the Board.

(3) The chairperson and other members of the Board shall be appointed by the President in accordance with article 70 of the Constitution.


6. Functions of the Board

The Board shall, subject to the provisions of this Act,

(a) have oversight responsibility for the Authority;
(b) be responsible for the strategic direction and policies of the Authority;
(c) manage and disburse the Cybersecurity Fund in accordance with section 30; and
(d) ensure the efficient and effective performance of the functions of the Authority.


7. Tenure of office of members of the Board

(1) A member of the Board shall hold office for a period of four years and is eligible for re-appointment for another term only.

(2) Subsection (1) does not apply to the Director-General.

(3) A member of the Board, other than a member appointed under paragraph (a) or (b) of subsection (1) of section 5, may, at any time, resign from office in writing addressed to the President through the Minister.

(4) A member of the Board who is absent from three consecutive meetings of the Board without sufficient cause ceases to be a member of the Board.

(5) The President may, by a letter addressed to a member, revoke the appointment of the member.

(6) Where a member of the Board is, for a sufficient reason, unable to act as a member, the Minister shall determine whether the inability may result in the declaration of a vacancy.

(7) Where there is a vacancy

(a) under subsection (3), (4) or (5) or subsection (2) of section 9;
(b) as a result of a declaration under subsection (6); or
(c) by reason of the death of a member,

the Minister shall notify the President of the vacancy and the President shall, subject to section 5, appoint a person to fill the vacancy for the unexpired term.


8. Meetings of the Board

(1) The Board shall meet at least once every quarter for the conduct of business at a time and place determined by the chairperson.

(2) The chairperson shall, at the request in writing of not less than one-third of the membership of the Board, convene an extraordinary meeting of the Board, at a time and place determined by the chairperson.

(3) The chairperson shall preside at meetings of the Board and in the absence of the chairperson, a member of the Board, other than the Director-General, elected by the members present from among their number shall preside.

(4) The quorum at a meeting of the Board is seven members of the Board.

(5) Matters before the Board shall be decided by the majority of the members present and voting and in the event of an equality of votes, the person presiding shall have a casting vote.

(6) The Board may co-opt a person to attend a meeting of the Board but that person shall not vote on any matter for decision at the meeting.

(7) The validity of any proceedings of the Board shall not be affected by a vacancy among the members of the Board or by a defect in the appointment or qualification of a member.

(8) The Board shall, subject to this section, regulate the procedure for the meetings of the Board.


9. Disclosure of interest

(1) A member of the Board who has an interest in a matter for consideration by the Board

(a) shall disclose in writing the nature of that interest and the disclosure shall form part of the record of the consideration of the matter; and
(b) is disqualified from being present at or participating in the deliberations of the Board in respect of that matter.

(2) Where a member contravenes subsection (1), the chairperson shall inform the President in writing to revoke the appointment of the member.

(3) Without limiting any further cause of action that may be instituted against the member, the Board shall recover any benefit derived by a member who contravenes subsection (1).


10. Establishment of committees

(1) The Board may establish committees consisting of members of the Board and non-members or both, to perform a function of the Board.

(2) A committee of the Board composed of members and non-members shall be chaired by a member of the Board.

(3) A committee of the Board composed of non-members only shall be advisory.

(4) Section 9 applies to a member of a committee of the Board.


11. Allowances

Members of the Board and members of a committee of the Board shall be paid allowances determined by the Minister in consultation with the Minister responsible for Finance.


12. Policy directives

To achieve the object of this Act, the Minister may give directives in writing on matters of policy to the Board and the Board shall comply.


13. Joint Cybersecurity Committee

(1) There is established by this Act a Joint Cybersecurity Committee.

