Ghana does not have to choose between a digital Wild West and a regulatory tollbooth at every API call. The intelligent middle path is risk-based regulation: firm where harm is real, light where innovation is still becoming.
The debate around the draft National Information Technology Authority Bill, 2025 has become noisy, and understandably so. Ghana’s digital economy is no longer a side project managed by hobbyists and public sector enthusiasm. It is now part of identity, payments, health, education, public procurement, taxation, cloud infrastructure, digital services, cybersecurity, artificial intelligence and the ordinary livelihoods of thousands of young people who build, fix, integrate and improvise systems every day.
A country in that position needs a credible digital regulator. That point should not be controversial. The National Information Technology Agency was not established as a ceremonial acronym. It was created under Act 771 to regulate and promote the deployment and use of ICT, and the Electronic Transactions Act also gives NITA a role in certification-related functions within the electronic transactions ecosystem.1
But the existence of a regulator is not an argument for every regulatory power. Law is not a mood. It is text, authority, limits, procedure and accountability. A regulator may be necessary and still be overbroad. A public concern may be genuine and still be legally inaccurate. That is why this debate must be separated into three baskets: core concerns that require amendment, ancillary concerns that require safeguards, and trivialities that should be corrected without being promoted into a constitutional emergency.
The existing law and the draft Bill are not the same
The most important analytical distinction is this: NITA’s existing statutory mandate is one question; the content of the proposed Authority Bill is another. Collapsing both into one argument produces bad law and worse public education.
On the existing-law side, the claim that NITA has no authority at all is wrong. Act 771 establishes NITA and gives it a mandate over ICT regulation, standards, licensing-related functions, registers, fees and the implementation of functions linked to the Electronic Transactions Act. Act 772 also recognises NITA’s role in facilitating the certifying agency structure for authentication and encryption services.2
So, where a fee, licence category or register is properly rooted in Act 771, Act 772, the Fees and Charges framework and a valid Legislative Instrument, it is not legally serious to say that NITA is simply implementing a future law before Parliament has spoken. Ghana’s constitutional order recognises Acts of Parliament and properly matured subsidiary legislation as law. A Legislative Instrument is not a policy memo with a stamp; once validly made and matured, it has legal force.3
That said, the official side should not overplay the point. The existence of a fee item in a Legislative Instrument is not a magic wand that cures every possible ultra vires concern. A public authority must still be able to point to the parent-law power behind the obligation, the activity being regulated, the person affected and the sanction imposed. The discipline of legality is not satisfied by saying, ‘there is a fee somewhere, therefore every burden is lawful everywhere’. That is not regulation; that is hide-and-seek with statutory authority.
What must be firmly debunked
Some public claims need to be answered directly, not because they are malicious, but because weak claims weaken serious advocacy.
First, ‘NITA has no authority’ is false. The better argument is not that NITA is a legal stranger to ICT regulation. The better argument is that the scope and manner of any specific regulatory action must be traced to clear legal authority.
Second, ‘all current fees are future-Bill fees’ is too broad. If existing fees are contained in valid Legislative Instruments made under the Fees and Charges framework and linked to an existing statutory mandate, they do not become unlawful merely because a new Bill also discusses the sector.
Third, ‘the Bill is already law’ should not be casually stated. A draft Bill remains a draft unless and until it goes through the constitutional legislative process, including parliamentary passage and presidential assent. In a constitutional democracy, policy ambition is not the same thing as enacted law.
Fourth, the claim that Ghana has no breach-notification law at all is inaccurate if stated generally. The Data Protection Act requires notification where personal data has been accessed or acquired by an unauthorised person, and the Cybersecurity Act imposes reporting obligations on owners of critical information infrastructure. The better critique is that the NITA Bill should cross-reference these regimes and avoid duplicated or contradictory reporting obligations.4
The core concerns are real, textual and not anti-regulation
The official response is right to reject misinformation, but wrong if it treats all criticism as noise. Several concerns are not speculative. They arise from the text of the draft Bill itself. These are the issues that deserve parliamentary attention before passage.
