In 2021, the Economic Community of West African States (ECOWAS) adopted a regional Cybersecurity Strategy with a view to promoting cybersecurity governance within the West Africa region. However, questions arise as to the prospects of the Cybersecurity Strategy in enhancing the development of norms for responsible state behavior amongst Member States of the ECOWAS. This paper discusses the prospects of the ECOWAS Cybersecurity Strategy in enhancing the development of norms for responsible State behavior amongst States in West Africa. Against the background of earlier cybersecurity governance frameworks established by the ECOWAS, the paper analyzes the Strategy and explores its prospects and limits in promoting the development of norms for responsible state behavior within the ECOWAS region. In so doing, the paper considers challenges to the development of norms for responsible State behavior within the framework of the ECOWAS Cybersecurity Strategy. In particular, the paper finds that poor implementation of Community frameworks has been a challenge in the ECOWAS and suggests that this challenge will impede the Strategy in promoting the development of norms for responsible State behavior within the region. The paper further identifies comparative examples from the European context by considering the adaptation of measures from European Union regimes to enhance the development of norms for responsible State behavior within the ECOWAS framework.
Introduction
Several regional intergovernmental organizations across the world have established cybersecurity frameworks with a view to achieving objectives that include the development of norms for responsible state behavior, the harmonization of legislation in Member States, and the promotion of cross-border cooperation. Examples include the Council of Europe Convention on Cybercrime,1 the African Union (AU) Convention on Cyber Security and Data Protection,2 the European Union (EU) Directive on Attacks against Information Systems,3 the Shanghai Cooperation Organization Agreement on International Information Security,4 and the Economic Community of West African States (ECOWAS) Directive on Cybercrime.5 Aside from the adoption of treaties, regional intergovernmental organizations such as the EU have adopted Cybersecurity Strategies to promote cybersecurity governance and the development of norms for responsible behavior.6 Similarly, in 2021, the ECOWAS adopted a regional Cybersecurity Strategy (ECOWAS Directive C/DIR.1/01/2021) with a view to promoting cybersecurity governance within the West Africa region.7 However, questions arise as to the prospects of the ECOWAS Cybersecurity Strategy in enhancing the development of norms for responsible state behavior amongst Member States of the ECOWAS. This paper discusses the prospects of the Strategy in enhancing the development of norms for responsible state behavior amongst States in West Africa. Against the background of existing cybersecurity governance frameworks such as the ECOWAS Directive on Cybercrime and the ECOWAS Data Protection Act, the paper analyzes the Strategy and explores its prospects and limits in promoting the development of norms for responsible State behavior within the ECOWAS region. In this regard, the paper examines challenges to the development of norms for responsible State behavior within the framework of the Strategy.
In particular, the paper finds that poor implementation of Community frameworks has been a challenge in the ECOWAS and suggests that this challenge will impede the Strategy in promoting the development of norms for responsible State behavior within the region. To address this challenge, the paper considers the adaptation of measures from EU regimes to enhance the development of norms for responsible State behavior within the ECOWAS framework.
This paper comprises six sections. The first section, which includes this introduction, discusses the concept of norms for responsible State behavior in cyberspace. The second section considers the work of the ECOWAS in developing cybersecurity governance frameworks. The third section discusses the development of the ECOWAS Cybersecurity Strategy and analyzes its provisions while considering its similarities with the AU Convention on Cybersecurity8 and European regimes such as the European Union (EU) Cybersecurity Strategy,9 the EU Directive on Network and Information Security,10 and the EU Cybersecurity Act.11 The fourth section considers the prospects of the ECOWAS Cybersecurity Strategy in promoting the development of norms for responsible State behavior within the ECOWAS region. The fifth section discusses a range of potential limitations to the implementation of the Strategy and considers measures that can be adapted from EU regimes to enhance its application as a regional instrument for the development of norms for responsible State behavior within the ECOWAS. The conclusion follows.
This paper appears to be the first to analyze the ECOWAS Cybersecurity Strategy and inquire into its prospects and limits in promoting the development of norms for responsible State behavior within the ECOWAS region. There have been earlier works that discussed ECOWAS Community instruments on data protection,12 electronic commerce,13 submarine cable landing stations14 and cybercrime.15 However, those works pre-date the Strategy. Again, while the ECOWAS appears to have made remarkable strides in establishing cybersecurity governance frameworks, these efforts have not received robust discussion in legal and policy studies. This paper aims to contribute to bridging that knowledge gap.
Norms for responsible state behavior in cyberspace
Norms refer to models or standards of behavior accepted voluntarily or involuntarily by the society or a group against which a person or something is judged.16 The concept of norms classifies rules, regimes or socially enforced expectations that encourage positive behavior in a society or within a group. On the other hand, the concept of ‘responsible State behavior’ is regarded as vague and its definition generally dependent on the context in which it is used and therefore varies in each context.17 For example, the general concept of responsible behavior in cyberspace has been defined as “behavior by a given actor in a given set of circumstances that can be said to conform to the laws, customs and norms generally expected from that actor in those circumstances”.18 If the elements of the above definition were to be adapted to the context of State behavior in cyberspace, ‘responsible State behavior’ would simply refer to a State’s compliance with established laws, customs and norms generally expected of such State in cyberspace. Therefore, norms for responsible State behavior in cyberspace can be considered as classifying standards of behavior accepted voluntarily or involuntarily by States as governing the conduct of States in cyberspace with the aim of promoting the peaceful use of the cyberspace for economic, political and social benefits. This generally implies, for example, that States are to ensure governance responsibility over cyber activities on their territory. As such, the concept of norms for responsible State behavior in cyberspace aims to promote cyber stability by requiring States to ensure that cyber activities which are conducted within their jurisdiction do not cause harm to other individuals or infrastructure located in another State.19
The concept of ‘cyber stability’ has been defined as “the ability of all countries to utilize the Internet for both national security purposes and economic, political and social benefit while refraining from activities that could cause unnecessary suffering and destruction”.20 The Report on a Framework for International Cyber Stability commissioned by the United States refers to ‘cyber stability’ as “an environment where all participants, including nation-States, non-governmental organizations, commercial enterprises, and individuals, can positively and dependably enjoy the benefits of cyberspace; where there are benefits to cooperation and to avoidance of conflict, and where there are disincentives for these actors to engage in malicious cyber activity”.21 Another definition refers to ‘cyber stability’ as “a geostrategic condition whereby users of the cyber domain enjoy the greatest possible benefits of political, civil, social and economic life, while preventing and managing conduct that may undermine those benefits at the national, regional and international level”.22 However, despite the above definitions, the concept of cyber stability is to a large extent regarded as an emerging concept that has not been developed as an analytic category.23
The concept of responsible State behavior in cyberspace requires States to promote cyber stability by ensuring governance responsibility over cyber activities on their territory. Basically, the need to promote cyber stability through responsible State behavior arises from the interconnectedness of information networks in different countries, which has ushered in a new age of network interdependence where the security of each country’s network is also dependent on the actions of State and non-State actors around the world.24 This creates a situation where malicious cyber activities conducted in a particular State can harm individuals or infrastructure located in another State. Thus, within the context of cyber stability, the concept of responsible State behavior can be seen as enshrining elements of the international law principle on State responsibility for trans-boundary harm. This principle has been recognized in different contexts in the Corfu Channel Case, where the International Court of Justice (ICJ) held that a State may not “allow knowingly its territory to be used for acts contrary to the rights of other States”,25 and also in the Trail Smelter Case.26 This principle has also been recognized in international law that applies to the regulation of communication networks. For example, Article 38.5 of the Constitution of the International Telecommunication Union (ITU) requires member States not to cause harm to the operation of telecommunication installations in other States.27
