National Information Technology Authority (Amendment) Bill

1. (1) There is established by this Act, the National Information Technology Authority as a body corporate.

(2) The Authority may, for the performance of its functions acquire and hold property, dispose of property and enter into a contract or any other related transaction.

(3) Where there is a hindrance to the acquisition of land, the land may be acquired for the Authority under the Land Act, 2020 (Act 1036) and the cost shall be borne by the Authority.

2. The object of the Authority is to regulate, coordinate, promote, and develop information and communications technology and digital services in Ghana in line with national development goals and to

   • (a) ensure the provision of quality information and communications technology,

   • (b) promote standards of efficiency and ensure high quality of service in the Information and Communications Technology ecosystem, and

   • (c) coordinate the management and development of information and communications technology personnel or practitioners in the public services

3. (1) To achieve the object under section 2, the Authority shall

      - license and regulate ICT infrastructure, products and service providers;
   
      - develop  and  enforce  standards  to  ensure  consistency  and  accountability across the  people,  technology,  and  processes  involved  in  ICT  systems, services, and architectures
   
      - provide technical clearance for ICT procurement, investments and projects undertaken by public institutions;
   
      - maintain a national repository of ICT assets, investments and public digital infrastructure;
   
      - act  as  the  exclusive  government  body  empowered  to  coordinate  the development,  capacity  building,  and  certification  of  ICT  professional serving  public  institutions  to  ensure  a  skilled  and  well-managed  ICT workforce in the public service;
   
      - advise the Minister on ICT development and regulation in Ghana and lead the review  of the national ICT policy;
   
      - regulate the use of emerging technologies;
   
      - maintain a register of ICT personnel in the public service;
   
      - regulate ICT associations and related professional bodies;
   
      - coordinate the development and enforcement of safeguards to ensure the responsible and secure use of technology in the country;
   
      - coordinate  the  implementation  of  anti-trust  policies  to  safeguard  fair competition and prevent monopolies within the ICT ecosystem in Ghana;
   
      - perform  the  functions  of  the  certifying  Agency  established  under  the Electronic Transactions Act, 2025 (Act …);
   
      - coordinate the systematic implementation and monitoring of the national information and communications technology policy;
   
      - coordinate the implementation and enforcement of the provisions of this Act, the Electronic Transactions Act, 2025 (Act …);and regulations made under this Act;
   
      - resolve  matters  that  involve  domain  names  between  the  Domain  Name Registrar under the Electronic Transactions Act 2025  (  Act….)  in accordance with the provisions of this Act;
   
      - maintain registers for approvals given for equipment under the Electronic Transactions Act 2025 ( Act….);
   
      - provide  access  to  registers  for  licences,  applications  for  licences  and approvals for equipment except where commercial confidentiality does not allow for access;
   
      - collect fees and other charges to be paid to the Authority under this Act;
   
      - investigate and  resolve disputes  between  licence  holders  under  the Electronic  Transactions  Act  2025  (  Act….)  referred  to  the  Authority  by licence holders;
   
      - investigate complaints by users who fail to obtain redress from a licence holder;
   
      - carry out investigations on the conduct of persons at the Authority's own initiative or at the request of another person to determine whether any person is engaging in acts contrary to the provisions of this Act;
   
      - establish quality of service indicators and reporting requirements that apply to licence holders under the Electronic Transactions Act 2025 ( Act….);
   
      - aa. issue and publish on its website and in the Gazette necessary guidelines and standards;
   
      - bb. obtain from persons the necessary information for the performance of its functions;
   
      - carry  out  investigations  and  determine  complaints  that  involve  anticompetitive,  price-fixing  and  unfair  trade  practices  by  persons  under  the Electronic Transactions Act 2025 ( Act….);
   
      - formulate the strategy of the Authority;
   
      - ee. ensure that the policy directions given by the Minister are implemented;
   
      - ff. ensure high standards of propriety within the Authority;
   
      - jj. perform any other function necessary to achieve its object.
   

• In discharging its functions, the Authority shall take into account the following:

      - (a) the principle that regulatory activities should be transparent, accountable, proportionate, consistent and targeted only at cases in which action is needed;
  
      - (b) any other principle that represents best regulatory practice;
  
      - (c) the  protection  of  the  interests  of  consumers  under  the  Electronic Transactions Act 2025 ( Act….) as regards the choice, price, quality of service and value for money;
  
      - (d) the  needs  of  persons  who  are  physically  challenged,  the  elderly  and those on low incomes;
  
      - (e) the opinions of consumers and of members of the public generally; and
  
      - (f) the different interests of persons living in rural and urban areas.
  

• The Authority may exercise the following powers

      - (a) enter into a contract for the supply of goods and services;
  
      - (b) invest the funds of the Authority that are not immediately required for
  
      - the performance of its functions and ensure the judicious use of the funds, with the prior  written approval of the Minister responsible for Finance;
  
      - (c) publish information that is relevant to its functions and activities in a manner that it  considers appropriate;
  
      - (d) promote  and  where  necessary  fund  the  training  of  persons  for  the information and communications technology industry;
  
      - (e) undertake research and development work related to its functions; and
  
      - (f) promote  research  and  the  development  by  other  persons  of  the  ICT industry.
  

• The Authority shall in the performance of its functions have regard to

      - (a) the principles of transparency, accountability, proportionality, innovationenablement, and consistency in ICT regulation;
  
      - (b) best  regulatory  practices relevant  to  information  and  communications technology and digital governance;
  
      - (c) the protection of the rights and interests of users of public digital services, with particular attention to user choice, data protection, quality of service, and value for money;
  
      - (d) the environmental impact of ICT infrastructure, digital devices, and e-waste management in the deployment of public ICT systems;
  
      - (e) the promotion  of  inclusive  competition  and  local  innovation,  including incentives for Ghanaian  technology  firms  and  start-ups in the  ICT ecosystem;
  
      - (h) the  interests  of  both urban  and  rural  communities in  the  planning  and deployment of ICT infrastructure;
  
      - (i) any  applicable international  ICT  standards  and  best  practices,  including those  developed  by  the  International  Organization  for  Standardization (ISO),  International  Telecommunication  Union  (ITU),  World  Wide  Web Consortium (W3C), and relevant multilateral conventions ratified by Ghana.
  

• ( 1 ) The governing body of the Authority is a Board of Directors consisting of

      - (a) a chairperson nominated by the President;
  
      - (b) one representative of the Ministry responsible for Communication, Digital Technology, and Innovations, not below the rank of Director;
  
      - (c) one representative of the Ministry of Finance, not below the rank of Director;
  
      - (d) the Director-General of the Authority;
  
      - (e) one representative from a recognised ICT professional body, nominated by the executive body of that professional association;
  
      - (f) two persons with expertise in digital innovation, ICT, governance, or law, nominated by the President;
  
      - (g) one person with expertise in digital innovation, ICT, governance, or IT law nominated by the Minister responsible for Gender or Social Protection;
  
      - (h) one lawyer with expertise in digital economy or ICT law.
  
