This content is for informational and educational purposes only and does not constitute legal advice.
On 3 March 2026, the Nigeria Data Protection Commission (NDPC) issued a statement on joining 60 other data protection authorities in endorsing the joint statement on Artificial Intelligence (AI)-generated imagery and the protection of privacy. The endorsement is part of a broader national framework for responsible artificial intelligence (AI), which includes the National AI Strategy and the NDPC General Application and Implementation Directive (GAID). The statement aims to address privacy concerns associated with AI-generated content by promoting international cooperation among regulators. It was highlighted that the Nigeria Data Protection Act and compliance audit returns, submitted by data controllers and processors of major importance, will serve as the primary yardstick for monitoring and evaluating whether organisations are using AI responsibly in their data processing activities in Nigeria.
On 13 February 2026, the Communications Commission adopted the Internet Code of Practice, including design requirements. The Code requires internet access service providers to offer optional parental control measures, including content filters and monitoring tools, either directly or by prominently directing customers to third-party solutions. Where provided directly, customers must be informed at the point of sale how to update and access information about the tools. Providers must ensure that parental control offerings comply with competition regulations and take reasonable steps to help customers understand how to use them to manage minors’ and vulnerable dependents’ online access.
On 13 February 2026, the Communications Commission adopted the Internet Code of Practice, including non-discrimination requirements. The Code requires internet access service providers to treat all lawful traffic within the same service category equally and must not discriminate based on content, sender, receiver, application, or device. Preferential data prioritisation is prohibited without prior written approval from the Commission and, where exceptionally permitted, must be objectively justified, narrowly defined, transparent, and limited to clearly identified services such as emergency or public interest categories. Zero-rating may be allowed with Commission approval where it advances universal access and public interest objectives, but must avoid distorting competition, with limited exceptions for capped access to public service platforms. It also provides that reasonable network management is permitted only for legitimate technical needs, including security, congestion management, or legal compliance, and must be proportionate, transparent, based on global standards, and applied equally to equivalent traffic categories.
On 13 February 2026, the Communications Commission adopted the Internet Code of Practice, including user rights. The Code guarantees consumers the right to access and share lawful content, use applications and services of their choice, and connect appropriate devices without blocking or discrimination by internet access service providers, subject only to transparent and justified traffic management. Where artificial intelligence or emerging technologies are deployed on networks, consumers who may be affected have the right to be informed by providers, particularly where such tools are used in non-human interfaces for complaints or redress services.
On 13 February 2026, the Communications Commission adopted the Internet Code of Practice including rules regarding deployment of Artificial Intelligence (AI) and emerging technologies. The Code requires Internet Access Service Providers to notify the Commission before deploying AI or other emerging technological tools affecting network management or customer engagement. The notification must specify the services impacted, any existing services to be replaced, planned upgrades or modifications, and the implementation timeline, lifespan, and sunsetting arrangements for the tools.
On 1 January 2026, the Nigeria Data Protection Commission (NDPC) adopted a report focusing on the implementation of the Nigeria Data Protection Act 2023, including strengthening enforcement mechanisms, expanding sector-wide compliance monitoring, and issuing the General Application and Implementation Directive (GAID) 2025. The Directive mandates semi-annual reporting and credential assessments for Data Protection Officers, strengthens lawful basis and consent requirements, imposes privacy notice and cookie obligations, expands mandatory Data Protection Impact Assessments, and establishes structured pathways for cross-border data transfers. It was highlighted that the Commission increased the number of investigations to 230, recorded compliance revenue of NGN 7.2 billion, and expanded the number of verified data protection officers to 10,662 and licensed data protection compliance organisations to 310. It was also stated that enforcement priorities focused on unlawful cross-border transfers, inadequate privacy notices, behavioural profiling, automated decision-making without human intervention, and failure to conduct mandatory data privacy impact assessments.
On 31 October 2025, the Nigerian Communications Commission (NCC) closes the public consultation, open since 9 October 2025, on the Draft Nigerian Communications (Enforcement Process, etc.) Regulations, 2025. The draft empowers the NCC to impose administrative sanctions for failures in technical standards, harmful frequency interference, and advertising violations.
