A close-up of Nigeria’s regulatory approach to data governance, content moderation, competition, artificial intelligence, and more.
The “DPA Digital Digest” series provides concise summaries of each economy’s digital policy. Based on the Digital Policy Alert database, we outline rules and enforcement cases in data governance, content moderation, competition, artificial intelligence, and domestic points of emphasis.
Nigeria, Africa’s most populous country, is developing its digital economy to drive growth. According to the National Bureau of Statistics, the Information and Communications sector contributed 11.30% to the total nominal Gross Domestic Product in the third quarter of 2024. The nominal year-on-year growth rate of the sector comprised 14.51%. Nigeria further boasts the largest internet market in Africa, with over 142 million active subscribers for internet services in January 2025, according to the Nigerian Communications Commission. The government has introduced initiatives such as the National Digital Economy Policy and Strategy and the Outsource to Nigeria Initiative to expand digital infrastructure, develop digital skills, and promote innovation. Internationally, Nigeria is engaging in digital trade through initiatives under the African Union, the African Continental Free Trade Area, and bilateral agreements to facilitate cross-border commerce.
But what do Nigeria’s domestic digital policies stand for? Our DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Nigeria-specific points of emphasis.
Data governance: Nigeria adopted the Personal Data Protection Act and expanded cybersecurity regulations.
Content moderation: Nigeria implemented a code of practice for interactive computer service platforms to address harmful and illegal online content.
Competition policy: Nigeria updated guidelines on merger review to consider digital market dynamics.
Artificial Intelligence: Nigeria is deliberating on proposals to regulate Artificial Intelligence and establish oversight mechanisms.
Nigeria’s points of emphasis include the taxation of the digital economy and digital assets.
Jump directly to the section that interests you most:
Discover the details of Nigeria's regulatory approach on our dedicated country page.
Remain up-to-date on new and upcoming developments with our free notification service.
Written by Maria Buza and Sherif Taha. Edited by Tommaso Giardini.
In June 2023, Nigeria implemented the Data Protection Act (NDPA). The NDPA applies to data controllers and processors operating in Nigeria or handling the personal data of Nigerian residents. The NDPA builds on the 2019 Data Protection Regulation and its implementation framework. It broadens the legal bases for processing personal data by adding legitimate interest alongside consent, contract, legal obligation, public task, and vital interest. The NDPA also expands the definition of sensitive data to include genetic and biometric information and protects individuals from decisions based solely on automated processing. Additionally, it requires mechanisms for verifying a child’s age and consent and mandates that processors and controllers of “major importance” register with the Nigeria Data Protection Commission (NDPC).
The NDPC regularly specifies the obligations under the NDPA.
In February 2024, the NDPC specified the criteria for “major importance,” including the processing of data from more than 200 individuals within six months, the provision of commercial tech services on third-party devices, the operation in major economic sectors, or the handling of confidential data in a fiduciary capacity. The Federal High Court invalidated certain provisions in November 2024, although no public, official source is available.
In May 2024, the NDPC issued the draft general application and implementation directive for the NDPA. The draft specifies the scope, including its extraterritorial reach and the NDPC’s role in issuing guidelines. It also clarifies the obligation to appoint data protection officers, the requirements for consent to cookies and data privacy impact assessments.
In December 2023, the NDPC issued a code of conduct for data protection compliance organisations to standardise compliance and outline their responsibilities. It also clarifies registration obligations and potential licence revocation in case of non-compliance.
In February 2024, Nigeria amended the 2015 Cybercrimes Act. The amendment introduced a 72-hour incident reporting requirement, expanded the definitions of cyber crime, strengthened identity verification, and enhanced international cooperation. In June 2024, the President signed an order designating specific computer systems, networks, and communication infrastructure as critical infrastructure placing them under enhanced oversight by the Office of the National Security Adviser. These cross-cutting frameworks are complemented by sectoral rules, including the Central Bank of Nigeria's risk-based cybersecurity frameworks for banking and payment institutions and for other financial institutions.
