Nigerian Tech Regulatory Landscape 2026: The Complete Reference Guide
Nigerian technology regulation spans at least six federal agencies and a growing body of legislation that is still consolidating. This reference guide maps the complete regulatory landscape — who regulates what, which laws apply to your business, and where to find the primary sources.
Disclaimer
This article is for educational purposes only and does not constitute legal, financial, or professional advice. Compliance requirements vary by industry and jurisdiction. Consult a qualified professional for guidance specific to your organisation. Information was accurate at the time of writing — verify current regulations with the relevant authorities.
Nigerian Tech Regulatory Landscape 2026: The Complete Reference Guide
If you operate a technology business in Nigeria — or build software for Nigerian clients — you are subject to a regulatory environment that spans multiple agencies, overlapping mandates, and legislation that is still maturing. Understanding which regulations apply to your business, which agencies enforce them, and what compliance actually requires is not optional; it is a prerequisite for operating without legal risk and for winning enterprise contracts.
This guide maps the complete landscape as of February 2026.
Data Protection: NDPR → NDPA → NDPC
The Timeline
2019: The National Information Technology Development Agency (NITDA) issued the Nigeria Data Protection Regulation (NDPR) under its mandate from the NITDA Act 2007. This was Nigeria's first comprehensive data protection regulation, establishing principles for lawful data processing, data subject rights, and breach notification requirements.
2023 (June): President Bola Tinubu signed the Nigeria Data Protection Act (NDPA) into law. The NDPA is Nigeria's first dedicated data protection legislation — a full Act of the National Assembly, not a subsidiary regulation. It supersedes and extends the NDPR, though the NDPR remains a reference framework that the NDPA builds upon.
2023 (June): The NDPA established the Nigeria Data Protection Commission (NDPC) as an independent regulatory body. The NDPC assumed the data protection functions previously handled by NITDA's National Information Technology Development Agency and the interim Nigeria Data Protection Bureau (NDPB) that operated briefly in 2022–2023.
Key Regulatory Requirements
Data controller and processor registration: Organisations that process personal data of Nigerian residents must register with the NDPC. This replaces the previous NITDA registration requirement. Registration categories depend on the volume and sensitivity of data processed.
Lawful basis for processing: Personal data may only be processed with a lawful basis — consent, contractual necessity, legal obligation, vital interest, public interest, or legitimate interest. Consent must be freely given, specific, informed, and unambiguous.
Data Protection Impact Assessment (DPIA): Required for processing that is likely to result in high risk to data subjects — including large-scale processing, processing of sensitive personal data, and systematic monitoring.
Breach notification: Data controllers must notify the NDPC of a personal data breach within 72 hours of becoming aware of it. Data subjects must also be notified without undue delay if the breach is likely to result in high risk to their rights.
Data transfer restrictions: Transfer of personal data outside Nigeria requires adequate safeguards — including adequacy decisions, binding corporate rules, standard contractual clauses, or explicit consent. The NDPC is developing a whitelist of countries with adequate data protection frameworks.
Penalties: The NDPA provides for administrative fines of up to ₦10 million or 2% of annual gross revenue (whichever is higher) for data controllers, and up to ₦2 million or 2% of annual gross revenue for data processors.
Where NITDA Still Applies
NITDA has not been replaced — it retains its broader mandate over information technology development, including:
- Technology standards and frameworks
- IT project clearance for government MDAs (Ministries, Departments, Agencies)
- The Nigeria ICT Innovation and Entrepreneurship Vision
- The Framework for the Use of AI in Nigeria (draft stage)
NITDA is not the data protection regulator. That role has transferred to NDPC.
Primary Sources
- NDPC official website: ndpc.gov.ng
- Full text of the NDPA 2023: Available via the NDPC website and the Official Gazette
- NDPR 2019 (original text): Published by NITDA, available at nitda.gov.ng
- NITDA Act 2007: Establishing legislation for NITDA
Financial Technology: CBN Licensing and Regulation
Regulatory Framework
The Central Bank of Nigeria (CBN) regulates financial technology through several licensing categories and regulatory frameworks:
Payment Solution Service Provider (PSSP) Licence: Required for companies that provide payment solutions — payment gateways, payment processing, and digital payment platforms. This is the primary licence for fintech companies facilitating payments.
Mobile Money Operator (MMO) Licence: For companies operating mobile money services. Separate from PSSP. Requires a minimum capital base of ₦2 billion.
Switching and Processing Licence: For companies that provide switching services between financial institutions.
Microfinance Bank (MFB) Licence: Relevant for fintechs offering deposit or lending products. Categories include Unit (₦200M capital), State (₦1B), and National (₦5B).