The Economic Community of West African States and Cybersecurity Governance
Following successful national independence struggles across the African continent, emerging independent States embraced regional economic and political integration28 as a major component of their development strategy.29 The pursuit of regional integration was underscored by the need to facilitate decolonization and promote regional cooperation, free trade, and the development of common markets.30 This led to the establishment of several regional intergovernmental organizations across the five geographical sub-regions that make up the African continent (Southern Africa, Central Africa, East Africa, North Africa and West Africa). One such regional intergovernmental organization is the ECOWAS, which operates within the West African sub-region. The ECOWAS was founded by the Treaty of Lagos on 28 May, 1975, to achieve objectives which include: promoting regional cooperation and integration; raising living standards; promoting economic stability and relations amongst Member States; and promoting the development of the African continent.31 The ECOWAS currently comprises 15 sovereign West African States, namely: Benin, Burkina Faso, Cape Verde, Côte d’Ivoire, the Gambia, Ghana, Guinea, Guinea-Bissau, Liberia, Mali, Niger, Nigeria, Senegal, Sierra Leone, and Togo.32 Member States of the ECOWAS comprise English speaking (Anglophone), French speaking (Francophone), and Portuguese speaking (Lusophone) States, and also constitute a population of over 407.68 million people.33
The ECOWAS Treaty recognizes that the promotion of harmonious economic development amongst Member States would require effective regional economic cooperation and integration, and that such integration requires the “pooling of national sovereignties to the Community within the context of a collective political will”.34 Article 3 (2) (a) of the ECOWAS Treaty declares that in order to achieve the aims of the Treaty, the ECOWAS shall ensure “the harmonization and coordination of national policies and the promotion of integration programmes”35 in areas including communications, trade, information, science, technology, services, and legal matters.36 On the basis of the above mandate, the ECOWAS Heads of State and Government adopted ECOWAS Supplementary Act A/SA1/01/07 on the Harmonization of Policies and Regulatory Framework for the information and communications technology (ICT) Sector (2007),37 which aims to establish a harmonized framework for ICT policy and regulation within the ECOWAS region.38 The Act also established the obligations of ECOWAS Member States and their respective national regulatory authorities and prescribed principles to govern the establishment of ICT policies and regulatory guidelines in Member States.39 In furtherance of the harmonization and integration mandates in the ECOWAS Treaty and the mandates in ECOWAS Supplementary Act A/SA1/01/07 on the Harmonization of Policies and Regulatory Framework for the ICT Sector (2007), the ECOWAS Heads of State and Government adopted a regional data protection treaty titled: the Supplementary Act A/SA.1/01/10 Personal Data Protection within the ECOWAS on 16 February, 2010,40 while the ECOWAS Council of Ministers adopted a Cybercrime treaty titled: Directive C/DIR.1/08/11 on Fighting Cybercrime within the ECOWAS on 19 August, 2011.41 All ECOWAS Member States are also Members of the African Union which adopted a Convention on Cyber Security and Data Protection in 2014.42
The ECOWAS data protection act
The ECOWAS Data Protection Act establishes a harmonized legal framework for data protection in the ECOWAS region.43 It imposes obligations on Member States to establish laws to protect personal data.44 It also establishes principles to regulate the processing of data,45 including the processing of sensitive personal data46 and the regulation of the trans-border flow of personal data to non-ECOWAS Member States.47 Some provisions of the Act appear to have been adapted from the European Union Data Protection Directive (1995)48 and the Council of Europe Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (1981).49
Article 9(3) of the Supplementary Protocol A/SP.1/06/06 Amending the Revised ECOWAS Treaty provides that: “Supplementary Acts adopted by the Authority [of ECOWAS Heads of State and Government] shall be binding on the Community institutions and Member States, where they shall be directly applicable …”.50 This implies that the ECOWAS Data Protection Act is meant to be binding on Member States and directly applicable in their domestic legal regimes. Article 9(3) of the Supplementary Protocol A/SP.1/06/06 appears to have been adapted from Article 189 of the Treaty Establishing the European Economic Community (1957), which provides that: “In order to carry out their task the Council and the Commission shall, in accordance with the provisions of this Treaty, make regulations, issue directives, take decisions, make recommendations or deliver opinions. A regulation shall have general application. It shall be binding in its entirety and directly applicable in all Member States …”.51 However, despite the binding nature of the obligations established in the ECOWAS Data Protection Act, some ECOWAS States are yet to establish data protection laws and national data protection authorities.52 Challenges that have been identified as impeding the implementation of the Act by Member States include the existence of different domestic procedures for receiving international laws in the domestic regimes of Anglophone and Francophone Member States of the ECOWAS; the absence of capacity in terms of expert personnel that will facilitate the development and implementation of national legal frameworks on data protection; the slow pace of legal responses in many ECOWAS Member States;53 lack of awareness amongst policy makers and legislators; and the challenge of the inapplicability of sanctions against ECOWAS Member States that fail to fulfill their obligations under the ECOWAS Data Protection Act.54
The ECOWAS Cybercrime Directive
The ECOWAS Cybercrime Directive establishes substantive criminal and procedural law provisions for the control of cybercrime in Member States.55 Some provisions of the Directive were adapted from the Council of Europe Convention on Cybercrime.56 The Directive imposes obligations on Member States to criminalize cybercrime offences57 and establish procedural rules to govern the search of computer systems,58 and also creates a framework to facilitate international cooperation on the control of cybercrime.59 More importantly, the Directive explicitly required ECOWAS Member States to adopt necessary legislative, regulatory and administrative measures in order to comply with the Directive “not later than 1st January, 2014”.60 However, many ECOWAS States were yet to establish cybercrime laws and other regulatory/administrative measures after the prescribed deadline.61 Apparently, the implementation of the ECOWAS Cybercrime Directive in Member States was impeded by challenges such as the absence of capacity in terms of expert personnel that will facilitate the development and implementation of legislative, regulatory and administrative measures on cybercrime control,62 often resulting in much reliance on technical assistance from international organizations63 and slow-paced responses on the development of national legislative and regulatory measures on cybercrime control.64 Other challenges include national budget constraints65 and the absence of a dedicated regional institutional follow-up mechanism to promote the implementation of the Directive’s objectives in Member States.66
The ECOWAS Regional Cybersecurity Strategy
The ECOWAS Regional Cybersecurity and Cybercrime Strategy was adopted by Members of the ECOWAS Parliament on 18th January, 2021,67 and later adopted as a Community Directive by the ECOWAS Council of Ministers on 21st January, 2021.68 The Strategy seeks to improve national cybercrime and cybersecurity governance mechanisms in Member States, and also enhance international cooperation and mutual assistance between Member States.69 It recognizes the need for Member States to respect fundamental freedoms and human rights contained in regional and international human rights instruments while promoting cybersecurity.70 The Strategy basically aims to establish a strategic regional community framework that will guide Member States in the development and implementation of national strategies and action plans on cybersecurity governance and cybercrime control “before the end of 2022”.71
Overview of member state obligations under the strategy
The Strategy requires Member States to adopt a risk management approach to cybersecurity governance72 and comply with a range of obligations. Each Member State is required to take measures that include: establishing a national cybersecurity and cybercrime policy and strategy;73 establishing a national cybersecurity authority;74 establishing cyber incident alert and response capabilities;75 promoting cybersecurity skills development;76 establishing penal and procedural provisions on cybercrime;77 establishing operational cybercrime units, investigative laboratories and training investigators, prosecutors and members of the judiciary;78 promoting regional and international cooperation;79 promoting the ratification of international conventions on cybersecurity;80 and promoting a cybersecurity culture.81 These obligations are discussed below.