      - (i) one representative of the National Security Council; and
  
      - (j) three other persons with knowledge or expertise in electronic engineering, law, economics, business or public administration and at least one of whom is a woman.
  

• At least three (3) members of the Board of Directors shall be women.

• The President shall, in accordance with article 70 of the Constitution, appoint the chairperson and other members of the Board of Directors.

• The Board of Directors shall

      - (a) exercise general oversight responsibility for the strategic direction of the Authority;
  
      - (b) ensure the achievement of the object of the Authority; and
  
      - (c) ensure  the  effective  and  efficient  performance  of  the  functions  of  the Authority.
  

• 8 (1) A member of the Board of Directors has the same fiduciary relationship with the Authority and the same duty to act with loyalty and in good faith as a director of a company incorporated under the Companies Act, 2019 (Act 992).

  • Without limiting subsection (1), a member of the Board of Directors has a duty (a) to act honestly and in the best interest of the Authority in the performance of the functions of the Authority;

    - (c) not to disclose information acquired in the capacity of the member as a member of the Board of Directors to any person or make use of that information, except in the performance of functions;
    
    - (d) not to abuse the position of the office; and
    
    - (e) not to pursue personal interests at the expense of the Authority.
    

(3) A member of the Board of Directors, other than the Director General, shall not participate in the day-to-day running of the Authority.

(4) Where a court determines that the Authority has suffered a loss or damage as a result of the act or omission of a member of the Board of Directors, the court may, in addition to imposing a fine, order the member to pay appropriate compensation to the Authority.

• 9 (1) A member of the Board of Directors shall hold office for a period of four years and is eligible for reappointment for another term only.

  • Subsection (1) does not apply to the Director General.

  • A member of the Board of Directors may, at any time, resign from office in writing, addressed to the President through the Minister.

  • A member of the Board of Directors, other than the Director General, who is absent from three consecutive meetings of the Board of Directors without sufficient cause ceases to be a member of the Board of Directors.

  • The President may, by letter addressed to a member, revoke the appointment of that member.

  • Where a member of the Board of Directors is, for a sufficient reason unable to act as a member, the Minister shall determine whether the inability of the member to act would result in the declaration of a vacancy.

  • Where there is a vacancy

    - (a) under subsection (3), (4), (5), or subsection (2) of section 11,
    
    - (b) as a result of a declaration under subsection (6),
    
    - (c) under subsection (3) of section 12; or
    
    - (d) by reason of the death of a member,
    

  • 10 (1) The Board of Directors shall meet at least once every three months for the conduct of business at a time and place determined by the chairperson.

(2) The chairperson shall, at the request in writing of not less than one-third of the membership of the Board of Directors, convene an extraordinary meeting of the Board of Directors at a time and place determined by the chairperson.

(3) The quorum for a meeting of the Board of Directors is seven members.

(4) The chairperson shall preside at meetings of the Board of Directors and in the absence of the chairperson, a member of the Board of Directors elected by the members present from among their number shall preside.

(5) Matters before the Board of Directors shall be decided by a majority of the members present and voting and in the event of an equality of votes, the person presiding shall have a casting vote.

(6) The Board of Directors may co-opt a person to attend a meeting of the Board of Directors but that person shall not vote on a matter for decision at the meeting.

(7) The proceedings of the Board of Directors shall not be invalidated by reason of a vacancy among the members or a defect in the appointment or qualification of a member

(8) Subject to this section, the Board of Directors may determine the procedure for the meeting of the Board of Directors.

11.(1) A member of the Board of Directors who has an interest in a matter for consideration by the Board

        - (a) shall disclose in writing the nature of that interest and the disclosure shall form part of the record of the consideration of the matter; and

        - (b) is disqualified from being present at or participating in the deliberations of the Board of Directors in respect of that matter.

(2) A member ceases to be a member of the Board of Directors if that member has an interest in a matter before the Board of Directors and

(a) fails to disclose that interest; or

(b) is present at or participates in the deliberations of the Board of Directors in respect of that matter.

(3) Without limiting any further cause of action that may be instituted against the member, the Board of Directors shall recover any benefit derived by a member who

contravenes subsection (1), in addition to the revocation of the appointment of the member.

12. (1) Each member of the Board shall, prior to taking office, submit to the Authority a written declaration of that member's registrable interest whether directly or indirectly owned by the member.

(2) A member of the Board shall inform the Authority of any change in respect of that member's registrable interest from the date of the change.

(3) A member who without reasonable excuse fails to declare a registrable interest, or knowingly makes a false declaration, contravenes subsections (1) and (2), ceases to be a member of the Board and the appointment of the member to the Board shall be revoked by the President

13. (1) The Board of Directors may establish committees or advisory bodies consisting of members of the Board of Directors, non-members, or both, to perform a function of the Board of Directors.

(2) A committee composed of members and non-members of the Board of Directors shall be chaired by a member of the Board of Directors.

(3) A committee composed exclusively of non-members may only advise the Board

- Without limiting subsection (1), the Board of Directors shall establish the following committees:

          - (a) Technical Committee;

          - (b) Audit Committee; and

          - (c) Risk Committee.

(5) The Board of Directors shall determine the composition and functions of the committees established under subsection (3).

- Section 11 applies to a member of a committee of the Board of Directors

14.A member of the Board of Directors and members of a committee of the Board of Directors shall be paid allowances and benefits approved by the Minister in consultation with the Minister responsible for Finance.

15.(1) The Minister may give written directives to the Board of Directors on matters of policy in line with the object and functions of the Authority, and the Board of Directors shall comply in a manner consistent with the effective performance of the functions of the Authority.

(2) Subsection (1) shall not be construed to confer on the Minister the power to instruct the Authority on specific technical or operational mattera in relation to the object and functions of the Authority.

16.Except as otherwise provided in this Act, the Authority shall not be subject to the direction or control of any person or authority in the exercise of its mandate and regulatory functions.

Administrative Provisions

17.(1) The President shall, in accordance with article 195 of the Constitution, appoint a Director-General and one Deputy Director-General for the Authority.

(2) The Director-General and the Deputy Director-General shall hold office on the terms and conditions specified in the letters of appointment

(3) The Director-General shall hold office for a period of not more than four years and is eligible for re-appointment.

18.(1) The Director General

(a) is responsible for the day-to-day administration of the affairs of the Authority and is answerable to the Board in the performance of the functions under this Act; and

(b) shall ensure the implementation of the decisions of the Board of Directors.

