Editor’s Note

Ardent Lens publishes long-form analysis grounded in primary sources. This piece is based on a clause-by-clause reading of the National Information Technology Authority Bill, 2025 (“the Bill”), a 38-page legislative instrument comprising 105 sections and one Schedule. Where we cite a section, the section number refers to the numbering in the Bill itself. Quotations are drawn directly from the text. Where we identify a risk or absurdity, we identify the specific provision that creates it. Where we make a normative claim — that something is dangerous, disproportionate, or unworkable — we explain the reasoning.

We have approached the Bill with the assumption that the drafters intend a legitimate public purpose: to modernise Ghana’s ICT regulatory framework, repeal the dated National Information Technology Agency Act, 2008 (Act 771), and create a single authority capable of coordinating the country’s digital transformation. That ambition is not in dispute. What is in dispute is the means – and the means, as currently drafted, raise serious questions that Parliament, civil society, the private sector, and citizens are entitled to ask before this Bill becomes law.


“Good ambition does not excuse bad drafting. A modern ICT regulator is overdue. A regulator with this much power and this little oversight is not the answer.”

Part I  ·  The Scale of What Is Being Proposed

Before the criticisms, the structure. A reader unfamiliar with the Bill should understand what is being created.

The Bill establishes the National Information Technology Authority (“the Authority”) as a body corporate (section 1). It dissolves the existing National Information Technology Agency established under Act 771 of 2008 (section 104), and transfers its assets, liabilities, contracts, and staff to the new Authority (section 103). It vests in the Authority forty-six enumerated functions under section 3 alone, ranging from licensing ICT infrastructure to certifying professionals to enforcing anti-trust policy in the ICT ecosystem.

It then layers on additional powers: a parallel duty to coordinate emerging-technology regulation; a mandate to maintain a national repository of public ICT assets; the role of certifying agency under a separate Electronic Transactions Act, 2025 (still being drafted, referenced repeatedly in this Bill as “Act …”); the resolution of domain-name disputes; the registration of every public-sector ICT project; the audit of public ICT systems; the certification of every ICT professional in any public or private institution; and the operation of a Regulatory Sandbox for innovations.

It then layers on enforcement: an inspector cadre with powers of entry, seizure, and search (sections 68–70); a Dispute Resolution Committee (sections 74–78); a quasi-judicial Tribunal whose decisions carry the force of a High Court judgment (sections 79–87); and a criminal-penalty regime running from one thousand to fifty thousand penalty units, with terms of imprisonment up to twenty years (sections 88–95).

It then layers on a commercial arm: an e-government ICT infrastructure operator company, to be incorporated within six months of the Act coming into force, with the Authority as both its regulator and – functionally – its referee (sections 31–34).

And it funds the whole arrangement with, among other sources, “one percent (1%) of regulatory fees on gross revenue of all ICT businesses” (section 23(d)).

That is the scale of what is being proposed. It is not a modernisation of an existing agency. It is the creation of one of the most powerful sectoral regulators in Ghana’s legal architecture, with revenue rights, prosecutorial powers, and licensing authority over an industry that touches every part of the modern economy.

“This is not a modernised version of Act 771. It is a different institution, with a wider mandate, broader powers, and weaker checks.”

Part II  ·  The Constitutional Problems

Ghana’s 1992 Constitution sets out specific procedures for the imposition of taxation, the creation of statutory levies, and the appointment of public officials. Several provisions of this Bill appear to be in tension with those rules. We address the most significant.

1. The 1% gross-revenue levy is a tax in everything but name

Section 23(d) provides that the funds of the Authority include “one percent (1%) of regulatory fees on gross revenue of all ICT businesses.”

The drafting is striking. The provision does not say one per cent of profit. It does not say a fee for a service rendered. It does not condition the charge on the cost of regulating the entity. It says one per cent of gross revenue – the top line, before any expenses are deducted – of every business in the ICT sector.

A levy of this nature has three constitutional and economic problems.