Establishment of a national cybersecurity policy and strategy
The Strategy imposes obligations on Member States to adopt national cybersecurity policies and strategies which will be updated at least every five years.82 A Member State’s national cybersecurity policy and strategy is required to establish a national cybersecurity governance framework with the roles and responsibilities of stakeholders.83 The obligations of Member States to establish a national cybersecurity framework appear to mirror the provisions of Article 24 of the AU Convention on Cybersecurity which requires Member States to establish a national cybersecurity framework that comprises a national cybersecurity policy and a national cybersecurity strategy.84 The Lome Declaration on Cybersecurity and Fight Against Cybercrime which was recently adopted by African States in March, 2022, also requires African States (including ECOWAS States) to develop national cybersecurity strategies and policies.85 Again, the Digital Transformation Strategy for Africa (2020–2030) requires African States to develop and adopt national cybersecurity strategies.86 Similar obligations also exist under Article 7(1) of the EU Directive on Network and Information Security (2022),87 which requires Member States to adopt “a national cybersecurity strategy that provides for the strategic objectives, the resources required to achieve those objectives and appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity”.88 To ensure the effective implementation of national cybersecurity and cybercrime policy and strategies in ECOWAS Member States, the Strategy imposes obligations on Member States to define monitoring and evaluation mechanisms for actions planned by their national cybersecurity and cybercrime strategies and ensure the implementation of such actions annually.89
Establishment of a national cybersecurity authority and incident response capabilities
Under the Strategy, Member States are required to establish a national cybersecurity authority with powers to perform functions such as defining national and sectoral cybersecurity policies and regulatory texts.90 A national cybersecurity authority is responsible for undertaking the management of incident prevention and response mechanisms and serving as the main point of contact for regional and international cooperation.91 The Strategy further requires Member States to establish alert and incident response capabilities,92 including a National Computer Security Incident Response Team (CSIRT) which will be responsible for protecting critical infrastructures and disseminating alerts on cyber threats and vulnerabilities.93 The above obligations mirror the AU Convention on Cybersecurity which imposes obligations on Member States to establish appropriate structures or institutions as well as regulatory powers that are necessary for cybersecurity governance,94 such as a national cybersecurity agency and a national computer emergency response team (CERT).95 The 2022 Lome Declaration on Cybersecurity and Fight Against Cybercrime and the Digital Transformation Strategy for Africa (2020–2030) also require African States to establish institutions for the coordination of cybersecurity incidents such as national CERTs.96 Similar obligations also exist under Article 8(1) of the EU Directive on Network and Information Security (2022), which requires Member States to “designate one or more national competent authorities responsible for cybersecurity …”.97
Strengthening the cybersecurity protection of critical infrastructure and the adoption of information security policies
The Strategy requires each Member State to identify networks, information systems and digital data essential for the operation of critical infrastructure and provision of essential services.98 Under the Strategy ‘Critical infrastructure’ is defined as “a public or private infrastructure or process whose destruction, standstill, illegitimate exploitation or disruption for a defined period of time will cause either loss of lives or significant loss to the economy or damage significantly the reputation of the Member State or its symbols of governance”.99 Within this context, the concept of ‘infrastructure’ is classified to include networks, systems, and the physical or digital data for providing essential services and also refers to “a certain system or process whose functioning is critical within the organization”.100 The Strategy defines ‘Critical infrastructure protection’ as “a set of safeguards and actions to protect critical infrastructures from any risks and threats that could cause the total or partial interruption of the essential services they provide”.101
With respect to the protection of critical infrastructure, the Strategy requires Member States to impose measures on public and private operators of critical infrastructures and essential services to adopt information security policies102 and ensure the security of such systems, including ensuring compliance with ‘cyber hygiene’103 measures and conducting security audits of critical information systems at a frequency not exceeding 2 years.104 Member States are also required to establish measures that demand the operators of critical infrastructures to report cybersecurity incidents to the national cybersecurity authority or to the national CSIRT.105 Although the Strategy does not use the term critical information infrastructure, its obligations on the protection of critical infrastructure appear to mirror Article 25:4 of the AU Convention on Cybersecurity which requires Member States to adopt necessary legislative and regulatory measures to identify sectors that are “sensitive” to their national security and economic wellbeing, and also classify the ICT systems that are designed to function in those sectors as elements of critical information infrastructure.106
Reducing cybercrime incidents and creating an enabling environment to bring perpetrators to justice
The Strategy requires Member States to adopt penal and procedural provisions which are prescribed or recommended at regional, continental and global levels with respect to control of cybercrime and protection of critical information infrastructure.107 This obligation appears to mirror the provisions of the AU Convention on Cybersecurity which requires Member States to criminalize substantive criminal acts that affect the confidentiality, integrity, and availability of ICT systems and data, and also establish procedural mechanisms for the prosecution of such acts.108
Member States are also required to build institutional capacities to fight cybercrime by establishing operational cybercrime units, investigative laboratories, digital evidence collection and handling capabilities, and training police officers and judicial officers on issues relating to the investigation and adjudication of cybercrime cases.109 Member States are further required to promote cybersecurity skills development by introducing cybersecurity courses in universities and promoting training and research on cybersecurity.110 The Strategy’s obligation to promote cybersecurity skills development appears similar to the provisions of the Cybersecurity Strategy of the EU (2013) which invited Member States to promote national education and training efforts on Network and Information Security (NIS), by introducing training on NIS in schools by 2014 and providing basic NIS training for staff working in public administrations.111
Under the ECOWAS Cybersecurity Strategy, Member States also have obligations to promote a culture of cybersecurity by raising awareness of the general public on cyber threats by taking measures such as promoting digital hygiene amongst the general public, raising public awareness on the penalties applicable to cybercrime offences, and raising awareness amongst public and private stakeholders regarding their roles and responsibilities in cybersecurity governance.112 The 2022 Lome Declaration on Cybersecurity and Fight Against Cybercrime and the Digital Transformation Strategy for Africa (2020–2030) also establish requirements for African States to promote a culture of cybersecurity and raise awareness on cyber threats.113 The ECOWAS Cybersecurity Strategy’s obligation to raise public awareness on cyber threats mirrors the provisions of the Cybersecurity Strategy of the European Union (2013) which invites Member States and industry stakeholders to raise cybersecurity awareness amongst end-users of ICT products.114 The need to promote cybersecurity awareness is further highlighted in the EU’s Cybersecurity Act (2019)115 and in the EU’s Cybersecurity Strategy for the Digital Decade (2020) which emphasize that “cybersecurity awareness and hygiene must underpin the digital transformation of everyday activities”.116 Similarly, the obligations to promote a culture of cybersecurity under the ECOWAS Cybersecurity Strategy also mirror Article 26 of the AU Convention on Cybersecurity which requires Member States to develop a cybersecurity culture within their territories by promoting public awareness and providing education and training on cybersecurity.117
Promoting national coordination and international cooperation in cybersecurity and cybercrime control
The Strategy requires Member States to ensure the national coordination of cybersecurity governance activities,118 including governance dialogue and synergies amongst public and private actors responsible for cybersecurity and cybercrime control, critical infrastructure operators, cybersecurity service providers, research and training institutions, civil society, and media organizations.119 In order to promote international and regional cooperation on cybersecurity and cybercrime control, the Strategy requires Member States to ratify necessary regional and international conventions on cybersecurity and cybercrime.120 The need for African States to promote cross-border cooperation by ratifying regional and international agreements on cybersecurity and cybercrime is also emphasized in the 2022 Lome Declaration on Cybersecurity and Fight Against Cybercrime and the Digital Transformation Strategy for Africa (2020–2030).121 Similarly, the EU’s Cybersecurity Strategy for the Digital Decade (2020) emphasizes that “international cooperation is essential to keeping cyberspace global, open, stable and secure”,122 while the EU Cybersecurity Strategy (2013) urges all Member States to ratify and implement the provisions of the Council of Europe’s Budapest Convention on Cybercrime as early as possible.123 In addition, the ECOWAS Cybersecurity Strategy requires the ECOWAS Commission and Member States to promote regional and international cooperation124 in areas including capacity building, the sharing of best practices and information on cyber threats, the harmonization of strategies for the control of cybercrime, the protection of transnational critical infrastructure, judicial cooperation in cybercrime, and transnational access to digital evidence.125 This also appears to mirror the provisions of the AU Convention on Cybersecurity which requires Member States to establish measures to promote international cooperation and the harmonization of legal regimes on cybercrime control.126
Establishing regional cybersecurity governance mechanisms
To facilitate the implementation of the Strategy in Member States, the ECOWAS Commission is required to establish a regional assistance plan for its implementation.127 The Strategy also provides for the establishment of a regional Strategy monitoring system within the framework of the ECOWAS Commission to oversee the implementation of the Strategy.128 In addition, the Strategy provides for the establishment of a regional ECOWAS Cybersecurity Coordination Centre by the ECOWAS Commission.129 The proposed Center has a responsibility to coordinate capacity-building initiatives on cybersecurity governance and cybercrime control in Member States.130 This provision also mirrors the EU Cybersecurity Strategy (2013) which emphasizes the need for a coordinated and collaborative approach to cybersecurity governance in the EU and beyond.131 The ECOWAS Cybersecurity Strategy further proposes that in the long term the ECOWAS Commission may consider setting up a regional agency to promote regional cooperation on cybersecurity and cybercrime control.132 Here also the provision of the Strategy mirrors developments in the EU where the European Union Agency for Cybersecurity (ENISA) has been established as a regional cybersecurity agency for the EU.133
Prospects of the ECOWAS Cybersecurity Strategy
Notwithstanding the existence of the AU Convention on Cybersecurity and the ECOWAS Cybercrime Directive, the ECOWAS Cybersecurity Strategy still holds prospects to promote the development of norms for responsible State behavior within the ECOWAS region. Firstly, the adoption of the Strategy indicates a sustained and increasing regional interest in promoting cybersecurity governance within the ECOWAS. The ECOWAS has maintained a lead amongst African regional organizations in developing cybersecurity governance frameworks, having been the first regional organization to establish legal frameworks on cybercrime and data protection in Africa.134 With the adoption of the Strategy, the ECOWAS has also become the first African regional organization to adopt a cybersecurity strategy that sets out governance measures to be implemented by Member States.
Secondly, with the adoption of the Strategy, ECOWAS Member States and the ECOWAS Commission now have a more detailed picture of the minimum standards and best practices that are to be implemented in their national regimes to promote cybersecurity and cybercrime control. The existence of such minimum cybersecurity governance standards within the ECOWAS framework creates a template under which non-ECOWAS Member States and international organizations can engage ECOWAS Member States on issues such as capacity building and international cooperation on cybersecurity and cybercrime control.
Thirdly, the adoption of the ECOWAS Cybersecurity Strategy has the prospect of increasing the awareness of Member States on issues relating to cybersecurity governance and cybercrime control. To a large extent, such increased awareness is needed to facilitate the establishment of cybersecurity governance frameworks such as cybercrime laws, national cybersecurity policies and strategies, national cybersecurity authorities, and CERTs in Member States that are yet to establish such frameworks. For example, as of November, 2023, out of the 15 Member States of the ECOWAS, 13 had established cybercrime laws, 10 had established national cybersecurity policies, nine had established national CERTs, and four had established a national cybersecurity authority (see Table 1).