On the international level, Nigeria participates in several initiatives relating to data governance.
The NDPC is part of the Global Privacy Assembly, which published resolutions on data protection certification, data free flow with trust, and neurotechnology in November 2024.
The Digital Trade Protocol to the African Continental Free Trade Area, which includes measures on personal data protection and cross-border data transfers, was adopted in February 2024.
In January 2024, Nigeria signed the African Union’s Convention on Cybersecurity and Personal Data Protection, which includes provisions on data subjects' rights, security measures and enforcement.
Nigeria does not have a general data localisation requirement but imposes sector-specific localisation measures.
In June 2020, the Central Bank of Nigeria issued guidelines on the operation of electronic payment channels, mandating domestic transactions to be routed through a local switch.
In August 2019, the National Information Technology Development Agency (NITDA) issued guidelines on content development in information and communication technology requiring that sovereign data be hosted within the country unless approved by NITDA. The guidelines also require networking service companies to host all subscriber and consumer data within Nigeria.
In August 2019, NITDA issued the cloud computing policy recommending to store certain data, such as government business, sensitive government and citizen data, and national security information in Nigeria.
The NDPA generally allows personal data transfers when recipients provide an adequate level of data protection. This level of protection can be based on the recipient's jurisdiction or safeguards. For jurisdictions, the NDPC assesses the adequacy of the data protection level. In May 2024, the NDPC issued a draft directive outlining the criteria for determining the adequacy level but is yet to issue a whitelist of approved countries. For transfers to non-whitelisted jurisdictions, the NDPC can approve standard contractual clauses as well as firm-specific binding corporate rules, contractual clauses, codes of conduct, or certifications. In the absence of adequate data protection, transfers are permitted based on enumerated exceptions. Exceptions include the data subject’s consent, the performance of a contract with the data subject, and the protection of the vital interests of the data subject. Notably, the NDPC may impose additional restrictions on certain personal data transfers based on the nature of the data and the risks for data subjects.
The NDPC further oversees compliance, including several investigations:
In August 2024, the NDPC fined Fidelity Bank NGN 555.8 million (approx. USD 369’000) for processing personal data without the data subject's consent and using non-compliant third-party data processors.
In July 2024, the NDPC in collaboration with the Federal Competition and Consumer Protection Commission (FCCPC) fined Meta USD 220 million and ordered it to implement a new opt-in screen for data sharing. In addition, Meta must restore Nigerian users' control over their data, update its privacy policies, and cease sharing WhatsApp user data with Facebook without explicit consent.
In February 2023, the Data Protection Bureau, later replaced by the NDPC, launched an investigation into data breaches in banks, telecom firms, and other entities.
Nigeria's content moderation framework is primarily governed by the 2015 Cybercrimes Act. It requires intermediaries to prevent and address illegal online activities. These entities are required to retain traffic data, subscriber information, and content for two years and disclose it to law enforcement upon request. Additionally, intermediaries must implement measures to prevent cybersquatting, phishing, and spamming.
In September 2022, the National Information Technology Development Agency (NITDA) issued a code of practice for interactive computer service platforms. The Code applies to all digital platforms and internet intermediaries in Nigeria, requiring compliance with local laws and the removal of unlawful content within 48 hours. Platforms must provide complaint mechanisms for harmful and unlawful content, exercise due diligence, and disclose content creators' identities when required. Additionally, large platforms are required to establish a local presence in Nigeria and provide human oversight over automated content moderation tools.
Several Bills aiming to expand the content moderation framework were introduced in the past years:
In December 2024, NITDA published a white paper on the Online Harms Protection Bill, proposing a co-regulatory framework that defines moderation obligations for private online spaces. It aims to uphold fundamental freedoms, tailors obligations based on service categorisation, and explicitly excludes end-to-end encrypted private messaging.
In November 2019, the Senate passed the Protection from Internet Falsehood and Manipulation Bill, which would address online disinformation.
In July 2019, the Internet Child Pornography Prevention Bill was introduced, proposing measures for the detection and prevention of child sexual abuse material.
