Do Not Build a Digital Wall: The NITA Bill and Ghana’s AfCFTA Digital Trade Test

A strict law-policy analysis of why Ghana can modernise ICT regulation without undermining continental digital trade

The task is not to kill regulation. It is to stop Ghana from building a national digital wall in the same season Africa is trying to build a continental digital market.

Opening thesis

Ghana needs a modern ICT regulator. That should not be controversial. A 2008 institutional framework cannot carry the weight of cloud services, artificial intelligence, digital platforms, cybersecurity-sensitive infrastructure, electronic trust services, data-driven public administration and cross-border digital commerce in 2026. Updating the National Information Technology Agency framework is therefore sensible. The problem is not the desire to regulate. The problem is the apparent choice to regulate by overbreadth.

The draft National Information Technology Authority Bill, 2025, if passed substantially in its current published form, risks sending the wrong message at the wrong continental moment. Ghana hosts the AfCFTA Secretariat. Ghana wants to be seen as a digital trade gateway. Yet the AfCFTA Protocol on Digital Trade now speaks the language of the future: predictable rules, interoperability, non-discrimination, cross-border data flows, digital innovation, MSME participation and mutual recognition. A national digital law that appears to build a licensing wall around the digital economy is therefore not merely a domestic drafting problem. It is a continental trade policy problem.

Strictly, the Bill does not automatically create a present treaty breach merely because it is inconsistent with the Protocol. Ratification, entry into force and domestic implementation matter. The more accurate position is that the Bill creates material incompatibility and future breach risk if enacted and applied to digital products, cloud services, SaaS, ICT professionals, data-centre operations, digital platforms or service providers from other AfCFTA State Parties. That caveat matters. It separates legal analysis from noise. But after the caveat, the conclusion remains firm: the Bill, as drafted, is not AfCFTA-ready.

The Protocol is not anti-regulation

A serious critique must first concede Ghana’s regulatory space. Article 4 of the Digital Trade Protocol preserves the right of State Parties to regulate within their territories to safeguard public welfare, sustainable development, essential security interests and legitimate public policy objectives. Ghana may therefore regulate critical ICT infrastructure, cybersecurity-sensitive services, public-sector systems, trust services, data-centre assurance, consumer protection and value-for-money in public technology procurement.

But that right is not a blank cheque. The Protocol also requires predictable and transparent harmonised rules, common and open standards, interoperability, responsible regulation of emerging technologies, digital skills development, digital innovation and entrepreneurship. It is not a deregulation charter. It is a good-regulation charter.

That is where the draft Bill begins to wobble. It contains several positive clauses. Sections 5, 60, 61, 64 and 65 speak of best regulatory practice, proportionality, innovation, stakeholder engagement, sandboxes and periodic review. Those provisions should be retained and strengthened. But they are undermined by provisions that impose broad licensing, broad certification, Ghana-only ownership, wide seizure powers and heavy flat penalties. A Bill cannot praise risk-based regulation in one clause and practise blanket control in another. That is not coherence. That is legislative mood swing.

Section 37 and the 100 percent Ghanaian ownership problem

The sharpest AfCFTA problem is section 37. Read with sections 35 and 36, it appears to allow a person to apply for a licence only if the person is a Ghanaian citizen or an entity wholly owned by a Ghanaian citizen. If applied broadly to ICT businesses, cloud hosting, SaaS providers, data-centre operators, platform operators and other ICT service providers, this is a continental red flag.

Article 7 of the Digital Trade Protocol requires no less favourable treatment for digital products from another State Party, including where the author, producer, developer, distributor or owner is a person of another State Party. The Protocol’s logic is not that African digital trade should be fenced into 55 national silos. Its logic is that African firms, platforms, innovators and digital products should scale across the continent under predictable rules. A 100 percent Ghanaian ownership condition does the opposite.

This is not an argument against Ghanaian participation. Local participation, technology transfer, beneficial ownership disclosure, local support obligations, tax compliance, national security screening and targeted preferential support for Ghanaian MSMEs are all legitimate tools. But a blanket ownership wall is a blunt instrument. It treats a Ghanaian-African joint venture, a Nigerian or Kenyan cloud operator with substantial African operations, and a Ghanaian subsidiary with foreign shareholders as automatically suspect. That is not industrial policy. It is a digital barricade wearing a policy suit.