On 31 October 2025, the Nigerian Communications Commission (NCC) closes the consultation on the Draft Internet Code of Practice. The draft amends the Internet Code of Practice of 2019 to establish additional obligations concerning illegal content and harmful content. Chapter four sets out obligations for Internet Access Service Providers (IASPs) and other covered entities to protect minors online. IASPs must incorporate child online protection policies into their terms of service in compliance with the Cybercrime Act (Amended) 2024, the Child Online Protection Policy, and related regulations. These terms must be clearly displayed on websites and service agreements. Providers must offer user-friendly parental control tools and multilingual safety guidance, with parental controls set to “opt-in” by default for minors. IASPs must also enable customers to report child sexual abuse content to the Commission and block access to such material immediately upon notification. In addition, IASPs must provide optional parental control tools, either directly or through third-party links, and promote digital literacy by informing parents, guardians, and minors about online risks, reporting mechanisms, and safe internet use. Chapter five sets out network governance rules, requiring Internet Access Service Providers to include anti-spam policies, offer spam filters, provide reporting mechanisms for unlawful content, comply within 24 hours with takedown notices, and cooperate with law enforcement, while following all applicable laws and licence conditions. Chapter six establishes governance rules for online and digital platforms, digital service providers, and application service providers under the Nigerian Communications Act 2003. These entities must adopt community rules or guidelines aligned with the Act’s provisions on protecting national interests and submit them to the Commission within six months of the revised Code’s issuance. They are also required to submit biannual reports to the Commission in the format specified in the Second Schedule. All covered entities must maintain a communication channel with the Designated Online Governance Officer (DOGO) appointed by the Commission, serving as the main contact point for managing harmful content, disinformation, fraud, and unlawful material. The Commission may also issue additional governance standards and requirements, developed in consultation with licensees and affected entities, to support effective implementation of these provisions.
On 31 October 2025, the obligations under the Circular on migration and mandatory terminal geo-tagging enter into force. The Circular requires all licensed operators within Nigeria’s payments ecosystem, including Deposit Money Banks (DMBs), Microfinance Banks (MFBs), Mobile Money Operators (MMOs), Switching and Processing Companies (SPCs), Payment Terminal Service Providers (PTSPs), Payment Solution Service Providers (PSSPs), and Super Agents (SAs), to achieve full compliance with the migration to the ISO 20022 messaging standard and the mandatory terminal geo-tagging requirements set out in the Central Bank of Nigeria (CBN) circular No. PSS/DIR/PUB/CIR/001/001. All transaction messages have to align with ISO 20022 and the Society for Worldwide Interbank Financial Telecommunication (SWIFT) specifications, ensuring all mandatory data fields are completed. Payment terminals were required to use dual-frequency Global Positioning System (GPS) receivers, be registered with a Payment Terminal Service Aggregator (PTSA), and operate on Android Operating System (OS) version 10 or higher. Terminals that were not geo-tagged or not routed through a PTSA were prohibited from processing transactions.
On 31 October 2025, the Nigerian Communications Commission (NCC) closes the public consultation, open since 9 October 2025, on the Draft Nigerian Communications (Enforcement Process, etc.) Regulations, 2025. The draft defines grounds and processes for revocation where licensees cease operations for 30 days, default on payments for 21 days after notification, or fail to commence services within twelve months of licence issue. It permits the NCC to impose administrative fines or direct management changes as alternatives to revocation, while requiring licensees to return revoked licences within fourteen days of the effective date.
On 31 October 2025, the Nigerian Communications Commission (NCC) closes the public consultation, open since 9 October 2025, on the Draft Nigerian Communications (Enforcement Process, etc.) Regulations, 2025. The draft mandates that all operators retain call data records securely and make them available to competent authorities for lawful investigation in accordance with the Cybercrime (Prohibition, Prevention, etc.) (Amendment) Act, 2024. It prohibits tampering, destruction or distortion of communication facilities and prescribes penalties for obstruction, impersonation, or unauthorised access to networks and data systems. The draft further empowers the NCC to collaborate with relevant law-enforcement agencies, ensuring integrity, traceability, and technical resilience of Nigeria’s communications infrastructure.
On 31 October 2025, the Nigerian Communications Commission (NCC) closes the public consultation, open since 9 October 2025, on the Draft Licensing Regulations 2025. The draft restricts the grant of new licences to entities holding controlling interests in existing licensees where market dominance or cross-ownership may arise. It requires prior approval for the transfer of licences, shares, or corporate restructuring and prohibits the use of licences as security interests. The NCC retains discretion to withhold authorisation or revoke licences to preserve competition in the communications market.
On 31 October 2025, the Nigerian Communications Commission (NCC) closes the public consultation, open since 9 October 2025, on the Draft Licensing Regulations 2025. The draft requires that licence applications be submitted only by corporate bodies registered under Nigerian law. Applicants must demonstrate sufficient financial and technical capacity and provide supporting corporate documentation and proof of registration to the Commission. The draft stipulates that any service provider operating without a licence is liable to administrative fines of NGN 5 million plus daily penalties for continued non-compliance and that licence renewal requests be lodged at least six months before expiry.