First, it is functionally a tax. Under Article 174(1) of the Constitution, “no taxation shall be imposed otherwise than by or under the authority of an Act of Parliament.” A charge that takes a fixed percentage of gross revenue, irrespective of the cost of regulatory oversight provided to the business in return, is a tax in the ordinary economic sense. Calling it a “regulatory fee” does not change its character. Whether Parliament can lawfully delegate the imposition of such a charge to a sector regulator, rather than impose it directly in primary legislation with a defined rate-setting mechanism, is a question that deserves Supreme Court attention before the Bill is passed.

Second, it is regressive against margins. Ghana’s ICT sector includes both high-margin software firms and low-margin infrastructure resellers, payment processors operating on thin spreads, and start-ups that may run negative operating margins for years before breaking even. A one per cent levy on gross revenue hits a payments company running on a 0.4% net margin completely differently from a software-as-a-service company running on a 30% net margin. For some businesses, this levy will exceed their entire annual profit. For others, it is a rounding error. That is not regulation; that is industrial policy by inadvertence.

Third, the Bill does not define “ICT business.” Section 102 defines “ICT” extremely broadly: “all technologies, systems, infrastructure, software, and platforms used for the collection, processing, storage, transmission, and dissemination of digital information and electronic communications.” On this definition, a bank that runs core banking software is an ICT business. A logistics company with a tracking app is an ICT business. A school with a learning management system is an ICT business. Every modern company, in other words, is an ICT business. The Bill does not say how the levy will be calculated for businesses whose ICT activity is incidental to their core operations, nor whether a company already paying regulatory fees to the Bank of Ghana, the NCA, the SEC, the CSA, or the DPC will also be liable for this one per cent on top.

“One per cent of gross revenue of every ICT business in Ghana is not a regulatory fee. It is a tax — and Parliament should impose it directly, with a defined scope, or not at all.”


2. The technical-clearance power is a procurement veto

Section 52(2) requires every public institution to “obtain technical clearance from the Authority before undertaking any major ICT procurement or deployment.” Section 52(3) allows the Authority itself to define what counts as “major.”

This is, in practice, a procurement veto over every Ministry, MMDA, statutory body, and state-owned enterprise that wants to deploy any ICT system. The veto is wielded by an unelected body whose thresholds are self-defined. There is no statutory deadline for the Authority to issue or refuse clearance. There is no appeal mechanism specified within section 52 itself. There is no provision for emergency procurement (think: a hospital needing to deploy a new patient management system after a ransomware attack).

Article 187 of the Constitution gives the Auditor-General oversight of public funds. Article 178 vests appropriations in Parliament. The Public Procurement Act, 2003 (Act 663) gives the Public Procurement Authority oversight of how contracts are awarded. Layering a technical clearance regime on top, administered by a body that is itself a market participant through the e-government ICT operator company it licenses (section 31), creates an architecture in which a single Authority can decide which projects proceed, which suppliers qualify, and which technology stack the public sector standardises on. That is too much power in one place.

3. The certification monopoly may be unconstitutional

Section 46(1) states: “A person shall not be appointed as an ICT professional in a public or private institution unless that person is certified by the Authority.”

Read literally, this provision means that no private company in Ghana – a bank, an insurance firm, a startup, a multinational subsidiary, a non-profit – can employ a software engineer, a database administrator, a network engineer, a cloud engineer, a data analyst, or a cybersecurity specialist unless that individual holds certification from the National Information Technology Authority.

The Constitution’s Article 24(1) guarantees every person the right to work under satisfactory, safe and healthy conditions. Article 17 guarantees equality before the law. A licensing regime that conditions private employment on a state certification – across an entire economic sector that employs tens of thousands of people – raises immediate questions about proportionality and necessity. There is no comparable regime for accountants in private practice, marketers, journalists, or HR professionals. Why is an ICT professional, in a private firm, materially different?

The Bill does not say. Section 46(2) merely states that “the Authority shall determine the criteria and procedure for the certification of ICT professionals.” That is, the Authority writes the rules, sets the fees, decides who passes, and decides who is denied entry to a profession on which a substantial slice of Ghana’s formal-sector employment now depends.

“A state body that can decide who is allowed to work as a software engineer in a private company is a body that can decide who is allowed to work, full stop. That power requires far more justification than this Bill provides.”

