NIGERIA COMPLIANCE · 2026 EDITION
The Nigerian Cybersecurity Compliance Checklist for Businesses
A practical, regulation-mapped checklist covering NDPR, the Cybercrimes Act, CBN, NCC, and NITDA directives, built for Nigerian organisations of every size.
- 7 Compliance Areas covered
- 50+ Action Items
- Nigerian Law–Referenced
- 2026 Edition
Priority legend:
- Critical: address immediately.
- High: address within 30 days.
- Medium: address within 90 days.
How to use this checklist: Share it with your IT, legal, and compliance teams. Items marked Critical should be addressed immediately — they carry direct regulatory penalty risk under Nigerian law.
🛡️ 1. Data Protection & Privacy (NDPR / NDPA)
Nigeria Data Protection Act 2023 · NDPR 2019
- [Critical] Register with the Nigeria Data Protection Commission (NDPC) as a Data Controller / Processor if you process personal data of 1,000+ individuals annually.
  Note: NDPA 2023, §36. Fines up to ₦10 million or 2% of annual gross revenue.
- [Critical] Appoint a qualified Data Protection Officer (DPO) and publish contact details on your privacy policy page.
  Note: NDPA 2023, §32. Required for all medium and large data controllers.
- [Critical] Publish a compliant Privacy Notice on your website that discloses the purpose, legal basis, retention period, and data subject rights.
  Note: NDPR 2019, Art. 3.1(5). The notice must be in plain language and easily accessible.
- [High] Conduct and document a Data Protection Impact Assessment (DPIA) for high-risk processing activities (e.g. biometrics, financial data, health records).
  Note: NDPA 2023, §26. Must be completed before commencing high-risk processing.
- [High] Establish a process to handle Data Subject Access Requests (DSARs) — access, rectification, erasure, and portability — within 30 days.
- [High] Maintain a Record of Processing Activities (ROPA) documenting all categories of data processed, purposes, and third-party transfers.
- [High] Ensure cross-border data transfers to countries without adequate protection are covered by approved contractual clauses or binding corporate rules.
  Note: NDPA 2023, §43. No export of Nigerian personal data without adequate safeguards.
- [Critical] File your annual data protection audit report with the NDPC through an NDPC-licensed Data Protection Compliance Organisation (DPCO).
  Note: NDPR 2019, Art. 7. Deadline is 15 March each year for the previous calendar year.
⚖️ 2. Cybercrime Prevention & Incident Management
Cybercrimes (Prohibition, Prevention) Act 2015 (as amended 2024)
- [Critical] Implement technical controls to prevent unauthorised computer access, including MFA, privileged access management, and network segmentation.
  Note: Cybercrimes Act §6 criminalises facilitating unlawful access — operators have a duty of care.
- [Critical] Develop, test, and maintain a documented Incident Response Plan (IRP) with defined roles, escalation paths, and stakeholder communication templates.
- [Critical] Report cybersecurity incidents to the Nigerian Computer Emergency Response Team (ngCERT) and the relevant sector regulator within 24–72 hours of discovery.
  Note: ngCERT reporting obligations apply to Critical National Information Infrastructure (CNII) operators.
- [High] Maintain audit logs and forensic-quality event records for a minimum of 2 years to support law enforcement and regulatory investigations.
  Note: Cybercrimes Act §38 compels service providers to retain traffic and subscriber data.
- [High] Train staff annually on cybercrime indicators, phishing awareness, and their legal obligations under the Cybercrimes Act.
- [Medium] Establish an insider threat programme — conduct background checks, monitor privileged access, and enforce a clear Acceptable Use Policy (AUP).
🏦 3. Financial Sector Cybersecurity (CBN)
CBN Risk-Based Cybersecurity Framework 2022 · BOFIA 2020
- [Critical] Board and senior management formally approve a written Cybersecurity Policy reviewed at least annually.
  Note: CBN Cyber Framework §3.1 — Board oversight is a regulatory requirement, not optional.
- [Critical] Designate a Chief Information Security Officer (CISO) at senior management level with a direct reporting line to the Board.
- [Critical] Implement the CBN's five-function cybersecurity framework: Identify, Protect, Detect, Respond, and Recover — with maturity targets for each domain.
- [Critical] Report significant cyber incidents (fraud, system outages, breaches) to CBN within 2 hours of detection using the prescribed incident report template.
- [High] Conduct annual Penetration Tests and Vulnerability Assessments (PTVA) by CBN-approved third-party vendors; submit reports to CBN.
- [High] Perform annual Business Continuity/Disaster Recovery (BC/DR) tests and submit results to CBN; RTO and RPO must meet regulatory thresholds.
- [High] Comply with CBN's requirements on transaction monitoring, fraud analytics, and anti-money laundering system integration.
🖥️ 4. IT Governance & Critical Infrastructure (NITDA / NCC)
NITDA Act 2007 · NCC Consumer Code · Critical Infrastructure Protection Framework
- [High] Ensure all IT systems used by public institutions and regulated entities comply with NITDA's Nigerian e-Government Interoperability Framework (NeGIF).
- [High] Adopt and document compliance with the NITDA cybersecurity guidelines and accreditation standards for IT vendors.
- [Critical] Telecommunications and OTT service providers must register with the NCC and comply with its Consumer Code on cybersecurity and lawful intercept requirements.
  Note: NCC has powers under NITDA Act §17 to issue compliance notices and withdraw licences.
- [Critical] If designated as Critical National Information Infrastructure (CNII), register with the Office of the National Security Adviser and implement the CNII Protection Framework.
- [Medium] Ensure all software procurement and IT contracts contain security requirements clauses aligned with NITDA guidelines and NDPA data processing provisions.
🔐 5. Technical Security Controls (Best Practice Baseline)
ISO/IEC 27001 · NIST CSF · CBN Framework Annex
- [Critical] Enforce Multi-Factor Authentication (MFA) on all privileged accounts, remote access systems, and customer-facing financial portals.
- [Critical] Encrypt all sensitive data at rest (AES-256) and in transit (TLS 1.2 or higher), including database backups and removable media.
- [High] Deploy a Security Information and Event Management (SIEM) or equivalent log monitoring solution with 24/7 alerting coverage for critical systems.
- [High] Maintain a patching programme — critical/high CVEs patched within 30 days; emergency patches (CVSS ≥9.0) within 72 hours.
- [High] Implement a documented Vulnerability Management programme with quarterly internal scans and annual external penetration tests.
- [High] Maintain an up-to-date asset inventory covering all hardware, software, cloud services, and data flows — reviewed every 6 months.
- [High] Enforce Role-Based Access Control (RBAC) and the principle of least privilege; review access rights quarterly and immediately upon staff departure.
- [High] Test data backups monthly and full disaster recovery annually; store backups off-site or in a geographically separate cloud region (include at least one Nigerian data centre).
  Note: NDPA 2023 and CBN Framework require data residency considerations for Nigerian personal and financial data.
- [Medium] Deploy endpoint protection (EDR/AV) on all company devices; enforce device encryption and remote-wipe capability for mobile and laptop assets.
- [Medium] Implement a Web Application Firewall (WAF) and DDoS mitigation for all public-facing web services, including USSD and mobile banking endpoints.
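The patching item in this section states two remediation windows (CVSS ≥ 9.0 within 72 hours; other critical/high CVEs within 30 days), and an auditor will ask for evidence that they are tracked. The following Python example is added here as an illustration and is not part of the original checklist or of 3Cs Aquarah's materials: it applies those two windows to a constructed set of findings and reports which open items have passed their deadline. The finding records and their "VULN-EXAMPLE-…" identifiers are constructed placeholders, not real CVEs, and the mapping of "critical/high" to a CVSS v3 base score of 7.0 or above is an assumption of the example, not a statement from the checklist.

```python
from datetime import datetime, timedelta

# Constructed sample findings for illustration; the identifiers are placeholders,
# not real CVE numbers. "found" is the date the vulnerability was confirmed on an
# in-scope asset; "patched" is the date the fix was deployed, or None if still open.
FINDINGS = [
    {"id": "VULN-EXAMPLE-001", "cvss": 9.8, "found": "2026-01-03", "patched": None},
    {"id": "VULN-EXAMPLE-002", "cvss": 7.5, "found": "2026-01-10", "patched": "2026-02-01"},
    {"id": "VULN-EXAMPLE-003", "cvss": 8.1, "found": "2025-12-20", "patched": None},
    {"id": "VULN-EXAMPLE-004", "cvss": 5.3, "found": "2026-01-15", "patched": None},
]

EMERGENCY_WINDOW = timedelta(hours=72)  # checklist: CVSS >= 9.0 patched within 72 hours
HIGH_WINDOW = timedelta(days=30)        # checklist: critical/high CVEs patched within 30 days
HIGH_THRESHOLD = 7.0                    # assumption: CVSS v3 "High" band starts at 7.0


def parse_date(text):
    """Parse an ISO date string (YYYY-MM-DD) into a datetime at midnight."""
    return datetime.strptime(text, "%Y-%m-%d")


def remediation_deadline(cvss, found):
    """Return the patch deadline for a finding, or None if the SLA sets no window.

    The emergency band is checked first so a CVSS 9.0+ finding is never handed
    the more lenient 30-day window it would otherwise also qualify for.
    """
    if cvss >= 9.0:
        return found + EMERGENCY_WINDOW
    if cvss >= HIGH_THRESHOLD:
        return found + HIGH_WINDOW
    return None  # below the high band the checklist sets no explicit deadline


def sla_status(finding, as_of):
    """Classify one finding relative to its SLA at the reference time `as_of`.

    Possible results: "no_sla", "met", "patched_late", "open_on_track", "overdue".
    """
    deadline = remediation_deadline(finding["cvss"], parse_date(finding["found"]))
    if deadline is None:
        return "no_sla"
    if finding["patched"] is not None:
        return "met" if parse_date(finding["patched"]) <= deadline else "patched_late"
    return "open_on_track" if as_of <= deadline else "overdue"


def sla_report(findings, as_of):
    """Map each finding id to its SLA status; this is the table an audit asks for."""
    return {f["id"]: sla_status(f, as_of) for f in findings}


def overdue_ids(findings, as_of):
    """Ids of open findings past their deadline, earliest deadline first (escalate these)."""
    overdue = [f for f in findings if sla_status(f, as_of) == "overdue"]
    overdue.sort(key=lambda f: remediation_deadline(f["cvss"], parse_date(f["found"])))
    return [f["id"] for f in overdue]


if __name__ == "__main__":
    now = parse_date("2026-02-05")
    for vuln_id, status in sla_report(FINDINGS, now).items():
        print(f"{vuln_id}: {status}")
    print("Overdue, escalate:", overdue_ids(FINDINGS, now))
```

Run as a script, the report shows the two open findings that have missed their windows and the one that was patched inside its 30-day window; pointing `FINDINGS` at an export from your scanner or ticketing system turns the same logic into a recurring SLA check rather than a one-off illustration.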
🤝 6. Vendor & Third-Party Risk Management
NDPA 2023 §27 · CBN Framework §5 · Cybercrimes Act §38
- [Critical] Conduct security due diligence on all third-party vendors that access, process, or store Nigerian personal or financial data before onboarding.
- [Critical] Execute Data Processing Agreements (DPAs) with all data processors, including international cloud providers, specifying NDPA obligations and breach notification duties.
- [High] Maintain a current Third-Party Vendor Register listing all suppliers with access to systems or data, their risk tier, and last assessment date.
- [High] Require critical vendors to provide evidence of ISO 27001 certification or equivalent and annual penetration test reports.
- [Medium] Contractually require vendors to notify you of security incidents affecting your data within 24 hours, and include right-to-audit clauses.
📋 7. Governance, Risk & Compliance (GRC)
NDPA 2023 · Companies and Allied Matters Act 2020 · CBN CG Code
- [High] Establish a cybersecurity risk register reviewed quarterly; risk appetite approved by the Board and communicated to all business units.
- [High] Deliver mandatory cybersecurity awareness training for all staff at onboarding and annually thereafter; keep attendance records for audit purposes.
- [Medium] Maintain an Information Security Management System (ISMS) aligned to ISO/IEC 27001 or the NIST Cybersecurity Framework; consider formal certification.
- [Medium] Document and test cybersecurity insurance coverage and understand sub-limits applicable to Nigerian regulatory fines and first-party cyber losses.
- [Medium] Conduct annual internal compliance audits against this checklist and sector-specific regulations; document findings and remediation plans.
- [Medium] Maintain a regulatory watch programme to monitor updates from NDPC, CBN, NCC, NITDA, ngCERT, and the ONSA — and update policies accordingly.
Need help reaching full compliance?
Get our free Nigerian Cybersecurity Compliance Roadmap — a step-by-step guide tailored to your industry, delivered to your inbox.
No spam. Your data is handled in line with the NDPA 2023. Unsubscribe anytime.
3Cs Aquarah Limited
© 2026 3Cs Aquarah Limited. All rights reserved.
This checklist is the intellectual property of 3Cs Aquarah Limited and is provided for informational purposes only.
Reproduction or redistribution without written permission is strictly prohibited.