Cybersecurity regulation in Nigeria (2026)

The Nigeria Data Protection Commission published the GAID to operationalise the NDPA 2023, introducing mandatory registration, DPO appointments, DPIA obligations, 72-hour breach notification templates, and cross-border transfer rules; the directive became effective 19 September 2025 and supersedes the NDPR 2019 as the operative compliance instrument.

Nigeria's Economic and Financial Crimes Commission conducted its largest single cyber-enforcement sweep, detaining nearly 800 people and subsequently arraigning 42 Chinese and Filipino nationals in February 2025 on charges of cryptocurrency investment fraud and romance scams — signalling intensified cross-border enforcement cooperation.

The Central Bank of Nigeria published a binding framework applicable to all commercial, merchant, non-interest, and payment service banks, setting minimum requirements for cybersecurity governance, annual risk assessments, third-party risk management, AI and cloud-technology controls, and mandatory incident reporting — with a compliance deadline of 1 July 2024.

President Tinubu signed the Amendment Act, revising 12 sections of the 2015 statute: reducing incident reporting to 72 hours, mandating sectoral CERTs and SOCs, raising the cybersecurity levy on electronic transactions from 0.005% to 0.5% (subsequently suspended by presidential directive in May 2024 after public outcry), and adding offences covering technology-facilitated gender-based violence.

President Tinubu signed the NDPA 2023 — Nigeria's first statutory data-protection law — replacing the NDPR 2019 regulatory instrument and creating the Nigeria Data Protection Commission (NDPC) as an independent supervisory body with powers to investigate, sanction, and enforce against data controllers and processors.

The CBN extended mandatory cybersecurity governance to microfinance banks, mortgage institutions, finance companies, and other non-bank financial institutions, requiring formal cybersecurity programmes, incident monitoring and reporting, and compliance by 1 January 2023 — closing a major gap in sectoral coverage left by the banks-focused 2021 framework.

Nigeria's Office of the National Security Adviser published the NCPS 2021, designating 13 critical information infrastructure sectors, confirming ONSA as the national cybersecurity coordinator, mandating ngCERT as the central incident response body, and setting a five-year strategic roadmap covering cyber governance, defence capability, legal reform, and international cooperation.

NITDA issued the NDPR Implementation Framework to operationalise the 2019 data-protection regulation, introducing mandatory annual compliance audits, the Data Protection Compliance Organisation (DPCO) accreditation scheme for third-party auditors, and standardised breach-notification and cross-border transfer procedures.

NITDA issued Nigeria's first comprehensive data-protection framework under the NITDA Act 2007, imposing consent requirements, mandatory breach notification, annual compliance audits, and restrictions on cross-border data transfers on all data controllers — directly tying data governance to cybersecurity incident-response obligations.

Nigeria enacted its first comprehensive cybercrime statute, criminalising hacking, identity theft, cyberstalking, computer fraud, and phishing; requiring financial institutions and service providers to implement baseline cybersecurity measures; establishing ngCERT; and introducing a 0.005% cybersecurity levy on electronic transactions to fund the National Cybersecurity Fund.

The National Information Technology Development Agency Act created NITDA with authority to develop standards, guidelines, and regulations for IT systems, data governance, and cybersecurity — the statutory foundation that later empowered NITDA to issue the NDPR 2019 and the entire data-protection compliance regime.