4. The independence clause is contradicted by the policy-directive clause

Section 16 declares that “the Authority shall not be subject to the direction or control of any person or authority in the exercise of its mandate and regulatory functions.”

Section 15(1), one section earlier, declares that “the Minister may give written directives to the Board of Directors on matters of policy in line with the object and functions of the Authority, and the Board of Directors shall comply.”

Section 15(2) attempts to reconcile the two by saying the Minister cannot instruct on “specific technical or operational matters.” But the line between “policy” and “operations” is not defined and, in regulatory practice, is the most contested distinction there is. Whether to grant a licence to a particular applicant: policy or operations? Whether to grant technical clearance to a particular ministry’s ICT project: policy or operations? Whether to revoke certification from a professional accused of misconduct: policy or operations?

In every case where this distinction matters, the Minister can characterise an intervention as a policy directive and the Authority must comply. Section 16, the independence clause, becomes a courtesy rather than a constraint.

Part III  ·  The Governance Absurdities

5. The Authority licenses the company it also regulates

Section 31(1) requires the Minister to ensure the incorporation of a company “to be licensed by the Authority as the Government e-government ICT infrastructure operator within six months of the coming into force of this Act.”

Section 32 sets out what this company does: it runs the government’s data centres, cloud hosting environments, national digital identity platforms, and enterprise software for the public sector.

Section 34 says this company must submit performance reports to the Authority, undergo audits by the Authority or an auditor it approves, and be subject to technical audits and performance reviews conducted by the Authority.

In other words: the Authority creates the company, licenses it, sets the standards it must meet, audits its performance, and reviews its work. The Authority is regulator, customer, accreditor, and supervisor of the same entity. There is no commercial counterparty in this arrangement. There is no independent oversight of whether the Authority’s licensing decisions favour this state-owned vehicle over private competitors. There is no mechanism for a private cloud provider, hosting provider, or data centre operator to challenge a procurement decision that routes all government workloads to this captive operator.

This is a vertical-integration problem. Competition regulators around the world spend decades unwinding these structures. The Bill creates one on day one.

6. The Authority is responsible for anti-trust enforcement in a sector it dominates

Section 3(o) gives the Authority the function to “coordinate the implementation of anti-trust policies to safeguard fair competition and prevent monopolies within the ICT ecosystem in Ghana.”

Ghana’s general competition framework currently rests with the Competition and Fair Trade Practices Authority (where established under sectoral law) and the broader administrative architecture. Granting sectoral anti-trust functions to the same regulator that has just created a state-owned monopoly platform (section 31), that controls licensing in the same sector (section 35), and that has a financial interest in the gross revenue of every ICT business (section 23(d)) is conceptually incoherent.

If the e-government ICT operator company becomes dominant in the public-sector cloud market — a near-certainty given the procurement structure of section 55 — the body responsible for declaring that dominance an anti-competitive problem is the same body that licensed it, set its standards, and audited its performance. The enforcement is captured before it begins.

7. The Board composition over-weights political appointments

Section 6(1) sets out a Board of Directors with at least eleven specified seats. Of those, seven are directly appointed by the President or nominated through political channels: the chairperson (President), two persons with ICT expertise (President), the lawyer with digital-economy expertise (presidentially appointed in practice through Article 70), the representative of the Ministry of Communications, the representative of the Ministry of Finance, the representative of National Security, and the three “other persons” under section 6(1)(j) who are appointed by the President under article 70.

The Director-General – also a presidential appointee under section 17 – sits on the Board. The only seats not under direct presidential or ministerial control are the representative of an ICT professional body and the representative nominated by the Minister responsible for Gender or Social Protection (who is also a political appointee, just from a different Ministry).

This is not a politically independent regulator. It is a regulator with a Board majority drawn from the appointing authority, with no fixed term protection from removal beyond “the President may, by letter addressed to a member, revoke the appointment” (section 9(5)). The President can dissolve the Board at will.

“Independence on paper, dismissal on letter. The Board exists at the pleasure of the appointing authority – a structure that has historically not survived a change of government in Ghana, and there is no reason to believe it will here.”

