Cybersecurity Policy (Nigeria)
CYBERSECURITY POLICY
Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 | Nigeria Data Protection Act 2023 | CBN Cybersecurity Framework and Guidelines 2021 | NCC Cybersecurity Regulations 2022
Organisation: [Organisation Name] (RC: [RC Number])
Sector: [Organisation Type]
Effective Date: [Effective Date]
CISO / Security Lead: [CISO Name]
Data Protection Officer (NDPA 2023 s.32): [DPO Name]
1. PURPOSE AND POLICY STATEMENT
1.1 [Organisation Name] is committed to protecting the confidentiality, integrity, and availability of its information systems, data, and digital assets against cybersecurity threats including unauthorised access, cyberattacks, data breaches, and ransomware.
1.2 This Policy is adopted to comply with the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015, the Nigeria Data Protection Act 2023 (NDPA), the CBN Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers (Revised 2021) (where applicable), and the NCC Cybersecurity Regulations 2022 (where applicable).
1.3 The Board of Directors of [Organisation Name] has reviewed and approved this Cybersecurity Policy.
2. SCOPE
2.1 This Policy applies to: [Scope Description].
3. DATA CLASSIFICATION
3.1 [Organisation Name] classifies its information assets as follows: [Data Classification]. The security controls applied to each data class are specified in the Data Classification and Handling Standard.
4. ACCESS CONTROL AND AUTHENTICATION
4.1 Access control requirements: [Access Control Policy].
4.2 Password and authentication standards: [Password Policy].
4.3 All access to personal data under the NDPA 2023 is restricted to personnel with a legitimate business need (data minimisation and purpose limitation principles, NDPA Section 24).
5. INCIDENT DETECTION, RESPONSE, AND REPORTING
5.1 Reportable cybersecurity incidents: [Incident Definition].
5.2 Internal reporting: [Internal Reporting Timeframe].
5.3 Regulatory notification obligations: [Regulatory Notification].
5.4 Evidence preservation: all logs, system snapshots, and communications related to a cybersecurity incident shall be preserved for forensic investigation and potential engagement of the Economic and Financial Crimes Commission (EFCC) or Nigeria Police Cybercrime Unit where criminal activity is suspected.
6. THIRD-PARTY AND VENDOR SECURITY
6.1 Vendor security requirements: [Vendor Requirements].
7. EMPLOYEE OBLIGATIONS AND TRAINING
7.1 Employee security obligations: [Employee Obligations].
7.2 Policy violations: [Violations].
8. GOVERNANCE AND REVIEW
8.1 The CISO ([CISO Name]) is responsible for implementing, maintaining, and monitoring compliance with this Policy. The DPO ([DPO Name]) is responsible for data protection aspects under the NDPA 2023.
8.2 This Policy shall be reviewed annually or following a significant cybersecurity incident, material change to the Organisation's systems, or change in applicable law.
8.3 This Policy was approved by the Board of [Organisation Name] with effect from [Effective Date].
Chief Executive Officer (Approving Authority)
________________
Signature
Chief Information Security Officer
________________
Signature
What Is a Cybersecurity Policy (Nigeria)?
A Cybersecurity Policy in Nigeria is the board-approved document that sets out an organisation's obligations and procedures for protecting its information systems and data, and that records how it meets the cybersecurity requirements of the statutes and regulators described below.
The primary cybersecurity legislation in Nigeria is the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 (Cybercrime Act), which criminalises unauthorised access to computer systems, cyberstalking, phishing, identity theft, and other cybercrime offences. The Cybercrime Act imposes obligations on Critical National Information Infrastructure (CNII) operators — identified by Presidential Directives — to implement specific cybersecurity measures, conduct periodic risk assessments, and report cybersecurity incidents to the Office of the National Security Adviser (ONSA) and the Nigeria Computer Emergency Response Team (ngCERT).
The Nigeria Data Protection Act 2023 (NDPA), which replaced the Nigeria Data Protection Regulation (NDPR) 2019 issued by the National Information Technology Development Agency (NITDA), imposes obligations on data controllers and processors to implement appropriate technical and organisational security measures to protect personal data against unauthorised access, disclosure, alteration, and destruction. The Nigeria Data Protection Commission (NDPC), established under the NDPA, supervises compliance and has powers to impose administrative fines of up to 2% of annual global turnover or NGN 10 million (whichever is higher) for violations.
Financial institutions regulated by the Central Bank of Nigeria (CBN) are subject to the CBN Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers (Revised 2021), which mandates board-level cybersecurity governance, Chief Information Security Officer (CISO) appointment, security operations centre (SOC) operation, and annual cybersecurity penetration testing. The CBN Cyber Incident Reporting Guidelines require financial institutions to report cybersecurity incidents to the CBN Financial Services Information Sharing and Analysis Centre (FS-ISAC) within specified timeframes.
Telecommunications operators and internet service providers licensed by the Nigerian Communications Commission (NCC) are subject to the NCC Cybersecurity Regulations 2022, which impose network security, subscriber data protection, and lawful interception obligations.
