Laws, Regulations and Industry Codes of Conduct Regulating the Digital Economy

Nigeria does not have a specific law that governs the digital economy, although a Digital Economy and E-Governance Bill is currently in its final legislative stages. Nevertheless, there are several laws and regulations that significantly impact the digital economy in Nigeria, including the following.

• The Cybercrimes (Prohibition, Prevention, etc) Act 2015 (as amended in 2024) (the “Cybercrimes Act”). The Cybercrimes Act provides a comprehensive framework for the protection of computer systems and networks, electronic communications, data and computer programs. It aims to:
1. promote effective implementation of cybersecurity policies and practices; and
2. protect computer systems and networks by criminalising acts such as unauthorised interference with computer systems, unlawful access to a computer, system interference, interception of electronic messages, tempering with systems and infrastructure designated as critical infrastructure, computer-related forgery and fraud, identity theft and breach of confidence by service providers. Under the Cybercrimes Act, cyber stalking was made a criminal offence. Section 24(1)(b) of the Cybercrimes Act states that any person who knowingly or intentionally sends a false message by means of computer systems or networks for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, ill will or needless anxiety to another person commits an offence. This provision has been utilised by law enforcement agencies to prosecute individuals for sharing false information on social media platforms. The application of this provision in these cases has raised concerns about its effect on the right to freedom of expression. In 2024, an amendment was introduced, stipulating that for an individual to be convicted of cyber stalking, the false message must be intended to cause a breakdown of law and order or pose a threat to life.
• The National Information Technology Development Agency Act 2007 (the “NITDA Act”). The NITDA Act establishes the National Information Technology Development Agency (NITDA), which is empowered to create a framework for planning, development, standardisation, monitoring, evaluation and regulation of information technology practices in Nigeria by developing standards, guidelines and regulations for the Nigerian digital economy. The NITDA is also empowered to develop guidelines for electronic governance and to monitor the use of electronic data interchange and other forms of electronic communication transactions. In line with its functions, the NITDA has issued a number of guidelines and policies that regulate the digital economy, one of which is the Code of Practice for Interactive Computer Service Platforms/Internet Intermediaries (the “Code”). Recognising the increasing shift of services to online platforms, the NITDA issued the Code to:
1. establish best practices for platforms and internet intermediaries;
2. enhance safety within the digital ecosystem for persons residing in Nigeria; and
3. set out measures to address online harms, including disinformation and misinformation. The Code specifically mandates platforms and internet intermediaries to implement measures to address disinformation and misinformation, ensure the removal of unlawful content from their platforms and exercise due diligence to prevent the uploading of unlawful content. Other guidelines issued by the NITDA include:
1. the Guidelines for Nigerian Content Development in Information and Communication Technology;
2. the Framework and Guidelines for Public Internet Access, the National ICT Policy, the National Cloud Computing Policy;
3. the Guidelines for Registration of ICT Service Providers/Contractors for Delivery of its Services to Ministries, Departments and Agencies of Government;
4. the Nigeria e-Government Interoperability Framework;
5. the Framework and Guidelines for Information and Communication Technology Adoption in Tertiary Institutions;
6. the Framework and Guidelines for the Use of Social Media Platforms in Public Institutions;
7. the National Digital Economy Policy and Strategy (2020–2030);
8. the National Blockchain Policy; and
9. the National Policy on Fifth Generation Network for Nigeria’s Digital Economy.
• The Nigerian Communications Act 2003 (NCA). The NCA establishes the Nigerian Communications Commission (NCC) and provides a regulatory framework for the Nigerian telecommunications industry. The NCC is authorised to issue licences to telecommunications service providers and to regulate the telecommunications industry, generally. Among other things, the NCA ensures effective competition in the industry, consumer protection and quality of service.
• Data protection legislation. The Nigeria Data Protection Act 2023 (NDPA) and General Application and Implementation Directive 2025 (GAID) provide the legal framework for the protection of personal data of individuals in Nigeria. The data protection legislation seeks to safeguard the security of personal data of data subjects, ensure that data controllers and processors are accountable for the personal data they process and facilitate data subjects exercising their rights. One of the overarching objectives of the NDPA is to strengthen the legal foundations of the national digital economy and guarantee the participation of Nigeria in the regional and global economies through the beneficial and trusted use of personal data.
• The Central Bank of Nigeria Act (the “CBN Act”) and the CBN Guidelines and Regulations. The CBN Act establishes the Central Bank of Nigeria (CBN) and empowers it to regulate banks and other financial institutions. Accordingly, the CBN has issued several guidelines and regulations to regulate entities that leverage technology to provide financial services. Fintech companies offering financial services to Nigerian consumers must obtain the appropriate licences and comply with the CBN’s applicable guidelines. There are a number of guidelines issued by the CBN to regulate these services. For example, the CBN introduced the eNaira and issued the Regulatory Guidelines on eNaira in October 2021 to govern the adoption of the eNaira. The CBN Guidelines on Operations of Electronic Payment Channels in Nigeria 2016 outline the regulatory requirements for entities, including fintech companies, that wish to offer the following services:
1. automated teller machine operations;
2. point of sale (POS) card acceptance;
3. mobile POS acceptance; and
4. web acceptance services. Compliance with these guidelines is mandatory to ensure the secure and efficient provision of electronic payment services in Nigeria. Other regulations issued by the CBN include:
1. the CBN Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Banks 2024;
2. the CBN Regulation on Electronic Payments and Collections for Public and Private Sectors in Nigeria 2019;
3. the CBN Guidelines on International Money Transfer Services 2024;
4. the CBN Operational Guidelines for Open Banking in Nigeria 2023;
5. the CBN Guidelines on Contactless Payments in Nigeria 2023; and
6. the CBN Regulatory Framework for Mobile Money Services in Nigeria 2021.
• The Investment and Securities Act (ISA). An amendment to the ISA was signed into law in 2025. The ISA established the Securities and Exchange Commission (SEC) and it regulates:
1. investment and securities business in Nigeria;
2. securities exchange;
3. capital trade points;
4. digital and virtual assets;
5. futures, options and derivatives exchanges;
6. commodity exchanges and any other recognised investment exchange;
7. offers of securities by public companies and entities and operators in the capital market; and
8. capital market operators. The SEC issued the Rules on Issuance, Offering Platforms and Custody of Digital Assets 2022 (the “Digital Assets Rules”) which regulate entities offering cryptocurrencies and other virtual and digital assets in Nigeria. The Digital Assets Rules require all virtual assets service providers (VASPs) and issuers of digital assets to register with the SEC prior to providing their services in the country. The SEC also issued the Accelerated Regulatory Incubation Programme Framework for the Onboarding of VASPs (the “ARIP Framework”) which provides an incubation programme for VASPs seeking to register with the SEC. The SEC has published amendments to the Digital Assets Rules through the Exposure of Amendments to the Digital Assets Rules (the “New Rules”) which came into effect on 30 June 2025.
• The Federal Competition and Consumer Protection Act 2018 (FCCPA). The FCCPA prohibits anti-competitive practices in the Nigerian economy and also seeks to protect and promote consumers’ interests. The FCCPA establishes the Federal Competition and Consumer Protection Commission (FCCPC), which is responsible for the enforcement of the FCCPA. To curb predatory lending practices in the digital space, the FCCPC issued the Limited Interim Regulatory Framework and Guidelines for Digital Lending 2022, which required digital lending platforms in Nigeria to register with the FCCPC. This interim framework has now been repealed and replaced by the more comprehensive Digital, Electronic, Online, or Non-Traditional Consumer Lending Regulations 2025.
• The Nigeria Startup Act 2022 (NSA). The NSA regulates the Nigerian tech-enabled start-up ecosystem, which is a leading contributor to the Nigerian digital economy. The NSA was enacted to promote the development of Nigeria’s digital economy by providing a legal and institutional framework that ensures an enabling regulatory and business environment for start-ups in Nigeria. The NSA provides incentives for start-ups, including tax and fiscal incentives and other general incentives.
• The Copyright Act 2022 (the “CA 2022”). The CA 2022 provides comprehensive protection for literary, artistic, musical, and audiovisual works, granting creators exclusive rights over their original creations. As a result, no individual may use copyrighted works without the permission of the creator. A key provision of the CA 2022 empowers copyright holders to request service providers, such as social media platforms, to take down content that infringes on their copyright.
• The Advertising Regulatory Council of Nigeria Act 2022. The Act is the primary legislation for regulating advertising practices in Nigeria. It defines an advertisement as any message aimed at influencing an individual’s opinion or actions regarding a product, service, idea, or person, regardless of the medium or platform used. The Act established the Advertising Regulatory Council of Nigeria (ARCON) and grants it authority to regulate all forms of advertising directed at the Nigerian audience. Organisations are required to obtain prior approval from the Advertising Standards Panel (ASP) before exposing adverts to the Nigerian public. The ARCON has recently intensified enforcement actions against companies advertising on social media without securing approval from the ASP.