Table 1. Summary of cybersecurity governance measures in ECOWAS member states
| S/N | Country | Cybercrime law | Cybersecurity policy/strategy | National CERT | National cybersecurity authority |
|---|---|---|---|---|---|
| 1 | Benin | √ | √ | √ | – |
| 2 | Burkina Faso | √ | √ | √ | – |
| 3 | Cape Verde | √ | √ | In progress | In progress |
| 4 | Côte d’Ivoire | √ | √ | √ | – |
| 5 | Gambia | √ | √ | √ | – |
| 6 | Ghana | √ | √ | √ | √ |
| 7 | Guinea | – | – | – | – |
| 8 | Guinea–Bissau | – | – | – | – |
| 9 | Liberia | In progress | – | – | √ |
| 10 | Mali | √ | In progress | √ | – |
| 11 | Niger | √ | √ | – | – |
| 12 | Nigeria | √ | √ | √ | – |
| 13 | Senegal | √ | √ | √ | – |
| 14 | Sierra Leone | √ | √ | – | √ |
| 15 | Togo | √ | In progress | √ | √ |
Fourthly, the adoption of the ECOWAS Cybersecurity Strategy has the prospect of increasing the harmonization of legal and policy frameworks on cybersecurity governance in ECOWAS Member States. Within this context, harmonization implies the process of creating common legal and policy standards within Member States that belong to a common regional or international intergovernmental body with a view to promoting uniformity in national laws and policies and thereby minimizing major differences that may hinder cross-border cooperation amongst such Member States.135 As such, the minimum cybersecurity governance requirements that exist under the Strategy and which Member States have obligations to implement in their national cybersecurity regimes will go a long way to enhancing legal and policy harmonization by minimizing differences in the cybersecurity regimes of Member States, while also promoting regional cybersecurity cooperation within the ECOWAS.
Fifthly, with the proposed establishment of a Regional Monitoring mechanism to monitor the implementation of the Strategy in Member States,136 there is potential for the existence of a viable follow-up mechanism which will facilitate the national implementation of regional cybersecurity governance measures within the ECOWAS region, while also promoting harmonization and dissemination of best practices across the region. Such follow-up mechanisms did not exist under ECOWAS instruments such as the ECOWAS Cybercrime Directive and ECOWAS Data Protection Act and apparently resulted in the poor implementation of those frameworks as the compliance of Member States was not monitored and neither were reasons for non-compliance by Member States identified by the ECOWAS Commission.
Sixthly, it is important to note that the Strategy is classified as a legal instrument within the ECOWAS Community by virtue of Article 9(1) of the Supplementary Protocol A/SP.1/06/06 Amending the Revised ECOWAS Treaty. Article 9(1) of the Supplementary Protocol A/SP.1/06/06 Amending the Revised ECOWAS Treaty provides that “Community Acts shall henceforth be known as Supplementary Acts, Regulations, Directives, Decisions, and Opinions”.137 Thus, while the ECOWAS Treaty does not recognize or classify a “Strategy” as part of the legal instruments of the ECOWAS Community, it is important to note that the ECOWAS Council of Ministers adopted the Strategy as ECOWAS Directive C/DIR.1/01/2021 on 21st January, 2021.138 Therefore, following its adoption as a Directive, the Strategy is now contained in a legal instrument of the ECOWAS and has legal status within the ECOWAS Community regime. Article 9(5) of the Supplementary Protocol A/SP.1/06/06 Amending the Revised ECOWAS Treaty provides that: “Directives shall be binding on all the Member States in terms of the objectives to be realized. However, Member States shall be free to adopt modalities they deem appropriate for the realization of such objectives”.139 Flowing from the above, it is submitted that the adoption of the ECOWAS Cybersecurity Strategy through Directive C/DIR.1/01/2021 binds Member States to comply with the obligations established therein. The establishment of the Strategy as a binding Community legal instrument also creates certainty regarding its enforcement and application in the domestic regimes of Member States.
Finally, the adoption of the ECOWAS Cybersecurity Strategy imposes positive obligations on Member States to establish legal, policy, regulatory, and institutional frameworks on cybersecurity governance and cybercrime control which will fulfill the commitments set out in the Strategy. Those positive obligations create a legitimate expectation by citizens of ECOWAS Member States that their national governments will implement measures that will mitigate cyber threats which affect individuals and organizations in the information society.140 The existence of those positive obligations provides a basis for holding a Member State accountable where its failure to implement the commitments under the Strategy has resulted in the violation of the fundamental rights of citizens. For example, a Member State’s failure to adopt penal and procedural provisions on cybercrime can result in the proliferation of cybercrimes which can infringe the exercise of the right to privacy.141 This can provide a basis for an affected person to approach the ECOWAS Community Court for relief against that Member State under Article 10 (d) of ECOWAS Supplementary Protocol A/SP.1/01/05.142
Potential limitations to the implementation of the ECOWAS Cybersecurity Strategy
There are potential limitations that may hinder the implementation of the Strategy as a framework for promoting the development of norms for responsible State behavior within the ECOWAS region. These limitations include the non-application of sanction mechanisms against Member States and the slow pace of responses in the domestic implementation of regional cybersecurity governance measures.
Thus, a potential limitation that could hinder the implementation of the ECOWAS Cybersecurity Strategy as a framework for promoting the development of norms for responsible State behavior within the ECOWAS region is the non-application of sanction mechanisms against ECOWAS Member States that fail to comply with regional obligations. For example, no sanctions were imposed against Member States that failed to establish cybercrime laws by January, 2014 as mandated by Article 35 of the ECOWAS Cybercrime Directive.143 Article 5(3) of the ECOWAS Treaty declares that “Each Member State undertakes to honour its obligations under this Treaty and to abide by the Decisions and Regulations of the Community”,144 while Article 77(1) of the Treaty provides for the imposition of sanctions on Member States that fail to fulfill their obligations to the ECOWAS Community.145 However, while there is the probability that the adoption of the ECOWAS Cybersecurity Strategy may create a basis upon which sanctions can be invoked against any Member State that fails to implement its provisions,146 the sanctions mechanisms have not been used by the ECOWAS in compelling Member States to implement any Community instrument.
In practice, the ECOWAS has imposed sanctions on Member States in situations requiring responses to humanitarian issues, and in order to restore democratic governments in situations of unconstitutional overthrow of governments;147 however, the sanctions mechanisms have not been invoked against any Member State that failed to implement its obligations under an ECOWAS Community instrument.148 Hence, it appears that the sanctions mechanisms have not been utilized for the purpose of promoting the national implementation of ECOWAS instruments, or for the purpose of facilitating the transposition of such instruments in order to promote legal harmonization amongst Member States.149 Therefore, to facilitate the implementation of the Strategy in Member States, the ECOWAS Commission may have to consider the option of imposing sanctions on Member States that fail to implement its provisions.
The ECOWAS Commission may also consider the option of using the instrument of the ECOWAS Court of Justice to compel Member States to implement the provisions of the Strategy. In this regard, Article 9(1) (d) of the ECOWAS Supplementary Protocol A/SP.1/01/05 establishes the jurisdiction of the ECOWAS Court to adjudicate disputes arising from the failure of Member States to honor their obligations under the ECOWAS Treaty and other Community instruments,150 while Article 10 (a) of the ECOWAS Supplementary Protocol A/SP.1/01/05 allows the Executive Secretary of the ECOWAS Commission to access the ECOWAS Court for the purpose of instituting an action where a Member State has failed to fulfill a Community obligation.151 The option of using the instrument of a Community court to compel Member States to implement the provisions of a Community instrument has been applied with some measure of success in the European Union152 and may therefore provide a useful example for the ECOWAS. For example, in European Commission v. Portuguese Republic,153 the European Commission brought an action before the European Court of Justice, requesting the Court to impose fines on Portugal for failing to designate telecommunications providers as universal service providers in accordance with the EU Universal Service Directive (2002/22/EC). The Court declared in its judgment (Case C-154/09) of 7 October 2010 that Portugal had failed to fulfill its obligations under the Directive, as it had not transposed the obligations into national law and failed to ensure their application in practice.154 In February 2013, the European Commission also brought another action requesting the Court to impose financial sanctions on Portugal for failing to fulfill its obligations under the Directive in compliance with the Court’s judgment in Case C-154/09.
