RETHINKING THE CYBERSECURITY AMENDMENT BILL: INTEGRATION AND COLLABORATION, NOT DUPLICATION
INTRODUCTION
As Ghana moves to update its digital governance
through the Cybersecurity (Amendment) Bill, 2025, it is crucial to ask
whether the proposed reforms solve a real gap — or simply create legal clutter.
While the bill aims to strengthen cybersecurity regulation, it does so by
expanding the powers of the Cyber Security Authority (CSA) in ways
that risk undermining the coherence of our criminal justice system.
The proposed amendments would give the CSA powers
to investigate, arrest, and even prosecute cybercrime — roles traditionally
handled by the Ghana Police Service and the Office of the Attorney-General.
These new mandates not only replicate existing functions but blur institutional
boundaries that exist for good reason: accountability, oversight, and
separation of powers.
More fundamentally, the bill reflects a troubling
trend: the assumption that every digitally mediated harm must be treated as a
new, standalone offence. This is legally unnecessary. Criminal legislation
should be technology-neutral, except in rare cases where a technology creates a
novel threat that cannot be addressed by existing law. Prefixes like “cyber-” —
as in cyberbullying, cyberstalking, cyberfraud —
often mask the reality that these acts are already punishable under Ghana’s
traditional legal framework.
Indeed, Ghana is not starting from scratch. Laws
like the Electronic Transactions Act (Act 772), Criminal Offences Act
(Act 29), Whistleblower Act (Act 720), and the existing Cybersecurity
Act, 2020 (Act 1038) already cover a broad range of cyber-related offences
and regulatory needs.
Cybercrime should be tackled by specialized
units within existing police and prosecutorial systems, not by creating
parallel enforcement authorities. The role of a cybersecurity authority is to
lead on policy, promote coordination, build technical capacity, and support
intelligence-sharing — not to take over criminal investigations and
prosecutions.
If passed in its current form, the amendment bill
risks disrupting an already functioning legal framework in pursuit of powers
that are unnecessary, untested, and potentially unconstitutional. This article
argues for a more restrained, integrated approach — one that focuses on
enforcing and coordinating the laws we already have.
THE CASE FOR TECHNOLOGY-NEUTRAL LAW
One of the most important — yet often overlooked
— principles in modern criminal legislation is technology neutrality.
Criminal laws are meant to prohibit certain harmful conduct, not the tools used
to commit it. The emergence of new technology, on its own, should not lead us
to redefine offences unless the technology creates a truly novel threat or
capability that law cannot otherwise address.
Unfortunately, the current discourse around
cybersecurity legislation in Ghana has made a fetish out of the prefix “cyber”.
Labels such as cyberbullying, cyberstalking, and cyberfraud give
the impression that these offences are somehow new or unregulated. But in
truth, the acts themselves — bullying, stalking, fraud — are already criminal
under Ghanaian law. The digital context may make them more common or harder to
detect, but it does not render them legally novel.
The real challenge lies in enforcement and
adaptation, not legislation. Our criminal justice system needs technical
training, investigative tools, and coordination mechanisms to apply existing
laws to new forms of conduct. Creating new laws for every “cyber” variant risks
confusing the legal framework and creating duplicative offences that strain
institutional clarity.
THE EXISTING LEGAL LANDSCAPE
Contrary to the assumptions behind the proposed amendment, Ghana already has
a robust legal framework to address cyber-related offences. Five key statutes
form the foundation of this framework:
1. Electronic Transactions Act, 2008 (Act 772)
This Act is the cornerstone of cybercrime law in Ghana. It defines and
criminalizes offences such as:
· Unauthorized access to systems and networks
· Interference with data or services
· Computer-related forgery and fraud
· Protection of children from online exploitation
Sections 107–140 provide detailed offence definitions and penalties. The Act
also regulates digital signatures, e-commerce, and data integrity — all core
pillars of cyber governance.
2. Criminal Offences Act, 1960 (Act 29)
The general criminal code covers a wide range of acts that apply equally in
digital contexts:
· Threats and extortion
· Harassment and defamation
· Fraud and deception
· Forgery and impersonation
Cyber-enabled versions of these offences don’t require separate legislation.
The law already captures them in substance; what’s needed is better
interpretation and enforcement in a digital context.
3. Whistleblower Act, 2006 (Act 720)
This Act provides protection for individuals who report misconduct,
including cyber-related activities. It ensures:
· Anonymity and confidentiality
· Protection against victimization
· Institutional reporting channels (including the Attorney-General, Police, CHRAJ, etc.)
The current bill proposes new reporting channels through the CSA,
potentially creating parallel and conflicting regimes.
4. Cybersecurity Act, 2020 (Act 1038)
This Act already establishes the Cyber Security Authority, defines its
functions, and outlines frameworks for:
· National coordination
· Protection of critical information infrastructure
· Accreditation and standards
If fully implemented, Act 1038 already gives the CSA the tools it needs —
without needing prosecutorial powers or law enforcement functions.
5. Electronic Communications Act (Act 775) & Amendment
This Act governs electronic communications
systems and addresses:
· Interference with signals
· Damage to networks or infrastructure
· Transmission of false or malicious messages
· Use of communication systems for criminal purposes
It already contains provisions to investigate
abuse of digital platforms and protect networks.
Together, these laws form a comprehensive,
enforceable, and coherent legal framework. What’s needed is not a reinvention
of cyber offences, but investment in enforcement, judicial awareness, and
technical training within the institutions that already have constitutional
authority.
