Ghana’s banks, fintech firms and payment service providers face a significant operational overhaul under the Bank of Ghana’s newly launched Cyber and Information Security Directive (CISD) 2026, with a data sovereignty mandate that requires all sensitive financial information to be stored physically within Ghana’s borders.
Under the directive, only non-sensitive front-end services may be hosted in the cloud, and even then only through a risk-based, approved and tightly controlled framework, while core systems and critical data must remain within national borders.
The requirement, grounded in the Cybersecurity Act, 2020 (Act 1038) and the Data Protection Act, 2012 (Act 843), marks one of the most consequential operational mandates in the directive for institutions that have in recent years migrated core infrastructure to international cloud providers including AWS, Microsoft Azure and Google Cloud, all of which host their nearest data centres outside Ghana.
Governor Johnson Asiama, speaking at the directive’s launch in Accra on Wednesday, was direct about the rationale. “We are no longer just supervising capital adequacy ratios or liquidity positions; we are now, more than ever, safeguarding the confidentiality, integrity, and availability of the data that powers our economy,” he said.
The CISD 2026 replaces the 2018 framework, which the central bank described as no longer adequate for the current threat environment. Beyond data localisation, the directive introduces a governance framework for artificial intelligence and machine learning systems deployed by banks for fraud detection, credit scoring and customer service, with requirements for transparency, security and fairness.
A proportionality framework scales compliance requirements to the size and risk profile of each institution, ensuring that rural banks and microfinance companies face obligations commensurate with their operations rather than the same burden as tier-one commercial banks.
The directive also mandates that at least one board member at every regulated financial institution must possess verifiable expertise in cyber risk management, a requirement that will force governance changes at many institutions where cybersecurity has historically been handled below board level.
The Financial Industry Command Security Operations Centre (FICSOC), designated as the sectoral Computer Emergency Response Team (CERT) under the Cybersecurity Act, is being expanded to cover savings and loans companies, fintech firms and other non-bank institutions. Governor Asiama acknowledged that building and maintaining a world-class defence capability of this scale requires significant investment in infrastructure, advanced technology and skilled personnel, and that the Bank of Ghana has borne the initial cost of the infrastructure to get it off the ground, signalling that participating institutions will be expected to contribute to its ongoing costs.
First Deputy Governor Zakari Mumuni said the directive responds to rapid digital transformation, growing reliance on third-party technology, and emerging risks tied to artificial intelligence and interconnected data systems, describing cybersecurity as a matter of national and economic security rather than a technical concern.
