Undefined Directive Power Creates Compliance Chaos

The Authority gains sweeping power to issue directives to critical infrastructure owners, service providers, cybersecurity providers, innovators, and developers—but the provision never defines what "directives" are, what they can require, or what penalties apply for non-compliance. Businesses face regulatory uncertainty as they cannot predict what compliance obligations may be imposed, when, or through what process. With no notice, hearing, or appeal rights specified, the Authority can unilaterally impose operational requirements, technology mandates, or reporting obligations without demonstrating necessity or considering business impact, creating unpredictable compliance costs across Ghana's technology sector.