Key legal challenges affecting the digital economy in Nigeria include the following.

• A lack of comprehensive regulations for emerging technologies – while there are sector-specific regulations which may address the challenges posed by the adoption of these emerging technologies, there is no specific law in Nigeria that regulates these technologies and the peculiar legal challenges that may arise from their adoption.
• Tackling cybercrimes – with the continuous growth of the Nigerian digital economy comes the need to safeguard cyberspace from cyber threats to ensure adequate data security and transaction integrity. In 2022, the CBN reported a 534% increase in attempted cyber-attacks as digital banking surged. For the digital economy to thrive, it is imperative to prioritise measures geared towards improving the security of cyberspace.
• Taxation – due to the pervasive nature of the internet, businesses located outside Nigeria can offer their products and services to individuals in Nigeria using digital technologies. However, taxing these companies poses a challenge for tax authorities as it is difficult for the tax authority to accurately track and identify the income generated from online businesses.
• Lack of awareness of intellectual property – the digital economy is powered by intellectual property assets. However, many creators of copyrighted works are unaware of the full extent of the rights granted to them under the CA 2022. This lack of awareness often results in insufficient enforcement of intellectual property rights.
• Enforcement intensity and regulatory discretion – Nigeria’s digital economy is currently navigating a regulatory environment marked by high enforcement intensity and broad regulatory discretion, which significantly shapes business operations. Regulators are increasingly assertive, imposing higher registration requirements, conducting public enforcement actions, and levying substantial administrative penalties. Many digital economy laws, including the NDPA, FCCPCA, ARCON Act, and sector-specific regulations, grant authorities wide-ranging powers to issue directives, investigate, sanction and publish compliance lists.

Companies Income Tax (CIT)

The worldwide profits and gains of a Nigerian company, including profits derived from the provision of digital services and goods are subject to companies income tax (CIT) at the rate of 30%. Small companies (with gross turnover of NGN50 million or less per annum with total fixed assets not exceeding NGN250 million, excluding companies providing professional services, are exempt from CIT.

Under the provisions of Section 17(9)(b) of the Nigeria Tax Act, 2025 and the Companies Income Tax (SEP) Order 2020, a non-resident entity (NRE) is deemed to have a significant economic presence (SEP) in Nigeria and is liable to tax on its profits derived from Nigeria if it:

• derives over NGN25 million (or its equivalent in other currencies) in gross turnover from activities like streaming or downloading digital content, transmitting user data collected from Nigeria, providing goods and services via digital platforms, or offering intermediation services connecting suppliers and customers in Nigeria through a digital platform;
• uses a Nigerian domain name or registers a website in Nigeria; or
• engages purposefully and consistently with Nigerian users through a digital platform targeting the Nigerian market, including pricing or payment in naira.

Withholding Tax

Where any amount is payable by a Nigerian company to another company or person as fees for the provision of technical, professional, management or consultancy services, the company is required to deduct withholding tax (WHT) at the rate of 5% (if the payment is due to another Nigerian company) or 10% (if due to an NRE) and pay it to the Nigeria Revenue Service (NRS). The WHT deducted on any of these payments to an NRE is the final tax payable in Nigeria. For all other service payments, the company is required to deduct WHT at the rate of 2% (if the payment is due to another Nigerian company) or 5% (if due to an NRE). This 5% WHT will be the final tax where the service is provided offshore, otherwise, it will be treated as an advance payment of CIT, which an NRE can use to offset its ultimate CIT liability upon filing its tax returns.

Capital Gains Tax

From 1 January 2026, capital gains tax (CGT) will no longer apply as chargeable gains arising from the disposal of digital assets in Nigeria, and will be taxed alongside other income of companies at the applicable CIT rate.

VAT

VAT is levied on the supply of digital services and goods in Nigeria at the rate of 7.5%.

Tax Compliance Management Challenges

NREs that supply digital services to Nigerian customers are required to register with the NRS for VAT purposes, collect VAT on their supplies and remit it to the NRS. In order to fulfil these obligations, an NRE may appoint a local third party as its tax compliance agent.

There are no special rules for the taxation of digital advertising revenues in Nigeria. The tax treatment of digital services applies equally to digital advertising revenues.

Consumer Protection Laws in the TMT Sector

The FCCPA is the principal consumer protection law applicable to digital goods and services in the TMT sector. Certain sectors have their own specific consumer framework. For example, in the financial sector, the CBN issued the Consumer Protection Regulations 2019 and the Consumer Protection Framework 2016 and in the telecommunications industry, there is the Nigerian Communications (Consumer Code of Practice) Regulations 2024.

Upholding Consumer Rights in the Digital Economy

To uphold consumer rights in the digital economy, companies should implement internal policies that will ensure that they comply with applicable consumer protection legislation and embrace transparency and fairness in their dealings with consumers.

Legal Frameworks for the Resolution of Consumer Complaints in the Digital Economy

A consumer can file a complaint via the FCCPC’s consumer portal. In addition to the portal, consumers can also file complaints through other channels such as email, letter, or in-person visits. The NCC, the CBN and other regulators have similar procedures for the filing of complaints.

Handling Consumer Disputes Effectively

To handle consumer disputes effectively, TMT companies should:

• set up an effective consumer dispute resolution procedure for receiving and resolving complaints from consumers;
• have a specified timeframe for the resolution of disputes;
• acknowledge complaints received and state the timeframe within which a response will be made available;
• in the event of delays in resolving any dispute, state the reason for the delay including the status of the resolution in the event that the complaint remains unresolved at the expiration of the prescribed timeframe;
• be transparent and ensure that they inform the affected consumer(s) of the status of the dispute resolution at all times; and
• comply with the provisions of applicable legislation.

Cryptocurrencies and blockchain technology have impacted the legal landscape, necessitating the creation of new regulations. Some key effects include the following.

Regulation

The SEC has introduced rules to regulate digital assets and expanded its regulatory incubation programme to accommodate entities providing services related to cryptocurrencies and other forms of digital assets. The regulation of cryptocurrencies has led to the creation of different licence categories for various VASPs.

Taxation

The NTA defines digital assets as “digital representation of value that can be digitally exchanged, including crypto assets, utility tokens, security tokens, non-fungible tokens (NFT), such other similar digital representation or derivatives of any of the listed or similar assets and any other asset as may be defined by the relevant regulatory authority”.

Profits or gains from transactions in digital assets are subject to CIT at the applicable CIT rate.

Challenges

Anonymity v KYC/AML laws

The pseudonymous nature of cryptocurrencies presents a significant challenge with respect to compliance with KYC and AML laws.

Cross-border legal disputes

Blockchain transactions occur across multiple jurisdictions. This complicates the determination of applicable law and forum for settlement of disputes.