(2) The Director General may delegate a function to an officer of the Authority but shall not be relieved of the ultimate responsibility for the performance of the delegated function.

• The Deputy Director-General shall act in the absence of the Director-General.

• The Deputy Director-General shall be assigned other responsibilities as the Board may determine.

19.(1) The President shall, on the recommendation of the Board of Directors, and in accordance with article 195 of the Constitution appoint an employee, not below the rank of a Deputy Director of the Authority, as Secretary of the Board of Directors.

(2) The Secretary shall hold office on the terms and conditions specified in the letter of appointment.

(3) The Secretary shall be responsible for -

        - (a) recording and keeping minutes of meetings of the Board;

        - (b) maintaining records and correspondence of the Board;

        - (e) formulating  agenda  for  meetings  with  the  chairperson  and  the Director-General;

        - (f) advising the Board on

            - (i) content,

            - (ii) organisation of memoranda, or

            - (iii) presentations for Board meetings.

(4) The Secretary shall attend all meetings of the Board but shall not have a right to vote on any matter before the Board.

20.(1) The President shall, in accordance with article 195 of the Constitution, appoint other staff of the Authority that are necessary for the effective and efficient performance of the functions of the Authority.

(2) Other public officers may be transferred or seconded to the Authority or may otherwise give assistance to the Authority.

(3) The Authority may, for the effective and efficient performance of the functions of the Authority, engage the services of advisors and consultants on the recommendations of the Board of Directors.

21.The Authority may establish offices, divisions, directorates, departments and units of the Authority as determined by the Board of Directors for the effective and efficient performance of the functions of the Authority.

22.(1) The Authority shall have an Internal Audit Unit in accordance with section 83 of the Public Financial Management Act, 2016 (Act 921).

(2) The Internal Audit Unit shall be headed by an Internal Auditor who shall be appointed in accordance with the Internal Audit Agency Act, 2003 (Act 658).

(3) The Internal Auditor is responsible for the internal audit of the Authority.

(4) The Internal Auditor shall, subject to subsections (3) and (4) of section 16 of the Internal Audit Agency Act, 2003 (Act 658), at intervals of three months

(a) prepare and submit to the Board of Directors a report on the internal audit carried out during the period of three months immediately preceding the preparation of the report; and

(b) make recommendations in each report with respect to matters necessary for the conduct of the affairs of the Authority.

(5) The Internal Auditor shall, in accordance with subsection (4) of section 16 of the Internal Audit Agency Act, 2003 (Act 658), submit a copy of each report prepared under this section to the Director General and the chairperson of the Board of Directors.

Financial Provisions

23. The funds of the Authority include -

(a) moneys approved by Parliament;

(b) a percentage of customs duties paid on imported ICT equipment, as approved by Parliament;

(c) fees and charges that accrue to the Authority in the performance of its functions under this Act;

(d) administrative penalties imposed and collected under this Act;

(e) a portion of the communications service tax, as approved by Parliament;

(f) a portion of the funds of the Ghana Infrastructure Investment Fund, as approved by Parliament;

(g) a portion of fees generated from the use of the government.gov portal, as approved by Parliament;

(h) one percent (1%) of regulatory fees on gross revenue of all ICT businesses;

(i) loans, grants, and donations;

(j) fees and charges payable under this Act or the Electronic Transactions Act, 2025(Act …); and

(k) income derived from the investment of the funds of the Authority.

• Moneys for the Authority shall be paid into a bank account opened for the purpose with the approval of the Controller and Accountant-General.

25.(1) The expenses of the Authority shall be charged on the funds of the Authority.

(2) Where after having defrayed the outstanding expenses, the Authority has an excess amount, the Authority shall transfer that amount to the Consolidated Fund unless the Minister for Finance in consultation with the Minister approves the retention by the Authority of a part or the whole of that excess amount.

26.Subject to article 174 of the Constitution and the Exemptions Act, 2022 (Act 1083), the Authority is exempt from the payment of taxes that the Minister responsible for Finance may, in writing, determine with the prior approval of Parliament.

27.(1) Subject to article 181 of the Constitution and section 76 of the Public Financial Management Act, 2016 (Act 921), and with the prior consent in writing of the Minister, the Authority may borrow money from a body corporate or any other person.

(2) For the purposes of securing the money borrowed, the Authority may, with the prior consent in writing of the Minister mortgage, charge or pledge a right, title or an interest in any of the properties of the Authority.

28. (1) The Authority shall keep books, records, returns of account and other documents relevant to the accounts in the form approved by the Auditor-General.

(2) The Board of Directors shall submit the accounts of the Authority to the AuditorGeneral for audit within six months at the end of the financial year.

(3) The Auditor-General shall, within six months after the end of the immediately preceding financial year, audit the accounts of the Authority and forward a copy of the report to the Minister and the Board of Directors.

(4) The financial year of the Authority shall be the same as the financial year of the Government.

29. (1) The Board of Directors shall, within thirty days after the receipt of the audit report, submit an annual report to the Minister, covering the activities and operations of the Authority for the year to which the report relates.

(2) The annual report shall include -

      - (a) the report of the Auditor-General;

      - (b) an assessment of the targets of the Authority; and

      - (c) a summary of challenges and feedback from stakeholders and recommendations to improve the efficiency and effectiveness of the Authority.

(3) The annual report shall be prepared in accordance with the format and content set out in the Schedule to this Act.

(4) The Minister shall, within thirty days after the receipt of the annual report, submit the report to Parliament with a statement that the Minister considers necessary. (5) The Board of Directors shall submit to the Minister any other report that the Minister or the Minister responsible for Communication, Digital Technology, and Innovations may require in writing

30. The Board shall submit a budget for the operations of the Authority for the following year to Parliament for approval through the Minister within three months after the commencement of the financial year.

e-government ICT infrastructure operator

31. (1) The Minister shall ensure the incorporation of a company to be licensed by the Authority as the Government e-government ICT infrastructure operator within six months of the coming into force of this Act.

(2) The company shall be governed by an independent board consisting of representatives from:

      - (a) the Ministry,

      - (b) the Authority,

      - (c) the private sector, and

      - (d) civil society and academia with expertise in digital infrastructure.

32 (1) The object of the Company is to deploy, maintain, and manage e-government infrastructure and platforms for the public sector, including -

      - (a) government data centers;

      - (b) cloud hosting environments for public institutions;

      - (c) platforms for national digital identity services;

      - (d) shared government systems and digital services; and

      - (e) enterprise software solutions deployed solely for e-government purposes.

33 (1) The Company shall apply its funds to

(a) develop and maintain secure and interoperable digital infrastructure for government use,

(b) invest in cloud computing, cybersecurity systems, and business continuity solutions,

(c) reduce dependence on external contractors for critical ICT systems, and

(d)provide services to public institutions under agreed service level agreements (SLAs).

