Bank of Ghana CISD 2026: What Financial Institutions Need to Know About Data Residency
The Bank of Ghana's Cyber and Information Security Directive 2026 draws a hard line on where sensitive financial data can live. Here is what it means for every bank, fintech, and payment provider operating in Ghana — and what a compliant infrastructure path looks like.
On March 25, 2026, the Bank of Ghana officially launched the Cyber and Information Security Directive — CISD 2026 — at the Bank Square in Accra. It replaces the 2018 framework that regulators had openly acknowledged was no longer adequate for the current threat environment.
Delivering the welcome address, First Deputy Governor Dr. Zakari Mumuni set the tone immediately:
"Cybersecurity is no longer a technical issue. It is a matter of national and economic security."
Governor Dr. Johnson Pandit Asiama, who chaired the event, was equally direct on the urgency:
"A framework designed for the challenges of 2018 cannot adequately solve the problems of 2026."
This is not a minor update. It is a comprehensive regulatory overhaul covering every licensed financial institution in Ghana — commercial banks, rural and community banks, microfinance companies, fintechs, and payment service providers — and it contains one requirement that has significant infrastructure implications for organisations currently running workloads on public cloud.
This article focuses on that requirement.
The official launch of CISD 2026 at the Bank Square, Accra. Photo: Bank of Ghana
Who CISD 2026 Covers
The directive applies to every institution licensed or registered under Ghanaian law by the Bank of Ghana — specifically:
- Banks and Specialised Deposit-Taking Institutions (Act 930)
- Development Finance Institutions (Act 1032)
- Non-Bank Financial Institutions (Act 774)
- Payment Systems and Services providers (Act 987)
- Virtual Service Providers (Act 1154, 2025)
- Any other institution licensed or regulated by the Bank of Ghana
In practice, this means the entire Ghanaian financial ecosystem — from the largest commercial banks to the smallest microfinance companies, and every licensed fintech and payment service provider. CISD 2026 also significantly expands the mandate of FICSOC (the Financial Industry Command Security Operations Centre), bringing non-bank financial institutions under its oversight for the first time.
If you hold a BoG licence, this directive applies to you. Non-compliance attracts sanctions under applicable law.
The Six Pillars
CISD 2026 is structured around six strategic areas designed to move institutions beyond basic compliance toward what the Bank of Ghana describes as "active and collective cyber resilience":
- AI and Machine Learning Governance — institutions using AI in fraud detection, credit scoring, or customer service must demonstrate these systems are transparent, fair, and secure.
- Cloud Computing Security — strict rules on where sensitive data can live. Only non-sensitive, front-end operations may be hosted externally. Core systems and critical customer data must remain within Ghana.
- Board-Level Accountability — cybersecurity responsibility now sits at board level. Institutions must include expertise in cyber risk management in their leadership structures, with a dedicated Board Committee on Cyber and Information Security.
- Proportional Implementation — requirements scale with the size, complexity, and risk profile of the institution. A rural bank and a Tier 1 commercial bank operate under different tiers of obligation.
- Proactive Defence Posture — institutions must move from reactive incident response to active threat detection, with mandatory quarterly and annual cyber exercises.
- Inclusive Oversight — all financial institutions, including fintechs and payment providers, are now under the FICSOC national defence framework for the first time.
Governor Dr. Johnson Pandit Asiama addressing attendees at the CISD 2026 launch. Photo: Bank of Ghana
The Data Residency Requirement — What the Directive Actually Says
CISD 2026 draws a hard line on cloud computing. The Governor was explicit at the launch:
"This Directive does not endorse the wholesale migration of core systems or sensitive data to the cloud."
— Governor Dr. Johnson Pandit Asiama, CISD 2026 Launch, March 25, 2026
The directive allows only non-sensitive, front-end operations to be hosted on external cloud platforms. Core systems and critical customer data must remain within Ghana's borders, grounded in both the Cybersecurity Act 2020 (Act 1038) and the Data Protection Act 2012.
The directive also requires that any SIEM (Security Information and Event Management) system subscribed to by a regulated institution must be operated by a CSA-accredited entity with Ghanaian majority shareholding — further reinforcing the data sovereignty posture across the entire security stack.
In practical terms:
- Core banking systems must run on infrastructure physically located in Ghana
- Critical customer data — account records, transaction history, identity data — cannot be stored on foreign cloud servers
- Non-sensitive, front-end services may remain on external cloud
- AI systems used in regulated operations must meet governance standards that are easier to demonstrate when infrastructure is locally controlled and auditable
- SIEM providers must be CSA-accredited and Ghanaian majority-owned
AWS, Microsoft Azure, and Google Cloud do not currently operate data centres in Ghana. Institutions running core workloads on these platforms are in active non-compliance with CISD 2026.