Opportunities

Efficient cross-border operations

Cryptocurrencies eliminate intermediaries in cross-border transactions, reducing costs and delays.

Intellectual property and content management

Automating royalty payments and licensing through smart contracts has the potential to reduce disputes and administrative costs. Blockchain can also provide transparent and tamper-proof records of content ownership and usage, aiding in copyright enforcement.

New business models

Blockchain can enable tokenisation of assets or revenue streams, creating new business models.

Blockchain and Crypto Regulation

Blockchain

In May 2023, following the approval of the Federal Executive Council, the NITDA issued the National Blockchain Policy for Nigeria (the “Blockchain Policy”) as a roadmap for Nigeria’s adoption of blockchain technology. Through the Blockchain Policy, the Nigerian government recognised cryptocurrency as a potential catalyst for the adoption of blockchain. One of the expected outcomes of the Blockchain Policy is the creation of supportive legal and regulatory frameworks that will provide clarity and certainty to persons who intend to adopt blockchain to create innovative solutions in any sector.

Before the introduction of the Blockchain Policy, the NITDA had developed and issued the National Blockchain Adoption Strategy (the “Adoption Strategy”), providing a detailed roadmap and strategy for adopting blockchain. In terms of regulation and legal framework, the Adoption Strategy envisions a principle-based and technology-neutral approach that encourages innovation and development.

Cryptocurrencies

In 2022, the SEC released the Digital Assets Rules. The Digital Assets Rules created various categories of digital assets service providers and their respective registration and licensing requirements, including VASPs, digital asset offering platforms (DAOPs), digital asset custodians (DACs) and digital asset exchanges (DAXs).

However, the Digital Assets Rules were not operationalised and applications for registration or licensing were not accepted by the SEC. In 2024, the SEC issued the ARIP Framework to facilitate the onboarding of qualified cryptocurrency entities into the SEC’s ARIP Framework and provide a path to registration for operators.

The SEC subsequently issued the Exposure of Amendments to the Digital Assets Rules in 2024, which came into effect on 30 June 2025. The amendments to the Digital Assets Rules cover advertisements, marketing and promotion, including third-party/social media promotions and mandate disclosure of paid promotions. Furthermore, the amendments create a new digital assets intermediary (DAI) category to cover persons that are not DAOPs, DAXs or DACs but are facilitating virtual assets transactions.

Similarly, the CBN reversed its prohibition on banks facilitating cryptocurrency transactions, through the issuance of the Guidelines on Operations of Bank Accounts for Virtual Assets Service Providers (the “VASP Guidelines”), which permit financial institutions to open bank accounts for cryptocurrency businesses, provided the requirements set out in the VASP Guidelines are fulfilled, including obtaining a relevant licence or registration from the SEC.

Laws, Regulations and Industry Codes of Conduct in Cloud and Edge Computing

There is no specific legislation on cloud and edge computing in Nigeria. However, the NITDA issued the Nigeria Cloud Computing Policy 2019 (the “Policy”), which applies to public institutions and government-owned corporations. The aim of the Policy is to ensure an increase in the adoption of cloud computing by public institutions and small and medium enterprises that provide digital enabled services to the government.

The Policy requires public sector entities to prioritise the procurement of cloud-based information and communication technologies where a cloud-based offer is essentially equivalent to other kinds of technology solutions.

Restrictions on Certain Industries

As there is no specific legislation on cloud and edge computing, no industry is subject to greater restrictions than others.

Personal Data Processing in the Context of Cloud Computing

In cloud computing, the provisions of the NDPA with regards to processing personal data must be complied with at all times specifically the following.

• Principles of processing personal data: cloud service providers should ensure that the principles of processing personal data are complied with.
• In the context of cloud computing, it is essential for the parties involved in the sharing of personal data to clearly define their respective roles and responsibilities. Under the NDPA, entities processing personal data may act as data controllers, data processors or joint controllers. Establishing a clear distinction of each party’s role is critical to ensuring compliance with regulatory obligations, accountability and safeguarding data subjects’ rights.
• Compliance with cross-border data transfer regulations is essential when personal data is transferred outside Nigeria in the context of cloud computing. Under the NDPA, data controllers are prohibited from transferring personal data outside Nigeria unless the Nigeria Data Protection Commission (NDPC) has determined that the data protection laws of the destination country provide an adequate level of protection. If the NDPC has not determined that the destination country offers an adequate level of protection, a data controller may still transfer personal data to that country, provided it is based on an approved contractual clause or, in the case of intra-group transfers, on approved binding corporate rules.

Laws, Regulations and Industry Codes of Conduct in Relation to the Use of Artificial Intelligence (AI)

There is no legislation that specifically governs the use of AI in Nigeria. However, the provisions of the NDPA, the CA 2022, the FCCPA, the Cybercrimes Act, the SEC Rules on Robo-Advisory Services 2021 etc may all impact the use of AI in Nigeria.

Deepfake Technologies

The CA 2022 protects original works of creators, including literary, musical and artistic works, audiovisual, sound recordings and broadcasts. The CA 2022 recognises and protects the moral rights of the original creators of works that are eligible for copyright protection. Therefore, where a person’s moral rights are breached by deepfake technologies, the person can have recourse to the remedies provided under the CA 2022.

With respect to a person’s likeness, the CA 2022 protects artistic and cinematographic works, which may include depictions of a person’s personality or image through mediums such as photographs, paintings, sculptures, or cinematography. Consequently, a person’s likeness that has been reduced to an artistic work such as a photograph is protected from unauthorised exploitation. A person’s likeness such as the person’s face, voice and mannerisms qualify as personal data under the NDPA, and as such the use of a person’s likeness needs to comply with the requirements of the NDPA.

Relevant Laws or Regulations About Applications of AI in Transport

There are no laws or regulations that specifically address the application of AI in transport.

Relevant Elements

Liability

Where any harm is caused by an AI system, the developers or users of the AI system, may be liable for such harm under the law of tort.

Data protection

Data protection is an integral aspect of AI as AI systems rely on a vast amount of data to function. Although recourse is not made expressly to processing in the context of AI in the NDPA, the NDPA requires that the data subjects be made aware of the processing of their personal data prior to the commencement of the processing activity. Accordingly, AI developers should inform individuals before they can use the personal data of the individuals to train their AI models. The NDPA also mandates that data controllers (including AI developers and deployers) inform data subjects about the existence of automated decision-making processes.

Intellectual property

The training of AI models with copyrighted materials should comply with the CA 2022. A critical IP consideration is the ownership of AI-generated works. Nigerian IP laws currently lack provisions on ownership of AI-generated works, leaving the ownership of these works in a grey area.

Fundamental human rights

The right to privacy and freedom from discrimination are two essential fundamental human rights provided for in the 1999 Constitution of Nigeria (the “Constitution”). AI systems must be built to ensure that the right to privacy is not breached. It is also important to ensure that AI systems are trained on unbiased data to prevent bias and discrimination against any person or a group of people in AI outputs. 

Laws, Regulations and Industry Codes of Conduct in Relation to the Internet of Things (IoT)

While there is no specific law on the internet of things (IoT) in Nigeria, the provisions of the NDPA, the Nigeria Communications Act, the Cybercrimes Act and intellectual property laws will all impact the use of IoT technologies.

Relevant Elements

Machine-to-machine communications, communications secrecy and data protection

The IoT primarily thrives on data exchange. To promote confidentiality and integrity of the data, it is necessary that data exchange is done securely. It is therefore expedient to deploy data protection and information security strategies to ensure data protection. Nigeria has enacted adequate data protection laws to ensure safe data processing in the course of deploying the IoT.

The Cybercrimes Act also criminalises intentionally accessing a computer system or network to obtain computer data, gain access to any programme, commercial or industrial secrets or classified information.

