The regular aims to strengthen the security of the country’s telecom infrastructure and protect the data of millions of subscribers.

The new requirement will take effect in February 2027, giving operators a year to upgrade their monitoring systems and build the rapid-response reporting structures required under the directive.

New Rules for Faster Incident Reporting

The order forms part of the Cyber Resilience Framework for the Nigerian Communications Sector (CRF-NCS), released by the Nigerian Communications Commission (NCC) in February 2026.

The framework brings strong procedures for how telecom companies must handle and report cybersecurity incidents.

Under the new guidelines, operators must quickly notify the regulator once a cyber threat is detected and continue to provide updates until the incident is fully resolved.

“Under the framework, telecommunications companies must alert the regulator within four hours of detecting a cyber incident and continue to provide updates every four hours until the situation is contained. Operators are also required to submit a confirmation report within 24 hours through a dedicated reporting portal,” the framework states.

Regulators say the goal is to prevent minor security breaches from escalating into major service disruptions or large-scale data leaks that could affect Nigeria’s digital economy.

Mandatory 24/7 Security Monitoring

To meet the new reporting timeline, the NCC has also mandated telecom operators to establish dedicated Security Operations Centres (SOCs).

These centres will monitor network activity round the clock, allowing companies to quickly identify suspicious behaviour, malware or hacking attempts.

Beyond detection, the centres are expected to coordinate rapid responses when threats occur.

“The framework also requires telecommunications companies to establish dedicated Security Operations Centres (SOC) to monitor networks continuously for suspicious activity and cyber threats. These centres are expected to detect and report malicious activities promptly while coordinating responses internally,” the regulator said.

Industry Collaboration and Threat Intelligence

The framework also places strong emphasis on collaboration across the telecom sector. Each operator must appoint a cybersecurity lead who will work directly with the commission’s Computer Security Incident Response Team (CSIRT).

The aim is to improve intelligence sharing across networks. If one operator experiences a specific cyber threat, others can be alerted quickly and take preventive action.

“In addition, each operator must designate a cybersecurity lead responsible for working with the commission’s Computer Security Incident Response Team (CSIRT) to share intelligence and coordinate responses to incidents affecting the communications ecosystem,” the NCC noted.

Protecting Critical Digital Infrastructure

Telecommunications networks now underpin many essential services in Nigeria, from mobile banking to government platforms and everyday internet access.

A major cyberattack on telecom infrastructure could disrupt communication services and affect large parts of the digital economy.

As a result, regulators have been tightening cybersecurity requirements across the industry. The revised Internet Code of Practice introduced in 2026 already requires operators to inform customers if their personal data has been compromised.

“In a related move, operators are now required under the revised Internet Code of Practice 2026 to notify customers of any data breach affecting their personal information within 48 hours of discovery,” the commission added.

Building a Stronger Cybersecurity Framework

According to the NCC, the cyber resilience framework is part of broader efforts to strengthen the security of Nigeria’s communications infrastructure and create a coordinated approach to cyber threats across the sector.

“The NCC said the new framework forms part of broader efforts to strengthen resilience across Nigeria’s communications infrastructure and promote a unified cybersecurity posture in the sector,” the statement said.

With the February 2027 deadline in view, telecom operators are expected to invest in stronger monitoring systems and cybersecurity capabilities to comply with the new rules.

An NCC-CSIRT advisory said threat actors have taken advantage of a viral TikTok challenge, known as the Invisible Challenge, to disseminate an information-stealing malware known as the WASP (or W4SP) stealer.

The WASP stealer, which is high in probability with critical damage potential, is a persistent malware hosted on discord that its developer claim is undetectable.

The advisory said “The Invisible Challenge involves wrapping a somewhat transparent body contouring filter around a presumed naked individual. Attackers are uploading videos to TikTok with a link to software that they claim can reverse the filter’s effects.

“Those who click on the link and attempt to download the software, known as “unfilter,” are infected with the WASP stealer. Suspended accounts had amassed over a million views after initially posting the videos with a link. Following the link leads to the “Space Unfilter” Discord server, which had 32,000 members at its peak but has since been removed by its creators.

“Successful installation will allow the malware to harvest keystrokes, screenshots, network activity, and other information from devices where it is installed. It may also covertly monitor user behaviour and harvest Personally Identifiable Information (PII), including names and passwords, keystrokes from emails, chat programs, websites visited, and financial activity. This malware may be capable of covertly collecting screenshots, video recordings, or the ability to activate any connected camera or microphone,” it explained.