In December 2024, the NITDA released a report on large platforms' compliance with the code of practice. The code requires platforms with over 1 million users to submit information on measures implemented to address harmful and unlawful content. The report notes that Google, X, TikTok, and LinkedIn deactivated over 12 million accounts and removed more than 65 million pieces of harmful content. The report also recommends creating a government-platform task force, developing crisis response protocols and enhancing AI-driven content moderation.
Previously, in January 2022, the government lifted the suspension of Twitter, after the company agreed to establish a local office and to comply with Nigerian laws and their own code. In June 2021, the Federal Ministry of Information and Culture suspended the platform, citing concerns that the platform was being used for activities threatening Nigeria's stability. The Attorney-General warned of potential prosecution for those who continued to use Twitter despite the ban.
Nigeria has not adopted specific rules for digital competition and instead applies the 2019 Federal Competition and Consumer Protection Act. The Act prohibits the abuse of a dominant position, banning excessive pricing and exclusionary conduct, among others. The Act also requires “large mergers” to be notified for approval and establishes consumer protection measures. Non-compliance can result in fines of up to 10% of a company’s yearly turnover. Finally, the Act established two authorities: the Federal Competition and Consumer Protection Commission (FCCPC) which has the power to issue rules and advise the government, and the Competition and Consumer Protection Tribunal, which reviews FCCPC decisions and imposes penalties.
In July 2024, the Federal Ministry of Communications, Innovation, and Digital Economy published the draft National Digital Economy and E-Governance Bill 2024. The Bill would prohibit activities that distort market competition, introduce mechanisms to resolve disputes through online platforms, and regulate unsolicited messages. In addition, it would further require interoperability, scalability, and the use of approved government ICT resources in public procurement processes.
The FCCPC has the power to enforce the Federal Competition and Consumer Protection Act’s obligations, regulate mergers, issue guidelines and advise the government.
In July 2022, the FCCPC issued a notice outlining indicative timeframes for merger reviews. Small mergers are assessed within 60 days, while large mergers can extend to 120 days.
In April 2022, the FCCPC adopted rules on investigative cooperation, allowing entities and individuals to receive benefits such as reduced penalties or immunity in exchange for full disclosure and ongoing cooperation.
In July 2020, the FCCPC released merger review guidelines. They emphasise that mergers involving firms with significant pipeline products, particularly in the digital sector, require thorough analysis to evaluate their market impact. In such cases, the simplified procedure is typically not applicable.
At the international level, the FCCPC participated in an African Union statement on digital markets regulation and signed a memorandum of understanding with Russia on antitrust.
Nigeria also pursues enforcement in digital markets:
In May 2024, the FCCPC launched a market study into the digital market sector. It aims to assess the competitive dynamics within the sector, identifying potential barriers to competition and consumer protection issues.
In July 2024, the FCCPC and the Nigeria Data Protection Commission (NDPC) fined Meta USD 220 million. While the NDPC focused on data protection non-compliance, the FCCPC determined that Meta abused its dominant market position by forcing “exploitative” and non-compliant privacy policies on Nigerian consumers and engaging in discriminatory practices. Meta was ordered to restore Nigerian users' control over their data and cease sharing WhatsApp user data with Facebook without explicit consent.
In February 2024, the FCCPC announced the initiation of an investigation into digital money lenders over alleged violations of regulatory standards.
Nigeria has not yet enacted primary or secondary legislation on artificial intelligence (AI) regulation. In December 2024, the House of Representatives passed a Bill to establish the National Institute for Artificial Intelligence and Robotics Studies Regulation Commission. The Bill aims to ensure the proper oversight of AI development, deployment, and use in Nigeria. It incorporates several other proposals, including the National Artificial Intelligence and Robotic Sciences (Establishment) Bill (HB 601), introduced in October 2023, and the Control of Usage of Artificial Intelligence Technology Bill (HB 942), introduced in November 2023.
At the international level, Nigeria has endorsed several international initiatives on AI governance.