Section 37 should be rewritten. Licence eligibility should be category-specific and risk-based. Ghana can reserve genuinely sovereign-sensitive functions where strictly justified, but the default rule should permit citizens, Ghanaian companies, companies registered in Ghana, joint ventures and persons of AfCFTA State Parties with substantial business operations in a State Party. Conditions should then address security, data protection, local support, technology transfer and service quality.

A permit-first digital economy

Sections 35 and 36 create the second major difficulty. Section 35 broadly prohibits a person from engaging in a business or related activity in the ICT sector unless licensed by the Authority. Section 36 then lists public or commercial ICT infrastructure, cloud hosting, SaaS provision, government digital services partnership, national digital platform operation, data-centre operation and any other category determined by the Authority.

Licensing is not inherently unlawful. High-risk technology activity deserves oversight. But a licensing trigger this broad risks converting ordinary digital enterprise into a permission economy. It may capture software developers, SaaS providers, cloud operators, platform businesses, integration firms, digital product distributors and cross-border service providers. That sits uneasily with a Protocol designed to eliminate unnecessary digital trade barriers.

The Bill should distinguish high-risk ICT activity from ordinary digital activity. Public-sector digital infrastructure, critical information infrastructure-facing services, trust services, sensitive data infrastructure and major public procurement systems may justify mandatory licensing. Ordinary software development, low-risk SaaS, digital creative products, internal enterprise ICT functions, freelance digital services and non-resident cross-border digital trade should not be forced into a licence-first model unless there is a clear Ghana nexus and demonstrable risk. If everything is licensable, nothing is intelligently regulated.

Certification must not become labour-market gatekeeping

Section 46 provides that a person shall not be appointed as an ICT professional in a public or private institution unless certified by the Authority. That is not merely public-sector workforce assurance. It enters the private labour market and affects startups, fintechs, universities, consultancies, software firms, NGOs, freelancers, data analysts, cloud engineers, cybersecurity practitioners, AI trainers and self-taught builders.

The defect is worsened by the absence of a precise definition of “ICT professional”. In today’s digital economy, one person may be a developer, product manager, automation consultant, designer, cloud administrator and AI workflow builder in the same month. A vague certification gate can easily become an administrative tollbooth across the digital labour market.

The Digital Trade Protocol encourages digital skills development, MSME participation, digital innovation, entrepreneurship and collaboration between foreign and domestic firms. A blanket certification requirement moves in the wrong direction unless narrowed. Ghana can require certification for high-risk roles, including public-sector ICT leadership, critical infrastructure roles, trust-service roles, cybersecurity-sensitive roles, data-centre assurance roles and roles linked to national digital identity or public platforms. But private-sector ICT employment generally should not be subject to universal administrative pre-clearance.

The amendment is simple: define the regulated roles, make certification mandatory only for high-risk categories, create voluntary certification for general practitioners, recognise equivalent African, international, vendor, academic and professional credentials, and provide grandfathering for experienced practitioners. The goal should be competence assurance, not professional enclosure.

Data, cloud, source code and enforcement powers

The Protocol’s data provisions are especially relevant. Article 20 requires State Parties, subject to the relevant annex, to allow cross-border transfer of data for digital trade by persons of a State Party. Restrictions may be maintained for legitimate public policy or essential security objectives, but they must not be arbitrary, unjustifiably discriminatory, disguised restrictions on trade, or greater than necessary. Article 22 similarly prohibits requiring persons of another State Party to locate computing facilities locally as a condition for conducting digital trade, subject to constrained exceptions.

This matters for sections 55, 95(f), 101 and related provisions. Public-sector shared services and public data infrastructure may be legitimate, especially because the Protocol treats government procurement and State-held information differently. But Ghana must avoid a spill-over effect where public-sector digital governance becomes de facto private-sector localisation. If “critical data” is undefined, if hosting accreditation becomes a disguised local-hosting mandate, or if data-centre regulation blocks qualified African providers, the Bill risks colliding with the Protocol’s data and computing-facilities disciplines.

Enforcement also needs tightening. Sections 48, 69, 71 and 73 allow closure, seizure, inspection, search, confiscation and broad compliance action. These powers may be necessary against serious bad actors. But technology enforcement is not like seizing a crate of unlabelled goods. Servers contain customer data. Devices may hold privileged records. Source code may embody trade secrets. A service interruption may affect thousands. Article 24 protects source code and algorithms from compelled access as a condition for import, distribution, sale or use, subject to specific investigations and safeguards against unauthorised disclosure.