34The Company shall:

(a) submit quarterly financial and operational performance reports to the Authority;

(b) undergo annual audits by the Auditor-General or an auditor approved by the Authority, and

(c) be subject to technical audits and performance reviews conducted by the Authority.

Licensing Provisions

35. (1) A person shall not engage in a business or a related activity in the ICT sector unless that person has been granted a licence by the Authority.

(2) For the purpose of subsection (1), a business or a related activity in the information and communications technology sector includes

      - (a) the installation of ICT infrastructure;

      - (b) the development or provision of ICT products and services; and

      - (c) all activities requiring licensing or certification under this Act.

(3) The Authority shall determine the mode of operations for the activities permitted under this section.

(4) A person who engages in a business or other related activity under this Act or Regulations made under this Act without a licence commits an offence and is liable on summary conviction to a fine of not less than two thousand penalty units and not more than five thousand penalty units or to a term of imprisonment of not less than six months and not more than two years, or to both.

36. (1) The Authority may issue the following categories of licences to a person engaged in a business or related activity in ICT sector

      - (a) Public/commercial ICT Infrastructure Licence;
    
      - (b) Cloud Hosting Service Licence;
    
      - (c) Software as a Service (SaaS) Provider Licence;
    
      - (d) Government Digital Services Partnership Licence;
    
      - (e) National Digital Platform Operator Licence;
    
      - (f) Data Centre Operator Licence;
    
      - (g) Any other categories of licences as determined by the Authority.
    

(2) The Authority shall publish the terms and conditions of each licence category in the Gazette.

- The Authority may, by regulations, expand, modify or repeal any category of licence as may be necessary.

- (1) A person qualifies to apply for a licence under this Act if that person is

      - (a) a citizen of eighteen years or above; or

(b) a company, a partnership, an association or other body, whether incorporated or unincorporated, which is wholly owned by a citizen.

38.(1) A person who qualifies under section 37 shall

      - (a) apply for a licence to the Authority in the prescribed form; and

      - (b) comply with the prescribed requirements.

- An application under subsection (1) shall be accompanied with the prescribed fee.

• The Authority shall, within ten days of receipt of an application, consider the application.

• 40.(1) Where the Authority is satisfied that an applicant has met the requirements for the grant of a licence, the Authority shall

      - (a)  approve  the  application  and  issue  the  applicant  with  a  licence  in  the prescribed form; and
  
      - (b) within sixty days, communicate the decision in writing to the applicant.
  

• Despite subsection (1), the Authority may refuse an application for a licence where

      - (a) it is against the public interest, public safety or public security; or
  
      - (b) the applicant fails to comply with a directive of the Authority
  

  • The Authority shall communicate the reason for the refusal of an application to the applicant.

41.(1) A licence issued under this Act is valid for the period specified in the licence and may be renewed.

(2) An application for renewal of a licence shall

      - (a) be made to the Authority in the prescribed manner;

(3) The Authority may refuse to renew a licence where

(a) the ICT service provider fails to comply with the terms and conditions of the licence;

(b) the ICT service provider fails to pay in full the prescribed fee for the renewal of the licence;

(c) the ICT service provider fails to use the licence for the intended purpose one year after issuance;

(d) the ICT service provider uses falsified documents in an application for the licence;

(e) the ICT service provider fails to comply with the provisions of this Act or Regulations made under this Act;

(f) the continued operation of the business or related activity in the ICT sector poses a risk to public health, public safety or public security;

(g) the services provided by the ICT service provider have deteriorated below the required standards;

(h) an offence under this Act or Regulations made under this Act is being investigated in relation to the ICT service provider;

(i) the ICT service provider fails to honour a financial obligation to the Authority or another public institution regarding sanctions, penalties, levies and taxes; or

(j) the ICT service provider fails to comply with a directive of the Authority.

42. (1) A licence granted under this Act is not transferable except with the prior written approval of the Authority.

(2) A person who transfers a licence contrary to subsection (1) commits an offence and is liable on summary conviction to a fine of not less than fifty thousand penalty units and not more than two hundred thousand penalty units or to a term of imprisonment of not less than five years and not more than ten years or to both and in addition the Authority shall revoke the licence of that person.

43. (1) The Authority may suspend a licence issued under this Act where

(a) the ICT service provider fails to comply with the terms and conditions of the licence;

(b) the ICT service provider fails to use the licence for the intended purpose one year after the issuance of the licence;

c) the ICT service provider uses a falsified document in an application for the licence;

(d)the ICT service provider fails to comply with the provisions of this Act or Regulations made under this Act;

(f) the services provided by the ICT service provider have deteriorated below the required standards;

(g) an offence under this Act or Regulations made under this Act in relation to the ICT service provider is being investigated;

(h) the ICT service provider fails to honour a financial obligation to the Authority or another public institution regarding sanctions, penalties, levies and taxes;

(i) the ICT service provider fails to comply with a directive of the Authority; or

          - (i) the ICT service provider

            - (i) becomes insolvent or bankrupt;

(ii) enters into an arrangement or scheme of composition with the creditors of the ICT service provider; or

(iii) takes advantage of an enactment for the benefit of the debtors of the ICT service provider or goes into liquidation, except as part of a scheme for an arrangement or amalgamation.

(2) The Authority shall, before suspending a licence,

(a) give the ICT service provider fifteen days' notice in writing of the intention to suspend the licence;

(b) specify in the notice the reasons for the intended suspension; and

(c) give an opportunity to the ICT service provider to make a written representation within ten days of receipt of the notice or remedy the breach if the breach is capable of remedy.

44. (1) The Authority may restore a suspended licence if the ICT service provider remedies the breach in the manner specified by the Authority.

(2) The Authority shall restore a licence of a ICT service provider within sixty days of the ICT service provider remedying the breach that resulted in the suspension.

(3) Where the Authority restores the licence of a ICT service provider, the Authority shall reinstate the name of the ICT products and service provider in the register of ICT products and service providers.

45. (1) The Authority may revoke the licence of a ICT service provider, where the licence of the ICT service provider has been suspended and the ICT service provider fails to remedy the breach that resulted in the suspension.

(2) The Authority shall, before revoking a licence,

(a)give the ICT service provider fifteen days' notice in writing of the intention to revoke the licence;

46.(1) A person shall not be appointed as an ICT professional in a public or private institution unless that person is certified by the Authority.

(2) The Authority shall determine the criteria and procedure for the certification of ICT professionals.

47.(1) The Authority shall establish and maintain a register of ICT products and service providers in which the Authority shall record

(a) the names and particulars of ICT products and service providers issued with licences under this Act;

(b) the categories of licences issued to ICT products and service providers;

(c) licence applications;

(d) equipment approvals;

(e) infrastructure service providers; and

(f) any other information that the Authority may determine.