Open Banking
The CBN published the Regulatory Framework for Open Banking in Nigeria in February 2021, and subsequently issued Operational Guidelines for Open Banking to provide implementation details.
The framework establishes four participant categories:
- API providers (typically banks and other financial institutions)
- API consumers (fintechs and third parties accessing banking data/services)
- Technical service providers (API infrastructure providers)
- Regulatory bodies (CBN, NDPC, SEC, NAICOM)
Data sharing is categorised by risk tier, with product and service information at the lowest tier and transactional data at the highest.
Anti-Money Laundering / Know Your Customer
CBN's AML/CFT regulations require all financial institutions and designated non-financial businesses to:
- Implement Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) procedures
- Verify customer identity using the Bank Verification Number (BVN) and National Identification Number (NIN)
- File Suspicious Transaction Reports (STRs) with the Nigeria Financial Intelligence Unit (NFIU) — within 24 hours for certain categories, with broader reporting obligations under NFIU guidelines
- Maintain transaction records for a minimum of 5 years after the end of the customer relationship
Primary Sources
- CBN Regulatory Framework for Open Banking in Nigeria (2021): Available at cbn.gov.ng
- CBN Guidelines on Operations of Electronic Payment Channels
- CBN AML/CFT Regulations 2013 (as amended)
- CBN Payment System Vision 2025
- NFIU Act 2018 and STR filing guidelines: nfiu.gov.ng
- NIBSS (Nigeria Inter-Bank Settlement System): nibss-plc.com.ng
Telecommunications: NCC Regulation
Regulatory Framework
The Nigerian Communications Commission (NCC) regulates telecommunications services, internet service provision, and increasingly, digital services that use telecoms infrastructure.
Key regulations affecting tech businesses:
Data hosting and localisation: NCC's guidelines require certain categories of telecommunications data to be hosted within Nigeria. This intersects with the NDPA's data transfer provisions.
USSD regulation: The NCC regulates Unstructured Supplementary Service Data (USSD) services, including pricing (the end-user charge per USSD session and the inter-operator charging framework). USSD remains critical for inclusive applications that serve feature phone users.
Type approval for devices: Any electronic communications equipment sold or deployed in Nigeria requires NCC type approval. Relevant for IoT deployments.
Cybersecurity: The NCC issued the Nigerian Communications (Cybercrime and Cybersecurity) Regulations which establish cybersecurity obligations for licensed telecoms operators, including incident reporting, vulnerability management, and collaboration with CERT-NG.
Primary Sources
- NCC official website: ncc.gov.ng
- Nigerian Communications Act 2003
- NCC Consumer Code of Practice Regulations
- NCC Cybersecurity Regulations
Securities and Capital Markets: SEC Regulation
The Securities and Exchange Commission (SEC) regulates:
Digital asset offerings: SEC's Rules on Issuance, Offering, and Custody of Digital Assets (2022) establish a regulatory framework for crypto-asset service providers operating in Nigeria. Registration and compliance requirements apply.
Crowdfunding: SEC's Rules on Crowdfunding regulate investment-based crowdfunding platforms. Technology platforms facilitating peer-to-peer investment must be registered.
Fintech involvement in capital markets: Any technology solution that facilitates securities trading, robo-advisory services, or investment management requires SEC registration.
Primary Sources
- SEC Nigeria: sec.gov.ng
- SEC Rules on Digital Assets 2022
- Investments and Securities Act (ISA) 2007
Insurance: NAICOM Regulation
The National Insurance Commission (NAICOM) regulates InsurTech:
Microinsurance: NAICOM's Microinsurance Guidelines establish requirements for technology-enabled microinsurance products. Relevant for InsurTech startups offering mobile-first insurance.
Digital distribution: Guidelines for digital insurance distribution channels, including requirements for platforms that compare, recommend, or sell insurance products online.
Primary Sources
- NAICOM: naicom.gov.ng
- Insurance Act 2003
- NAICOM Microinsurance Guidelines
Cybersecurity: Cross-Cutting Requirements
Cybersecurity regulation in Nigeria is distributed across multiple agencies:
Cybercrimes (Prohibition, Prevention, etc.) Act 2015: Nigeria's primary cybercrime legislation. Criminalises computer-related fraud, identity theft, cyberstalking, and data breaches. Applies to all organisations operating in Nigeria.
National Cybersecurity Policy and Strategy (NCPS) 2021: The overarching policy document coordinated by the Office of the National Security Adviser (ONSA). Establishes national cybersecurity governance and coordination frameworks.
CERT-NG (Computer Emergency Response Team — Nigeria): The national CERT under the NCC, responsible for cyber threat intelligence, incident coordination, and vulnerability advisories.