The wider legal framework around a Cybersecurity Policy in Nigeria draws on several statutes and regulatory bodies. The Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC) and sets the foundational corporate requirements. The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Act 2023 (NDPA), which replaced the Nigeria Data Protection Regulation (NDPR) 2019, and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Parties adopting a Cybersecurity Policy should confirm that the document reflects current law, including any amendments enacted since the original drafting date.
When Do You Need a Cybersecurity Policy (Nigeria)?
A Nigeria Cybersecurity Policy is needed by every organisation that operates information systems, processes digital data, or provides electronic services — regulatory requirements and risk management make a formal policy essential rather than optional.
Financial institutions — including deposit money banks, microfinance banks, payment service providers, and FinTech companies — regulated by the CBN are mandated by the CBN Cybersecurity Framework 2021 to maintain a formal, board-approved cybersecurity policy. The CBN conducts cybersecurity assessments and examinations of regulated financial institutions; the absence of a documented policy is a compliance finding.
Organisations processing personal data of Nigerian residents are data controllers or processors under the NDPA 2023 and must implement appropriate security measures as required by Section 24 of the NDPA. A cybersecurity policy is the foundational document demonstrating that the organisation has systematically addressed security risk, which the NDPC may require on investigation or audit.
Critical National Information Infrastructure (CNII) operators — in sectors including energy, telecommunications, banking and finance, transport, and government — identified by Presidential Declaration under Section 3 of the Cybercrime Act 2015 are legally required to implement the cybersecurity standards specified by ONSA and ngCERT. A formal cybersecurity policy is the starting point for this compliance.
Companies seeking to contract with the Nigerian government or with multinational organisations — particularly in the technology, financial services, and telecoms sectors — are increasingly required to present cybersecurity policies as part of procurement qualification and vendor due diligence processes.
Organisations applying for ISO/IEC 27001 Information Security Management System certification — recognised internationally and increasingly required by Nigerian corporate clients — must demonstrate a documented information security policy as a baseline requirement of the standard.
Organisations in Nigeria should prepare a Cybersecurity Policy proactively rather than waiting for an incident, regulatory examination, or dispute to arise, because regulators and courts assess compliance against the written policy rather than oral assurances. Where the organisation carries on regulated activities, prior approval from the relevant authority may be required before the policy takes effect.
What to Include in Your Cybersecurity Policy (Nigeria)
A Nigeria Cybersecurity Policy must address the following key areas to meet regulatory requirements and provide effective security governance.
Scope and applicability: the policy must specify which systems, data, locations, employees, contractors, and third parties it covers. For regulated entities, the scope must encompass all systems and data in scope of the CBN Cybersecurity Framework, NDPA 2023, or NCC Regulations as applicable.
Governance and accountability: the policy must assign cybersecurity responsibilities at board level (board oversight of cybersecurity risk), executive level (CISO or equivalent responsible officer), and operational level (IT security team, data protection officer under NDPA Section 30). The CBN Cybersecurity Framework 2021 requires board-approved cybersecurity strategy and board-level Cybersecurity Committee.
Access control and authentication: rules governing who can access which systems and data, minimum password standards, multi-factor authentication requirements, and procedures for granting, reviewing, and revoking access. The NDPA 2023, Section 24, requires appropriate access controls for personal data.
Data classification and protection: a framework for classifying data (public, internal, confidential, strictly confidential) and the security controls required for each classification level, consistent with NDPA 2023 data security obligations and CBN data classification requirements.
Incident detection, reporting, and response: procedures for detecting, assessing, and responding to cybersecurity incidents, including the timeframes for internal reporting and external regulatory notification. The CBN requires financial institutions to report material cyber incidents to the CBN within 24 hours of detection; the NDPC under the NDPA 2023 requires notification of personal data breaches within 72 hours.
Third-party and vendor security: requirements for assessing and managing cybersecurity risks from third-party vendors, contractors, and outsourced service providers, consistent with NDPA 2023 data processor obligations and CBN outsourcing guidelines.
Employee security obligations and training: mandatory cybersecurity awareness training, staff obligations regarding acceptable use of information systems, and consequences for policy violations under the employment contract and the Cybercrime Act 2015.
Business continuity and disaster recovery: plans for maintaining or restoring critical business operations following a cybersecurity incident, aligned with the CBN Business Continuity Management Guidelines.