(2) The Authority shall update the register of ICT products and service providers every six months.

Closure of Premises or Facility by the Authority

48.(1) The Authority may close down the operations of any premises or a facility used for a business or related activity in the ICT sector where

(a) the continued operation of the business or related activity poses a risk to public health, public safety, public security or the environment;

(b) the services provided by the ICT provider have deteriorated below the required standard;

(c) the ICT service provider fails to comply with any of the terms and conditions of the licence; or

(d) the provisions of this Act or Regulations made under this Act are not being complied with.

(2) The Authority shall, before closing down the operations of any premises or facility

(a) give the ICT service provider fifteen days' notice in writing of the intention to close down the operations of the premises or facility; and

(b) specify in the notice the reason for the intended closure.

(3) Despite subsection (2), where the operation of premises or a facility poses imminent danger to public health, public safety, public security or is injurious to the public interest, the Authority may take necessary interim measures including

(a) the immediate seizure of ICT products or equipment;

(b) the suspension of the business or related activities; or

(c) the closure of the premises or facility.

(4) The Authority shall issue guidelines to govern the exercise of the powers of the Authority under this section.

Sale, Merger, Amalgamation and Alteration of the Nature of Business

(c) the alteration of the business of the ICT service provider, except with the prior written approval of the Authority.

(2) Despite the provisions specified in the Companies Act, 2019 (Act 992) a sale, merger, amalgamation or the alteration of the nature of a business which involves an ICT service provider shall not take effect unless approved by the Authority.

(3) A person who acquires shares of a ICT service provider in connection with a sale, merger, or amalgamation shall meet the requirements of this Act before applying for approval under the Securities Industry Act, 2016 (Act 929).

(4) An agreement or arrangement entered into in contravention of subsection (1) is null and void.

Performance Standards and Specifications

• 50.The Authority shall

• (a) develop performance standards in the ICT sector;

• (b) publish the performance standards in the Gazette; and

• (c) enforce the performance standards in the ICT sector.

• The Authority shall

• (a) set specifications for ICT products and services; and

• (b) publish the specifications in the Gazette.

52. (1) The Authority shall monitor the activities of licensees and certified persons to ensure compliance with this Act.

(2) A public institution shall obtain technical clearance from the Authority before undertaking any major ICT procurement or deployment.

(3) The Authority may issue guidelines to define the thresholds for what constitutes a major ICT project requiring technical clearance.

53(1) The Authority shall develop and maintain a National Digital Architecture to guide the deployment and integration of ICT systems across the public sector.

(2) The architecture shall include standards for data exchange, interoperability, cybersecurity, user authentication, and shared platforms.

54.(1) The Authority shall establish and maintain an ICT Project Registry to record all public sector ICT projects.

(2) A public institution shall register a project before initiating procurement or implementation.

(3) The Authority may review registered projects to ensure alignment with national priorities and standards.

(3) A public institution shall use shared services designated by the Authority unless otherwise exempted in writing.

56. (1) The Authority shall conduct periodic audits of public ICT systems to assess compliance with prescribed standards.

(2) The Authority may issue improvement plans to public institutions based on audit findings. (3) An institution that fails to implement an improvement plan commits an administrative breach and shall pay to the Authority an administrative penalty of not less than five thousand and not more than ten thousand penalty units.

57.(1) The Authority shall develop a framework for monitoring performance indicators for digital governance.

(2) Each public institution shall submit periodic ICT performance reports in a manner directed by the Authority.

(3) The Authority shall compile an annual Public Sector Digital Index Report for submission to the Minister and publication.

(4) The Authority shall maintain a register of certified professionals and may suspend or revoke certification for misconduct or breach of standards.

58. (1) The Authority shall prescribe and enforce ICT performance standards and certification tiers for infrastructure, services, and professionals.

(2) Certification tiers shall reflect levels of security, interoperability, reliability, and user accessibility.

(3) A public institution shall procure ICT services and systems only from providers certified by the Authority at a prescribed tier.

59. (1) The Authority shall implement programmes for the training and professional development of ICT officers in the public sector.

(2) The Authority shall promote partnerships with technology firms, start-ups, and academia to support indigenous ICT innovation.

60.(1) The Authority shall establish a Regulatory Sandbox Framework to allow eligible innovators to test new ICT products, services, business models, or delivery mechanisms in a controlled environment, subject to defined parameters and duration.

(2) A person or entity that qualifies for participation in the sandbox shall receive temporary regulatory reliefs as determined by the Authority.

(3) The Authority shall issue guidelines governing the eligibility, application, monitoring, exit, and evaluation criteria for participation in the Regulatory Sandbox.

61.(1) The Authority shall exercise its regulatory functions using a risk-based and principlesoriented approach, focusing on the outcomes of compliance, consumer protection, security, and innovation facilitation.

(2) The Authority shall develop a risk categorisation model to differentiate regulatory oversight based on the scale, nature, and impact of the ICT activity or service.

(3) In applying this Act or Regulations, the Authority shall adopt regulatory measures that are proportionate to the risks posed and shall promote flexibility and innovation within the ICT ecosystem.

62.(1) The Authority shall ensure that regulatory instruments under this Act are technologyneutral and do not unduly constrain innovation.

(2) The Authority shall periodically review its rules, standards, and procedures to accommodate emerging technologies, including but not limited to artificial intelligence, blockchain, the Internet of Things, cryptocurrency and cross-border cloud services.

63.(1) The Authority shall promote universal and inclusive access to ICT services, with particular focus on persons with disabilities, women, rural populations, and marginalized groups.

(2) The Authority shall develop and implement national standards for ICT accessibility based on international best practices, including the Web Content Accessibility Guidelines (WCAG).

(3) The Authority shall collaborate with relevant agencies and civil society organizations to implement digital literacy programs and gender-responsive digital empowerment initiatives.

64.(1) There is established by this Act a Multi-Stakeholder Advisory Forum to provide policy and strategic advice to the Authority.

(2) The Forum shall comprise representatives from:

(a) the private ICT sector;

(b) civil society organizations;

• (c) academic and research institutions;

• (d) certified ICT professionals;

(e) international development partners; and

(f) any other stakeholder the Authority may determine.

(3) The Forum shall meet at least once a year and submit recommendations to the Board of Directors.

(4) The Authority shall publish a summary of the Forum's deliberations and responses in its annual report.

65. (1) The Authority shall undertake a comprehensive review of all regulatory instruments made under this Act at least once every five (5) years.

66. The Authority shall collaborate with public sector institutions, regulatory bodies, private sector actors, and international development partners and organisations in the discharge of its mandate.

67. (1) A ICT service provider shall submit annual reports on the business and related activities of the ICT service provider to the Authority.

