The Bank of Ghana has directed all financial institutions to keep sensitive customer and financial data within the country, as part of its newly launched Cyber and Information Security Directive (CISD) 2026.
Speaking at the official launch in Accra, Governor Johnson Pandit Asiama said the move is aimed at strengthening national control over critical financial data and protecting the integrity of Ghana’s digital financial ecosystem.
He stressed that while financial institutions may adopt cloud technologies, strict limits have been imposed on what data can be hosted outside the country.
“The Cybersecurity Act, 2020 and the Data Protection Act, 2012 mandate data sovereignty. This means that the physical location of databases containing personal and financial information must remain within the territorial boundaries of Ghana,” he stated.
The directive allows only non-sensitive, front-end services to be hosted in the cloud under a tightly regulated, risk-based framework. According to the central bank, this approach ensures institutions can leverage innovation without compromising national security or customer trust.
Dr. Asiama warned that cyber threats have evolved significantly in recent years, transforming from isolated IT incidents into broader national security concerns.
“From ransomware attacks that can paralyse a bank for days, to systemic data breaches that can shatter public trust in an instant, the threats we face are no longer just isolated IT incidents; they are national security concerns,” he said.
The new rules form part of broader efforts by the Bank of Ghana to transition from a compliance-based approach to a more proactive and resilient cybersecurity posture across the financial sector.
Industry analysts say the directive could have far-reaching implications for banks, fintech firms, and international technology partners, particularly those relying on offshore data infrastructure. While the policy is expected to boost consumer confidence and regulatory control, it may also require significant adjustments in IT architecture and operations.
The central bank insists the directive is essential to safeguarding Ghana’s rapidly digitising financial system and ensuring that innovation does not outpace security.