Certification of ICT professionals: regulate risk, not curiosity
Section 46 is the most sensitive provision in the draft. It states that a person shall not be appointed as an ICT professional in a public or private institution unless certified by the Authority. That is not a small administrative clause. It is a gatekeeping rule for employment in both the public and private economy.5
The difficulty is not certification as such. Certification is legitimate for high-risk roles. Ghana can require stronger standards for persons who manage public sector systems, critical information infrastructure, cybersecurity operations, digital trust services, public identity platforms, financial technology integrations or other sensitive systems. Nobody serious is asking for a national database to be maintained by a self-declared expert whose only credential is confidence and a YouTube playlist.
The difficulty is overbreadth. The Bill does not define ‘ICT professional’ with enough precision. Does it include a freelance web developer? A junior data analyst? A startup CTO? A cloud support consultant? A creative technologist who automates workflows? An AI prompt engineer? A cybersecurity practitioner already certified under domestic and global schemes? A student intern? The answer should not depend on administrative mood after the Bill has passed.
The plumber analogy used in some official responses has rhetorical force, but it only goes so far. A plumber works on pipes within a regulated built environment. The digital economy is not a single pipe. It is a shifting ecology of builders, designers, systems integrators, analysts, creators, consultants, vendors and founders. If every digital worker requires permission before appointment, the law may end up licensing curiosity itself. That is not a standard; it is a bottleneck wearing a tie.
The amendment should be clear. The writer suggests that mandatory certification should apply to public-sector ICT roles, critical infrastructure roles, regulated digital trust roles, cybersecurity-sensitive roles not already covered by another regulator, and other high-risk categories prescribed after consultation and regulatory impact assessment. For ordinary private-sector roles, Ghana should use voluntary certification, procurement incentives, professional registers, recognition of industry credentials and transitional grandfathering.
Licensing and the ownership problem
Sections 35 to 37 create another major concern. Section 35 requires a licence for a person engaging in business or related activity in the ICT sector. Section 36 lists broad licence categories, including public or commercial ICT infrastructure, cloud hosting, SaaS, government digital services partnership, national digital platform operation and data centre operation. Section 37 then says a person qualifies to apply if that person is a Ghanaian citizen or an entity wholly owned by a Ghanaian citizen.6
Read literally, this is a market-access wall. If the policy objective is to protect selected strategic service categories for Ghanaian participation, that objective should be stated with precision. If the objective is not to exclude foreign technology companies, multinational cloud providers, joint ventures, foreign-owned SaaS providers or Ghanaian subsidiaries of international companies, then the text must say so. Ministerial intention cannot cure statutory overbreadth. A court, investor or regulator will read the law, not the social media threads.
Ghana should protect local participation, but it should do so intelligently. Local content rules, knowledge-transfer obligations, beneficial ownership disclosure, local support requirements, security audits, tax compliance and data protection obligations can achieve policy goals without creating a blanket ownership rule that may frighten investment, frustrate partnerships and complicate Ghana’s digital trade ambitions.
The appropriate amendment is a category-specific licensing structure. Sensitive national infrastructure may justify stronger localisation requirements. Ordinary SaaS, cloud support, integration, development, analytics and digital service categories should not be swept into the same basket unless risk justifies it. Regulation should be a sieve, not a cement block.
Enforcement powers
The Bill provides for inspection, seizure, closure of premises, suspension and revocation of licences, cease-and-desist orders and other compliance powers. Some of these powers may be necessary. A regulator that cannot act where there is imminent harm to public safety, public security, critical systems or consumer protection is not a regulator; it is a help desk with a seal.
But technology enforcement is not the same as locking the door of a roadside shop. Seizing servers, devices or records can affect customer data, client confidentiality, business continuity, public access to services, financial operations and third-party rights. Closure may be justified where there is imminent danger. It is excessive if triggered by unclear licensing categories, ordinary filing defaults or minor non-compliance.
The Bill should therefore define enforcement thresholds. Search and seizure should generally require a warrant, except for tightly defined emergencies. There should be data-preservation protocols, confidentiality obligations, business continuity safeguards, written reasons, hearing rights and proportionality analysis before closure, suspension or seizure. A strong regulator does not need vague power. Vague power is what weakens confidence in strong regulation.