The policy should also be consistent with the general Nigerian corporate, employment, data protection, and tax requirements noted above (CAMA 2020 and the CAC, the Labour Act and the NICN, the NDPA and the NDPC, and FIRS). Forms-legal.com provides this template as a starting point for Nigeria-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Cybersecurity Policy (Nigeria) [Legal document template]. Forms Legal. https://forms-legal.com/nigeria/business/policies/cybersecurity-policy-nigeria
Frequently Asked Questions
A formal cybersecurity policy is a legal requirement for several categories of Nigerian organisations. Financial institutions (banks, payment service providers, FinTech companies) regulated by the Central Bank of Nigeria (CBN) are mandated to maintain a board-approved cybersecurity policy under the CBN Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers (Revised 2021). The CBN's Risk-Based Cybersecurity Assessment Programme (RC-AP) examines financial institutions' cybersecurity posture, and the absence of a documented policy is a regulatory finding. Data controllers and processors subject to the Nigeria Data Protection Act 2023 (NDPA) must implement appropriate technical and organisational security measures under Section 24 of the NDPA, and a cybersecurity policy is the foundational mechanism for demonstrating compliance. Critical National Information Infrastructure operators under the Cybercrimes Act 2015 must implement security standards specified by ONSA. Telecommunications operators licensed by the NCC must comply with the NCC Cybersecurity Regulations 2022. While the Cybercrime Act 2015 does not expressly require all companies to maintain a written cybersecurity policy, the Act's liability provisions mean that organisations that suffer cybersecurity incidents without demonstrable security measures face civil liability exposure and regulatory sanctions.
The Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 (Cybercrime Act) establishes specific criminal penalties for cybercrime offences in Nigeria, enforced by the Nigeria Police Force, the Economic and Financial Crimes Commission (EFCC), and the Office of the National Security Adviser (ONSA). Key penalties under the Cybercrime Act include: unauthorised access to computer systems (Section 6) — up to 3 years imprisonment or NGN 7 million fine; causing damage through unauthorised access (Section 7) — up to 7 years imprisonment or NGN 5 million fine; cyber fraud including obtaining financial benefit by false pretence (Section 14) — up to 7 years imprisonment; identity theft and impersonation (Section 22) — up to 7 years imprisonment or NGN 10 million fine; cyberstalking (Section 24) — up to 3 years imprisonment. Under the NDPA 2023, organisations that fail to implement adequate security measures resulting in a data breach face administrative fines of up to 2% of annual global turnover or NGN 10 million. The CBN may impose additional regulatory fines and licence suspension on financial institutions that breach CBN cybersecurity requirements. Directors and officers of companies that fail cybersecurity compliance obligations face personal liability under the Cybercrime Act and the Companies and Allied Matters Act (CAMA) 2020.
The Nigeria Data Protection Commission (NDPC), established under the Nigeria Data Protection Act 2023 (NDPA), is the primary regulatory authority for data protection in Nigeria, with supervisory jurisdiction over all data controllers and processors handling personal data of Nigerian residents. In the cybersecurity context, the NDPC's role focuses specifically on the protection of personal data against security breaches. Under Section 24 of the NDPA 2023, data controllers and processors must implement appropriate technical and organisational measures to protect personal data having regard to the nature, scope, context, and purposes of the processing, and the risk to the rights and freedoms of data subjects. Where a security breach results in unauthorised access, disclosure, alteration, or destruction of personal data, the data controller must notify the NDPC within 72 hours of becoming aware of the breach under Section 40 of the NDPA. The NDPC has powers to investigate data breaches, require remediation, and impose administrative fines under Section 48 of the NDPA. The NDPC also registers Data Protection Compliance Organisations (DPCOs) — formerly under the NITDA NDPR framework — which provide data protection compliance services to Nigerian organisations. The NDPC works alongside sector regulators (CBN, NCC, National Insurance Commission (NAICOM)) who have their own cybersecurity oversight functions within their respective sectors.
A Nigerian organisation's response to a cybersecurity incident should follow a structured incident response plan aligned with regulatory notification obligations and operational recovery priorities. Immediately upon detecting a cybersecurity incident: (1) activate the incident response team (comprising IT security, legal, compliance, and executive management); (2) contain the breach by isolating affected systems to prevent further damage; (3) assess the scope and impact, including whether personal data has been compromised (triggering NDPA 2023 obligations) and whether critical systems are affected. Regulatory notification obligations: financial institutions must report material cyber incidents to the CBN Financial Services Information Sharing and Analysis Centre (FS-ISAC) within 24 hours of detection under CBN Incident Reporting Guidelines; organisations that have suffered a personal data breach must notify the NDPC within 72 hours under NDPA 2023 Section 40; Critical National Information Infrastructure operators must notify ngCERT under the Cybercrime Act 2015 framework. Evidence preservation: all logs, system snapshots, and communications related to the incident should be preserved for forensic investigation and potential law enforcement use. Post-incident: conduct a root cause analysis, remediate the vulnerability exploited, update the cybersecurity policy and controls, and prepare a formal incident report. The EFCC and Nigerian Police Cybercrime Unit may be engaged where criminal activity is suspected.
A Cybersecurity Policy (Nigeria) does not legally require a lawyer in Nigeria, though legal advice is recommended. Forms-legal.com provides this template as a starting point for Nigeria-compliant documentation; organisations should review it with a qualified Nigerian lawyer for significant transactions and to confirm compliance with all applicable requirements under CAMA 2020 and the sector regulations that apply to them.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.