8. The Tribunal lacks the indicia of judicial independence

Section 79 establishes a Tribunal to hear appeals from the Authority’s decisions and the Dispute Resolution Committee’s findings. Section 86(3) gives Tribunal decisions “the same effect as a judgment of the High Court.”

Under section 80(2), the Minister appoints the chairperson and members of the Tribunal. Under section 82(1), the Tribunal’s expenses are charged on the funds of the Authority. Under section 82(2), the Tribunal’s annual budget is approved by the Board of Directors of the Authority. Under section 82(3), the Authority’s Board controls when funds are released to the Tribunal.

Reduced to its essence: the Authority funds the body that hears appeals against the Authority. The Board of the Authority approves the Tribunal’s budget. The Minister, who issues policy directives to the Authority, appoints the Tribunal’s members.

That is not how appellate independence works in any functioning legal system. The minimum standards established by international tribunals – financial autonomy, security of tenure, separation of appointing authority from the body whose decisions are being reviewed – are all absent here.

Part IV  ·  The Procedural Defects

9. Repeated references to a non-existent Act

The Bill makes more than fifteen separate references to “the Electronic Transactions Act, 2025 (Act …).” The ellipsis where the Act number should be is not a typographical error. It is the Bill’s acknowledgement that the legislation it depends on does not yet exist.

Material provisions of this Bill are unworkable without that companion Act. Section 3(p) makes the Authority the “certifying Agency established under the Electronic Transactions Act, 2025 (Act …).” Section 3(s) gives the Authority the function of resolving domain-name disputes “under the Electronic Transactions Act 2025 (Act….).” Section 3(t) tasks it with maintaining “registers for approvals given for equipment under the Electronic Transactions Act 2025 (Act….).”

Passing primary legislation that defines its own functional scope by reference to a yet-to-be-drafted parallel statute is poor drafting practice. It also creates a serious accountability gap: the public and Parliament cannot evaluate the full picture of what they are being asked to approve, because half the picture exists only in a draft we have not seen.

10. The seven-day post-seizure validation window inverts due process

Section 69 grants inspectors of the Authority broad powers to enter premises, search, seize equipment, and detain ICT products. Section 69(4) then provides: “Upon the seizure and detention of ICT products or equipment by an inspector of the Authority, the Authority shall within seven (7) days after the seizure and detention, apply to the Tribunal under section 77 of this Act for validation or otherwise of the seizure and detention.”

Read carefully, this provision authorises seizure first and judicial validation second. The inspector seizes; the Authority then has a week to ask a Tribunal it funds and whose members were appointed by the Minister to bless the seizure after the fact. The person whose equipment has been taken has no pre-seizure hearing, no warrant requirement save under the separate enforcement power in section 71(1)(b), and no statutory remedy if the seizure is later invalidated.

Compare this to the standard under the Criminal and Other Offences (Procedure) Act, 1960 (Act 30), which generally requires a warrant before search and seizure absent narrowly defined emergency circumstances. The Bill, in section 71(3), borrows the powers of a police officer under Act 30 for its inspectors, but does not import the same constraints. That is selective borrowing.

11. The penalty regime is wildly disproportionate at the upper end

Section 94 imposes administrative penalties between twenty thousand and fifty thousand penalty units for failure to comply with a directive of the Authority. Section 89 imposes a fine between five thousand and ten thousand penalty units, plus imprisonment between five and twenty years, for the embezzlement, misappropriation, or diversion of funds meant for the Authority. Section 95(d) imposes up to five thousand penalty units or ten years imprisonment for “engag[ing] in fraudulent ICT practices, including but not limited to cryptocurrency scams.”

A penalty unit in Ghana is currently GHS 12 (per section 2 of the Fines (Penalty Units) Act, 2000 (Act 572), as updated). Twenty thousand penalty units is therefore GHS 240,000. Fifty thousand penalty units is GHS 600,000. For a small ICT firm that fails to file a directive response on time, the floor of the administrative penalty alone could be more than the firm earns in a year.