Administrative penalties
The administrative penalty provisions also need correction. A penalty range of 20,000 to 50,000 penalty units for failure to comply with a directive or refusal or neglect to provide required information is substantial. At the current GH¢12.00 value of a penalty unit, that translates into approximately GH¢240,000 to GH¢600,000.7
For a multinational, that may be a compliance line item. For a five-person startup, it may be a corporate funeral. The problem is not that penalties exist. The problem is that the Bill does not sufficiently scale penalties by company size, turnover, risk level, intentionality, recurrence, harm caused, remedial action, cooperation or whether the breach affects personal data, cybersecurity, critical infrastructure, consumers or public service continuity.
A serious regulator should not rely on administrative generosity to save good actors from a blunt statute. The statute itself should structure discretion. There should be warning notices, cure periods and lower bands for first-time non-critical breaches. There should also be heavy sanctions for deliberate, harmful, fraudulent or reckless conduct. The law should be firm enough to punish bad actors and intelligent enough not to accidentally punish growing ones.
The Tribunal must have visible fairness
The Bill establishes a Tribunal to hear appeals from decisions of the Authority and related dispute processes. That is a positive feature. The concern is institutional independence. The draft provides that the Tribunal’s expenses are charged on the funds of the Authority, and that its budget is submitted for approval by the Board of the Authority.8
This does not automatically make the Tribunal unlawful. Currently in Ghana, sectoral tribunals sometimes draw funding from sectoral arrangements. But in a dispute against the Authority, a Tribunal whose budget depends on the Authority’s Board carries avoidable perception risk. Justice must not only be done; in regulatory governance, it must also be budgeted to appear done.
The better model is to ring-fence the Tribunal’s funding, remove NITA Board control over hearing budgets, publish decisions with appropriate redactions, use transparent appointment criteria and preserve judicial review for jurisdictional, procedural fairness and natural justice errors. An appeal body should not appear to be seated in the reception area of the regulator whose decision it is reviewing.
The e-government operator
The Bill’s proposal to create an e-government ICT infrastructure operator may actually be a step in the right direction. If NITA currently carries both infrastructure-operating and regulatory functions, then creating a separate operator could reduce an existing institutional anomaly.
However, separation on paper is not enough. If the new company is licensed by NITA, reports to NITA, is audited through NITA processes and includes NITA-linked representation in its governance, private competitors will reasonably ask whether the referee is still too close to one of the players. The answer should be a stronger firewall, to wit, an independent board composition, conflict rules, published service level agreements, competition-neutral procurement, separate accounts, value-for-money reporting and meaningful complaint rights for private operators.
AI, data protection, cybersecurity and institutional overlap
A modern ICT regulator cannot operate in isolation. Ghana already has adjacent institutional mandates around data protection, cybersecurity, electronic communications, banking and payments, procurement, standards, consumer protection, corporate registration and public-sector digital governance. If the NITA Bill does not coordinate these mandates, regulated entities may face duplicated fees, overlapping approvals, inconsistent incident-reporting obligations and regulatory forum-shopping.
On AI, the critique should be precise. The NITA Bill references emerging technologies, including artificial intelligence, but it is not itself a complete AI governance framework. That is a valid concern. However, it is also true that the Ministry has worked on a separate Emerging Technologies Bill and related policy instruments. The serious issue is therefore harmonisation, not rhetorical absence. The NITA Bill, Emerging Technologies Bill, Data Harmonisation Bill, Data Protection reform and Cybersecurity framework must speak to one another before the market is asked to obey all of them at once.9
Ancillary issues: not fatal, but important
Several issues do not necessarily defeat the Bill, but they require safeguards.
The trivialities
Every major Bill should be proofread. Drafting errors in penalty clauses, definitions and cross-references can create litigation. They should be corrected. But typographical errors should not become the main battlefield. If the strongest point against a 105-section technology governance Bill is a spelling error, then the Bill has already won the argument. Fortunately for critics, the real issues are much stronger than typographical comedy. The same applies to labels such as ‘digital coup’. The phrase may trend, but it does not draft better law. It gives official actors an easy route to dismiss serious objections as theatre.
The response Ghana needs now
The responsible position is neither to kill the Bill nor to clap it through. The responsible position is to correct it.
