Protecting Nigerians Online: How NCC Can Align with Global Standards in Data Privacy and Cybersecurity
Nigeria’s digital future hinges on the Nigerian Communications Commission (NCC) addressing gaps in rural connectivity, enforcing data sovereignty, and bolstering cybersecurity. While strides have been made, aligning with global standards and learning from forward-thinking African nations like South Africa and Kenya is crucial to protect Nigerians’ data, drive innovation, and ensure equitable access.
An Editorial Analysis
The Nigerian Communications Commission (NCC) has recently made significant moves to enhance Nigeria’s digital infrastructure, data privacy, and cybersecurity, but experts have pointed out areas where improvements are critical to achieving broader goals of global competitiveness, digital equity, and data sovereignty.
Dr. Vincent Olatunji, the National Commissioner and CEO of the Nigeria Data Protection Commission (NDPC), described privacy as a “fundamental right guaranteed by our Constitution” during Nigeria’s National Privacy Week 2026. He emphasized that trust is the foundation of Nigeria’s digital economy, noting that “as Nigeria’s digital economy expands, the data that powers innovation and inclusion must be protected with the same seriousness as financial capital”. This statement underscores the growing importance of enforcing Nigeria’s Data Protection Act (NDPA) of 2023, which aims to safeguard citizens’ information while ensuring that it is not exploited by foreign tech giants or third-party data banks. Olatunji further highlighted the need for data localization policies to ensure that sensitive information about Nigerians remains within the country’s jurisdiction.
In February 2026, the NCC and NDPC signed a Memorandum of Understanding (MoU) to deepen collaboration on data privacy enforcement within the telecom sector. Dr. Aminu Maida, Executive Vice Chairman of the NCC, stressed the importance of this partnership, saying, “The future is data. If we do not get the principles of how we govern it right, even our sovereignty as a nation is threatened”. He explained that the MoU would ensure swift implementation of data privacy measures and provide a framework for holding data processors accountable, especially as Nigeria transitions into a data-driven economy.
However, while the NCC has taken commendable steps, challenges remain in ensuring digital penetration in underserved and disadvantaged communities. Despite crossing the 50% broadband penetration milestone in late 2025, rural areas still suffer from limited access to reliable internet. Mrs. Nnenna Ukoha, NCC’s Head of Public Affairs, acknowledged the need for improved access, stating, “Telecom operators must comply with the Nigeria Data Protection Act, 2023, in handling call records, location data, and digital identities, while ensuring equitable access to emerging technologies”. Experts have suggested that the NCC must streamline bureaucratic processes such as Right of Way (RoW) permits and increase subsidies for infrastructure deployment in rural areas to bridge the digital divide.
Cybersecurity is another pressing issue highlighted by stakeholders. The NCC recently unveiled a comprehensive cybersecurity framework aimed at protecting Nigeria’s telecommunications sector from sophisticated threats. Abraham Oshadami, NCC’s Executive Commissioner for Technical Services, noted that “cyber threats now endanger not only system performance but also human safety, amplifying the severity and consequences of disruptions to vital communications infrastructure.” He added that the framework would introduce mandatory incident reporting protocols and risk management strategies for telecom operators, ensuring resilience against evolving threats. This initiative is vital, as experts like Uwem Uwemakpan, Head of Investment at Launch Africa Ventures, have warned that Africa’s digital platforms are increasingly targeted due to weak cybersecurity infrastructure. Uwemakpan remarked, “The gap between the value stored on African digital platforms and the security protecting it is widening, and that gap is where capital will move”.
The NCC’s efforts to align with global best practices in data governance and cybersecurity are commendable, but the Commission must accelerate implementation to address these challenges effectively. Strengthening rural connectivity, enforcing stricter data privacy regulations, and operationalizing the cybersecurity framework will not only protect Nigerians but also position the country as a global leader in digital innovation.