The Bill should include proportionality tests, warrant requirements, chain-of-custody rules, confidentiality safeguards, business-continuity duties, data-protection protocols and express source-code protections. The state may inspect where necessary. It should not rummage through the engine room of digital commerce with tools designed for another century.

Penalties, reporting and startups

Section 94 creates administrative penalties of not less than 20,000 and not more than 50,000 penalty units for failure to comply with a directive or refusal or neglect to provide required information. At Ghana’s present penalty-unit value, that range is severe. For a multinational, it may be irritating. For a five-person startup, it may be terminal. That is the defect of flat penalties: they are simultaneously too harsh for small actors and too weak for large actors.

The Protocol specifically calls for meaningful MSME participation in digital trade, support for startups, collaboration between foreign and domestic firms, technology transfer, digital innovation and entrepreneurship. A penalty regime that does not distinguish first breach from repeated breach, negligence from wilful misconduct, micro-enterprise from platform giant, and low-risk delay from high-risk public harm is not aligned with that objective.

The same concern applies to section 67 reporting. Reporting is legitimate; regulators need information. But a fifteen-day deadline after year-end, combined with broad information powers over conduct, practices, management, transactions and compliance, may become bureaucratic punishment if applied without risk tiers. Regulatory paperwork can kill as efficiently as regulatory prohibition, only more politely.

The fix is graduated regulation. Warnings and cure periods should apply to first non-critical breaches. Penalties should be tiered by turnover, risk category, harm, intent, cooperation, recurrence and remedial conduct. Micro and early-stage firms should have simplified reporting. High-risk actors should face stronger duties. That is not softness. It is precision.

Transparency and regulation by portal

Section 101 gives the Minister broad powers to make regulations defining, expanding or modifying ICT business activities, licensing procedures, Ghanaian content rules, fees, data-centre regulation and other implementation matters. In digital regulation, this is where danger often hides. The most restrictive rules are not always in the principal Act. They arrive later as regulations, guidelines, portal requirements, forms, circulars, temporary directives and administrative practice.

Articles 38 and 40 of the Digital Trade Protocol require publication and notification of laws, regulations, procedures, fees, charges and measures affecting digital trade. A credible Ghanaian Bill should therefore build transparency into the regulatory pipeline. New licence categories, certification rules, fee schedules, data-centre obligations, cross-border data measures and Ghanaian participation requirements should require public consultation, regulatory impact assessment, publication of a response matrix and, where applicable, notification through AfCFTA processes.

The Bill should include an AfCFTA conformity clause requiring the Act and subsidiary instruments to be interpreted and applied consistently with Ghana’s AfCFTA Digital Trade obligations, subject to Ghana’s constitutional treaty implementation requirements. It should also require every major digital-trade measure to pass a proportionality and trade-impact test. Without that discipline, the Bill may say “innovation” on the front page and practise protectionism at the back office.

Conclusion

The answer is not to abandon the NITA Bill. The answer is to repair it before it becomes a source of avoidable legal, commercial and diplomatic friction. Ghana needs a competent digital regulator, enforceable ICT standards, public-sector technology assurance, cybersecurity-aware infrastructure governance, data-centre oversight and consumer trust. It also needs technology laws that are not trapped in 2008.

But Ghana must remember where it sits. It is not merely another national market trying to control its digital borders. It hosts the AfCFTA Secretariat and should be helping to build African digital integration. A Bill that imposes broad licensing, 100 percent Ghanaian ownership for licence eligibility, universal ICT professional certification, expansive enforcement powers, heavy flat penalties and open-ended delegated regulation risks building a national digital wall in the same season Africa is trying to build a continental digital market.

The proper position is firm and balanced: modernise the law, but do not overreach; protect Ghanaian capacity, but do not exclude African participation; regulate high-risk technology, but do not license curiosity; enforce standards, but do not punish startups like multinationals; secure data, but do not disguise localisation as governance; and create a regulator, not a tollbooth.

If Ghana wants to lead African digital trade, the NITA Bill must be rewritten to reflect that ambition. Anything less would be a missed opportunity dressed up as reform.

Author:
Desmond Israel, Esq. is a Lecturer and Head of Department of Public Law And Governance at the GIMPA Law School, He is also a Partner in charge of Cyberlaw & Technology Practice at AGNOS Legal Company, a Lead Consultant at Information Security Architects Ltd and a Senior Policy Analyst with Institute for Liberty and Policy Innovation (ILAPI)