Compliance Challenges for IoT Solutions in Nigeria

There are no specific laws on IoT technologies and so it may be difficult for IoT companies to understand the regulatory landscape. Additionally, in deploying IoT solutions, companies are usually faced with requirements to comply with multiple regulations which can be very complex.

Governance Frameworks for Managing IoT Deployments in Nigeria

To manage IoT deployments in Nigeria, companies should implement:

• a data management framework to cater for data protection and the ethical use of data;
• a risk management framework that will specify the process of risk identification and management;
• a cybersecurity framework;
• a regulatory compliance framework to monitor compliance with the applicable legislation;
• an incident response and management framework; and
• a disaster recovery framework.

Key Data Sharing Requirements for IoT Companies

IoT companies intending to share data with third parties may enter into a formal data sharing agreement and non-disclosure agreements with third parties. When the data to be shared includes personal data, the IoT companies are required by the NDPA to enter into a data processing agreement with the third party and ensure that the third party:

• complies with the data protection principles outlined in the NDPA;
• has adequate processes in place to respect and uphold the rights of data subjects; and
• implements appropriate technical and organisational measures to safeguard the security, integrity and confidentiality of personal data.

These data sharing requirements apply to all companies that share personal data with third parties.

Requirements for Specific Categories of Data

The NDPA has particular requirements for two specific categories of data: the personal data of children and sensitive personal data.

Under the NDPA, an IoT company processing a child’s personal data is required to obtain verifiable consent from the child’s parent or legal guardian. The company must also implement robust mechanisms to verify the child’s age and the authenticity of the consent provided.

Sensitive personal data means data relating to an individual’s:

• genetic and biometric data, for the purpose of uniquely identifying a natural person;
• race or ethnic origin;
• religious or similar beliefs, such as those reflecting conscience or philosophy;
• health status;
• sex life;
• political opinions or affiliations; and
• trade union memberships.

Companies, including IoT companies, are prohibited from processing sensitive personal data except under the following conditions:

• the data subject has given explicit consent, which has not been withdrawn;
• the processing is necessary to protect the vital interests of the data subject or another person, especially where the data subject is physically or legally unable to provide consent; or
• the processing is necessary for the establishment, exercise, or defence of a legal claim, the provision of legal advice or the conducting of legal proceedings.

The Main Requirements for Providing Audiovisual Media Services

The provision of audiovisual media services in Nigeria is regulated by the National Broadcasting Commission (NBC) under the National Broadcasting Commission Act. The NBC requires any applicant requesting a broadcasting licence to meet the following conditions.

• The applicant must be a body corporate duly registered in Nigeria.
• The applicant must demonstrate that they are not applying on behalf of any foreign interest.
• The applicant must comply with the objectives of the National Mass Communication Policy as applicable to electronic media, including radio and television.
• The applicant must provide an undertaking that the licensed station will promote the national interest, unity and cohesion and will not be used to offend religious sensibilities or promote ethnicity, sectionalism, hatred or disaffection among the Nigerian population.

Video streaming platforms currently operate in a regulatory grey area with respect to licensing. However, in 2021, the government directed the NBC to commence the licensing of all over-the-top (OTT) media platforms.

The National Film and Video Censors Board (NFVCB) also plays a critical role in regulating films and video content distributed within Nigeria. It issues licences to exhibit films and video works. While streaming and video-sharing platforms are not explicitly mentioned in the National Film and Video Censors Board Act (the “NFVCB Act”), films distributed via these platforms need to comply with the NFVCB Act.

Procedure

Application for a broadcasting licence

Apply to the director general of the NBC specifying the type of licence (eg, free-to-air terrestrial television, FM radio) required.

Submit an application along with the following:

• a certificate of incorporation;
• a comprehensive feasibility study and business plan for the proposed station; and
• an undertaking to comply with the terms of the licence.

Once approved, an applicant has to pay the prescribed licence fee and sign a licence agreement with the NBC.

A broadcast licence is valid for a period of five years from the date of issuance. The operator must apply for renewal at least six months prior to the licence’s expiration.

The fees for a broadcast licence in Nigeria vary based on the category of licence sought and the geographical coverage of the broadcast station. The fees are as follows.

• Radio       (Federal Capital Territory, Lagos and Port Harcourt) – NGN20 million.
• Radio       (other States) – NGN15 million.
• Terrestrial TV (Federal Capital Territory, Lagos and Port Harcourt) – NGN15 million.
• Terrestrial TV (other States) – NGN11,250,000.
• Cable TV (Federal Capital Territory, Lagos and Port Harcourt) – NGN10 million.
• Cable TV (all locations) – NGN7.5 million.
• Government-owned stations (all locations) – NGN5 million.
• Direct Broadcast Satellite (Single Channel) (all locations) – NGN10 million.
• Direct Broadcast Satellite (Multi-Channel) (all locations) – NGN25 million.

Technologies and Services Within the Scope of Local Telecommunications Rules

The scope of Nigerian telecommunications laws

Nigerian telecommunications laws regulate all telecommunications services and networks used in Nigeria. Services in this sense include applications services, content services, network services, network facilities services or any combination of these services that facilitate any communication in the form of sound, data, text, visual images, signals or any other form. This includes internet access services, telephone network services, fixed wireless services, Voice over Internet Protocols, satellite communications and content provision services.

Nigerian telecommunications laws also regulate the use of all equipment, systems and technologies applied to communications including customer devices and equipment used for lawful interception of communication.

Requirements for introducing a product or service into the Nigerian telecommunications market

Every individual or corporate body that intends to introduce a product or service into the telecommunications market must ensure that the relevant licence is sought and obtained from the NCC. The applicant must also be an incorporated entity under Nigerian laws. Furthermore, the applicant must ensure that the product or service complies with technical regulations issued by the NCC. The applicant may also have to get clearance from other relevant agencies like the Standards Organisation of Nigeria.

Relevant security requirements for telecommunications services

Protection of consumer information

Providers of telecommunications services are required to ensure the protection of consumer information in line with Nigeria’s data protection laws. They are also required to disclose the security measures adopted to protect the information of consumers.

National interest

The NCA obligates a telecommunications services provider to use its best endeavours to prevent the network facilities it owns or provides, or its services, from being unlawfully accessed or used.

Rules and Regulations Around Net Neutrality

Regulatory framework

The issue of net neutrality is primarily regulated by the provisions of the Internet Code of Practice (the “Internet Code”) issued by the NCC. The Internet Code grants internet users the right to access and distribute information and content, use and provide applications and services and use appropriate terminal equipment of their choice. No lawful content, applications or services are to be blocked or made unavailable to users of internet services. No lawful content, applications or services will be discriminated against by any internet access service provider.

Internet service providers (ISPs) will treat all lawful traffic within the same service category equally, without discrimination, restriction or interference, irrespective of the sender and receiver, the content accessed or distributed, the applications or services used or provided or the terminal equipment used. Similarly, an ISP will not block any lawful content, applications, services or non-harmful devices, with the exception of reasonable network management. An ISP will not impair or degrade lawful internet traffic on the basis of internet content, source, destination, application or service or use of a non-harmful device, with the exception of reasonable network management. An internet access service provider is prohibited from engaging in preferential data prioritisation under any circumstances.

Impact on the telecommunications sector

ISPs are obligated to take reasonable measures to prevent unlawful content on the internet while promoting consumers’ right to an open internet. Effectively, the regulatory landscape facilitates a telecommunications industry that promotes innovation and prevents unfair and anti-competitive practices in the sector. For example, the Internet Code, which prohibits the blocking of any lawful internet service, prevents arrangements by big players in the telecommunications sector to stifle upcoming industry players in order to protect their position and revenue inflow.