More concerning, section 95(k) provides that for “gross negligence [that] leads to data breaches or system failures,” the penalty is up to ten thousand penalty units (GHS 120,000) “or ten percent of annual turnover (whichever is higher), plus mandatory third-party audits.” Ten per cent of annual turnover is GDPR-level. The European Union’s Article 83 applies that ceiling for the most serious systemic violations of fundamental rights protections, with extensive procedural safeguards. The Bill applies it to “gross negligence” without defining that term, without a layered tier of escalation, and without a clear standard of proof.

“Ten per cent of annual turnover for ‘gross negligence’ – a term the Bill does not define – is a corporate death penalty available on terms set entirely by the regulator that benefits from the fine.”

12. The licensing regime applies a ten-day timeline to a sixty-day decision

Section 39 requires the Authority to “consider” a licence application within ten days of receipt. Section 40(1)(b) gives the Authority sixty days to communicate the decision in writing.

If considered together, the provisions are workable: ten days to begin reviewing, sixty days to decide. Read literally, however, the gap between section 39 and section 40 means an applicant has no statutory clarity about when a decision is actually due, and section 40(2) gives the Authority broad refusal grounds (“against the public interest, public safety or public security”) without an obligation to particularise the reasons in any detail beyond section 40(3)’s requirement to “communicate the reason.”

The category of licences in section 36(1) includes seven categories explicitly named, plus “any other categories of licences as determined by the Authority” – a power the Authority can, under section 36(3), “by regulations expand, modify or repeal.” An applicant therefore cannot know, on the date they file, what licence category applies, what fees apply, what conditions apply, or what “public interest” considerations might justify refusal.

Part V  ·  The Practical Absurdities

13. The fifteen-day annual reporting window is shorter than any audit cycle

Section 67(2)(a) requires ICT service providers to submit annual reports “within fifteen days after the end of month ending December 31 in any year.”

Fifteen days after 31 December is 15 January. No audited annual report – from any company, of any size, in any sector – is ready by 15 January for a year that ended fifteen days earlier. Ghana’s Companies Act, 2019 (Act 992) recognises this reality: it allows up to nine months after the end of the financial year for the filing of audited accounts. The Income Tax Act, 2015 (Act 896) allows up to four months. Even unaudited management accounts typically take thirty to sixty days to close.

The fifteen-day timeline is either a drafting error or the result of someone confusing “end of month” with “within fifteen days after the financial year end.” Either way, every licensee subject to this requirement will be in technical breach on the day the Bill commences. And technical breach, under section 41(3)(e), is grounds for refusal of licence renewal.

14. The Sandbox is overridden by the obligations the Sandbox is meant to relax

Section 60 establishes a Regulatory Sandbox Framework – a familiar tool from financial-services regulation in the UK, Singapore, and elsewhere. Innovators are admitted to a controlled environment, given temporary regulatory reliefs, and allowed to test products that might not yet fit existing regulatory categories.

Section 60(4) then provides: “Participation in the sandbox shall not exempt a person from obligations under data protection, consumer protection, and anti-money laundering laws, unless explicitly provided for by the Authority.”

The substantive obligations from which most ICT innovators need temporary relief are exactly the data-protection, consumer-protection, and AML obligations enumerated. A sandbox that does not relax those rules is not meaningfully a sandbox. The Bill creates the word without creating the substance. Worse, the conditional “unless explicitly provided for by the Authority” means the Authority can override the Data Protection Commission, the consumer-protection framework, or the Financial Intelligence Centre’s AML regime by administrative fiat. That is a much bigger problem than the sandbox is worth.

15. The duty to register every public-sector ICT project is unworkable at scale

Section 54(2) requires every public institution to “register a project before initiating procurement or implementation.” Section 54(1) defines the project registry as covering “all public sector ICT projects.” Section 102 defines “public institution” as “a Ministry, Department, Agency, Metropolitan, Municipal or District Assembly, a statutory or constitutional body, or any entity owned wholly or partly by the Republic.”