The Court of Justice confirmed its decision in June, 2014, and ordered Portugal to pay a fine of € 3 million and a penalty payment of € 10,000 for every day of delay in complying with the Court judgment of 7 October, 2010.155
The absence of an already established regional follow-up mechanism is another potential limitation that may hinder the timely implementation of the Strategy within the ECOWAS. Although the Strategy proposes the establishment of a Cybersecurity Coordination Center and a Regional Strategy Monitoring System, these mechanisms have not been established at the time of writing and there is no indication or timeline as to when they will be established. The existence of a dedicated and effective ECOWAS regional follow-up mechanism on cybersecurity governance will help in promoting awareness amongst Member States and further help to address the slow pace that has usually characterized the development of legal responses on cybersecurity and cybercrime control issues in ECOWAS Member States.156 Follow-up mechanisms have been used by the European Commission to monitor the implementation of Community measures on cybersecurity governance. For example, under Article 17 of the European Union Directive on Attacks against Information Systems (2013),157 the European Commission acts as a follow-up mechanism for the purpose of assessing and monitoring the implementation of the Directive in Member States.158 After the Directive entered into force, the European Commission exercised the follow-up provisions under Article 17 of the Directive in 2017 and produced a report which assessed the extent to which the Member States have complied with the Directive.
The Report indicated that by the Directive’s transposition date of 4 September, 2015, 22 Member States of the EU had notified the European Commission of their full transposition of the Directive’s obligations.159 The report also observed that the European Commission commenced infringement procedures for non-communication of national transposition measures against the remaining five Member States in November, 2015.160 It can therefore be argued that the existence of the EU Commission’s follow-up mechanism had the effect of promoting the implementation of the Directive’s obligations in Member States, while also making it easier to identify non-compliant Member States so that appropriate measures can be applied by the Commission.161
Concluding remarks
With the adoption of the ECOWAS Cybersecurity Strategy, the ECOWAS has now become the first regional organization in Africa to establish a distinct cybersecurity strategy which Member States are required to comply with. While several provisions of the Strategy mirror obligations under the AU Convention on Cybersecurity, it does not appear that the adoption of the Strategy will result in the fragmentation of cybersecurity governance frameworks in Africa. This is because provisions of the Strategy do not conflict with the obligations under the AU Convention on Cybersecurity; rather, the Strategy complements the Convention in many respects. With the adoption of the Strategy, the most important issue now remains its implementation by Member States. The Strategy holds prospects to promote norms for responsible State behavior as it classifies the minimum cybersecurity governance measures that should be implemented by Member States. Nevertheless, there are several challenges that could impede its implementation. This paper has attempted to highlight those challenges while also proposing a range of responses. The ECOWAS Community framework appears to model the EU Community framework. However, while EU Community regimes are implemented in Member States in a more timely manner, the same situation does not exist in the ECOWAS. Therefore, the EU may provide some examples that could be adapted to promote the implementation of ECOWAS Community regimes in Member States. In particular, as highlighted in the paper, the ECOWAS Commission should consider the timely establishment of a monitoring and follow-up mechanism and the use of sanctions mechanisms to facilitate the timely implementation of the Strategy.
1See The Council of Europe Convention on Cybercrime, 41 I.L.M. 282 (Budapest, 23 November, 2001).
2See The African Union (AU) Convention on Cyber Security and Personal Data Protection, (EX.CL/846(XXV)). (Malabo, 27 June, 2014).
3See Directive 2013/40/EU of 12 August 2013 on Attacks against Information Systems, Official Journal of the European Union, 218/8 (14 August, 2013).
4See Agreement between the Governments of Member States of the Shanghai Cooperation Organization on Cooperation in the Field of international Information Security (16 June, 2009).
5See ECOWAS Directive C/DIR.1/08/11 on Fighting Cybercrime, adopted at the Sixty Sixth Ordinary Session of the ECOWAS Council of Ministers at Abuja, Nigeria (19 August, 2011).
6See Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace (Brussels, 7.2.2013), and Joint Communication to the European Parliament and the Council, The European Union Cybersecurity Strategy for the Digital Decade (Brussels, 16.12.2020).
7See ECOWAS Directive C/DIR.1/01/2021 Relating to the Adoption of the Regional Cybersecurity and Cybercrime Strategy, adopted 85th Ordinary Session of the ECOWAS Council of Ministers (21st January, 2021), available at <https://tit.comm.ecowas.int/wp-content/uploads/2022/03/DIRECTIVE-CYBERSECURITY-STRATEGY-ENG.pdf> last accessed on 12 November, 2023.
8See The Council of Europe Convention on Cybercrime, 41 I.L.M. 282 (Budapest, 23 November, 2001).
9See Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace (Brussels, 7.2.2013).
10See Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December, 2022 on Measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No. 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), Official Journal of the European Union, 333/80 (27 December, 2022).
11See Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April, 2019 on ENISA (the European Union Agency for Cybersecurity) on Information and Communications Technology Cybersecurity Certification and repealing Regulation (EU) No. 526/2013 (Cybersecurity Act).
12See Uchenna Jerome Orji, “Regionalizing Data Protection Law: A Discourse on the Status and Implementation of the ECOWAS Data Protection Act”, International Data Privacy Law 7, no.3, (2017), 179–189.
13See Uchenna Jerome Orji, “Towards the Harmonization of E‑commerce Laws in West Africa: A Comparative Analysis of the ECOWAS Electronic Transactions Act”, International Company and Commercial Law Review 29, no. 6, (2018), 373–391.
14See Uchenna Jerome Orji, “Harmonizing the Regulation of Access to Submarine Cable Landing Stations in the ECOWAS: A Review of Regulation C/REG/06/06/12154”, Computer and Telecommunications Law Review 23 no. 6, (2017), 154–163.
15See Uchenna Jerome Orji, “An Inquiry into the Legal Status of the ECOWAS Cybercrime Directive and the Implications of its Obligations for Member States”, Computer Law & Security Review, 35, no. 6, (2019), 1–16.
16The Black’s Law Dictionary 9th Edition (United States, West Group, 2004), 1159–1160.
17See Andrijana Gavrilovic, ‘What is Responsible Behavior in Cyberspace’, Diplo (30 October, 2018), available at <https://www.diplomacy.edu/blog/webinar-%E2%80%98what-responsible-behaviour-cyberspace%E2%80%99> last accessed on 12 November, 2023.
18Ibid.
19See Uchenna Jerome Orji, “The African Union Convention on Cybersecurity: a Regional Response towards Cyber Stability”, Masaryk University Journal of Law and Technology 12 no. 2, (2018), 95.
20See Jody R. Westby, “Cyber War v. Cyber Stability”, A paper presented at the 42nd session of the World Federation of Scientists International Seminars on Planetary Emergencies (Italy, 19–22, August, 2009), 1.
21See International Security Advisory Board, Report on a Framework for International Cyber Stability (US Department of State, 2014) Appendix B.1, at 33.
22See Lisa Rudnick, et al, Towards Cyber Stability: A User Centered Tool for Policy Makers (Geneva: UNIDIR, 2015), 7.
23Ibid.
24See Harry D. Raduege, “Fighting Weapons of Mass Disruption: Why America Needs a Cyber Triad”, in Andrew Nagorski, (ed.), Global Cyber Deterrence: Views from China, U.S., Russia, India, and Norway (New York: East West Institute, 2010), 13.
25See The Corfu Channel Case (United Kingdom v. Albania), Merits, [1949] ICJ Reports 4, at paragraph 22.
26See The Trail Smelter Arbitration Case (United States of America v. Canada), (1938) 3 R.I.A.A. 1905; Editorial, ‘The Trail Smelter Arbitral Decision’, American Journal of International Law 35 (1941), 684.
27See Article 38.5 Constitution of the ITU (2010).
28See Malebakeng Forere, “Is Discussion of the ‘United States of Africa’ Premature?: Analysis of ECOWAS and SADC Integration efforts”, Journal of African Law, 56, no. 1, (2012), 33.
29See Trudi Hartzenberg, Regional Integration in Africa (Working Paper ERSD—2011-14) (Geneva: World Trade Organization, 2011) p. 2.
30See Uchenna Jerome Orji, International Telecommunications Law and Policy (United Kingdom: Cambridge Scholars Publishing, 2018), 301.
31See Article 3, Treaty of ECOWAS (28 May, 1975) 14 ILM 1200; Revised 24 July, 1993, 35 ILM 660, (1996) [Hereafter, ECOWAS Treaty]. See also, ECOWAS Commission, ECOWAS Common Investment Market Vision (Abuja: ECOWAS Commission, 2009).
32For further details see <http://www.ecowas.int>.
33See Worlddata.info, “Economic Community of West Africa States”, available at <https://www.worlddata.info/trade-agreements/ecowas-west-africa.php> last accessed on 12 November, 2023.
34See Preamble to the ECOWAS Treaty (1996).
35See Article 3(2) (a) ibid.
36See Article 57(1) ibid.
37See ECOWAS Supplementary Act on the Harmonization of Policies and the Regulatory Framework for the ICT Sector (A/SA.1/07) adopted at the Thirty First Session of the Authority of ECOWAS Heads of State and Government, Ouagadougou, 19 January 2007.
38See Article 2:1 ibid.
39Ibid.