Impact of Technologies Like 5G, IoT and AI on the Telecommunications Legal Landscape

The rapid advancement of 5G, IoT and AI has significantly transformed the legal landscape of telecommunications. These technologies demand a more robust regulatory framework to address critical issues like spectrum allocation, data protection, cybersecurity, intellectual property, consumer protection and antitrust regulations.

With respect to 5G, telecommunications investments and terrestrial fibre infrastructure in Nigeria are concentrated in large commercial cities like Lagos, Abuja and Port Harcourt, creating an infrastructure gap in rural areas. To bridge this gap, network infrastructure sharing, particularly for 5G, is essential. The NCC has issued 5G spectrum licences to two telecom providers. If these licensed operators share their 5G infrastructure with other operators, telecommunications coverage can easily be extended to underserved areas.

Although AI is relatively new and its impact on the telecommunications sector is in its infancy, it will play an important role in the deployment of 5G, especially in the areas of resource allocation, efficient spectrum usage and intelligent traffic steering.

The rise of IoT technologies has implications for the type of approval process of telecommunications equipment. As IoT devices proliferate, regulators will need to develop and implement updated type approval certification standards to address the unique characteristics of these new technologies.

Legal Considerations for TMT Companies in Integrating Emerging Technologies

Companies integrating emerging technologies in Nigeria should be aware of the following.

Data protection and privacy concerns

With 5G, IoT and AI technologies enabling the faster and more efficient transfer of personal data, including cross-border transfers of personal data, it is essential for companies to comply with the requirements of the NDPA. Essentially, companies should implement procedures to enable data subjects to exercise their rights.

Consumer protection

Compliance with the provisions of the FCCPC and other sector-specific consumer protection laws is essential. Companies must avoid unfair trade practices and provide clear terms of service in line with relevant consumer protection laws.

Freedom against discrimination

Companies must ensure AI systems are designed to avoid bias and discriminatory outcomes, aligning their efforts with Nigeria’s constitutional principles of equality and non-discrimination.

Tax implications

Tax implications are significant, particularly for digital businesses. Understanding and complying with digital tax laws is crucial.

Cybersecurity

Companies must anticipate ways these technologies may be exploited for cybercrimes and implement safeguards that align with Nigerian cybersecurity regulations and frameworks. The NDPA requires companies to adopt appropriate technical and organisational measures to protect information technology systems from unauthorised interference.

Main Challenges Faced by Organisations Entering into a Technology Agreement

Regulatory and compliance challenges

Given Nigeria’s complex and sometimes uncertain regulatory environment, with several laws and regulations, agencies and guidelines governing the technology sector, organisations have the burden of ensuring that their technology agreements comply with all these laws and regulations.

Increased cost

Technology transfer agreements in Nigeria are subject to mandatory registration with the National Agency for Technology Acquisition and Promotion (the “NOTAP”). Failure to do so will result in the Nigerian party being unable to remit payments through the official foreign exchange market. The NOTAP has specific guidelines regarding fee limits payable under the agreement, as well as certain local content requirements. Without these the technology agreement will not be registered.

Cross-border legal and jurisdictional issues

Technology agreements, such as technology transfer agreements, often involve cross-border collaborations. This can create complexities in contract enforcement. If the technology provider is based outside Nigeria, enforcing the agreement in case of a breach may pose significant challenges for the Nigerian party.

Data protection and data privacy concerns

Technology agreements that involve cross-border transfer of data face particular challenges, as they must comply with the additional requirement under the NDPA with respect to cross-border transfer of data.

Mandatory or Excluded Laws to be Taken into Account

Several requirements are mandated by certain regulations which parties cannot exclude by contract when entering into technology agreements in Nigeria. These include the following.

• The Central Bank of Nigeria’s 2011 Guidelines on Point of Sale (POS) Card Acceptance Services mandate that entities engaged in POS card acceptance services within Nigeria must utilise a local network switch for all domestic POS. The Guidelines explicitly prohibit the routing of domestic transactions outside of Nigeria for switching purposes between Nigerian issuers and acquirers.
• The NITDA’s Guidelines for Nigerian Content Development in Information and Communication Technology requires all:
1. telecommunications companies and network service companies to host all subscriber and consumer data in Nigeria, in line with existing legislation;
2. data and information management companies to host all sovereign data in Nigeria; and
3. government ministries to host all sovereign data locally on servers within Nigeria.

Price Revision

A telecommunication company cannot revise the prices of their services without the prior approval of the NCC.

Foreign Exchange Controls

The CBN has regulations in place governing foreign exchange transactions in Nigeria. Contracts that involve payments in foreign currencies (e.g., US dollars) need to comply with the applicable exchange control rules. When a party to a contract seeks to repatriate funds in foreign currency through an authorised dealer, such as a commercial bank, they are required to provide relevant documentation, including regulatory approvals such as approval from the NOTAP for technology transfer agreements or approval from the NCC for telecom-related agreements.

Regulated Industries

The financial sector in Nigeria is subject to greater regulations. This is due to the sensitive nature of the data these industries handle, as well as the specific regulatory requirements imposed on them. Consequently, the institutions must comply with both the NDPA and sector-specific regulations such as the CBN’s Cybersecurity Framework and Open Banking Guidelines which impose higher data protection obligations on participants.

Key Elements of Telecommunications Service Agreements

The NCC Nigerian Communications (Consumer Code of Practice) Regulations sets out mandatory terms to be included in a telecommunications service agreement, which are as follows.

• Minimum contract period including the termination procedure and the consequence for termination.
• The procedure for early termination of the agreement.
• The amount or method for calculating any charges payable upon early termination.
• Provision for disconnection and reconnection of services including applicable fees.
• Provision on service interruption, withdrawal or discontinuance.
• Provision on the service delivery, installation or activation.

Negotiating Favourable Contractual Terms

In negotiating favourable terms in telecommunications service agreements, companies can consider the following strategies.

• Clearly communicating expectations, limitations and service capacity to ensure that the terms balance the interests of parties.
• Review industry pricing and compare pricing offers from multiple providers to ensure competitive rates.
• Ensure the contract includes detailed service levels that guarantee uptime, response times and penalties for service outages or poor performance.
• Include clauses allowing regular performance reviews and audits to ensure the provider continues to meet agreed standards.
• If the service provider offers multiple services, consider negotiating bundled pricing for better overall value.

Considerations for TMT Companies Before Entering Interconnection Agreements

Some factors companies should consider before entering interconnection agreements include the following.

• Description of interconnection services to be provided.
• Terms of payment, including billing procedures.
• Points of interconnection and interconnection facilities.
• Technical standards for interconnection.
• Interconnection charges and their evolution over time.
• Dispute resolution procedure between parties.
• Procedures for alterations being proposed to the telecommunications network or service offerings of one of the parties.
• Traffic and network management.
• Maintenance of end-to-end quality of interconnection services.
• Termination procedures.

Regulation of Trust Services, Electronic Signatures and Digital Identity Schemes

Regulation of trust services

Under the NITDA Public Key Infrastructure Regulations, the NITDA introduced a voluntary licensing regime for certification authorities. The licensing of a certification authority by the NITDA is an indication to the public that the certification authority is trustworthy and deserving of consumer confidence.

These certification authorities issue digital certificates, which are used to authenticate and verify electronic transactions and digital signatures. Digital certificates issued by licensed certification authorities provide this assurance, ensuring that the transactions are secure, reliable and tamper-free.

Recognition of electronic signatures

With regards to the recognition of electronic signatures, the Nigerian Evidence Act recognises the use of electronic signatures as a means of authenticating electronic records. However, the Act stipulates that an unsecured digital signature will only be deemed reliable if it can be proven that the signature is uniquely linked to the signatory.

