The Bank of Ghana has launched its revised Cyber and Information Security Directive (CISD) 2026, replacing the 2018 framework and setting updated cyber and information security expectations for banks and other participants in Ghana’s digital financial ecosystem. In the Governor’s launch remarks, the Directive was positioned as part of the Bank’s role under the Cybersecurity Act, 2020, which designates the Financial Industry Command Security Operations Centre (FICSOC) as the Sectoral Computer Emergency Response Team for the financial industry.

CISD 2026 introduces new requirements and frameworks covering AI and machine learning governance, including expectations for fair, transparent and secure deployment of such systems in financial services. It also sets cloud computing security parameters anchored in data sovereignty requirements, stating that databases containing personal and financial information must remain within Ghana, while only non-sensitive front-end services may be hosted in the cloud under a risk-based, approved and tightly controlled approach. Other elements include a proportionality framework to scale requirements by institution size and risk profile, a mandate for board-level cyber risk expertise with at least one board member required to have verifiable competence in cyber risk management, and expanded FICSOC coverage to onboard other financial institutions such as savings and loans and microfinance firms, fintechs, and partner regulators.

The Bank of Ghana also signalled further work on a sustainable shared services model for FICSOC, moving from Bank-funded start-up costs toward shared responsibility to support continuous upgrades and 24/7 operations.