40See Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS, adopted at the 37th session of the Authority of ECOWAS Heads of State and Government, (Abuja, 16 February, 2010). [Hereafter, ECOWAS Data Protection Act].
41See ECOWAS Directive C/DIR.1/08/11 on Fighting Cybercrime, adopted at the Sixty Sixth Ordinary Session of the ECOWAS Council of Ministers at Abuja, Nigeria (19 August, 2011). [Hereafter, ECOWAS Directive on Cybercrime].
42See The AU Convention on Cyber Security and Personal Data Protection, (EX.CL/846(XXV)). (Malabo, 27 June, 2014). [Hereafter, AU Convention on Cybersecurity].
43See Preamble to the ECOWAS Data Protection Act.
44See Article 2 ibid.
45See Articles 23–29, ibid.
46See Article 30 ibid.
47See Article 36 ibid.
48See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EU Data Protection Directive 95/46), [1995] OJ L281/31. For example compare: Articles 2(a) and 2(b) of the EU Data Protection Directive to Article 1 of the ECOWAS Data Protection Act.
49See Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, opened for signature on 28 January 1981, in force 1 October 1985, ETS 108. For a comparative analysis of the ECOWAS Data Protection Act and EU data protection regimes, see: Uchenna Jerome Orji, “A Comparative Review of the ECOWAS Data Protection Act”, Computer Law Review International, 17, no. 4, (2016), 108–118; Uchenna Jerome Orji, “Regionalizing Data Protection Law: A Discourse on the Status and Implementation of the ECOWAS Data Protection Act”, International Data Privacy Law, 7 no. 3, (2017), 179–189.
50See Article 9(3), Supplementary Protocol A/SP.1/06/06 Amending the Revised ECOWAS Treaty (Abuja, 14 June, 2006).
51See Treaty Establishing the European Economic Community (Treaty of Rome) adopted on 25 March 1957, 298 UNTS 3, in force 1 January 1958.
52ECOWAS Member States such as Guinea, Guinea–Bissau, Liberia and Sierra Leone have not established data protection laws and data protection authorities.
53See Uchenna Jerome Orji, “Examining Missing Cybersecurity Governance Mechanisms in the African Union Convention on Cybersecurity and Personal Data Protection”, Computer Law Review International, 5 (2014), 133.
54See Uchenna Jerome Orji, “Regionalizing Data Protection Law: A Discourse on the Status and Implementation of the ECOWAS Data Protection Act”, International Data Privacy Law, 7, no. 3, (2017), 188.
55See Article 2 ECOWAS Cybercrime Directive.
56For a comparative analysis of the ECOWAS Cybercrime Directive and the Council of Europe Convention on Cybercrime, see: Uchenna Jerome Orji, “A Review of the ECOWAS Cybercrime Directive: Analysis of ICT Offences with the Budapest Convention”, Computer Law Review International, 20, no. 2, (2019), 40–53.
57See Articles 4–23 ECOWAS Cybercrime Directive.
58See Articles 30 and 31 ibid.
59See Article 33(1) ibid.
60See Article 35(1) ibid.
61See African Union and Symantec Corporation, Cybercrime & Cybersecurity Trends in Africa (Symantec Corporation and African Union, November, 2016), 53–55.
62Ibid, pp. 60, 61, 63, 66, 70, and 83.
63See UNODC (2013) Comprehensive Study on Cybercrime (New York: United Nations, 2013), 178.
64See Uchenna Jerome Orji “The African Union Convention on Cybersecurity: A Regional Response Towards Cyber Stability?”, Masaryk University Journal of Law and Technology, 12 no. 2, (2018), 121.
65See Uchenna Jerome Orji, International Telecommunications Law and Policy (United Kingdom: Cambridge Scholars Publishing, 2018), 369.
66See Uchenna Jerome Orji, “An Inquiry into the Legal Status of the ECOWAS Cybercrime Directive and the Implications of its Obligations for Member States”, Computer Law & Security Review, 35, No. 6, (2019), 14–15.
67See ECOWAS Parliament, “ECOWAS adopts a Regional Strategy for Cybersecurity and the fight against Cybercrime”, (18 January, 2021), available at <https://parl.ecowas.int/information-and-communication-technology-ecowas-adopts-a-regional-strategy-for-cybersecurity-and-the-fight-aganist-cybercrime/> last accessed on 12 November, 2023.
68See ECOWAS Directive C/DIR.1/01/2021 Relating to the Adoption of the Regional Cybersecurity and Cybercrime Strategy, adopted 85th Ordinary Session of the ECOWAS Council of Ministers (21st January, 2021).
69See Section I, ECOWAS Cybersecurity Strategy (2021).
70Ibid.
71See Section II.A, ECOWAS Cybersecurity Strategy (2021).
72See Section IV: Paragraph 2.3, ECOWAS Cybersecurity Strategy (2021).
73See Section III, ECOWAS Cybersecurity Strategy (2021).
74See Section IV, ECOWAS Cybersecurity Strategy (2021).
75See Section IV, ECOWAS Cybersecurity Strategy (2021).
76Ibid.
77See Section V, ECOWAS Cybersecurity Strategy (2021).
78Ibid.
79See Section VI, ECOWAS Cybersecurity Strategy (2021).
80Ibid.
81Ibid.
82See Section III, ECOWAS Cybersecurity Strategy (2021).
83Ibid.
84See Article 24 AU Convention on Cybersecurity.
85See Paragraph 3, The Lome Declaration on Cybersecurity and Fight Against Cybercrime (March, 2022), available at <https://www.uneca.org/sites/default/files/SROs/West-Africa/20220223-D%C3%A9claration%20de%20Lom%C3%A9%20sur%20la%20cybers%C3%A9curit%C3%A9%20et%20la%20lutte%20contre%20la%20cybercriminalit%C3%A9-EN%20%282%29.pdf>. Last accessed on 12 November, 2023.
86See African Union, The Digital Transformation Strategy (2020–2030) (African Union: Addis Ababa, 2020), p. 46, available at <https://au.int/sites/default/files/documents/38507-doc-dts-english.pdf>. Last accessed on 12 November, 2023.
87See Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December, 2022 on Measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No. 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), Official Journal of the European Union, 333/80 (27 December, 2022).
88See Article 7.1 ibid.
89See Section III, ECOWAS Cybersecurity Strategy (2021).
90See Section IV: Paragraph 2.1 ECOWAS Cybersecurity Strategy (2021).
91Ibid.
92See Section IV: Paragraph 2.2 ECOWAS Cybersecurity Strategy (2021).
93Ibid.
94See Articles 25:2 and 27:1(a) AU Convention on Cybersecurity.
95See Article 28:3 ibid.
96See Paragraph 4(c), The Lome Declaration on Cybersecurity and Fight Against Cybercrime (March, 2022); African Union, The Digital Transformation Strategy (2020–2030) (African Union: Addis Ababa, 2020), p. 46.
97See Article 8(1) EU Directive on Network and Information Security (2022).
98See Section IV: Paragraph 2.4 ECOWAS Cybersecurity Strategy (2021).
99See Section II. B, ibid.
100Ibid.
101Ibid.
102See Section IV: Paragraph 2.5, ECOWAS Cybersecurity Strategy (2021).
103‘Cyber hygiene’ refers to “all the good practices that each digital player should respect in order to preserve the security of the information system that he uses or for which he acts as an administrator”. See Section II. B, ECOWAS Cybersecurity Strategy (2021).
104See Section IV: Paragraph 2.4, ECOWAS Cybersecurity and Cybercrime Strategy (2021).
105Ibid.
106See Article 25:4 AU Convention on Cybersecurity.
107See Section V: Paragraph 3.1, ECOWAS Cybersecurity Strategy (2021).
108See Articles 25:1 and 29:1, AU Convention on Cybersecurity.
109See Section V: Paragraph 3.2, ECOWAS Cybersecurity Strategy (2021).
110See Section IV: Paragraph 2.7, ECOWAS Cybersecurity Strategy (2021).
111 See Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace (Brussels, 7.2.2013), 8.
112 See Section VI: Paragraph 4.2, ECOWAS Cybersecurity Strategy (2021).
113 See Paragraph 3(a), The Lome Declaration on Cybersecurity and Fight Against Cybercrime (March, 2022); African Union, The Digital Transformation Strategy (2020–2030) (African Union: Addis Ababa, 2020), pp. 3 and 46.
114 See Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace (Brussels, 7.2.2013), 8–9.
115 See Article 10 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April, 2019 on ENISA (the European Union Agency for Cybersecurity) on Information and Communications Technology Cybersecurity Certification and repealing Regulation (EU) No. 526/2013 (Cybersecurity Act).
116 See Joint Communication to the European Parliament and the Council, The European Union Cybersecurity Strategy for the Digital Decade (Brussels, 16.12.2020), 4.