Regulation of digital identity in Nigeria

The laws that regulate digital identity in Nigeria include:

• the National Identity Management Commission (NIMC) Act 2007 (the “NIMC Act”);
• the NDPA;
• the Registration of Telephone Subscribers Regulations 2011;
• the NCC Consumer General Code of Practice Regulations 2024;
• the Mandatory Use of National Identification Number Regulations 2017; and
• the CBN Framework for Bank Verification Numbers.

The NIMC Act is the primary regulation that provides for digital identity in Nigeria. It established the NIMC. The responsibilities of the NIMC include the creation, management, maintenance and operation of the national identity database. The NIMC Act requires the details of the following persons to be included in the database:

• any person who is a citizen of Nigeria;
• any person, whether or not they are a citizen of Nigeria, who is lawfully and permanently resident in Nigeria; and
• any non-citizen of Nigeria who is lawfully resident in Nigeria for a period of two years.

The NCC Regulations

The NCC issued the Registration of Telephone Subscribers Regulations 2011 which provides a regulatory framework for the registration of subscribers to mobile telephone services using subscription medium in Nigeria. Telecommunication companies are required to register each subscriber and ensure that the information of the subscribers is protected and not disclosed to any third party.

Banking and Financial Sector-Specific Regulations

The CBN’s Know Your Customer (KYC) guidelines require banks and financial institutions to verify the identity of customers, often using identity information like national identification numbers or bank verification numbers. This ensures that financial institutions can securely identify their clients.

Relevant Elements

Liability

Licensed certification authorities are required to inform their users of the scope and limitations of certification authorities’ liabilities with respect to the expected reliance to be placed in the information contained in the digital certificates issued by the certification certificates.

Under the NITDA Public Key Infrastructure Regulations, the liabilities of licensed certification authorities are limited. Certification authorities will not be liable for any loss caused by reliance on a false or forged digital signature of a subscriber as long as the certification authorities have complied with the requirements in the NITDA Public Key Infrastructure Regulations.

Data protection

Trust service providers, telecommunication service providers, financial institutions and other organisations are required to put procedures and security controls in place to protect the privacy and confidentiality of the subscribers’ data. Confidential information provided by the subscriber must not be disclosed to a third party without the subscribers’ consent unless the information is required to be disclosed under Nigerian law or a court order.

Laws or Regulations in Relation to the Gaming Industry

Before November 2024, the regulation of lotteries and gaming was done at both the federal and state levels of government. These included:

• the National Lottery Act 2005 (NLA);
• the National Lottery Regulations 2007 (NLR);
• the Lagos State Lotteries and Gaming Authority Law 2021 (LSLGA); and
• various laws of other states.

However, following a Supreme Court decision in November 2024 in the case of Attorney-General of Lagos State & Ors and the Attorney-General of the Federation & Ors, the NLA has been declared void and the regulation of the industry is now limited to the State level.

Key Legal Challenges

Complex and multiple regulatory frameworks

Following the decision of the Supreme Court, the gaming industry is now subject to regulation by multiple state regulators and the FCCPC. The multiple state regulatory frameworks will require operators wishing to engage in lottery and gaming activities to obtain several licences from the various states in which they want to operate.

Licensing and compliance issues

Decentralisation complicates operations by requiring businesses to navigate diverse state regulations on licensing and compliance, leading to higher administrative burdens and costs for multi-state operators.

Remote operations

Online gaming operators licensed in one state (eg, Lagos State) but serving customers in other states may come within the regulatory purview of the various states. This will lead to potential conflicts of authority, regulatory overlap and conflicting legal requirements.

Sector-Specific Issues

Nigeria’s current gaming regulatory framework does not explicitly mention or address in-game purchases or loot boxes, but the laws of the various states could potentially apply. For in-game purchases, the FCCPC may intervene where, for example, a game’s in-game purchase system is misleading or causes harm to consumers or is found to use deceptive tactics to pressure users into making in-game purchases. Similarly, if loot boxes are considered to involve an element of betting or a game of chance, they will fall under the regulatory purview of the relevant state regulator.

Legal Requirements for Game Developers

In Nigeria, it is illegal for persons under the age of 18 to be involved in gambling activities. All operators must ensure that they adhere to responsible gaming policy by ensuring that persons under 18 are prevented from gaming. Consequently, games developers can employ anti-underage gaming measures such as reliable age verification methods or setting up age restriction options to prevent underage gambling.

Furthermore, under the LSLGA, it is a requirement for a grant of a licence for an operator to have measures in place to protect underage people from exploitation or harmful or addictive gaming tendencies. These measures which are to be submitted as part of the application process, will be reviewed and assessed by the LSLGA and serve as a determinant for whether or not it may grant the licence.

While video games are regarded as exempted works that do not require the prior approval of the NFVCB, video games will cease to be classified as such if, to any significant extent, they depict explicit sexual activities, mutilation or torture, acts of gross violence towards humans or animals.

Developers must also adhere to advertising standards, consumer protection laws and privacy regulations. They must ensure that promotional content for games, whether through in-game ads, TV, online ads or other media, complies with the advertising standards in the Nigerian Code of Advertising Practice.

Primary Regulatory Bodies

The primary regulatory bodies overseeing the gaming industry include:

• the lottery and gaming authorities of the various states, eg, the Lagos State Lotteries and Gaming Authority, and other state lotteries regulators; and
• the FCCPC.

In addition, the Federation of State Gaming Regulators of Nigeria (FSGRN), established in 2025 by the gaming regulators of some of the states in Nigeria, plays a co-ordinating and oversight role by fostering collaboration among state gaming and lottery regulators to promote uniform regulatory standards, enhance compliance and transparency, protect stakeholders, and reduce underage gaming across Nigeria.

Enforcement Powers

The enforcement powers of the regulators include:

• forwarding complaints to law enforcement for prosecution of offences under the lottery laws currently in force;
• revocation of licences;
• suspension of licences;
• sealing off premises where unlicensed gaming activities are conducted;
• seizure and forfeiture;
• issuing of warnings; and
• imposing fines and penalties.

Examples of Recent Enforcement Actions

In 2024, Netbet, Wakabet and Supabets were shut down for operating without licences. The management of the unlicensed operators were also arrested and face possible prosecution.

Following the Supreme Court’s decision nullifying the NLA, the Lagos State Lottery and Gaming Authority issued a directive requiring all gaming operators in Lagos to regularise their operations by obtaining the necessary licences. The NLA further warned that non-compliance would result in enforcement actions against operators.

Common IP Challenges

Some common IP challenges faced by game developers are the following.

Game cloning

The rampant practice of copying game concepts, characters, and storylines without proper authorisation from the authors.

Software piracy

The illegal/unauthorised copying and distribution of game software.

Trade mark squatting

Competing brands maliciously register trade mark(s) similar to existing game titles or characters to profit from the established trade mark’s reputation.

Counterfeiting

Counterfeiting of game mechanics and technology is another common challenge.

Creator Rights

In Nigeria, creators can protect their rights under the CA 2022 which affords creators protection over their literary and artistic works/expressions in a game, including the game’s source codes, artwork and associated music to prevent unauthorised use or reproduction.

Creators can protect their rights by registering their branding materials such as names, logos, colours or any other distinctive features as trade marks. Trade marks prevent others from using similar brand identity materials in the gaming industry.

Creators also have the right to protect the process/method involved in producing their product if the process is novel, results from an inventive activity and is capable of industrial application. This right also prevents others from using, making or selling the process without permission from the creator.

Key Considerations for Copyright in Digital and Virtual Assets

When dealing with copyright in digital and virtual assets, several key considerations arise. These include the following.

Originality

Copyright protects original works in that the creator of the work must have expended sufficient efforts to give the work an original character. With respect to virtual assets, it is critical for the creator of the asset to show that this threshold of originality is satisfied.

Ownership of copyright

The CA 2022 states that unless there is an agreement stating otherwise, the copyright in a work belongs to the person who created the work. It is necessary to clarify the ownership of virtual assets.