Ghana has 261 MMDAs. There are over 100 MDAs at the central level. There are dozens of state-owned enterprises and constitutional bodies. If each of these entities initiates even three small ICT projects a year — a website upgrade, a server replacement, a new accounting module — that is over a thousand registrations annually for the Authority to receive and review. The Bill does not provide for the technical infrastructure of the registry. It does not specify decision timelines for registry review. It does not exempt routine maintenance, sub-threshold purchases, or emergency replacements. As drafted, the section is an aspiration disguised as a duty, and on the day a court is asked to enforce it, the registry will not exist.

16. The Authority is the ‘exclusive’ trainer of public ICT workforce

Section 3(e) makes the Authority “the exclusive government body empowered to coordinate the development, capacity building, and certification of ICT professionals serving public institutions to ensure a skilled and well-managed ICT workforce in the public service.”

Read alongside section 46(1)’s blanket certification requirement for every ICT professional, this provision creates a monopoly over public-sector ICT training. The Ghana Institute of Management and Public Administration, KNUST’s College of Engineering, Ashesi’s computer science programme, and every private training provider – from Codetrain to Soronko Academy – are excluded from the public-sector pipeline unless they coordinate with the Authority. The Authority becomes a gatekeeper not only of who can be employed, but of who can train. The chilling effect on private investment in ICT education is foreseeable.

17. The same Authority both establishes performance standards and audits compliance with them

Section 50 makes the Authority the body that develops, publishes, and enforces performance standards. Section 56 then makes the Authority the body that audits public ICT systems against those standards. Section 58 makes the Authority the body that prescribes certification tiers and enforces them. Section 57 makes the Authority the body that compiles and publishes the annual Public Sector Digital Index Report.

A regulator that writes the rules, marks the homework, and publishes the league table is a regulator without a counter-check. In well-functioning systems, the standards body, the audit body, and the certification body are separate. Sometimes the standards body is even external (an ISO accreditation body, for example). This Bill consolidates all four functions in one office, with no statutory peer review and no provision for independent re-certification.

18. The body-corporate offences clause reverses the burden of proof

Section 93 provides that where a body corporate commits an offence under the Act, “every director, manager, officer and shareholder responsible for the operations of the body corporate is considered to have committed the offence unless the director, manager, officer or shareholder proves that the director, manager, officer or shareholder exercised due diligence to prevent the commission of the offence.”

The plain reading: every shareholder is automatically guilty unless they prove their innocence. That formulation is constitutionally suspect under Article 19(2)(c), which guarantees the presumption of innocence. Comparable provisions in other Ghanaian statutes are usually qualified to “every director or officer with responsibility for the conduct giving rise to the offence,” not extended to every shareholder regardless of their role. As drafted, a passive minority shareholder in an ICT company could be criminally liable for an offence committed by management without their knowledge – and would carry the burden of disproving fault.

“Section 93 makes every shareholder of every ICT company in Ghana presumptively criminally liable for the company’s breaches. There is no comparable provision in Ghanaian law that goes this far.”

Part VI  ·  The Pattern

Read individually, several of these provisions could be defended as drafting choices. The fifteen-day reporting window is probably a typo. The references to a yet-to-be-passed Electronic Transactions Act may resolve themselves when that companion legislation is finalised. The sandbox provision could be cleaned up in committee.

Read together, however, a pattern emerges. In every place where this Bill makes a choice between concentration and dispersal of power, it chooses concentration. In every place where it chooses between rule-bound discretion and open-ended administrative discretion, it chooses open-ended. In every place where it could either constrain the regulator or constrain the regulated, it constrains the regulated. And in every place where it could either bind the Minister or empower the Minister, it empowers the Minister.

That pattern is not accidental. Bills that produce it tend to be drafted by people who have decided in advance what outcome they want from regulation, and who treat procedural safeguards as friction to be minimised. The result, in practice, is regulators that work brilliantly for as long as the leadership is technically excellent and politically aligned with the public interest — and disastrously the moment those conditions fail.

Ghana has had this experience before. The history of state regulators that began with good intentions and ended captured – by politics, by industry, by inertia – is not short. The constitutional drafters of 1992 understood this risk; the proliferation of constitutional commissions, the independence of the Auditor-General, the Article 195 process for appointments to the public services were all attempts to insulate critical functions from short-term political pressure. This Bill, in section after section, undoes that insulation.