Sector-specific requirements:
- CBN: Risk Management Framework for banks, including IT risk management and cybersecurity controls
- NCC: Cybersecurity regulations for telecoms operators
- NDPC: Security requirements under the NDPA for organisations processing personal data
International Standards Commonly Used
While not mandated by Nigerian law (except where specified in sector regulations), these international standards are widely referenced in Nigerian compliance:
- ISO/IEC 27001:2022 — Information Security Management System. The most commonly requested certification in Nigerian enterprise procurement.
- SOC 2 Type II — Service Organisation Control report. Increasingly requested by Nigerian fintechs' international partners and investors.
- PCI DSS — Payment Card Industry Data Security Standard. Mandatory for any organisation processing payment card data.
Primary Sources
- Cybercrimes Act 2015: Available via National Assembly
- NCPS 2021: Office of the National Security Adviser
- CERT-NG: cert.gov.ng
Tax and Employment: FIRS, PenCom, NSITF, ITF
Technology businesses are subject to the same tax and employment regulations as all Nigerian employers:
PAYE (Pay As You Earn): Monthly deduction under the Personal Income Tax Act (PITA). Computed after Consolidated Relief Allowance (20% of gross income + the higher of ₦200,000 or 1% of gross income). Remitted to the relevant State Internal Revenue Service by the 10th of the following month.
Pension (PenCom): Under the Pension Reform Act 2014, employer contributes 10% and employee contributes 8% of monthly emolument (basic + housing + transport). Remit to employee's PFA within 7 working days of salary payment. Late remittance surcharge: 2% per month, non-waivable.
NSITF: 1% of total monthly payroll, employer contribution under the Employee Compensation Act 2010.
ITF: 1% of annual payroll for organisations with 5+ employees or annual turnover above ₦50 million.
NHF: 2.5% of basic salary for employees earning above the threshold, remitted to FMBN monthly.
Primary Sources
- Federal Inland Revenue Service (FIRS): firs.gov.ng
- Personal Income Tax Act (PITA) as amended
- National Pension Commission (PenCom): pencom.gov.ng
- Pension Reform Act 2014
- NSITF: nsitf.gov.ng
- ITF: itf.gov.ng
Regulatory Map: Which Agencies Apply to Your Business
| Business Type | Primary Regulators | Key Registrations |
|---|---|---|
| SaaS / Software company | NDPC, FIRS | NDPC data controller registration, tax obligations |
| Fintech (payments) | CBN, NDPC, FIRS | PSSP licence, NDPC registration, FIRS |
| Fintech (lending) | CBN, NDPC, FIRS | MFB licence or digital lending licence, NDPC |
| InsurTech | NAICOM, NDPC, FIRS | NAICOM registration, NDPC |
| Telecoms / ISP | NCC, NDPC, FIRS | NCC licence, NDPC |
| E-commerce | NDPC, FIRS | NDPC registration, PCI DSS if processing cards |
| Digital assets / crypto | SEC, NDPC, FIRS | SEC registration, NDPC |
| HealthTech | NDPC, relevant health regulators | NDPC (health data is sensitive personal data) |
| EdTech | NDPC, FIRS | NDPC (student data is personal data) |
Staying Current
Nigerian technology regulation is evolving rapidly. The NDPA 2023 is less than three years old. CBN open banking is still in early implementation. SEC digital asset regulation is being refined through ongoing engagement with industry participants.
We recommend:
- Subscribe to regulatory agency newsletters: NDPC, CBN, NCC, and SEC all publish circulars and guidelines
- Monitor the Official Gazette: New regulations are published here before appearing on agency websites
- Engage with industry associations: The Fintech Association of Nigeria, the Nigeria Internet Group, and sector-specific bodies often receive advance notice of regulatory changes
- Review quarterly: The pace of change warrants at least quarterly review of your compliance posture against current regulations
This guide is maintained and updated as new regulations are issued. Last verified: February 2026.
Related Articles
- NDPR Readiness Checklist for Nigerian SaaS — Practical implementation checklist for data protection compliance
- Compliance Roadmap: Startup to International Scale — Stage-by-stage compliance framework
- Data Sovereignty for African Businesses — Cross-border data transfer and localisation requirements
- GDPR for Nigerian Companies Exporting to Europe — When international data protection applies
- ISO 27001 vs SOC 2 for Nigerian Tech Companies — Choosing the right security certification
- Open Banking Nigeria: CBN Framework and Business Software — Building on the CBN open banking framework
- NDPR Compliance: From Cost Centre to Competitive Edge — Making compliance a business advantage
- Fraud Detection Architecture for Nigerian Financial Applications — AML/KYC implementation patterns