• A report under subsection (1) shall be submitted within

• (a) fifteen days after the end of month ending December 31 in any year; or

• (b) a period specified in guidelines issued by the Authority.

• The Authority may request additional information from a ICT service provider on the following

• (a) the conduct, practices and management of the business of the ICT service provider;

• (b) the transactions related to the operations of the ICT service provider; and

• (c) financial and operational compliance with applicable enactments.

(4) The Authority shall, within thirty days after receipt of the report, consider the report and take necessary action.

Investigation and Enforcement

68. (1) The Director General, in consultation with the Board of Directors, may for the purpose of this Act, designate an officer as an inspector to, subject to strict ethical guidelines, inspect premises or a facility engaged in a business or related activity in the ICT sector to ensure compliance with this Act.

(2) An inspector shall, before conducting an inspection, obtain prior written authorisation from the Director General, and if required, produce the authorisation to the person in charge of the premises or facility.

(3) An inspector shall be subject to a code of conduct with penalties for misconduct.

69. (1) An inspector may, at any reasonable time, enter premises or a facility to investigate activities if there is reason to believe the premises or facility is being used for an unlicensed business or related activity in the ICT sector.

• The inspector shall, upon entry into the premises or facility, inspect

• (a) the licence of the ICT service provider;

• (b) the premises of the ICT service provider; and

• (c) any records relevant to compliance with this Act.

(3) An inspector may, at any reasonable time, enter premises, a vehicle, a vessel or an aircraft to

• (a) examine records or documents related to ICT transactions;

• (b) search for evidence of illegal ICT transactions or unlicensed operations;

(4) Upon the seizure and detention of ICT products or equipment by an inspector of the Authority, the Authority shall within seven (7) days after the seizure and detention, apply to the Tribunal under section 77 of this Act for validation or otherwise of the seizure and detention.

(5) An inspector may be accompanied by a police officer or any other security personnel in the exercise of powers under this section.

(6) An inspector who conducts an inspection under this section shall, within forty-eight (48) hours of the conduct of the inspection, submit a written report of the inspection to the Director General.

70. A person who obstructs an inspector in the exercise of a power under section 67 commits an offence and is liable on summary conviction to a fine of not less than two thousand penalty units and not more than five thousand penalty units or to a term of imprisonment of not less than six months and not more than two years or to both.

71. (1) The Authority may

(a) require an applicant for a licence or a ICT service provider to produce a document or other relevant information;

• (b) apply to a court of competent jurisdiction for a warrant to

• (i) search premises and seize evidence; or

• (ii) seize any materials related to a contravention of this Act·

• (c) require the attendance of a witness for investigation;

• (d) restrain a ICT service provider who has breached a condition of the licence from engaging

• in a business or a related activity in the ICT sector; and

(e) assess and award damages against a ICT service provider in favour of an injured third party.

• The Authority shall have custody of all confiscated ICT products and equipment.

(3) For the purpose of subsection (1), an officer authorised by the Authority may exercise the power of search or investigation conferred on a police officer under the Criminal and Other Offences (Procedure) Act, 1960 (Act 30).

72.Without limiting section 69, where a person contravenes a provision of this Act or Regulations made under this Act, the Authority may

• (a) issue a warning to the violator;

(b) order the forfeiture of ICT products or equipment obtained illegally;

• (c) issue a cease-and-desist order;

• (d) suspend or revoke a licence in accordance with this Act; and

(e) take any other action necessary to ensure compliance with this Act.

73(1) The Authority shall, in collaboration with relevant institutions conduct a random ICT audit of a public/commercial ICT infrastructure or an ICT service provider.

74.(1) Where a dispute arises between ICT service providers regarding licensed activities, the ICT service providers shall resolve the dispute amicably through negotiation.

(2) Where the parties are unable to resolve the dispute through negotiations, either party to the dispute may refer the dispute to the Dispute Resolution Committee established under section 75.

• (l) There is established by this Act a Dispute Resolution Committee.

• The Dispute Resolution Committee shall

• (a) investigate and hear disputes between ICT service providers without delay;

• (b) conduct proceedings fairly and transparently; and

• (c) deliver decisions within thirty days from the date of receipt of a dispute.

• (1) The Board of Directors shall determine the composition and the rules of procedure of the Dispute Resolution Committee.

(2) Despite subsection (1), the Dispute Resolution Committee shall be chaired by a lawyer with at least ten years' experience in the practice of alternative dispute resolution.

• The Authority shall publish the rules of procedure of the Dispute Resolution Committee in the Gazette.

• The Dispute Resolution Committee may, in resolving a dispute

• (a) declare the rights and obligations of the parties;

• (b) make a provisional order or an interim order;

• (c) provide directions to facilitate the proceedings;

• (d) dismiss a frivolous or a vexatious claim;

• (e) award costs against a party, where appropriate; and

• (f) issue any other directive necessary to resolve the matter.

79. A person who is aggrieved by a decision of the Dispute Resolution Committee may appeal to the National Information Technology Tribunal established under this Act.

National Information Technology Tribunal

• 80.(1) There is established by this Act, the National Information Technology Tribunal.

• The Tribunal shall be constituted to consider appeals regarding

• (a) a decision made by the Authority;

• (a) a chairperson, who is

• (i) a retired Justice of the Superior Courts of Judicature, or

• (ii) a lawyer with at least fifteen years' experience in the regulation of the ICT sector or the practice of alternative dispute resolution; and

• (b) two other members with expertise in ICT.

• The Minister shall appoint the chairperson and other members of the Tribunal

• Sections 9 and 11 on disclosure of interest and allowances apply to a member of the Tribunal.

• 82.(1) The Minister shall appoint

• (a) a Registrar to manage the administrative affairs of the Tribunal; and

• (b) other staff necessary for the efficient and effective operation of the Tribunal.

• The Registrar shall oversee the day-to-day operations of the Tribunal.

• (1) The expenses of the Tribunal shall be a charge on the funds of the Authority.

• The chairperson of the Tribunal shall submit an annual budget for approval by the Board of Directors.

• The Board of Directors shall release funds for the operations of the Tribunal no later than the first quarter of the financial year.

• The members and staff of the Tribunal shall be paid such allowances determined by the Minister in consultation with the Minister responsible for Finance as and when the Tribunal hears cases.

• (1) The Board of Directors shall, within ninety days of the coming into force of this Act, prescribe rules of procedure for the Tribunal.

• (2)The Board of Directors shall publish the rules in the Gazette.

• (1) A person aggrieved by a decision of the Authority or the Dispute Resolution Committee may, within twenty-one days of the date of the decision, appeal to the Tribunal.

• A notice of appeal under subsection (1) shall specify

• (a) the decision being appealed against;

• (b) the legal provisions under which the decision was made; and

• (c) the grounds for appeal.