Part VII  ·  What a Better Bill Would Look Like

Constructive criticism requires alternatives. Without prescribing a final version – that is for Parliament and the drafting team to work through – a serviceable version of this Bill would make at least the following changes.

  • Split the levy from the regulatory fee. If Ghana wants a sectoral levy on ICT businesses to fund a regulator, Parliament should impose that levy directly in primary legislation, with a defined scope, a defined rate, and a defined ring-fence for the proceeds.

  • Define “major” ICT procurement in the statute, not delegate it to the Authority. Set a statutory deadline for the issuance of technical clearance, with deemed approval if the deadline lapses.

  • Limit professional certification to the public sector. Private-sector employment of ICT professionals should not be conditional on state certification, save for narrowly defined safety-critical roles (medical-device software engineers, critical infrastructure operators) that the statute itself enumerates.

  • Separate the Tribunal from the Authority. The Tribunal should be funded directly by Parliament, with members appointed by an independent body, with security of tenure that survives any change of Minister.

  • Separate the e-government ICT operator from the regulator. If the state wants to operate a captive cloud provider, that company should be subject to the same competition rules as any private provider, regulated by a body independent of the Ministry that owns it.

  • Move anti-trust functions out of the Authority. Section 3(o) belongs with a competition regulator that does not have a financial stake in the businesses it monitors.

  • Fix the body-corporate offences clause. Restrict criminal liability to directors and officers with operational responsibility for the conduct in question, and preserve the presumption of innocence.

  • Reduce the upper-bound penalties to proportionate levels. Ten per cent of turnover requires the procedural safeguards that the Bill does not contain. Either add the safeguards or reduce the ceiling.

  • Fix the reporting timeline. Annual reports should be due within six months of the financial year end, not fifteen days.

  • Finalise the Electronic Transactions Act, 2025 first. Or, at minimum, table both Bills together so Parliament can see the full picture.

In Closing

Ghana needs an ICT regulator. The 2008 Act is dated. The country’s digital economy has expanded faster than the legal framework around it. The case for new primary legislation is real.

But the answer to fragmentation is not concentration without check. The answer to outdated rules is not new rules that fail their own internal-consistency test. The answer to under-regulation is not over-regulation paired with regulatory capture risk that the drafters seem not to have noticed.

This Bill, in its current form, would create a regulator with revenue rights over an entire sector, prosecutorial powers over its participants, certification monopoly over its workforce, vertical integration with a state-owned operator, and judicial review by a Tribunal it funds. The fact that some of its provisions are also poorly drafted – the fifteen-day report, the missing Electronic Transactions Act number, the contradictory independence and policy-directive clauses – is the least of its problems.

The deeper problem is structural. A regulator built on this design will work well for the brief windows when the leadership is exceptional and the politics are aligned. It will fail badly when, as eventually happens, one of those conditions changes. Ghana cannot afford that failure in a sector this central to its economic future.

Parliament should not pass this Bill in its current form. It should send it back for substantial redrafting, with public consultation that involves not just the ICT industry but the constitutional law academy, the competition law community, the procurement specialists, and the civil society organisations that monitor regulatory capture. The country has the technical talent to draft a better Bill. The political will to do so is the only missing ingredient.

“The question is not whether Ghana needs an ICT regulator. The question is whether this regulator, with these powers, on these terms, is the one we want.”


About this analysis

Ardent Lens is an independent editorial platform. We do not carry advertising. We are funded by readers. We have no commercial relationship with any party named or implied in this analysis, and no financial interest in the outcome of the parliamentary process discussed. This piece reflects our editorial assessment of the National Information Technology Authority Bill, 2025 in its publicly circulated form. Section numbering follows the Bill itself. Quotations are drawn directly from the Bill. Constitutional references are to the 1992 Constitution of the Republic of Ghana. Where we have characterised a provision as dangerous, disproportionate, or absurd, that characterisation is our own — not the Bill’s, not Parliament’s, and not the government’s. Corrections to any factual claim can be sent to our editorial desk; we publish corrections promptly and visibly, in line with our published corrections policy.