Cybersecurity · Nigeria
Nigeria has a dedicated, comprehensive cybersecurity statute, the Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (amended in 2024), covering offences, protection of critical national information infrastructure, incident reporting, and a cybersecurity levy/fund. It is reinforced by the National Cybersecurity Policy and Strategy 2021 and a national coordination body (ngCERT, under the Office of the National Security Adviser, ONSA). Sectoral overlays, especially the Central Bank's risk-based framework for banks and financial institutions, impose stricter incident-reporting duties.
The Cybercrimes (Prohibition, Prevention, etc.) Act 2015 is Nigeria's central cybersecurity/cybercrime statute, amended in 2024 (signed 28 February 2024) to revise 12 sections, strengthen ngCERT's role, increase penalties and expand surveillance/interception powers.
Section 21 requires any person/institution that observes an attack, intrusion or disruption to report it to the National CERT (ngCERT). The 2024 amendment cut the reporting window from 7 days to 72 hours; the prior regime carried a fine and possible denial of internet service for failure to report.
Part II of the Act empowers the designation of critical national information infrastructure (CNII) and prescribes minimum standards, guidelines and procedures for its protection, preservation and management, with audit and inspection powers.
The National Cybersecurity Policy and Strategy 2021 sets governance direction; the ONSA Directorate of Cybersecurity is the lead agency, and ngCERT is the national coordination centre managing incidents and overseeing sectoral CSIRTs.
Section 44 of the Act establishes a National Cybersecurity Fund; to implement it the Central Bank issued a circular requiring banks/financial institutions to apply a 0.5% levy on electronic transactions.
The Central Bank of Nigeria's Risk-Based Cybersecurity Framework and Guidelines (for Deposit Money Banks/Payment Service Banks and, since 2022, Other Financial Institutions) mandate governance, monitoring and reporting of all cyber incidents to the Director of Banking Supervision within 24 hours of detection.
Under the Nigeria Data Protection Act 2023, controllers must notify the Nigeria Data Protection Commission of personal-data breaches (within 72 hours where feasible) and affected individuals where risk is high; processors must promptly notify the engaging controller.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.