117 See Article 26:2 AU Convention on Cybersecurity.
118 See Section VI: Paragraph 4.3, ECOWAS Cybersecurity Strategy (2021).
119 Ibid.
120 See Section VI: Paragraph 4.1, ECOWAS Cybersecurity and Cybercrime Strategy (2021).
121 See Paragraphs 1 and 5(a), The Lome Declaration on Cybersecurity and Fight Against Cybercrime (March, 2022); African Union, The Digital Transformation Strategy (2020–2030) (African Union: Addis Ababa, 2020), pp. 47 and 50.
122 See Joint Communication to the European Parliament and the Council, The European Union Cybersecurity Strategy for the Digital Decade (Brussels, 16.12.2020), 19.
123 See Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace (Brussels, 7.2.2013), p. 9.
124 See Section VI: Paragraph 4.4, ECOWAS Cybersecurity Strategy (2021).
125 Ibid.
126 See Article 28 AU Convention on Cybersecurity.
127 See Section VII: Paragraph 5.1, ECOWAS Cybersecurity Strategy (2021).
128 See Section VII: Paragraph 5.2, ECOWAS Cybersecurity Strategy (2021).
129 See Section VII: Paragraph 5.3, ibid.
130 Ibid.
131 See Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace (Brussels, 7.2.2013), 10.
132 See Section VII: Paragraph 5.3, ECOWAS Cybersecurity Strategy (2021).
133 See Regulation (EU) 2019/881 of the European Parliament and the Council of 17 April, 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No. 526/2013 (Cybersecurity Act). Official Journal of the European Union (7.6.2019).
134 See Uchenna Jerome Orji, Cybersecurity Law and Regulation (The Netherlands: Wolf Legal Publishers, 2012), 397–398.
135 See Uchenna Jerome Orji, International Telecommunications Law and Policy (United Kingdom: Cambridge Scholars Publishing, 2018), 26, 301–347.
136 See Section VII: Paragraph 5.2, ECOWAS Cybersecurity Strategy (2021).
137 See Article 9(1), Supplementary Protocol A/SP.1/06/06 Amending the Revised ECOWAS Treaty (Abuja, 14 June, 2006). Emphasis added.
138 See ECOWAS Directive C/DIR.1/01/2021 Relating to the Adoption of the Regional Cybersecurity and Cybercrime Strategy, adopted at the 85th Ordinary Session of the ECOWAS Council of Ministers (21st January, 2021), available at <https://tit.comm.ecowas.int/wp-content/uploads/2022/03/DIRECTIVE-CYBERSECURITY-STRATEGY-ENG.pdf> last accessed on 12 November, 2023.
139 See Article 9(5), Supplementary Protocol A/SP.1/06/06 Amending the Revised ECOWAS Treaty (Abuja, 14 June, 2006).
140 See Uchenna Jerome Orji, “An Inquiry into the Legal Status of the ECOWAS Cybercrime Directive and the Implications of its Obligations for Member States”, Computer Law & Security Review, 35 No. 6 (2019), 12.
141 The right to privacy is guaranteed in the Constitutions of most ECOWAS Member States. See for e.g., Section 37 Constitution of the Federal Republic of Nigeria (1999); Section 18(2) of the Constitution of the Republic of Ghana (1992); Articles 20 and 21 Constitution of the Republic of Benin (1990); Article 41 Constitution of the Republic of Cape Verde (1992); Articles 13 and 16 Constitution of the Republic of Senegal (2001); Section 23 Constitution of the Republic of Gambia (1997); Article 16 Constitution of the Republic of Liberia (1986); and, Section 22 Constitution of Sierra Leone (1991).
142 Article 10(d) of the ECOWAS Supplementary Protocol A/SP.1/01/05 provides that “access to the [ECOWAS Community Court] is open to … individuals on application for violation of their human rights”.
143 See Article 35(1) ECOWAS Cybercrime Directive.
144 See Article 5(3) ECOWAS Treaty.
145 See Article 77(1) ECOWAS Treaty.
146 Sanctions that can be imposed on a Member State that fails to fulfill its obligations under ECOWAS legal instruments include: the suspension of a non-compliant Member State’s voting rights in the activities of the ECOWAS Community; or the suspension of such Member from participating in the activities of the Community; or the suspension of new Community loans or assistance to such Member; or the suspension of ongoing Community projects or assistance programmes meant for such Member. See Article 77(2), ECOWAS Treaty (1996).
147 See Chidebe M. Nwankwo (Jr), Legitimation of the Economic Community of West African States (ECOWAS): A Normative and Institutional Inquiry (A PhD Thesis submitted to the Brunel University of London, College of Business, Arts and Social Sciences; June, 2014), 191.
148 Ibid.
149 See Uchenna Jerome Orji, “An Inquiry into the Legal Status of the ECOWAS Cybercrime Directive and the Implications of its Obligations for Member States”, Computer Law & Security Review, 35 no. 6 (2019), 13–14.
150 Article 9(1)(d) of ECOWAS Supplementary Protocol A/SP.1/01/05 Amending the Preamble and Articles 1, 2, 9 and 30 of Protocol A/P.1/7/91 Relating to the Community Court of Justice (2005) provides that “the Court [ECOWAS Community Court] has competence to adjudicate disputes relating to … the failure by Member States to honour their obligations under the Treaty, Conventions and Protocols, Regulations, Directives, or Decisions of ECOWAS”.
151 Article 10(a) of ECOWAS Supplementary Protocol A/SP.1/01/05 Amending the Preamble and Articles 1, 2, 9 and 30 of Protocol A/P.1/7/91 Relating to the Community Court of Justice (2005) provides that “access to the Court is open to Member States, and unless otherwise provided in a Protocol, the Executive Secretary [of the ECOWAS Commission], where action is brought for failure by a Member State to fulfill an obligation”.
152 See for e.g., Joined Cases C‑6/90 and C‑9/90 Andrea Francovich and Danila Bonifaci v. Italy (Judgment of the European Court of Justice, 19 November, 1991) [1991] ECR I‑5357, [1993] 2 C.M.L.R. 66, where the European Court of Justice found the Government of Italy liable for losses and damages that were caused to its citizens as a result of its failure to transpose a Community Directive. See also, James E. Hanft, “Francovich and Bonifaci v. Italy: EEC Member State Liability for Failure to Implement Community Directives”, Fordham International Law Journal, 15, no. 4, (1991), 1237–1274.
153 See Case C-154/09, European Commission v. Portuguese Republic, ECR [2010] I‑00127.
154 See Uchenna Jerome Orji, International Telecommunications Law and Policy (United Kingdom: Cambridge Scholars Publishing, 2018), 277.
155 See Case C-76/13, European Commission v. Portuguese Republic (2013/C 123/17) Official Journal of the European Union C 123/11 (27.4.2013).
156 See UNCTAD, Harmonizing Cyberlaw and Regulations: The Experience of the East Africa (UNCTAD: New York/Geneva, 2012) pp. 8–9; Uchenna Jerome Orji, “Regionalizing Data Protection Law: A Discourse on the Status and Implementation of the ECOWAS Data Protection Act”, International Data Privacy Law, 7, no. 3, (2017), 188.
157 See Directive 2013/40/EU of the European Parliament and of the Council of 12 August, 2013 on Attacks Against Information Systems and Replacing Council Framework Decision 2005/222/JHA [Hereafter, EU Directive on Attacks against Information Systems, 2013].
158 See Article 17 EU Directive on Attacks against Information Systems (2013).
159 See European Commission, Report From the Commission to the European Parliament and the Council Assessing the Extent to Which the Member States Have Taken the Necessary Measures in Order to Comply With Directive 2013/40/EU On Attacks Against Information Systems And Replacing Council Framework Decision 2005/222/JHA, COM(2017) 474 final (European Commission: Brussels, 13 September, 2017), 5.
160 Ibid. See also, European Commission, Report From the Commission Monitoring the Application of European Union Law—2016 Annual Report, COM (2017) 370 final (European Commission: Brussels, 1 July, 2017), 13.
161 See Uchenna Jerome Orji, “An Inquiry into the Legal Status of the ECOWAS Cybercrime Directive and the Implications of its Obligations for Member States”, Computer Law & Security Review, 35, no. 6, (2019), 15.
References
Legislations and Conventions
1. African Union (AU). Convention on cyber security and personal data protection; 2014; EX.CL/846(XXV)
2. Agreement between the Governments of Member States of the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security (16 June, 2009).
3. Constitution of Sierra Leone (1991)
4. Constitution of the Federal Republic of Nigeria (1999)
5. Constitution of the ITU (2010)
6. Constitution of the Republic of Benin (1990)
7. Constitution of the Republic of Cape Verde (1992)
8. Constitution of the Republic of Gambia (1997)
9. Constitution of the Republic of Ghana (1992)
10. Constitution of the Republic of Liberia (1986)
11. Constitution of the Republic of Senegal (2001)
12. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, opened for signature on 28 January 1981, in force 1 October 1985, ETS 108.