Rights in derivative works

Virtual assets typically build on or incorporate pre-existing works. The creation of derivative works based on pre-existing works requires permission from the original copyright holder unless the pre-existing work is deemed to be part of works in the public domain.

Applicability of Trade Mark Laws to Virtual Goods and Services

Trade mark laws apply to both physical and virtual goods and services. Trade marks are governed primarily by the Trademarks Act in Nigeria. The Trademarks Act is designed to protect marks associated with goods and services in the course of trade. While the Trademarks Act does not explicitly mention virtual goods and services, its principles may be extended to these categories of goods and services.

Nigeria utilises the Nice Classification of Goods and Services and under Class 42 of the Nice Classification, trade marks can be registered in respect of scientific and technological services including:

• design and development of computer software;
• computer programming;
• installation, maintenance and repair of computer software;
• computer consultancy services;
• design, drawing and commissioned writing for the compilation of websites;
• creating, maintaining and hosting the websites of others; and
• design services.

It is therefore possible for the Trademarks Registry to recognise and register trade marks for virtual goods and services.

Implications of User-Generated Content on IP Rights

User-generated content (UGC) refers to any form of content created by an individual. Users who create content, such as videos, images, music or text, often own the copyright to their original works. This grants them the exclusive right to reproduce, distribute and licence their content. Many platforms require users to grant broad licences to the platforms for the use and distribution of their content, potentially limiting the creator’s control.

While UGC is protected by copyright, the creators of the work may find it difficult to exercise any of their exclusive rights, especially where the works have been shared on social media platforms like Facebook or TikTok. This is because it is somewhat easy for other users of the platform to copy the works without permission.

Laws and Regulations Relevant to Social Media

Code of Practice for Interactive Computer Service Platforms/Internet Intermediaries

The Code aims to combat online harm by regulating platforms like social media where users share or access content.

CA 2022

The CA 2022 contains provisions empowering the copyright owner to notify social media platforms to take down or disable access to infringing content or links hosted on the platform.

Cybercrimes Act

The Act criminalises identity theft, cyber bullying, harassment, online fraud, the dissemination of false information, the distribution of obscene or pornographic content, phishing and unauthorised access to computer systems. The use of social media platforms to facilitate any of these offences such as spreading false information via Facebook with the intent to disrupt public order or distributing obscene or pornographic content through TikTok carries legal consequences.

National Broadcasting Commission Act

The broadcasting laws prohibit the broadcast of contents that contain hate speech or contents that incite violence. Broadcasts should also not contain contents that promote discrimination on the grounds of ethnicity, religion, gender, etc. The use of social media platforms to violate these requirements attracts penalties.

The NDPA and GAID

The disclosure of someone’s personal data on social media without authorisation and without any lawful basis can lead to legal actions under the NDPA. Consequently, users of social media must adhere to the NDPA and GAID. The social media platforms must also comply with the NDPA and GAID and ensure that users’ personal data is secured and processed in line with the NDPA.

Advertising Regulatory Council of Nigeria Act 2022

This Act governs advertising in Nigeria, extending its scope to online advertisements. Under its provisions as well as the provisions of the Nigerian Code of Advertising Practice, advertisers are required to obtain prior approval from the ASP before any advertisement is made available to the Nigerian market.

Key Legal Challenges

With respect to social media, the key legal challenges are as follows.

• Nigeria lacks specific laws that seek to address the legal issues around social media. The absence of specific regulations means that social media platforms will have to navigate a number of regulatory regimes in order to operate effectively.
• The large number of social media users and the large amount of content that is frequently shared on social media platforms makes it challenging for regulatory bodies to monitor and enforce legal norms.

Primary Social Media Regulatory Bodies

The NITDA

The NITDA oversees the IT sector, including social media platforms. It also promotes the ethical use of technology, including social media.

Its enforcement powers include investigations of complaints of violations of the law related to social media platforms and issuing take down orders.

The NBC

Traditionally focused on radio and television broadcast, the NBC has extended its oversight to digital media.

Its enforcement powers include issuing take down orders and removing false information likely to cause public disorder.

The NDPC

The NDPC ensures that social media platforms collect and process users’ data transparently and lawfully. It mandates platforms to inform users about the purpose and use of their data.

Its enforcement powers include investigating any complaints related to data protection violations, conducting inspections of entities, issuing orders and directives and imposing penalties and fines.

The ARCON

The ARCON was established to regulate advertising in Nigeria, and as such it is responsible for ensuring that adverts exposed online comply with the advertising laws.

Its enforcement powers include imposing fines on organisations that expose adverts without the approval of the ASP. It can also demand organisations take down offending adverts.

The FCCPC

The FCCPC is responsible for consumer protection. It also ensures that users of social media platforms are protected against unfair commercial practices.

It has the power to impose fines on undertakings that violate consumer protection laws after conducting investigations.

Recent Enforcement Actions

In 2024, the FCCPC fined Meta Platforms USD220 million for violations of data protection laws. This was after a joint investigation by the FCCPC and the NITDA (the erstwhile data protection regulator) into the practices of Meta Platforms between May 2021 and December 2023.

Separately, in February 2025, the NDPC imposed a USD32.8 million administrative fine on Meta Platforms for alleged violations of the NDPA. Meta Platforms challenged the fine and the accompanying compliance directives before the Federal High Court, Abuja, seeking to set them aside. Subsequently, the parties entered into negotiations, which culminated in an out-of-court settlement. The agreed settlement terms were adopted by the court as a consent judgment in November 2025, thereby resolving the dispute.

The ARCON filed a lawsuit against Meta Platforms claiming NGN30 billion and a declaration that the continued publication and exposure of various advertisements targeting the Nigerian market through Facebook and Instagram, without ensuring the adverts are vetted and approved prior to exposure, is illegal, unlawful and in violation of Nigeria’s advertising laws.

Key Data Privacy Laws and Regulations

The NDPA and GAID

The NDPA is the primary legal framework governing the processing of all personal data in Nigeria, including within the telecommunications sector. Similarly, the GAID, issued as subsidiary legislation under the NDPA and providing operational and compliance guidance, applies equally to entities in the telecommunications industry.

NCC Regulations

Other than the draft Data Protection (Communications Services) Regulations issued by the NCC in 2023, there is currently no standalone, data-protection-specific regulation made by the NCC. Nonetheless, data privacy and protection principles are embedded across existing NCC regulatory instruments, including the Nigerian Communications (Consumer Code of Practice) Regulations 2024, the NCC Registration of Telephone Subscribers Regulations, and the NCC Mobile Number Portability Regulations, 2014, which impose obligations relating to the confidentiality, security, and lawful handling of subscriber and consumer information.

Cybercrimes Act

The Cybercrimes Act contains provisions requiring the preservation and retention of “traffic data”, which may oblige telecommunications service providers to retain subscriber and traffic data for the purpose of complying with lawful law enforcement requests. In practice, this obligation is commonly interpreted as requiring retention for up to two years, subject to lawful access and due process requirements.

The Lawful Interception of Communications Regulations 2019

The NCC’s Lawful Interception of Communications Regulations establish the framework for the authorised interception of communications in Nigeria, permitting interception only by designated security and law enforcement agencies and strictly pursuant to lawful authority, such as a court order. Under this regime, telecommunications licensees are required to maintain the necessary technical capabilities and to co-operate with authorised requests for interception or disclosure, subject to due process and applicable legal safeguards.

Main Challenges in Managing Customer Data

Telecommunications companies face distinct compliance challenges due to the scale, sensitivity, and granularity of the data they process, such as location data, call detail records, and biometric identifiers. The main challenges include the following.