(2) The Joint Cybersecurity Committee consists of

(a) a Justice of the Superior Court of Judicature with the requisite knowledge and skills in cybercrime and cybersecurity matters, nominated by the Chief Justice;
(b) the Director-General of the National Information Technology Agency or a representative of the Director-General with the requisite knowledge and skills in cybercrime and cybersecurity matters, nominated by the Director-General;
(c) the Director-General of the National Communications Authority or a representative of the Director-General with the requisite knowledge and skills in cybercrime and cybersecurity matters, nominated by the Director-General;
(d) the Executive Director of the Data Protection Commission or a representative of the Executive Director with the requisite knowledge and skills in cybercrime and cybersecurity matters, nominated by the Executive Director;
(e) the Governor of the Bank of Ghana or a representative of the Governor with the requisite knowledge and skills in cybercrime and cybersecurity matters, nominated by the Governor;
(f) the Chief Executive Officer of the Financial Intelligence Centre or a representative of the Chief Executive Officer with the requisite knowledge and skills in cybercrime and cybersecurity matters, nominated by the Chief Executive Officer;
(g) the Director of the Bureau of National Investigations or a representative of the Director with the requisite knowledge and skills in cybercrime and cybersecurity matters, nominated by the Director;
(h) the Executive Director of the Economic and Organised Crime Office or a representative of the Executive Director with the requisite knowledge and skills in cybercrime and cybersecurity matters, nominated by the Executive Director;
(i) the Director-General of the Criminal Investigation Department of the Ghana Police Service or a representative of the Director-General with the requisite knowledge and skills in cybercrime and cybersecurity matters, nominated by the Inspector-General of Police;
(j) the Director of Operations of the National Security Council Secretariat or a representative of the Director with the requisite knowledge and skills in cybercrime and cybersecurity matters, nominated by the Head of the National Security Council Secretariat;
(k) the Director of the Bureau of National Communications or a representative of the Director with the requisite knowledge and skills in cybercrime and cybersecurity matters, nominated by the Director;
(l) the Director-General of Defence Intelligence or a representative of the Director-General with the requisite knowledge and skills in cybercrime and cybersecurity matters, nominated by the Chief of Defence Staff;
(m) the Comptroller-General of the Immigration Service or a representative of the Comptroller-General with the requisite knowledge and skills in cybercrime and cybersecurity matters, nominated by the Comptroller-General;
(n) the Director of External Intelligence or a representative of the Director with the requisite knowledge and skills in cybercrime and cybersecurity matters, nominated by the Chief of Defence Staff;
(o) a representative of the Ghana Armed Forces not below the rank of a Colonel with the requisite knowledge and skills in cybercrime and cybersecurity matters, nominated by the Chief of Defence Staff;
(p) the Director of the Public Prosecutions Division of the Office of the Attorney-General or a representative of the Director with the requisite knowledge and skills in cybercrime and cybersecurity matters, nominated by the Attorney-General;
(q) the Director-General of the Authority; and
(r) the Executive Director of the Ghana Domain Name Registry or a representative of the Executive Director with the requisite knowledge and skills in cybercrime and cybersecurity matters, nominated by the Executive Director.

(3) A nomination under subsection (2) shall be made in consultation with the Authority.

(4) The President shall appoint the members of the Joint Cybersecurity Committee.

(5) The Director-General of the Authority shall preside at meetings of the Joint Cybersecurity Committee and in the absence of the Director-General, a member of the Committee elected by the members present from among the number shall preside.

(6) The Joint Cybersecurity Committee shall meet at a time and place determined by the Director-General.

(7) The quorum at a meeting of the Joint Cybersecurity Committee is ten members.

(8) Matters before the Joint Cybersecurity Committee shall be decided by a majority of the members present and voting and in the event of an equality of votes, the person presiding shall have a casting vote.

(9) The Joint Cybersecurity Committee shall regulate the procedure for meetings of the Committee.

(10) Members of the Joint Cybersecurity Committee shall be paid allowances determined by the Minister in consultation with the Minister responsible for Finance.

(11) The Joint Cybersecurity Committee may establish sub-committees comprising members of the Joint Cybersecurity Committee and non-members, including representatives from the private sector, to perform a function of the Joint Cybersecurity Committee.

(12) A sub-committee established under subsection (10) shall meet regularly for the conduct of business where the exigencies require.

(13) The Joint Cybersecurity Committee shall have a Secretariat at the Headquarters of the Authority.


14. Functions of the Joint Cybersecurity Committee

(1) The Joint Cybersecurity Committee shall collaborate with the Authority and the sectors or institutions represented on the Committee for the implementation of relevant cybersecurity measures.

(2) The Joint Cybersecurity Committee is answerable to the Board in the performance of functions of office.