13. Council of Europe Convention on Cybercrime. 41 I.L.M. 282; 2001;
14. Directive 2013/40/EU of 12 August 2013 on Attacks against Information Systems, Official Journal of the European Union, 218/8 (14 August, 2013).
15. Directive 2013/40/EU of the European Parliament and of the Council of 12 August, 2013 on Attacks Against Information Systems and Replacing Council Framework Decision 2005/222/JHA.
16. Directive 2016/1148 of the European Parliament and of the Council of 6 July, 2016 concerning Measures for a High Common Level of Security of Network and Information Systems across the Union, Official Journal of the European Union (19 July 2016) L 194.
17. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EU Data Protection Directive 95/46), [1995] OJ L281/31.
18. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December, 2022 on Measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No. 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), Official Journal of the European Union, 333/80 (27 December, 2022).
19. ECOWAS Directive C/DIR.1/08/11 on Fighting Cybercrime, adopted at the Sixty Sixth Ordinary Session of the ECOWAS Council of Ministers at Abuja, Nigeria (19 August, 2011).
20. ECOWAS Directive C/DIR.1/01/2021 Relating to the Adoption of the Regional Cybersecurity and Cybercrime Strategy, adopted 85th Ordinary Session of the ECOWAS Council of Ministers (21st January, 2021).
21. ECOWAS Supplementary Act on the Harmonization of Policies and the Regulatory Framework for the ICT Sector (A/SA.1/07) adopted at the Thirty First Session of the Authority of ECOWAS Heads of State and Government, Ouagadougou, 19 January 2007.
22. ECOWAS Supplementary Protocol A/SP.1/01/05 Amending the Preamble and Articles 1, 2, 9 and 30 of Protocol A/P.1/7/91 Relating to the Community Court of Justice (2005).
23. EU Directive on Attacks against Information Systems (2013).
24. EU Directive on Network and Information Security (2016).
25. Joint Communication to the European Parliament and the Council, The European Union Cybersecurity Strategy for the Digital Decade (Brussels, 16 Dec 2020), 4.
26. Joint Communication to the European Parliament and the Council, The European Union Cybersecurity Strategy for the Digital Decade (Brussels, 16 Dec 2020).
27. Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace (Brussels, 7 Feb 2013), and Joint Communication to the European Parliament and the Council, The European Union Cybersecurity Strategy for the Digital Decade (Brussels, 16 Dec 2020).
28. Regulation (EU) 2019/881 of the European Parliament and the Council of 17 April, 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No. 526/2013 (Cybersecurity Act). Official Journal of the European Union (7 June 2019).
29. Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS, adopted at the 37th session of the Authority of ECOWAS Heads of State and Government, (Abuja, 16 February, 2010).
30. Supplementary Protocol A/SP.1/06/06 Amending the Revised ECOWAS Treaty (Abuja, 14 June, 2006).
31. The Council of Europe Convention on Cybercrime. 41 I.L.M. 282; 2001;
32. Treaty Establishing the European Economic Community (Treaty of Rome) adopted on 25 March 1957, 298 UNTS 3.
33. Treaty of ECOWAS (28 May, 1975) 14 ILM 1200; Revised 24 July, 1993, 35 ILM 660, (1996).
Case Law
34. Case C-154/09, European Commission v. Portuguese Republic, ECR [2010] I‑00127.
35. Case C-76/13, European Commission v. Portuguese Republic (2013/C 123/17) Official Journal of the European Union C 123/11 (27 Apr 2013).
36. Joined Cases C‑6/90 and C‑9/90 Andrea Francovich and Danila Bonifaci v. Italy (Judgment of the European Court of Justice, 19 November, 1991) [1991] ECR I‑5357, [1993] 2 C.M.L.R. 66.
37. The Corfu Channel Case (United Kingdom v. Albania), Merits, [1949] ICJ Reports 4.
38. The Trail Smelter Arbitration Case (United States of America v. Canada), (1938) 3R.I.A.A 1905.
Books, Journals, Papers and Reports
39. African Union and Symantec Corporation Cybercrime & Cybersecurity Trends in Africa (Symantec Corporation and African Union, November, 2016)
40. Gavrilovic A, ‘What is Responsible Behavior in Cyberspace’, Diplo. https://www.diplomacy.edu/blog/webinar-what-responsible-behaviour-cyberspace/ (Created 30 Oct 2018). Accessed 6 Jan 2024
41. United States, West Group. Black’s law dictionary; 2004; 9
42. Chidebe M. Nwankwo (Jr), Legitimation of the Economic Community of West African States (ECOWAS): A Normative and Institutional Inquiry (A PhD Thesis submitted to the Brunel University of London, College of Business, Arts and Social Sciences; June, 2014).
43. ECOWAS Commission. ECOWAS Common Investment Market Vision; 2009; Abuja, ECOWAS Commission:
44. Parliament ECOWAS ECOWAS adopts a Regional Strategy for Cybersecurity and the fight against Cybercrime. https://parl.ecowas.int/information-and-communication-technology-ecowas-adopts-a-regional-strategy-for-cybersecurity-and-the-fight-aganist-cybercrime/ (Created 18 Jan 2021). Accessed 12 Dec 2022
45. (2021) ECOWAS Regional Cybersecurity and Cybercrime Strategy. https://www.ocwarc.eu/wp-content/uploads/2021/02/ECOWAS-Regional-Cybersecurity-Cybercrime-Strategy-EN.pdf. Accessed 12 Dec 2022
46. Editorial, ‘The Trail Smelter Arbitral Decision’, American Journal of International Law 35 (1941).
47. European Commission. Report From the Commission Monitoring the Application of European Union Law—2016 Annual Report; 2017; Brussels, European Commission: 370.
48. European Commission, Report From the Commission to the European Parliament and the Council Assessing the Extent to Which the Member States Have Taken the Necessary Measures in Order to Comply With Directive 2013/40/EU On Attacks Against Information Systems And Replacing Council Framework Decision 2005/222/JHA, COM(2017) 474 final (European Commission: Brussels, 13 September, 2017).
49. Raduege, HD. Nagorski, A. Fighting weapons of mass disruption: why america needs a cyber triad. Global cyber deterrence: views from China, U.S., Russia, India, and Norway; 2010; New York, East West Institute:
50. International Security Advisory Board Report on a framework for international Cyber stability (US department of state, 2014) (Appendix B.1.)
51. Hanft JE (1991) Francovich and Bonifaci v. Italy: EEC member state liability for failure to implement community directives. Fordham Int Law J 15(4)
52. Westby, JR. Cyber war v. Cyber stability; 2009;
53. Rudnick, L et al. Towards cyber stability: a user centered tool for policy makers; 2015; Geneva, UNIDIR:
54. Malebakeng F (2012) Is discussion of the ‘United States of africa’ premature?: analysis of ECOWAS and SADC integration efforts. J Afr law 56(1)
55. Hartzenberg, T. Regional Integration in Africa; 2011; Geneva, World Trade Organization:
56. Orji UJ (2016) A comparative review of the ECOWAS data protection act. Comput Law Rev Int 17(4)
57. Orji UJ (2019) A review of the ECOWAS cybercrime directive: analysis of ICT offences with the budapest convention. Comput Law Rev Int 20(2)
58. Orji UJ (2019) An inquiry into the legal status of the ECOWAS cybercrime directive and the implications of its obligations for member states. Comput Law Secur Rev 35(6)
59. Orji UJ (2014) Examining missing cybersecurity governance mechanisms in the African union convention on cybersecurity and personal data protection. Comput Law Rev Int 5:
60. Orji UJ (2017) Harmonizing the regulation of access to submarine cable landing stations in the ECOWAS: a review of regulation C/REG/06/06/12154. Comput Telecommun Law Rev 23(6)
61. Orji UJ (2017) Regionalizing data protection law: a discourse on the status and implementation of the ECOWAS data protection act. Int Data Priv Law 7(3)
62. Orji UJ (2018) The African union convention on Cybersecurity: a regional response towards Cyber stability? Masaryk Univ J Law Technol 12(2)
63. Orji UJ (2018) Towards the harmonization of E‑commerce laws in West Africa: a comparative analysis of the ECOWAS electronic transactions act. Int Co Commer Law Rev 29(6)
64. Orji, UJ. Cybersecurity law and regulation; 2012; Wolf Legal Publishers:
65. Orji, UJ. International telecommunications law and policy; 2018; Cambridge Scholars Publishing:
66. UNODC. Comprehensive study on cybercrime; 2013; New York, United Nations:
67. UNCTAD. Harmonizing cyberlaw and regulations: the experience of the east africa; 2012; New York, Geneva, UNCTAD:
68. Worlddata.info Economic community of West Africa states. https://www.worlddata.info/trade-agreements/ecowas-west-africa.php
© The Author(s), under exclusive licence to Springer Fachmedien Wiesbaden GmbH 2024.