• Valid consent – transitioning away from pre-ticked boxes or bundled/forced consent to the NDPA standard of informed, specific, and freely given consent is particularly challenging in USSD- and SMS-based onboarding flows, where speed and interface limitations constrain meaningful disclosures.
• Data minimisation v Big Data analytics – while the NDPA requires controllers to collect and process only data that is adequate, relevant, and limited to what is necessary, telecommunications providers increasingly rely on large-scale data analytics for network planning, optimisation, and fraud detection, creating inherent tension with the data minimisation principle.
• User rights fulfilment – responding at scale to data subject requests (including access, rectification, erasure, and restriction), demands highly automated and interoperable systems, which many legacy telecoms infrastructures are not yet fully equipped to support efficiently.

Cross-Border Transfers and Data Localisation

Nigeria maintains a strict data localisation approach for the telecommunications sector, with NCC and NITDA guidelines generally requiring subscriber and consumer data to be hosted within Nigeria. Where cross-border transfers are necessary, the NDPA permits them only where the recipient country provides adequate protection or where NDPC-approved safeguards such as Standard Contractual Clauses or Binding Corporate Rules are in place. Data relating to government functions or critical national infrastructure is subject to even stricter local storage and security requirements.

Balancing Lawful Interception and Surveillance Obligations with Data Privacy Protections

Telecommunications operators must carefully balance customer privacy obligations with national security and law enforcement requirements. Under the NCC’s Lawful Interception of Communications Regulations 2019, operators are required to deploy and maintain technical interception capabilities that enable authorised agencies to access communications data. To guard against arbitrary surveillance, access to communications data is generally subject to judicial oversight, with law enforcement agencies typically required to obtain a warrant or court order, which operators must verify before granting access. In parallel, statutory data retention obligations apply: the Cybercrimes Act mandates the retention of traffic data and subscriber information for up to two years. The Nigerian Communications (Consumer Code of Practice) Regulations 2024 require the retention of billing and related records for a minimum of two years.

Role of Third-Party Vendors and Cloud Providers

Telecommunications operators rely on vendors and cloud service providers, which introduces additional data protection considerations. Under the NDPA, operators acting as data controllers must execute formal Data Processing Agreements with vendors acting as processors, and remain legally liable for any privacy breaches by these third parties. Operators are also required to conduct due diligence and regular audits to ensure that vendors implement adequate technical and organisational measures, such as encryption, access controls, and incident response mechanisms consistent with Nigerian law. The use of global cloud services is further complicated by data localisation requirements, which often necessitate that servers storing Nigerian subscriber and consumer data be physically located within Nigeria to comply with sectoral regulations.

Impact of Evolving Regulations on Infrastructure and Innovation

Evolving regulations in Nigeria serve both as a constraint and a driver of innovation in the telecommunications sector. Privacy by Design is required under the NDPA and the GAID, with new network deployments such as 5G necessitating Data Protection Impact Assessments (DPIAs) during the design phase to embed privacy into hardware and software architectures. Also, data localisation mandates compel operators to invest in local data centres, increasing infrastructure costs compared with using global cloud clusters. At the same time, consumer trust is emerging as a competitive differentiator, with operators developing privacy-preserving services such as secure messaging and digital identity management to appeal to privacy-conscious users.

Primary Legal and Operational Challenges

Legal challenges

Digital media providers in Nigeria face a complex and fragmented regulatory landscape. They are required to comply with the NDPA, GAID, sector-specific guidance from NITDA, and general consumer protection rules from the FCCPC. Aligning obligations across these legal frameworks creates legal uncertainty. Consent management presents another significant challenge, as the NDPA requires consent to be freely given, specific, informed, and unambiguous. Many platforms historically relied on implied consent, bundled consent, or pre-ticked boxes, which now expose them to compliance risk. Platforms that serve minors or engage in behavioural advertising must navigate heightened obligations regarding children’s data and profiling, including obtaining verifiable parental consent and age validation without excessive data collection. Finally, cross-border data processing remains a critical risk area, as many platforms rely on offshore hosting, and the NDPA restricts international transfers unless adequate safeguards, such as approved transfer mechanisms, are in place.

Operational challenges

On the operational side, digital media platforms grapple with the sheer volume and velocity of data they process. High-volume, real-time flows of behavioural, location, and preference data make strict data minimisation difficult to achieve. Furthermore, legacy consent mechanisms pose challenges for digital media platforms, as older platforms often lack the ability to track granular user preferences for analytics, personalisation, and advertising, necessitating significant system redesigns. Also, implementing robust security measures, including encryption, access controls, logging, and monitoring introduces trade-offs with performance, latency, and ad-delivery efficiency.

Implementing Privacy-by-Design and Security-by-Design

Digital media companies are increasingly embedding privacy and security into the design of their products and systems rather than treating them as afterthoughts.

Privacy-by-Design measures include the following.

• Data minimisation by default – collecting only the data necessary for core functions, such as content delivery, while making personalisation optional.
• Granular consent controls – layered consent mechanisms that separately manage essential cookies, analytics, targeted advertising, and personalisation.
• Anonymisation and pseudonymisation – replacing user identifiers with hashed or tokenised IDs for analytics and reporting purposes.
• Data Protection Impact Assessments (DPIAs) – conducted prior to launching new features such as behavioural advertising, recommendation engines, or AI-driven content moderation.
• User rights dashboards – tools that allow users to access, download, correct, or delete their data, supporting NDPA-aligned rights.

Security-by-Design measures include the following.

• Secure architecture – zero-trust access models, encrypted APIs, and role-based access controls across engineering and editorial teams.
• Encryption by default – ensuring encryption of data in transit and at rest, including backups.
• Secure development lifecycle (SDLC) – integrating security testing, such as code reviews and vulnerability scans, into development pipelines.
• Incident response planning – establishing breach-response playbooks aligned with NDPA notification obligations.

Challenges of Third-Party Data Sharing

Digital media platforms face significant challenges when sharing user data with third parties, including advertisers, analytics providers, and other partners. Key challenges include the following.

• Loss of data visibility and control – once data is shared with advertisers or analytics vendors, platforms may struggle to track downstream processing.
• Regulatory liability for partners’ misconduct – under the NDPA, platforms remain legally accountable for any privacy breaches or non-compliance by their processors, even if these occur at the vendor level.
• Opaque ad-tech ecosystems – programmatic advertising involves multiple intermediaries, heightening the risk of unauthorised data use or profiling.
• Cross-border transfer risks – many ad-tech and analytics vendors operate outside Nigeria, triggering NDPA-compliant transfer restrictions.

Risk management strategies adopted by media platforms include the following.

• Strict data processing agreements – contracts that specify purpose limitation, security controls, sub-processor restrictions, breach notification timelines, and audit rights.
• Vendor due diligence – conducting security assessments, privacy questionnaires, and reviewing certifications.
• Data sharing minimisation – sharing aggregated, anonymised, or contextual data rather than raw personal information.
• Consent-driven data flows – ensuring ad-tech and analytics scripts only activate after valid user consent is obtained.
• Ongoing vendor monitoring – performing periodic audits and retaining the right to terminate relationships for non-compliance.

Impact of Emerging Regulations on Operations and Agreements

Emerging cybersecurity requirements are reshaping both the operations and technology agreements of digital media platforms. Operationally, platforms face higher compliance costs, including investments in security operations centres, monitoring tools, forensic readiness, and specialised personnel. They must maintain mandatory incident readiness, detecting, responding to, and reporting breaches promptly. Additionally, product deployment timelines are often extended, as new features undergo thorough security and privacy reviews prior to launch.

These operational pressures are reflected in technology and vendor agreements. Contracts increasingly include strong security clauses, such as minimum security standards, penetration testing, audit co-operation, and cyber-insurance requirements. Vendors are expected to accept breach liability and indemnities, and data localisation and transfer obligations covering hosting location, encryption key ownership, and government access, have become critical negotiation points. Platforms also retain termination rights for cyber non-compliance, enabling them to suspend or end vendor relationships following serious security incidents.