Administrative Provisions

15. Appointment of Director-General

(1) The President shall, in accordance with article 195 of the Constitution, appoint a Director-General for the Authority.

(2) The Director-General shall hold office on the terms and conditions specified in the letter of appointment.

(3) A person is qualified for appointment as a Director-General if that person

(a) has the relevant qualifications and expertise in cybersecurity matters; and
(b) is a person of proven integrity.


16. Functions of the Director-General

(1) The Director-General is responsible for the day-to-day administration and management of the Authority and is answerable to the Board in the performance of functions under this Act.

(2) The Director-General is responsible for the implementation of the decisions of the Board.

(3) The Director-General may delegate a function to an officer of the Authority but shall not be relieved of the ultimate responsibility for the performance of the delegated function.


17. Secretary to the Board

(1) The Authority shall designate a person appointed under section 20 as the Secretary to the Board.

(2) A person shall not be engaged as Secretary to the Board unless that person has

(a) a professional qualification that equips that person with the requisite knowledge and experience to perform the functions under subsection (3); or
(b) by virtue of an academic qualification, or as a member of a professional body, is considered by the Board as capable of performing the functions of the Secretary.

(3) The Secretary shall, subject to the directives of the Board,

(a) arrange the business of the Board;
(b) keep the minutes of the meetings and decisions of the Board in the form required by the Board; and
(c) perform any other functions that the Board or the Director-General may direct.

(4) The Secretary is answerable to the Board in the performance of the functions of office.


18. Appointment of inspectors

(1) The President shall appoint inspectors for the Authority.

(2) An inspector shall hold office on the terms and conditions specified in the letter of appointment and the emoluments of the inspector shall be charged on the funds of the Authority.

(3) A person is qualified for appointment as an inspector if that person

(a) has knowledge and background in technology and cybersecurity; and
(b) is a person of proven integrity.

(4) Despite subsection (1), an inspector appointed under this Act is not subject to the direction or control of a person or any authority in the performance of functions under this Act.


19. Functions of inspectors

(1) An inspector shall

(a) ensure that a production order or an interception warrant issued under this Act is used for the purpose for which the order or warrant was issued;
(b) ensure that data retained or retrieved in accordance with this Act is used for the purpose for which that data was retained or retrieved; and
(c) submit quarterly reports on the outcome of inspections carried out to the Board.

(2) The expenses incurred in the performance of the functions of an inspector shall be charged on the funds of the Authority.

(3) An inspector is answerable to the Board in the performance of the functions of office.


20. Appointment of other staff

(1) The President shall, in accordance with article 195 of the Constitution, appoint any other staff of the Authority that are necessary for the efficient and effective performance of the functions of the Authority.

(2) Other public officers may be transferred or seconded to the Authority or may give assistance to the Authority.

(3) The Authority may, for the efficient and effective discharge of the functions of the Authority, engage the services of consultants and advisors on the recommendation of the Board.


21. Divisions of the Authority

(1) The Board may establish divisions of the Authority that are necessary for the efficient and effective performance of the functions of the Authority.

(2) A division of the Authority shall be headed by a director.


22. Internal Audit Unit

(1) The Authority shall have an Internal Audit Unit in accordance with section 83 of the Public Financial Management Act, 2016 (Act 921).

(2) The Internal Audit Unit shall be headed by an Internal Auditor who shall be appointed in accordance with the Internal Audit Agency Act, 2003 (Act 658).

(3) The Internal Auditor is responsible for the internal audit of the Authority.

(4) The Internal Auditor shall, subject to subsections (3) and (4) of section 16 of the Internal Audit Agency Act, 2003 (Act 658), at intervals of three months

(a) prepare and submit to the Board, a report on the internal audit carried out during the period of three months immediately preceding the preparation of the report; and
(b) make recommendations in each report, with respect to matters which appear to the Internal Auditor as necessary for the conduct of the affairs of the Authority.

(5) The Internal Auditor shall, in accordance with subsection (4) of section 16 of the Internal Audit Agency Act, 2003 (Act 658), submit a copy of each report prepared under this section to the Director-General and the chairperson of the Board.


Financial Provisions

23. Funds of the Authority

The funds of the Authority include

(a) moneys approved by Parliament;
(b) administrative penalties;
(c) any other internally generated funds;
(d) loans, grants and donations approved by the Minister responsible for Finance;
(e) an amount charged on the Fund subject to the approval of the Board; and
(f) any other moneys approved by the Minister responsible for Finance.


24. Bank account of the Authority

The moneys for the Authority shall be paid into a bank account opened for the purpose, by the Authority with the approval of the Controller and Accountant-General.


25. Borrowing powers of the Authority

Subject to section 76 of the Public Financial Management Act, 2016 (Act 921), the Authority may obtain loans and any other credit facility on the guarantee of the Government from a bank or any other financial institution approved by the Minister responsible for Finance.


26. Expenses of the Authority

The expenses of the Authority shall be charged on the funds of the Authority.


27. Accounts and audit

(1) The Board shall keep books, records, returns and other documents relevant to the accounts in the form approved by the Auditor-General.

(2) The Board shall submit the accounts of the Authority to the Auditor-General for audit at the end of the financial year.

(3) The Auditor-General shall, within six months after the end of the immediately preceding financial year, audit the accounts and forward a copy each of the audit report to the Minister and the Board.

(4) The financial year of the Authority is the same as the financial year of Government.


28. Annual report and other reports

(1) The Board shall, within thirty days after the receipt of the audit report, submit an annual report to the Minister covering the activities and operations of the Authority for the year to which the annual report relates.

(2) The annual report shall include

(a) the report of the Auditor-General;
(b) a list of persons granted licences and accreditation in the year to which the annual report relates;
(c) the number and outcome of production orders and interception warrants issued under this Act in the year to which the annual report relates; and
(d) the report of an inspector attached as a separate report.

(3) The Minister shall, within thirty days after the receipt of the annual report, submit the report to Parliament with a statement that the Minister considers necessary.

(4) The Board shall submit to the Minister any other report which the Minister may require in writing.


Cybersecurity Fund

29. Establishment of the Cybersecurity Fund

There is established by this Act a Cybersecurity Fund.


30. Object of the Fund

(1) The object of the Fund is to provide financial resources to promote and strengthen the cybersecurity of the country.

(2) To achieve the object of the Fund, moneys from the Fund shall be applied to relevant activities that the Board may determine.

(3) Without limiting subsection (2), moneys from the Fund shall be applied to

(a) support research and development in cybersecurity;
(b) support domestic, regional and international capacity building exercises in cybersecurity initiatives relevant to the cybersecurity of the country; and
(c) undertake any other activity that is ancillary to the object of the Fund.


31. Sources of moneys for the Fund

The sources of moneys for the Fund include

(a) seed money approved by Parliament;
(b) moneys which may become lawfully payable to the Authority for the Fund;
(c) grants, gifts, donations and other voluntary contributions;
(d) a charge determined by the Authority in accordance with the Fees and Charges (Miscellaneous Provisions) Act, 2018 (Act 983) and levied on persons licensed by the Bank of Ghana to carry on business;
(e) a proportion of the fees charged on all government e-services determined by the Authority in accordance with the Fees and Charges (Miscellaneous Provisions) Act, 2018 (Act 983);
(f) a levy that may be imposed by Parliament on e-services; and
(g) any other moneys approved by Parliament for the Fund.


32. Bank account for the Fund

Moneys for the Fund shall be paid into a bank account opened for that purpose by the Authority with the approval of the Controller and Accountant-General.


33. Management of the Fund

(1) The Board is responsible for the management of the Fund.

(2) Sections 27 and 28 on accounts and audit, and annual report and other reports apply to the Fund.


34. Disbursement from the Fund

The moneys from the Fund shall be disbursed in accordance with the policy guidelines of the Fund.


Critical Information Infrastructure

35. Designation of critical information infrastructure

(1) The Minister may, on the advice of the Authority, designate a computer system or computer network as a critical information infrastructure if the Minister considers that the computer system or computer network is essential for

(a) national security, or
(b) the economic and social well-being of citizens.

(2) Where the Minister designates a computer system or computer network as a critical information infrastructure, the Minister shall publish the designation in the Gazette.