WHAT THE AMENDMENT BILL PROPOSES AND WHY IT IS PROBLEMATIC
The Cybersecurity (Amendment) Bill, 2025 introduces
several significant changes to the existing 2020 Act — many of which go well
beyond coordination or regulation. At the heart of the amendment is an
unmistakable trend: centralizing power in the hands of the Cyber Security
Authority (CSA) and pushing it into law enforcement and prosecutorial
territory.
1. Prosecution and Investigation Powers
The amendment proposes inserting Section 4A,
which allows the CSA to:
“Investigate and prosecute offences under this
Act or any other relevant enactment in collaboration with the
Attorney-General.”
This language is ambiguous — it suggests
prosecutorial independence, rather than a supportive or referential role. The
result is a blurry overlap with the constitutional mandate of the
Attorney-General and established agencies like the Ghana Police Service and the
Economic and Organised Crime Office (EOCO). Rather than collaborating within
the system, the CSA seems to be building a parallel track of enforcement.
2. Powers of Search, Seizure, and Arrest
New provisions such as Sections 20A–20C empower
the CSA to:
· Enter premises,
· Seize devices,
· Require information,
· And potentially arrest suspects under cybercrime allegations.
Such powers traditionally come with strict checks
and balances, especially when used by security agencies. Handing them to a
regulatory authority without the same internal oversight structures raises
concerns about abuse, due process, and legal overreach.
3. Expanded Control Over Critical Information Infrastructure
The amendments give the CSA authority to:
· Designate and manage what constitutes “critical information infrastructure” (CII),
· Impose compliance obligations,
· Audit and sanction non-complying institutions.
This may lead to regulatory overreach, particularly where such
infrastructure is already regulated under sector-specific legislation (e.g.,
banking, telecoms, utilities). Without clear boundaries, this risks conflicting
mandates and regulatory fatigue.
In summary, the amendment pushes the CSA beyond its intended
coordinating and policy-making role into a space already occupied by
constitutionally established institutions. Instead of reinforcing Ghana’s
criminal justice system, it threatens to fragment it — duplicating enforcement
powers and complicating institutional relationships.
THE BETTER ALTERNATIVE — INTEGRATION, NOT DUPLICATION
If the goal is to strengthen Ghana’s
cybersecurity governance, the answer is not to expand enforcement powers
through legislative duplication. The answer lies in better integration of
existing laws and institutions, combined with meaningful capacity-building
across agencies.
1. Strengthen Inter-Agency Coordination
Rather than assign the CSA investigative or
prosecutorial powers, its role should be that of:
· A central coordinator, bridging institutions like the Ghana Police, EOCO, NIB, the judiciary, and regulators.
· A policy leader, setting national standards and leading awareness campaigns.
· A technical support agency, offering digital forensics capacity and intelligence to law enforcement.
Mandating joint task forces, shared databases,
and harmonized protocols would be more effective than placing arrest powers in
a regulatory body.
2. Focus on Enforcement, Not Expansion
Ghana’s cyber-related laws already cover most digital harms. What’s lacking
is:
· Technical training for prosecutors, judges, and police officers.
· Investment in cyber forensics and investigative tools.
· Public-private collaboration to monitor threats and report offences.
These challenges are operational, not legislative. What we need is execution,
not expansion.
3. Preserve Institutional Boundaries and Accountability
The reason Ghana’s Constitution separates roles
among the Police, Attorney-General, judiciary, and regulators is to ensure:
· Transparency,
· Due process, and
· Institutional accountability.
Giving CSA law enforcement powers dilutes these
principles. It creates legal uncertainty — especially if citizens or companies
are subject to overlapping or conflicting authority from multiple government
bodies.
A more sustainable path is one that reinforces
Ghana’s criminal justice system, not sidelines it. We do not need new
structures for every new threat. We need trustworthy institutions with
the capacity to respond to those threats using the laws we already have.
ACTS SHOULD NOT BECOME OPERATIONS MANUALS
One striking feature of the proposed amendment is
its level of procedural detail. Provisions on investigation steps, data
handling, seizure protocols, and compliance processes suggest that the bill is
drifting into territory better suited for a Legislative Instrument (LI) or
administrative directive.
An Act should operate at the level of policy, principles,
structure, and authority — not administrative checklists. Operational
matters, particularly those that may need updating over time, are best left to
regulations made under the Act. That approach ensures both clarity and flexibility,
while preserving Parliament’s role in setting policy direction without
micro-managing implementation.
In its current form, the amendment bill risks
becoming an operations manual disguised as primary legislation — a
move that could limit agility, complicate enforcement, and erode legislative
quality.
CONCLUSION
Ghana’s efforts to improve cybersecurity
governance are both timely and necessary. However, the Cybersecurity
(Amendment) Bill, 2025 risks taking the wrong path by expanding the
enforcement powers of the Cyber Security Authority in ways that
undermine legal clarity and institutional accountability.
We do not need to criminalize the same conduct
twice just because it occurs online. We do not need to create parallel
enforcement bodies when existing agencies — if well-coordinated and resourced —
can already do the job. And we do not need to constantly reinvent legal
categories just to match the buzzwords of the day.
Cybercrime is real. So is overregulation. A
balanced, integrated approach is not only more legally sound — it is more
likely to be effective.
Let us focus on what we already have: a suite of
strong laws, tested institutions, and a constitutional structure that works
when respected. The path forward is not duplication. It is discipline in
how we legislate and commitment in how we enforce.
And above all, we must remember: an Act is not an operations manual. If
we continue to confuse legislative policy with administrative detail, we risk
weakening both.