The Bank of Ghana (BoG) has launched a landmark cybersecurity framework that replaces its 2018 rulebook with a far broader regime covering every layer of the country’s financial sector, from the largest commercial banks to mobile money operators and rural microfinance institutions.
The new Cyber and Information Security Directive (CISD) 2026, unveiled in Accra under the theme “Safer and More Resilient Digital Financial Industry,” signals a shift from traditional financial supervision to a broader mandate prioritising the protection of data confidentiality, integrity, and availability. Governor Dr. Johnson Pandit Asiama described the launch as a major milestone in safeguarding the country’s financial ecosystem, saying the new directive reflected the central pillar of the bank’s regulatory philosophy and its commitment to every Ghanaian who entrusts their accounts and transactions to the banking system.
Asiama acknowledged that the 2018 framework had become insufficient, saying a framework designed for the challenges of 2018 cannot adequately solve the problems of 2026. He warned that the threats now facing the sector, from ransomware attacks capable of paralysing a bank for days to systemic data breaches that can shatter public trust, are no longer isolated information technology incidents but national security concerns.
The directive is anchored on six pillars: governance for artificial intelligence (AI) and machine learning, cloud computing security with data sovereignty requirements, a proportionality framework that tailors obligations to the size and risk profile of each institution, inclusive oversight extending to microfinance companies and fintechs, proactive defence and preparedness, and strengthened cross-sector collaboration.
On data sovereignty, the BoG directed all financial institutions to keep sensitive customer and financial data within the country’s borders. While cloud adoption is permitted under a risk-based framework, the directive draws a clear line, allowing only non-sensitive, front-end services to be hosted offshore.
All institutions from rural banks to fintechs will be integrated into a unified defence through the Financial Industry Command Security Operations Centre (FIXOC), which the central bank has funded as sectoral infrastructure to get the system off the ground.
Chief of Staff Julius Debrah, speaking at the launch, described cybersecurity as a critical pillar of economic stability, warning that increasing reliance on digital systems exposes financial institutions to evolving risks that must be managed through embedding cyber resilience at the core of financial sector operations.