• The Tribunal shall convene to hear the appeal within thirty days of receipt of the notice of appeal.

• 87(1) The Tribunal may, after hearing an appeal,

• (a) overturn the decision being appealed;

(3) The decision of the Tribunal shall have the same effect as a judgment of the High Court.

• (1) A party who is dissatisfied with a decision of the Tribunal on a matter may appeal to the Court of Appeal.

• An appeal under subsection (1) shall be

• (a) on a point of law only; and

(b) filed within thirty days of the decision of the Tribunal.

Offence, Penalties and Administrative Penalty

89. (1) A person shall not

(a) unlawfully destroy, damage, or interfere with equipment, installations, or facilities used in the ICT sector ;

(b) provide false information or fraudulent documentation related to ICT transactions;

(c) fail or neglect to comply with the terms and conditions of a licence;

(d) offer a bribe or incentive to an officer of the Authority to circumvent this Act or Regulations made under this Act;

(e) front or connive to acquire a licence under this Act or Regulations made under this Act.

(2) A person who contravenes a provision of subsection (1) commits an offence and is liable on summary conviction to a fine of not less than two thousand penalty units and not more than five thousand penalty units or to a term of imprisonment of not less than six months years and not more than two years or to both.

90.(1) A person shall not embezzle, misappropriate or divert funds meant for the Authority or the Republic under this Act.

(2)A person who contravenes subsection (1) commits an offence and is liable on summary conviction to a fine of not less than five thousand penalty units and not more than ten thousand penalty units or to a term of imprisonment of not less than five years and not more than twenty years or to both.

91.(1) A person who

(a) provides ICT services or operates ICT infrastructure without a valid licence,

(b) falsely represents themselves as a certified ICT professional, or

(c) submits false information to obtain a licence or certification, commits an offence and is liable on summary conviction to a fine of not less than one thousand penalty units and not more than two thousand penalty units or to a term of imprisonment of not less than six months years and not more than two years, or to both.

93. A person who

(a) refuses to provide information lawfully requested by a Compliance Inspector of the Authority,

(b) prevents or delays access to ICT systems or facilities during an inspection, or

(c) conceals, alters, or destroys relevant documentation, commits an offence and is liable on summary conviction to a fine of not less than two thousand penalty units and not more than five thousand penalty units or to imprisonment for a term of not less that twelve months and not more than two years, or to both.

94.Where a body corporate commits an offence under this Act, every director, manager, officer and shareholder responsible for the operations of the body corporate is considered to have committed the offence unless the director, manager, officer or shareholder proves that the director, manager, officer or shareholder exercised due diligence to prevent the commission of the offence.

95.(1) A ICT service provider or any other entity regulated under this Act or Regulations made under this Act who

(a) fails to comply with a directive issued by the Authority, or

(b) refuses or neglects to provide required information to the Authority, is liable to pay to the Authority an administrative penalty of not less than twenty thousand penalty units and not more than fifty thousand penalty units.

(2) Where a person fails to pay an administrative penalty imposed under subsection (1), the Authority may

(a) suspend or revoke the licence of the person; or

(b) prohibit the person from engaging in a business or related activity in the ICT sector within the country.

96. A person who

(a)makes a false declaration in an application for a licence,

(b)makes a false declaration in an application for registration of a licence, wilfully destroys or damages a register kept under this Act commits an offence and is liable on summary conviction to a fine of not more than five hundred penalty units or co a term of imprisonment of not more than two years or to both and in the case of a continuing offence to a further fine of ten penalty units for each day during which the offence continues after written notice has been served on the offender by the Authority .

97.(1) A person who negligently causes a cybersecurity breach commits an offence and is liable on conviction to a fine of up to two thousand penalty units or to imprisonment for a term not exceeding five years, or to both.

(4) A person who hosts critical data without accreditation as required by the Authority commits an offence and is liable on conviction to a fine of five thousand penalty units or to imprisonment for a term not exceeding seven years, or to both.

(5) A person who fails to conduct and submit an audit report as required by the Authority commits an offence and is liable to a fine of one thousand penalty units for each month of delay.

(6) A person who submits a false report to the Authority commits an offence and is liable on conviction to a fine of five thousand penalty units or to imprisonment for a term not exceeding five years, or to both.

(7). A person who obstructs Compliance Officers by rejecting, interfering with, or evading their lawful duties commits an offence and is liable to immediate suspension of ICT operations until compliance is achieved.

(8)A person who repeatedly violates multiple provisions of this Act or Regulations commits an offence and is liable on conviction to a fine of five thousand penalty units and permanent revocation of operating licences.

(9) A person whose gross negligence leads to data breaches or system failures commits an offence and is liable on conviction to a fine of up to ten thousand penalty units or ten percent of annual turnover (whichever is higher), plus mandatory third-party audits.

(10) A person who retaliates against a whistleblower in connection with any offence under this Act commits an offence and is liable on conviction to double the maximum penalty prescribed for the underlying offence.

98.(1) In the exercise of its function under this Act and the Electronic Transactions Act, 2025 (Act …) , the Board shall

  - (a) observe reasonable standards of procedural fairness,

  - (b) act timeously, and

  - (c) observe the rules of natural justice.

when making decisions that affect a person.

(2) Without limiting subsection (1), the Board shall

• (a) publish a matter for decision in the Gazette as considered necessary or as required by the Electronic Transactions Act, 2025 (Act …) prior to making a decision;

• (b) grant a person who is or is likely to be affected by a decision of the Board, an opportunity;

• (i) to make a submission to the Board,

• (ii) to be heard by the Board, or

• (iii) to consult with the Board in good faith, 'and

          - (  c)  have  regard  to  evidence  adduced  and  matters  contained  in  a submission made or received in the course of any  consultation.
  

(3) Where the Board makes a decision, it shall

- The Board may, on application or on its own motion, review,  rescind or vary a decision made by it or hear a matter again before  rendering a decision.

99.(1) The Director-General shall cause to be kept and maintained a Register in which shall be recorded details of

  - (a) any share or debenture owned by a member of the Board;

  - (b) other financial interests a member of the Board has in a  corporate body;

  - (c) any public or charitable appointment or directorship held  by a member; and

  - (d) any other matter required to be registered.

(2)The Register shall be publicly accessible, in both physical and electronic form.

(3) The Register shall be open to the public for physical inspection during normal working hours and subject to the payment of a fee determined by the Authority.

(4) A person may

(a) make a copy of the content of the Register, or

(b) take an extract from the Register, at the fee that the Authority may determine.

100.(1) The Board shall establish within one year of the commencement of this Act, a code of conduct for members of the Board, staff and persons whose services the Authority engages.