On 31 October 2025, the Nigerian Communications Commission (NCC) closes the consultation on the Draft Internet Code of Practice. Chapter seven sets out the Commission’s approach to monitoring and enforcing compliance with the Code. Covered entities are required to provide information requested by the Commission, including details on network management and traffic control measures. Where non-compliance is identified, the Commission will issue a notice outlining corrective actions and require a compliance report within fourteen days. Monitoring and enforcement will be carried out in line with the Nigerian Communications (Enforcement Processes) 2019, including relevant penalties. The chapter further establishes a Consumer Web Portal for users to report non-compliance by Internet Access Service Providers. Complaints will be handled through the Commission’s adjudicatory procedures, and formal requests or approvals under the Code must be addressed to the Designated Online Governance Officer via the Office of the Executive Vice Chairman. All Internet Access Service Providers and other affected entities must also submit biannual compliance reports using the prescribed templates in the Code’s schedules.
On 31 October 2025, the Nigerian Communications Commission (NCC) closes the consultation on the Draft Internet Code of Practice (as amended). The draft amends the Internet Code of Practice of 2019. Chapter three sets out the obligations of Internet Access Service Providers (IASPs) regarding cybersecurity, privacy, and data protection. IASPs must implement the Cyber Security Framework issued by the Commission, which establishes strategic and operational standards for the communications sector. They are required to comply with the Nigerian Data Protection Act 2023 and relevant provisions of the Consumer Code of Practice Regulations 2024. IASPs must adopt reasonable measures to safeguard customer data against unauthorised access or disclosure, taking into account the sensitivity of the information and technical feasibility. In the event of a data breach, they must inform affected customers and notify the Commission within 48 hours. Additionally, IASPs may not permit third-party access to transactional data without prior written approval from the Commission, which will only be granted following an impact assessment.
On 31 October 2025, the Nigerian Communications Commission (NCC) closes the consultation on the Draft Internet Code of Practice. The draft amends the Internet Code of Practice of 2019. Chapter two outlines standards for open internet access. It requires Internet Access Service Providers (IASPs) to provide transparent and accurate information on their services and any traffic management practices to allow consumers and third parties to make informed decisions. IASPs must treat all lawful traffic equally and may not block, throttle, or prioritise data except for reasonable network management. Zero-rating is permitted only when it aligns with national ICT policy objectives and is approved by the Commission. Traffic management is acceptable only when necessary for network integrity, congestion prevention, or legal compliance, and must be technically justified, proportionate, transparent, and consistent with global standards. IASPs must also maintain and submit quarterly records of all IP addresses used on their networks and report any breaches of this Code to the Commission.
On 31 October 2025, the Nigerian Communications Commission (NCC) closes the public consultation, open since 9 October 2025, on the Draft Licensing Regulations 2025. The draft sets requirements for obtaining, renewing, and surrendering individual, class, general authorisation, and frequency licences, defining eligibility criteria, corporate status, financial capacity, and technical competence. It specifies procedures for application submission, offer letters, payment of licence fees, and renewal notices to be filed six months before expiry. It further provides for revocation and suspension in cases of breach of licence conditions or failure to rectify violations after notification.
On 31 October 2025, the Nigerian Communications Commission (NCC) closes the consultation on the Draft Internet Code of Practice. The draft amends the Internet Code of Practice of 2019. The Code requires internet access service providers to offer optional parental control measures, including content filters and monitoring tools, either directly or by prominently directing customers to third-party solutions. Where provided directly, customers must be informed at the point of sale how to update and access information about the tools. Providers must ensure that parental control offerings comply with competition regulations and take reasonable steps to help customers understand how to use them to manage minors’ and vulnerable dependents’ online access.
On 31 October 2025, the Nigerian Communications Commission (NCC) closes the consultation on the Draft Internet Code of Practice. The draft amends the Internet Code of Practice of 2019. The Code requires internet access service providers to treat all lawful traffic within the same service category equally and must not discriminate based on content, sender, receiver, application, or device. Preferential data prioritisation is prohibited without prior written approval from the Commission and, where exceptionally permitted, must be objectively justified, narrowly defined, transparent, and limited to clearly identified services such as emergency or public interest categories. Zero-rating may be allowed with Commission approval where it advances universal access and public interest objectives, but must avoid distorting competition, with limited exceptions for capped access to public service platforms. It also provides that reasonable network management is permitted only for legitimate technical needs, including security, congestion management, or legal compliance, and must be proportionate, transparent, based on global standards, and applied equally to equivalent traffic categories.
On 31 October 2025, the Nigerian Communications Commission (NCC) closes the consultation on the Draft Internet Code of Practice. The draft amends the Internet Code of Practice of 2019. The Code guarantees consumers the right to access and share lawful content, use applications and services of their choice, and connect appropriate devices without blocking or discrimination by internet access service providers, subject only to transparent and justified traffic management. Where artificial intelligence or emerging technologies are deployed on networks, consumers who may be affected have the right to be informed by providers, particularly where such tools are used in non-human interfaces for complaints or redress services.
On 31 October 2025, the Nigerian Communications Commission (NCC) closes the consultation on the Draft Internet Code of Practice. The draft amends the Internet Code of Practice of 2019. Chapter five requires Internet Access Service Providers to ensure that all artificial intelligence tools and emerging technologies deployed on their networks comply with the Code’s governance rules. Providers must notify the Commission before deploying AI or emerging technologies, detailing the services affected, potential replacements or upgrades, implementation timelines, and lifespans. They must inform impacted subscribers, maintain network integrity, ensure compliance with the Cyber Security Framework, protect consumer data, and retain the ability to withdraw tools if required by regulatory determination. The Commission may issue additional guidance and governance standards in consultation with licensees and affected entities to support effective implementation.
On 9 October 2025, the Nigerian Communications Commission (NCC) opened a consultation on the Draft Internet Code of Practice until 31 October 2025. The draft amends the Internet Code of Practice of 2019 to establish additional obligations concerning illegal content and harmful content. Chapter four sets out obligations for Internet Access Service Providers (IASPs) and other covered entities to protect minors online. IASPs must incorporate child online protection policies into their terms of service in compliance with the Cybercrime Act (Amended) 2024, the Child Online Protection Policy, and related regulations. These terms must be clearly displayed on websites and service agreements. Providers must offer user-friendly parental control tools and multilingual safety guidance, with parental controls set to “opt-in” by default for minors. IASPs must also enable customers to report child sexual abuse content to the Commission and block access to such material immediately upon notification. In addition, IASPs must provide optional parental control tools, either directly or through third-party links, and promote digital literacy by informing parents, guardians, and minors about online risks, reporting mechanisms, and safe internet use. Chapter five sets out network governance rules, requiring Internet Access Service Providers to include anti-spam policies, offer spam filters, provide reporting mechanisms for unlawful content, comply within 24 hours with takedown notices, and cooperate with law enforcement, while following all applicable laws and licence conditions. Chapter six establishes governance rules for online and digital platforms, digital service providers, and application service providers under the Nigerian Communications Act 2003. These entities must adopt community rules or guidelines aligned with the Act’s provisions on protecting national interests and submit them to the Commission within six months of the revised Code’s issuance. They are also required to submit biannual reports to the Commission in the format specified in the Second Schedule. All covered entities must maintain a communication channel with the Designated Online Governance Officer (DOGO) appointed by the Commission, serving as the main contact point for managing harmful content, disinformation, fraud, and unlawful material. The Commission may also issue additional governance standards and requirements, developed in consultation with licensees and affected entities, to support effective implementation of these provisions.
On 9 October 2025, the Nigerian Communications Commission (NCC) opened a public consultation until 31 October 2025 on the Draft Nigerian Communications (Enforcement Process, etc.) Regulations, 2025. The draft empowers the NCC to impose administrative sanctions for failures in technical standards, harmful frequency interference, and advertising violations.
On 9 October 2025, the Nigerian Communications Commission (NCC) opened a public consultation until 31 October 2025 on the Draft Nigerian Communications (Enforcement Process, etc.) Regulations, 2025. The draft mandates that all operators retain call data records securely and make them available to competent authorities for lawful investigation in accordance with the Cybercrime (Prohibition, Prevention, etc.) (Amendment) Act, 2024. It prohibits tampering, destruction or distortion of communication facilities and prescribes penalties for obstruction, impersonation, or unauthorised access to networks and data systems. The draft further empowers the NCC to collaborate with relevant law-enforcement agencies, ensuring integrity, traceability, and technical resilience of Nigeria’s communications infrastructure.
On 9 October 2025, the Nigerian Communications Commission (NCC) opened a public consultation until 31 October 2025 on the Draft Licensing Regulations 2025. The draft restricts the grant of new licences to entities holding controlling interests in existing licensees where market dominance or cross-ownership may arise. It requires prior approval for transfer of licences, shares, or corporate restructuring and prohibits the use of licences as security interests. The NCC retains discretion to withhold authorisation or revoke licences to preserve competition in the communications market.
On 9 October 2025, the Nigerian Communications Commission (NCC) opened a public consultation until 31 October 2025 on the Draft Licensing Regulations 2025. The draft requires that licence applications be submitted only by corporate bodies registered under Nigerian law. Applicants must demonstrate sufficient financial and technical capacity and provide supporting corporate documentation and proof of registration to the Commission. The draft stipulates that any service provider operating without a licence is liable to administrative fines of NGN 5 million plus daily penalties for continued non-compliance, and that licence renewal requests be lodged at least six months before expiry.
On 9 October 2025, the Nigerian Communications Commission (NCC) opened a consultation on the Draft Internet Code of Practice until 31 October 2025. Chapter seven sets out the Commission’s approach to monitoring and enforcing compliance with the Code. Covered entities are required to provide information requested by the Commission, including details on network management and traffic control measures. Where non-compliance is identified, the Commission will issue a notice outlining corrective actions and require a compliance report within fourteen days. Monitoring and enforcement will be carried out in line with the Nigerian Communications (Enforcement Processes) 2019, including relevant penalties. The chapter further establishes a Consumer Web Portal for users to report non-compliance by Internet Access Service Providers. Complaints will be handled through the Commission’s adjudicatory procedures, and formal requests or approvals under the Code must be addressed to the Designated Online Governance Officer via the Office of the Executive Vice Chairman. All Internet Access Service Providers and other affected entities must also submit biannual compliance reports using the prescribed templates in the Code’s schedules.
On 9 October 2025, the Nigerian Communications Commission (NCC) opened a consultation on the Draft Internet Code of Practice (as amended), until 31 October 2025. The draft amends the Internet Code of Practice of 2019. Chapter three sets out the obligations of Internet Access Service Providers (IASPs) regarding cybersecurity, privacy, and data protection. IASPs must implement the Cyber Security Framework issued by the Commission, which establishes strategic and operational standards for the communications sector. They are required to comply with the Nigerian Data Protection Act 2023 and relevant provisions of the Consumer Code of Practice Regulations 2024. IASPs must adopt reasonable measures to safeguard customer data against unauthorised access or disclosure, taking into account the sensitivity of the information and technical feasibility. In the event of a data breach, they must inform affected customers and notify the Commission within 48 hours. Additionally, IASPs may not permit third-party access to transactional data without prior written approval from the Commission, which will only be granted following an impact assessment.
On 9 October 2025, the Nigerian Communications Commission (NCC) opened a consultation on the Draft Internet Code of Practice (as amended) until 31 October 2025. The draft amends the Internet Code of Practice of 2019. Chapter two outlines standards for open internet access. It requires Internet Access Service Providers (IASPs) to provide transparent and accurate information on their services and any traffic management practices to allow consumers and third parties to make informed decisions. IASPs must treat all lawful traffic equally and may not block, throttle, or prioritise data except for reasonable network management. Zero-rating is permitted only when it aligns with national ICT policy objectives and is approved by the Commission. Traffic management is acceptable only when necessary for network integrity, congestion prevention, or legal compliance, and must be technically justified, proportionate, transparent, and consistent with global standards. IASPs must also maintain and submit quarterly records of all IP addresses used on their networks and report any breaches of this Code to the Commission.
On 9 October 2025, the Nigerian Communications Commission (NCC) opened a public consultation until 31 October 2025 on the Draft Nigerian Communications (Enforcement Process, etc.) Regulations, 2025. The draft defines grounds and processes for revocation where licensees cease operations for 30 days, default on payments for 21 days after notification, or fail to commence services within twelve months of licence issue. It permits the NCC to impose administrative fines or direct management changes as alternatives to revocation, while requiring licensees to return revoked licences within fourteen days of the effective date.
On 9 October 2025, the Nigerian Communications Commission (NCC) opened a public consultation until 31 October 2025 on the Draft Licensing Regulations 2025. The draft sets requirements for obtaining, renewing, and surrendering individual, class, general authorisation, and frequency licences, defining eligibility criteria, corporate status, financial capacity and technical competence. It specifies procedures for application submission, offer letters, payment of licence fees, and renewal notices to be filed six months before expiry. It further provides for revocation and suspension in cases of breach of licence conditions or failure to rectify violations after notification.
On 9 October 2025, the Nigerian Communications Commission (NCC) opened a consultation on the Draft Internet Code of Practice (as amended) until 31 October 2025. The draft amends the Internet Code of Practice of 2019. The Code requires internet access service providers to offer optional parental control measures, including content filters and monitoring tools, either directly or by prominently directing customers to third-party solutions. Where provided directly, customers must be informed at the point of sale how to update and access information about the tools. Providers must ensure that parental control offerings comply with competition regulations and take reasonable steps to help customers understand how to use them to manage minors’ and vulnerable dependents’ online access.
On 9 October 2025, the Nigerian Communications Commission (NCC) opened a consultation on the Draft Internet Code of Practice (as amended) until 31 October 2025. The draft amends the Internet Code of Practice of 2019. The Code requires internet access service providers to treat all lawful traffic within the same service category equally and must not discriminate based on content, sender, receiver, application, or device. Preferential data prioritisation is prohibited without prior written approval from the Commission and, where exceptionally permitted, must be objectively justified, narrowly defined, transparent, and limited to clearly identified services such as emergency or public interest categories. Zero-rating may be allowed with Commission approval where it advances universal access and public interest objectives, but must avoid distorting competition, with limited exceptions for capped access to public service platforms. It also provides that reasonable network management is permitted only for legitimate technical needs including security, congestion management, or legal compliance, and must be proportionate, transparent, based on global standards, and applied equally to equivalent traffic categories.
On 9 October 2025, the Nigerian Communications Commission (NCC) opened a consultation on the Draft Internet Code of Practice (as amended) until 31 October 2025. The draft amends the Internet Code of Practice of 2019. The Code guarantees consumers the right to access and share lawful content, use applications and services of their choice, and connect appropriate devices without blocking or discrimination by internet access service providers, subject only to transparent and justified traffic management. Where artificial intelligence or emerging technologies are deployed on networks, consumers who may be affected have the right to be informed by providers, particularly where such tools are used in non-human interfaces for complaints or redress services.
On 9 October 2025, the Nigerian Communications Commission (NCC) opened a consultation on the Draft Internet Code of Practice until 31 October 2025. The draft amends the Internet Code of Practice of 2019. Chapter five requires Internet Access Service Providers to ensure that all artificial intelligence tools and emerging technologies deployed on their networks comply with the Code’s governance rules. Providers must notify the Commission before deploying AI or emerging technologies, detailing the services affected, potential replacements or upgrades, implementation timelines, and lifespans. They must inform impacted subscribers, maintain network integrity, ensure compliance with the Cyber Security Framework, protect consumer data, and retain the ability to withdraw tools if required by regulatory determination. The Commission may issue additional guidance and governance standards in consultation with licensees and affected entities to support effective implementation.
On 19 September 2025, the Nigeria Data Protection Commission’s (NDPC) General Application and Implementation Directive (GAID) 2025 (NDPC/NDP ACT-GAID/01/2025) under the Nigeria Data Protection Act (NDP Act) 2023 enters into force. Article 28 and Schedule 4 require Data Privacy Impact Assessments (DPIAs) for high-risk processing, evaluating necessity, proportionality, and mitigation measures to safeguard data subjects. The Directive requires controllers to report breaches to the NDPC within 72 hours and notify affected data subjects if risks are high.
On 19 September 2025, the Nigeria Data Protection Commission’s (NDPC) General Application and Implementation Directive (GAID) 2025 (NDPC/NDP ACT-GAID/01/2025) under the Nigeria Data Protection Act (NDP Act) 2023 enters into force, mandating registration for data controllers and processors of major importance. Articles 8–9 and Schedule 7 classify entities into Ultra-High, Extra-High, and Ordinary-High levels, requiring annual registration and compliance audit returns (CAR) filings with prescribed fees.
On 19 September 2025, the Nigeria Data Protection Commission’s (NDPC) General Application and Implementation Directive (GAID) 2025 (NDPC/NDP ACT-GAID/01/2025) under the Nigeria Data Protection Act (NDP Act) 2023 enters into force, defining the NDPC’s regulatory powers. The directive outlines the Commission’s responsibilities, including issuing guidelines, conducting compliance audits, and enforcing penalties under Sections 5, 6, and 62 of the NDP Act. It also establishes procedures for cooperation with public authorities and sectoral regulators under Article 4 of the GAID.
On 19 September 2025, the Nigeria Data Protection Commission’s (NDPC) General Application and Implementation Directive (GAID) 2025 (NDPC/NDP ACT-GAID/01/2025) under the Nigeria Data Protection Act (NDP Act) 2023 enters into force, regulating cross-border data transfers. The directive permits transfers only under conditions such as adequacy decisions, approved transfer instruments, or other lawful bases under Sections 41–43 of the NDP Act. Schedule 5 provides guidance on assessing foreign jurisdictions for adequacy, ensuring compliance with Nigerian data protection standards.
On 19 September 2025, the Nigeria Data Protection Commission’s (NDPC) General Application and Implementation Directive (GAID) 2025 (NDPC/NDP ACT-GAID/01/2025) under the Nigeria Data Protection Act (NDP Act) 2023 enters into force, establishing rules for the processing of personal data. The directive outlines the rights of data subjects, including access, rectification, and erasure, and imposes obligations on data controllers and processors to ensure lawful, fair, and transparent processing. It mandates compliance with principles such as purpose limitation, data minimisation, and accountability, as stipulated in Sections 24–27 of the NDP Act.
On 3 September 2025, the Nigerian Communications Commission closes the consultation on the use of the 5925 – 6425 MHz band. The 5925–6425 MHz band, is a portion of the radio frequency spectrum allocated for high-speed, license-free Wi-Fi and other wireless access systems. The guidelines provide that the access and use of this band does not require a license, however, users of the band are expected to apply and obtain an Operational Licence-exemption certificate from the Commission. All equipment to be deployed must be Type-Approved by the Commission prior to importation and deployment in compliance with type approval regulations. Additionally, users of the lower band are required to notify the Commission upon deployment of services on this band using the template on the Commission’s website. They are also required to submit to the Commission data on the use of the frequency twice yearly, or upon request by the Commission. The Commission may impose fines or directives following non-compliance. Disputes between parties concerning the guidelines are to be resolved first through the dispute resolution clause in their agreement.
On 29 August 2025, the Nigerian Communications Commission (NCC) closes the public consultation on the review of the Internet Code of Practice 2019. The review sets out seven areas for reform. These include the governance of offensive and misleading content such as deep fakes, misinformation and incitement, with stronger safeguards for child online protection. They also cover governance principles for online platforms and parameters for international cooperation, as well as measures to ensure the responsible use of emerging technologies such as Artificial Intelligence in traffic management and content integration. Further proposals address enhanced data protection and privacy for transactional and behavioural data, clearer net neutrality rules with definitions of reasonable network management and zero-rating practices, and stronger cybersecurity standards aligned with the NIST Cybersecurity Framework and ISO 27001, including real-time intelligence sharing and rapid response. Finally, the NCC proposes regulatory clarity for essential internet resources through DNSSEC adoption, IPv6 deployment and electronic addressing in line with International Telecommunication Union Resolution 180. The consultation is intended to guide the Commission’s rule-making process scheduled for the third quarter of 2025.
On 29 August 2025, the Nigerian Communications Commission (NCC) closes the public consultation on the Consultation Paper for the review of the Licensing Regulations 2019. The review paper lists several proposals. These include strengthening pre-licensing evaluation and background checks to ensure that only entities with adequate governance, technical capacity and financial stability are licensed, revising the categorisation of individual and class licences to reflect changes in service models and emerging technologies, and reviewing existing licensable undertakings while extending the framework to cover new communications services. The paper also proposes clearer procedures, obligations and milestones for frequency licences, including post-licensing regulatory actions, and differentiated obligations for privately owned and publicly listed licensees based on ownership structures. The consultation builds on a Regulatory Impact Assessment conducted since 2019, which identified barriers for start-ups caused by complex application processes, recommended an expanded framework for innovative services, and highlighted onerous payment terms for frequency licences. It marks the first stage of engagement ahead of the NCC’s rule-making process scheduled for the third quarter of 2025.
On 29 August 2025, the Nigerian Communications Commission (NCC) closes the public consultation on the review of the Enforcement Processes Regulations 2019. The review sets out five proposed reforms. These include the introduction of non-monetary administrative measures, new liabilities for call masking, refilling and SIM boxing under Section 70 of the Act, and clarification of general and specific fines, including those set out in the Schedule and in Regulations 15 and 16. The paper also proposes that liability should extend to the boards and management of licensees and that enforcement should be applied asymmetrically according to licensee size. The proposals build on findings from a 2024 Regulatory Impact Assessment and are intended to shape the Commission’s rule-making process in the third quarter of 2025.
On 25 August 2025, Nigeria's Data Protection Commission (NDPC) announced a sector-by-sector investigation into organisations' compliance with the Nigeria Data Protection Act of 2023. The investigation applies to insurance companies, pension firms, gaming companies, banks, and insurance brokers. The organisations are required to provide compliance evidence within 21 days, including 2024 audit returns, Data Protection Officer appointments, technical protection measures, and registration as Data Controllers or Processors of Major Importance. It was highlighted that non-compliance may result in enforcement orders, administrative fines, or criminal prosecution under the NDP Act.
On 13 August 2025, the Nigerian Communications Commission opened a consultation on the use of the 5925 – 6425 MHz band, until 3 September 2025. The 5925–6425 MHz band, is a portion of the radio frequency spectrum allocated for high-speed, license-free Wi-Fi and other wireless access systems. The guidelines provide that the access and use of this band does not require a license, however, users of the band are expected to apply and obtain an Operational Licence-exemption certificate from the Commission. All equipment to be deployed must be Type-Approved by the Commission prior to importation and deployment in compliance with type approval regulations. Additionally, users of the lower band are required to notify the Commission upon deployment of services on this band using the template on the Commission’s website. They are also required to submit to the Commission data on the use of the frequency twice yearly, or upon request by the Commission. The Commission may impose fines or directives following non-compliance. Disputes between parties concerning the guidelines are to be resolved first through the dispute resolution clause in their agreement.
On 25 July 2025, the Nigerian Communications Commission (NCC), acting under Section 71 of the Nigerian Communications Act 2003, opened a public consultation on the review of the Internet Code of Practice 2019 until 29 August 2025. The review sets out seven areas for reform. These include the governance of offensive and misleading content such as deep fakes, misinformation and incitement, with stronger safeguards for child online protection. They also cover governance principles for online platforms and parameters for international cooperation, as well as measures to ensure the responsible use of emerging technologies such as Artificial Intelligence in traffic management and content integration. Further proposals address enhanced data protection and privacy for transactional and behavioural data, clearer net neutrality rules with definitions of reasonable network management and zero-rating practices, and stronger cybersecurity standards aligned with the NIST Cybersecurity Framework and ISO 27001, including real-time intelligence sharing and rapid response. Finally, the NCC proposes regulatory clarity for essential internet resources through DNSSEC adoption, IPv6 deployment and electronic addressing in line with International Telecommunication Union Resolution 180. The consultation is intended to guide the Commission’s rule-making process scheduled for the third quarter of 2025.
On 25 July 2025, the Nigerian Communications Commission (NCC) opened a public consultation on the review of the Licensing Regulations 2019, until 29 August 2025. The review paper lists several proposals. These include strengthening pre-licensing evaluation and background checks to ensure that only entities with adequate governance, technical capacity and financial stability are licensed, revising the categorisation of individual and class licences to reflect changes in service models and emerging technologies, and reviewing existing licensable undertakings while extending the framework to cover new communications services. The paper also proposes clearer procedures, obligations and milestones for frequency licences, including post-licensing regulatory actions, and differentiated obligations for privately owned and publicly listed licensees based on ownership structures. The consultation builds on a Regulatory Impact Assessment conducted since 2019, which identified barriers for start-ups caused by complex application processes, recommended an expanded framework for innovative services, and highlighted onerous payment terms for frequency licences. It marks the first stage of engagement ahead of the NCC’s rule-making process scheduled for the third quarter of 2025.
On 25 July 2025, the Nigerian Communications Commission (NCC), acting under Section 71 of the Nigerian Communications Act 2003, opened a public consultation on the review of the Enforcement Processes Regulations 2019, until 29 August 2025. The review sets out five proposed reforms. These include the introduction of non-monetary administrative measures, new liabilities for call masking, refilling and SIM boxing under Section 70 of the Act, and clarification of general and specific fines, including those set out in the Schedule and in Regulations 15 and 16. The paper also proposes that liability should extend to the boards and management of licensees and that enforcement should be applied asymmetrically according to licensee size. The proposals build on findings from a 2024 Regulatory Impact Assessment and are intended to shape the Commission’s rule-making process in the third quarter of 2025.
On 25 July 2025, the National Information Technology Development Agency (NITDA) announced the draft Online Harm Protection Bill during a policy workshop in Abuja. The proposed Bill aims to create a regulatory framework for digital platforms, addressing issues such as online harms, misinformation, and algorithmic bias. It introduces the establishment of an Online Harm Protection Centre, a Multi-Stakeholder Council, a Redress Panel, and an Independent Oversight Forum to ensure accountability and transparency. The Bill builds upon previous initiatives such as the 2021 Code of Practice for Interactive Computer Service Platforms, aiming to shift digital governance in Nigeria to a public interest and digital sovereignty approach.
Last updated: 03/03/2026