Ghana's cybersecurity enforcement within EOCO, police statutory remit, not CSA-Lom Nuku Ahlijah writes

Ghana’s rapid digital transformation has brought with it a rise in cyber-enabled crimes: mobile money fraud, business email compromise, online impersonation, identity theft, ransomware attacks and other sophisticated schemes targeting individuals, businesses and state institutions. 

As these threats evolve, it is essential that the country maintains a clear and coherent institutional framework for combating them. My position is simple: cybercrime enforcement is the statutory remit of EOCO and the Police, not the Cyber Security Authority (CSA). The CSA must remain a regulator and coordinator not a security or investigative agency.

EOCO’s mandate under its establishing Act is unambiguous. It is responsible for investigating serious economic and organised crimes, including complex fraud, financial malfeasance and transnational offences. Almost all cybercrimes in Ghana are fundamentally economic crimes committed through digital platforms. Whether it is SIM swap fraud, mobile money scams, business email compromise, extortion, or online impersonation, these acts fall squarely within EOCO’s investigative and prosecutorial architecture. EOCO also has the operational relationships with INTERPOL, FBI and international financial intelligence networks required to pursue cross-border digital crimes.

The Cyber Security Authority, on the other hand, is not a law enforcement body. The Cybersecurity Act, 2020 (Act 1038) gives the CSA a regulatory mandate, setting standards, licensing cybersecurity service providers, protecting critical information infrastructure and coordinating incident response. It was never designed to function as a security or intelligence organisation that arrests suspects or conducts criminal investigations. Its strength lies in regulation, technical assurance and coordination. That is where international best practice consistently places cyber regulators.

Around the world, cybersecurity authorities do not investigate or prosecute crimes. They set standards, enforce compliance, provide technical support and act as national coordinating bodies. Enforcement remains with the police, specialised criminal investigation bureaus or economic crime agencies. Ghana should not deviate from this model.

When a regulator begins drifting into enforcement, three problems arise. First, it creates institutional confusion and overlaps, with multiple bodies pursuing the same suspects or issuing conflicting directives. Second, it dilutes accountability because no single institution is clearly responsible for outcomes. Third, it leads to “mandate inflation,” where a regulator begins assuming powers that Parliament never intended it to have. This is not only inefficient; it is dangerous for governance.

There is another practical implication. If the CSA continues to behave like a security institution, then its placement under the Ministry of Communications and Digitalisation becomes inappropriate. Security agencies cannot sit under a communications ministry. They traditionally fall under the Ministry of Interior, the Attorney-General, or National Security. The fact that the CSA is situated under Communications is evidence of Parliament’s intention: it is a regulator, not a security enforcement organisation.

The CSA must therefore focus on where it adds the most value: supporting EOCO, the Police and National Security with technical intelligence; issuing cybersecurity standards; coordinating incident reporting; licensing cybersecurity professionals; and leading national awareness campaigns. Those are essential and powerful functions. They strengthen Ghana’s security ecosystem without blurring institutional boundaries.

Cybercrime enforcement should remain with EOCO and the Police. That is the law, and it is also the most efficient and internationally recognised structure for protecting the public. The CSA’s legitimacy and long-term effectiveness depend on it remaining in its regulatory lane while empowering the institutions with the constitutional authority to investigate and prosecute crime. For Ghana to build a resilient cybersecurity framework, clarity of mandate is not optional, it is fundamental.