In February 2025, Nigeria joined nine other countries in adopting the Paris Charter on AI in the public interest. In addition, the Statement on Inclusive and Sustainable Artificial Intelligence for People and the Planet, was adopted by members of the African Union, the European Union, the G20, the G7, and the United Nations. In November 2023, Nigeria signed the Bletchley Declaration on AI Safety along with 27 other countries, agreeing to address AI risks and develop risk-based policies.
The African Union, of which Nigeria is a member, adopted the Continental Artificial Intelligence Strategy for digital transformation and the AI Governance Framework, as well as cooperation on AI research and development with China.
In February 2024, the Digital Trade Protocol to the African Continental Free Trade Area was adopted. It requires parties to facilitate the adoption and regulation of emerging and advanced technologies, aligning with public policy and security interests, and to develop governance frameworks ensuring ethical, trusted, safe, and responsible use.
Several government authorities have issued non-binding policies addressing AI.
In August 2024, the National Centre for Artificial Intelligence and Robotics (NCAIR) published the draft National AI Strategy, outlining the country’s AI landscape and potential for socio-economic progress. It sets out ten guiding principles to shape legislative reforms, including ethics, inclusivity, transparency, and risk management.
In November 2019, the Nigerian Communications Commission issued the Digital Economy Policy and Strategy highlighting the need to advance emerging technologies, including AI, to strengthen the digital economy.
Nigeria has regulated both the direct and the indirect taxation of the digital economy.
In terms of direct taxes, Nigeria established a Digital Services Tax (DST) on non-resident digital service providers through several steps.
The Finance Act of 2019 introduced the DST concept by expanding the scope of foreign companies subject to the Companies Income Tax Act. It specifically applies to companies offering digital services that have a “significant economic presence” in Nigeria.
In February 2020, the Finance Ministry adopted an order defining three criteria for “significant economic presence.” First, the derivation of a gross annual turnover exceeding NGN 25 million from the provision of various digital services to persons in Nigeria. Second, the use of a Nigerian domain name (.ng) or the registration of a website in Nigeria. Third, the purposeful interaction with users in Nigeria, for instance by displaying prices in Nigerian currency or by customising webpages to target users in Nigeria.
The Finance Act of 2021 implemented the DST, with a rate of 6%.
Regarding indirect taxes, in February 2020 Nigeria extended its 7.5% value-added tax (VAT) to resident and non-resident providers of digital services consumed in Nigeria. In October 2021, the Federal Inland Revenue Service (FIRS) issued an order requiring non-resident providers to register if their supplies to Nigeria total or are expected to total USD 25,000 (or its equivalent) within 12 consecutive months. Previously, the threshold for registration was a turnover exceeding NGN 25 million.
At the international level, Nigeria signed the Multilateral Convention to Implement Tax Treaty-Related Measures to Prevent Base Erosion in August 2017 and endorsed the statement on the OECD/G20 Two-Pillar Solution for international taxation in September 2021.
Concerning enforcement, in February 2025, the FIRS reportedly filed a lawsuit against Binance, seeking NGN 10.3 trillion (approx. USD 79.5 billion) in economic damages and NGN 259 billion (approx. USD 2 billion) in back taxes for failing to comply with local tax rules.
Various government authorities have implemented regulatory frameworks regarding digital assets:
In December 2024, the Securities and Exchange Commission (SEC) issued amendments to its Digital Assets Rules, expanding oversight to cross-chain transfers, virtual asset services, and stricter standards for issuers of digital securities, stablecoins, and cryptocurrencies. The rules take effect in June 2025. In July 2024, the SEC established a regulatory incubation program specifically designed for virtual asset service providers.
In December 2023, the Central Bank issued guidelines governing bank accounts for virtual assets providers. In July 2021, it released a regulatory framework for mobile money services.
Concerning enforcement, the SEC issued a warning against investing with Binance in July 2023. The SEC noted that Binance is neither registered with nor regulated through the SEC and Binance's activities are therefore illegal.