Minister of Communications, Digital Technology and Innovations Samuel Nartey George at the CISD 2026 launch. Photo: Bank of Ghana
The Infrastructure Problem This Creates
Most Ghanaian financial institutions fall into one of three categories right now:
On public cloud (AWS, Azure, GCP): Core systems and customer data are sitting on servers outside Ghana. The directive is in effect. Every month of delay is a month of non-compliance exposure.
On legacy on-premise infrastructure (VMware, Hyper-V): Data-resident by default. But CISD 2026 also requires operational resilience controls, monitoring, incident response, documented access policies, quarterly penetration testing, and board-level reporting. Being on-premise is not the same as being compliant.
Mixed or fragmented: Some systems on-premise, some on public cloud, some on end-of-life hardware. The compliance picture is unclear and the operational risk is real.
None of these categories is comfortable. All of them require action.
The Additional Cost Pressure
CISD 2026 arrives alongside two other financial pressures that make infrastructure action more urgent.
The AWS surcharge on Ghanaian customers. In March 2025, AWS implemented a 21% effective tax on cloud services for Ghanaian customers — comprising 15% VAT plus 6% in additional levies. A financial institution paying $10,000 per month on AWS is now paying $12,100. Every month.
The Broadcom/VMware licensing shock. Following Broadcom's 2023 acquisition of VMware, most customers have faced renewal cost increases of two to ten times their previous bills. Institutions running VMware for on-premise virtualisation are now facing a pricing environment that makes migration financially urgent, not just technically desirable.
Between regulatory pressure and cost pressure, the direction is clear: local infrastructure, owned by the institution, operated by people who are accountable and reachable.
What a Compliant Infrastructure Path Looks Like
Meeting CISD 2026's data residency requirement is not simply a matter of moving servers. The directive requires demonstrable operational controls — continuous monitoring, incident response, documented access policies, audit evidence, penetration testing on a defined schedule, and board-level reporting. Infrastructure must be both locally located and properly governed.
A compliant private cloud deployment on the institution's own hardware, within its premises in Ghana, addresses the core requirements directly:
Data residency — all compute, storage, and networking runs on hardware physically in Ghana. The institution can show the BoG exactly where its data lives.
Operational controls — a properly deployed private cloud includes continuous monitoring, automated alerting, documented incident response procedures, patch management, and regular reporting — the evidence artefacts that a compliance review requires.
Audit readiness — access logs, configuration records, and operational history are under the institution's direct control. No dependency on a foreign provider's audit export tools.
Board-level reporting — with proper monitoring in place, IT leadership can produce the infrastructure health and incident reports that CISD 2026 requires at board level.
SIEM compliance — monitoring infrastructure deployed locally and integrated with a CSA-accredited Ghanaian SIEM provider meets the directive's data sovereignty requirements for security event management.
What SwiftInfra Does
SwiftInfra is a Private Cloud Engineering company based in Accra. We deploy and manage private cloud infrastructure on our clients' own hardware — compute, storage, networking, monitoring, and operational controls — so that financial institutions can meet their data residency obligations without building an internal platform engineering team from scratch.
We work with banks, fintechs, and payment providers. Our deployments use open-source infrastructure — no proprietary licensing, no foreign cloud dependency, no renewal exposure. Every engagement produces a compliant, documented, monitored environment that a risk and compliance team can demonstrate to the BoG.
For institutions currently running on VMware, we manage migration using Conduit, our in-house live migration platform, which moves workloads from VMware to an open private cloud without requiring downtime on source systems.
For institutions currently on public cloud, we design the migration path and build the on-premise environment before any workload moves — no gap in service during transition.
For institutions on fragmented legacy infrastructure, we start with an assessment: what exists, what the compliance gaps are, and what a realistic modernisation roadmap looks like before any capital is committed.
The Honest Summary
CISD 2026 launched on March 25, 2026. It is in effect now. Every Ghanaian financial institution with core systems or customer data on foreign cloud infrastructure has a compliance gap. Every institution with legacy on-premise infrastructure that cannot demonstrate the operational controls the directive requires has a compliance gap.
The institutions that move earliest will have the smoothest path. The institutions that wait will face more compressed timelines, higher migration costs, and a harder conversation with the regulator.
If you want to understand what a private cloud path would look like for your institution specifically — the hardware requirements, the migration approach, the timeline, and the cost — we are ready to have that conversation.
References
- Bank of Ghana, Cyber and Information Security Directive 2026, March 2026 — bog.gov.gh
- Governor Dr. Johnson Pandit Asiama, Speech at the Launch of CISD 2026, March 2026 — bog.gov.gh
- Bank of Ghana, Official launch post, Facebook, March 25, 2026 — facebook.com/thebankofghana
SwiftInfra is a Private Cloud Engineering company based in Accra, Ghana. We deploy and manage private cloud infrastructure for financial institutions, fintechs, and enterprises across West Africa. To discuss your infrastructure and compliance requirements, contact us at hello@swiftinfra.com.