Global Analysis
Globally, leading nations in cybersecurity and data protection, such as the United States, the European Union, and Singapore, emphasize proactive measures, robust enforcement, and public-private partnerships. For instance, the EU’s General Data Protection Regulation (GDPR) sets stringent standards for data privacy, including mandatory data breach notifications within 72 hours and hefty fines for non-compliance. Similarly, Singapore’s Cybersecurity Act mandates critical information infrastructure (CII) operators to adopt advanced cybersecurity measures, conduct regular audits, and report incidents promptly. In contrast, while the NCC’s framework includes incident reporting, risk management, and collaboration requirements, it is still in the early stages of implementation and lacks the same level of enforcement mechanisms as these global benchmarks.
Another key area is stakeholder engagement and industry compliance. Globally, successful cybersecurity frameworks are built on strong partnerships between regulators, telecom operators, and technology providers. The NCC has taken steps in this direction by consulting stakeholders and tailoring its framework to Nigeria’s unique challenges. However, experts like Dr. Kazeem Durodoye have pointed out the need for the framework to incorporate cutting-edge technologies such as AI-enhanced threat detection, quantum cryptography, and Open RAN to address emerging threats effectively. This aligns with global trends where regulators proactively integrate advanced technologies into their cybersecurity strategies to stay ahead of evolving risks.
Data localization is another critical aspect where the NCC can draw inspiration from global practices. Countries like India and Russia have implemented strict data localization laws requiring sensitive data to be stored within their borders to protect national sovereignty. While the NCC and NDPC’s recent MoU emphasizes data sovereignty and privacy, its enforcement mechanisms and capacity-building initiatives need to be scaled up to match these global standards. Dr. Vincent Olatunji rightly noted that “if people do not know their rights around data, somebody else will monetize it,” highlighting the need for public awareness campaigns and stronger regulatory oversight.
Lastly, the NCC’s focus on cybersecurity capacity building is a step in the right direction. The framework’s emphasis on training, information sharing, and collaboration mirrors global best practices, such as the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework. However, its success will depend on consistent implementation, adequate funding, and regular updates to address the rapidly changing threat landscape.
In summary, while the NCC is making significant progress, it must enhance enforcement mechanisms, integrate advanced technologies, and scale up public awareness and capacity-building efforts to align more closely with global best practices.
Data Protection Regulations: Nigeria vs. Global Standards
Nigeria’s data protection regulations, as outlined in the Nigeria Data Protection Act (NDPA) 2023, share similarities with the European Union’s General Data Protection Regulation (GDPR). Both frameworks emphasize individual rights, data governance, and digital trust. Key similarities include:
- Data Subject Rights: Both NDPA and GDPR recognize rights such as access, correction, erasure, and portability.
- Data Breach Notification: Both require notification within 72 hours of becoming aware of a breach.
- Data Protection Officers (DPOs): Both frameworks mandate DPOs for high-risk or large-scale data processing.
Key Differences and Challenges
While Nigeria’s data protection regulations are evolving, challenges remain in enforcement and compliance. Some key differences between NDPA and GDPR include:
- Jurisdiction: GDPR applies to EU residents, while NDPA applies to Nigerian residents and entities processing Nigerian data.
- Fines: GDPR imposes fines of up to €20 million or 4% of global turnover, while NDPA fines range from ₦2 million to ₦10 million or 1-2% of annual turnover.
- Registration: NDPA requires registration with the NDPC, while GDPR does not have a similar requirement.
Forward-Thinking African Countries
Several African countries are making progress in data protection, including:
- South Africa: Implementing the Protection of Personal Information Act (POPIA) to safeguard personal data.
- Kenya: Enacting the Data Protection Act 2019 to regulate data processing and protect individual rights.
- Ghana: Passing the Data Protection Act 2012 to establish data protection principles and regulations.
These countries are setting examples for other African nations to follow in protecting citizens’ data and promoting digital trust.
What’s Next for Nigeria’s Data Protection Landscape?
As Nigeria continues to evolve its data protection regulations, it’s essential to strengthen enforcement mechanisms, enhance public awareness, and promote compliance. The NCC’s efforts to develop a comprehensive cybersecurity framework and collaborate with international partners will be crucial in this regard.
What are your thoughts on Nigeria’s data protection progress? How can the country improve its data protection landscape?