(3) The Minister shall, in making a determination under subsection (1), consider if the computer system or computer network is necessary for

(a) the security, defence or international relations of the country;
(b) the production, preservation or identity of a confidential source of information related to the enforcement of criminal law;
(c) the provision of services directly related to
(i) communications and telecommunications infrastructure;
(ii) banking and financial services;
(iii) public utilities;
(iv) public transportation; and
(v) public key infrastructure;
(d) the protection of public safety and public health, including systems related to essential emergency services;
(e) an international business or communication affecting a citizen of Ghana or any other international business in which a citizen of Ghana or the Government has an interest; or
(f) the Legislature, Executive, Judiciary, Public Services or security agencies.

(4) The Minister shall, by publication in the Gazette, establish the procedure for the regulation of a critical information infrastructure.


36. Registration of critical information infrastructure

(1) The Authority shall register a critical information infrastructure.

(2) The Authority shall, by publication in the Gazette, determine

(a) the requirements for the registration of a critical information infrastructure;
(b) the procedure for the registration of a critical information infrastructure; and
(c) any other matter relating to the registration of a critical information infrastructure.

(3) Where there is any change in the legal ownership of a registered critical information infrastructure, the owner of the registered critical information infrastructure shall, within seven days after the change, inform the Authority of the change in ownership.

(4) An owner of a registered critical information infrastructure who contravenes subsection (3) is liable to pay to the Authority the administrative penalty specified in the Second Schedule.


37. Withdrawal of designation of critical information infrastructure

The Minister may, on the advice of the Authority and by publication in the Gazette, withdraw the designation of a critical information infrastructure at any time if the Minister considers that the computer system or computer network no longer satisfies the criteria of a critical information infrastructure.


38. Management and compliance audit of critical information infrastructure

(1) The Minister shall prescribe minimum standards for prohibitions in respect of the general management of a critical information infrastructure that the Minister considers necessary for the protection of national security.

(2) The Authority shall carry out a periodic audit and inspection on a critical information infrastructure to ensure compliance with the provisions of this Act.


39. Duty of owner of critical information infrastructure

(1) An owner of a critical information infrastructure shall

(a) report a cybersecurity incident within twenty-four hours after the incident is detected to
(i) the relevant Sectoral Computer Emergency Response Team, or
(ii) the National Computer Emergency Response Team, in the case of a critical information infrastructure that does not belong to a Sectoral Computer Emergency Response Team;
(b) cause an audit to be performed on a critical information infrastructure; and
(c) submit a copy of the audit report to the Authority.

(2) An owner of a critical information infrastructure who contravenes

(a) paragraph (a) of subsection (1),
(b) paragraph (b) of subsection (1), or
(c) paragraph (c) of subsection (1)

is liable to pay to the Authority the administrative penalty specified in the Second Schedule.


40. Access to critical information infrastructure

(1) A person shall not without authorisation

(a) secure access, or
(b) attempt to secure access

to a computer system or a computer network designated as a critical information infrastructure.

(2) A person who contravenes subsection (1) commits an offence and is liable on summary conviction to a fine of not less than two thousand, five hundred penalty units and not more than fifteen thousand penalty units or to a term of imprisonment of not less than two years and not more than five years, or to both.

(3) Where the offence committed under subsection (1)

(a) results in a serious bodily injury, financial loss or damage to the computer system or computer network designated as a critical information infrastructure, the person who commited[sic] the offence
(i) in the case of an individual, is liable on summary conviction to a fine of not less than five thousand penalty units and not more than fifty thousand penalty units or to a term of imprisonment of not less than five years and not more than fifteen years or to both; or
(ii) in the case of a body corporate, a partnership or a firm is liable on summary conviction to a fine of not less than twenty-five thousand penalty units and not more than fifty thousand penalty units; and
(b) is deemed to be a terrorist act, the person who committed the offence is liable on conviction on indictment to a term of imprisonment of not less than seven years and not more than twenty-five years.

(4) Where an offence under subsection (3) is committed by a body corporate or by a member of a partnership or other firm, every director or officer of that body corporate or a member of the partnership or any other person concerned with the management of the firm shall be deemed to have committed that offence and is liable on summary conviction to a fine of not less than five thousand penalty units and not more than fifty thousand penalty units.

(5) A person shall not be convicted of an offence by virtue of subsection (4) if it is proved that

(a) due diligence was exercised to prevent the commission of the offence; and
(b) the offence was committed without the knowledge, consent or connivance of that person.