The Team said some ways to forestall such an attack include avoiding clicking on suspicious links, using anti-malware software on your devices, checking app tray and removing any apps that you do not remember installing or that are dormant and embracing healthy password hygiene practices such as using a password manager.

The CSIRT is the telecom sector’s cyber security incidence centre set up by the NCC to focus on incidents in the telecom sector and as they may affect telecom consumers and citizens at large.

The CSIRT also works collaboratively with Nigerian Computer Emergency Response Team (ngCERT), established by the Federal Government to reduce the volume of future computer risk incidents by preparing, protecting, and securing Nigerian cyberspace to forestall attacks, and problems or related events.

The fact that car remotes are categorized short range devices that make use of radio frequency (RF) to lock and unlock cars informed the need for the Commission to alert the general public on this emergent danger, where hackers take advantage to unlock and start a compromised car.

Dr. Ikechukwu Adinde, Director, Public Affairs at NCC cited the latest advisory released by the Computer Security Incident Response Team (CSIRT), the Cybersecurity Centre for the telecom sector established by the NCC, stating that the vulnerability is a Man-in-the-Middle (MitM) attack or, more specifically, a replay attack in which an attacker intercepts the RF signals normally sent from a remote key fob to the car, manipulates these signals, and re-sends them later to unlock the car at will.

With this latest type of cyber-attack, it is also possible to manipulate the captured commands and re-transmit them to achieve a different outcome altogether.

“Multiple researchers disclosed a vulnerability, which is said to be used by a nearby attacker to unlock some Honda and Acura car models and start their engines wirelessly. The attack consists of a threat actor capturing the radio frequency (RF) signals sent from your key fob to the car and resending these signals to take control of your car’s remote keyless entry system,” the advisory stated emphatically.

However, the NCC-CSIRT, in the advisory, has offer some precautionary measures or solutions that can be adopted by car owners to prevent falling victim to the attack.

According to the cyber-alert unit of the Commission, “When affected, the only mitigation is to reset your key fob at the dealership. Besides, the affected car manufacturer may provide a security mechanism that generate fresh codes for each authentication request, this makes it difficult for an attacker to ‘replay’ the codes thereafter. Additionally, vulnerable car users should store their key fobs in signal-blocking ’Faraday pouches’ when not in use.”

Importantly, car owners in the stated categories are advised to choose Passive Keyless Entry (PKE) as opposed to Remote Keyless Entry (RKE), which would make it harder for an attacker to read the signal due to the fact that criminals would need to be at close proximity to carry out their nefarious acts.

The PKE is an automotive security system that operates automatically when the user is in proximity to the vehicle, unlocking the door on approach or when the door handle is pulled, and also locking it when the user walks away or touches the car on exit.

The RKE system, on the other hand, represents the standard solution for conveniently locking and unlocking a vehicle’s doors and luggage compartment by remote control.

Additionally, in a related advisory, the NCC, based on another detection by CSIRT, wishes to inform the general public about the resurgence of Joker Trojan-Infected Android Apps on Google Play Store.

This arose due to the activities of criminals who intentionally download legitimate apps from the Play Store, modify them by embedding the Trojan malware and then uploading the app back to the Play Store with a new name.

The malicious payload is only activated once the apps goes live on the Play Store, which enables the apps to scale through Google’s strict evaluation process. Once installed, these apps request for permissions that once granted, enable the apps to have access to critical functions such as text messages and notifications.

As a consequence, a compromised device will subscribe unwitting users to premium services, billing them for services that do not exist.

A device like this can also be used to commit Short Messaging Service (SMS) fraud while the owner is unaware.

It can click on online ads automatically and even use SMS One Time password (OTPs) to secretly approve payments. Without checking bank statements, the user will be unaware that he or she has subscribed to an online service. Other actions, such as stealing text messages, contacts, and other device data, are also possible.

To avoid falling victim to the manipulation of hackers deploying Joker Trojan-Infected Android Apps, Android users have been advised to avoid downloading unnecessary apps or installing apps from unofficial sources.

The NCC also wishes to advise telecom consumers to ensure that apps installed from the Google Play Store are heavily scrutinized by reading reviews, assessing the developers, perusing the terms of use and only granting the necessary permissions.

Conclusively, the NCC recommends that unauthorised transactions be checked against any installed app.

Indeed, any apps not in use should be deleted while users are also advised to ensure that a device is always patched and updated to the latest software.