Nigeria: Communications Commission opened consultation on Draft Internet Code of Practice 2025 including cybersecurity regulation

On 9 October 2025, the Nigerian Communications Commission (NCC) opened a consultation on the Draft Internet Code of Practice (as amended), until 31 October 2025. The draft amends the Internet Code of Practice of 2019. Chapter three sets out the obligations of Internet Access Service Providers (IASPs) regarding cybersecurity, privacy, and data protection. IASPs must implement the Cyber Security Framework issued by the Commission, which establishes strategic and operational standards for the communications sector. They are required to comply with the Nigerian Data Protection Act 2023 and relevant provisions of the Consumer Code of Practice Regulations 2024. IASPs must adopt reasonable measures to safeguard customer data against unauthorised access or disclosure, taking into account the sensitivity of the information and technical feasibility. In the event of a data breach, they must inform affected customers and notify the Commission within 48 hours. Additionally, IASPs may not permit third-party access to transactional data without prior written approval from the Commission, which will only be granted following an impact assessment.