The Ministry and NITA should publish a revised draft, together with a response matrix showing which stakeholder comments were accepted, rejected or deferred and why. That single act would improve trust immediately. It would also shift the debate from suspicion to text.
Parliament, when the Bill is eventually laid, should insist on targeted amendments before passage. The most urgent amendments should: define ‘ICT professional’; narrow mandatory certification to high-risk roles; rewrite licence eligibility to avoid a blanket 100 percent Ghanaian ownership rule; scale fees and penalties by risk and capacity; ring-fence Tribunal independence; strengthen enforcement safeguards; and harmonise the Bill with data protection, cybersecurity, electronic transactions, financial technology, competition and emerging technology reforms.
Industry, for its part, should submit specific drafting proposals, not only outrage. It is a known fact that policy changes when criticism becomes language that can enter a Bill.
Conclusion
Ghana needs NITA to be credible. The country needs standards for public digital systems, stronger interoperability, secure public infrastructure, better procurement discipline, cloud and data-centre assurance, and regulatory capacity for emerging technologies. That is the pro-regulation case, and it is strong.
But credibility does not come from broad powers alone. It comes from lawful limits, precise definitions, proportionate enforcement, independent appeals, regulatory coordination and sensitivity to the realities of the innovation economy. A modern technology regulator should not license every keyboard, frighten every startup, confuse every investor or duplicate every regulator. It should regulate risk, enable trust and leave room for experimentation.
The Bill’s defenders are right that NITA is not a legal ghost. Its critics are right that the current draft contains serious defects. The useful answer is therefore not noise. It is amendment. Ghana should modernise Act 771, but it should do so without licensing curiosity, criminalising legitimate innovation or turning digital governance into a queue management exercise.
The digital economy will not wait for perfect law. But law that intends to govern the digital economy must at least understand what it is trying to regulate. The NITA Bill can still get there. It simply should not arrive in Parliament wearing its zero-draft shoes.
Author: Desmond Israel, Esq. is a Lecturer and Head of Department of Public Law and Governance at the GIMPA Law School. He is also a Partner in charge of Cyberlaw & Technology Practice at AGNOS Legal Company, a Lead Consultant at Information Security Architects Ltd and a Senior Policy Analyst with Institute for Liberty and Policy Innovation (ILAPI).
References
1. National Information Technology Agency Act, 2008 (Act 771), especially sections on establishment, objects, functions, licensing, registers, fees, standards and coordination of ICT policy implementation. See also NITA public consultation materials confirming the review of Act 771 into the National Information Technology Authority Bill, 2025.
2. Electronic Transactions Act, 2008 (Act 772), including provisions establishing NITA’s role in facilitating the Certifying Agency and the licensing, monitoring, suspension, revocation and register framework for authentication and encryption service providers.
3. 1992 Constitution of Ghana, Articles 11(7) and 106; Fees and Charges (Miscellaneous Provisions) Act, 2022 (Act 1080); Fees and Charges (Miscellaneous Provisions) Regulations, 2023 (L.I. 2481); Fees and Charges (Miscellaneous Provisions) (Amendment) Regulations, 2025 (L.I. 2512).
4. Data Protection Act, 2012 (Act 843), section 31, on notification of security compromises involving personal data; Cybersecurity Act, 2020 (Act 1038), including critical information infrastructure incident reporting obligations.
5. Draft National Information Technology Authority Bill, 2025, section 46(1), certification of ICT professionals in public or private institutions.
6. Draft National Information Technology Authority Bill, 2025, sections 35 to 37, licensing requirements, licence categories and qualification for licence.
7. Draft National Information Technology Authority Bill, 2025, section 94; penalty unit value assessed by reference to the current GH¢12.00 statutory value commonly used in Ghanaian legislation.
8. Draft National Information Technology Authority Bill, 2025, sections 79 to 87, establishment, composition, expenses and appeals relating to the Tribunal.
9. Draft Emerging Technologies Bill, 2025 and Ministry/NITA public consultation materials on the broader digital legislative reform package. These materials show that AI and emerging technology governance are being considered outside the NITA Bill, but they do not remove the need for harmonisation within the NITA framework.
