The Nigeria Data Protection Commission has issued a regulatory advisory to all Data Controllers and Data Processors across the country in response to escalating threats to Nigeria’s data security architecture.
In a statement signed by Babatunde Bamigboye, the head, Legal, Enforcement & Regulations, NDPC said a recent technical assessments indicate that coordinated cyber operations by shadowy threat actors are targeting financial systems and other critical digital infrastructure in Nigeria, raising urgent concerns over data privacy, institutional resilience, and national cybersecurity.
The Commission reminded public institutions of the Presidential Directive by President Bola Ahmed Tinubu, which states:
“Data is the new oil; its value increases the more it is refined and responsibly shared. I therefore direct all Ministries, Extra-Ministerial Departments and Agencies to capture information rigorously and safeguard it under the Nigeria Data Protection Act 2023,” Bamigboye said.
In line with this directive, the NDPC has called on all Data Controllers and Data Processors, including Ministries, Departments and Agencies (MDAs), to urgently strengthen both technical and organisational safeguards to protect the personal data of Nigerians and other data subjects in compliance with the Nigeria Data Protection Act (NDP Act), 2023.
Recommended Immediate Actions
The Commission advised organisations to implement the following critical measures:
- Appointment of trained and certified Data Protection Officers
- Development and effective implementation of Privacy Policies and information security standards
- Conduct of Data Privacy Impact Assessments
- Deployment of robust identity and access controls, including Multi-Factor Authentication (MFA)
- Adoption of zero-trust security architecture and network segmentation
- Immediate remediation of system vulnerabilities and continuous patch management
- Protection of cloud infrastructure, APIs, databases, and access credentials
- Real-time monitoring, logging, and threat detection systems
- Encryption, key management, and secure credential handling
- Regular Vulnerability Assessment and Penetration Testing (VAPT) on critical systems
- Routine backup, recovery, and resilience testing
Regulatory Support and Compliance Warning
The NDPC stated that it is prepared to provide the necessary regulatory guidance and support to organisations seeking to improve their data protection posture.
However, the Commission warned that organisations that fail to implement adequate measures as required under the Nigeria Data Protection Act, 2023 may face legal liabilities and regulatory sanctions.
The Commission reaffirmed its commitment to safeguarding personal data, strengthening institutional resilience, and driving compliance across all sectors of the Nigerian economy.