(2)The Code of Conduct shall among other provide for disciplinary and ethical matters

(3) The Board shall revise the code of conduct from time to time having regard to the changing regulatory objectives in the communications industry.

101.(1) Where a provision of this Act requires publication of a notice or a directive in the Gazette, the Authority may, in addition to publication in the Gazette, publish the notice or directive

(a) in a daily newspaper of national circulation;

(b) on radio and television; and

(c) on the website of the Authority.

(2) The Authority shall ensure that a notice or directive is accessible to relevant stakeholders.

102. The Authority shall organise periodic public engagement on the operations of the Authority.

103. The Minister may, by legislative instrument, make Regulations to

(a) define, expand or modify the scope of activities that constitute business or related activities in the ICT sector;

(b) specify procedures for submitting, investigating and resolving complaints in the ICT sector;

(c) establish disciplinary procedures for ICT service providers;

• (i) prescribe rules for consumer protection in the ICT sector;

• (j) prescribe licensing procedures and categories;

• (k) certification standards;

• (l) compliance monitoring mechanisms;

• (m) public sector ICT governance;

• (g) prescribe for fair trade practices and anti-competition rules in the ICT sector;

• (h) regulate data centres and ICT infrastructure;

• (i) prescribe fees chargeable under this Act,

• (j) provide for forms for applications,

• (k) prescribe requirements for licences and approvals for equipment,

• (l) provide procedures for the systematic implementation of a national information communications technology policy,

(m) provide for any other matter necessary for the effective and efficient implementation of this Act.

104. (1) In this Act, unless the context otherwise requires, -

"adaptive regulation " means regulatory practices designed to evolve in response to emerging technologies and changing market dynamics;

• "Authority" means the National Information Technology Authority established under section 1;

"Board" means the Governing Board of the Authority;

• "certification tiers" means graduated levels of certification that indicate the performance, reliability, and compliance level of ICT services or professionals;

• "certified professional" means a person certified under this Act to provide ICT services in the public sector;

• "chairperson" means the chairperson of the Board;

• "cloud computing" means delivery of computing services -including servers, storage, databases, networking, software -over the internet ('the cloud') ;

• "cloud hosting environments" means virtualized computing platforms provided over the internet to host data, applications, and services;

• "compliance inspector" means an officer designated by the Authority to monitor, audit, and inspect entities for compliance with this Act;

• "data centre" means a facility used to house computer systems, servers, and associated

components such as telecommunications and storage systems for data processing and storage; "domain name" means a unique, human-readable identifier that corresponds to a numeric Internet Protocol address and is used to locate websites or digital services on the internet; "enactment" includes an Act of Parliament, a legislative instrument, or any subsidiary legislation or regulation made under statutory authority and having the force of law in Ghaba; "enterprise software solutions" means integrated digital systems designed to manage core operations of an organization, including finance, human resources, and supply chain; means a company licensed by the Authority to

"Government ICT Infrastructure Operator " manage, operate, and develop core government digital infrastructure;

• digital hardware and software systems;

• information systems and digital applications, especially within government operations;

• data centres, hosting facilities, electronic and cloud-based infrastructure;

• digital innovation, platforms, and emerging technologies deployed in the public sector; and e) associated standards, architecture, and interoperability frameworks;

"ICT infrastructure" includes physical and virtual systems such as servers, networks, data centers, cloud platforms, and related hardware or software required for digital operations;

"ICT service provider" means an individual or entity licensed by the Authority to provide ICT products, services, platforms, or infrastructure within the ICT sector;

"improvement plan" means a set of recommendations and steps issued by the Authority to guide an entity towards compliance with performance standards;

"information technology" means the application of digital systems, computing devices, software, networks, and electronic data processing tools to collect, process, store, retrieve, and disseminate information for operational, administrative, or strategic purposes;

"internet protocol address" means a unique numerical label assigned to a device or node connected to a computer network that uses the Internet Protocol for identification and communication;

• "interoperability" means the ability of different ICT systems and applications to communicate, exchange data, and use the information effectively;

• "Minister" means the Minister responsible for Communication, Digital Technology, and Innovations;

• "Ministry" means the Ministry responsible for Information Communications Technology or Digitalisation;

• "national digital identity services" means digital systems and platforms that authenticate and manage unique identities of individuals or institutions for electronic services;

• "performance standards" means formalized metrics and criteria prescribed by the Authority to evaluate the quality, efficiency, security, and user experience of ICT systems and services; "prescribed" means specified by or in accordance with this Act or Regulations, directives, notices or guidelines issued under this Act;

"principles-oriented regulation " means a regulatory approach focused on broad objectives and outcomes rather than prescriptive rules;

• "public institution" means a Ministry, Department, Agency, Metropolitan, Municipal or District Assembly, a statutory or constitutional body, or any entity owned wholly or partly by the Republic;

"registrable interest" includes any direct or indirect financial interest, shareholding, beneficial ownership, partnership, trusteeship, or fiduciary obligation held by a person, which is required to be disclosed under section 12 or section 99 of this Act;

"risk-based approach" means a method that allocates regulatory resources and scrutiny based on the potential risks posed by ICT activities or providers;

"sandbox" means a controlled regulatory environment where innovations can be tested temporarily under relaxed regulatory requirements;

"service level agreements (SLAs)" means formal contracts between service providers and clients that define expected service performance, responsibilities, and penalties for noncompliance;

"technical clearance" means approval issued by the Authority confirming that an ICT project meets prescribed technical standards and compliance requirements;

105. (1) The rights, assets and liabilities that have accrued in respect of the properties vested in the National Information Technology Agency in existence immediately before the coming into force of this Act are transferred to the National Information Technology Authority established under this Act.

(2)A person in the employment of the National Information Technology Agency immediately before the coming into force of this Act shall, on the coming into force of this Act, be deemed to have been duly employed by the National Information Technology Authority established under this Act on the terms and conditions which are not less favourable in aggregate to the terms and conditions attached to the post held by the person before the coming into force of this Act.

(3)A contract subsisting between the National Information Technology Agency and another person and in effect immediately before the coming into force of this Act shall subsist between the National Information Technology Authority established under this Act and that other person subject to modifications that are necessary to ensure compliance with this Act.

(4)A licence, permit, or certificate issued by the Ministry or any other public body for matters related to ICT before the coming into force of this Act shall remain valid for six months unless revoked earlier by the Authority.

(5) A person whose licence ceases to be valid under subsection (4) may apply to the National Information Technology Authority for a licence under this Act.

106.(1) The National Information Technology Agency Act, 2008 (Act 771) is hereby repealed. (2)Despite the repeal, any action lawfully taken under the repealed Act shall be deemed to have been taken under the corresponding provisions of this Act.

SCHEDULE (Section 29)

Form and Content of Annual Report of the National Information Technology Authority

Date of Gazette notification: