The Nigeria Data Protection Commission (NDPC) has raised alarm over growing cybersecurity risks, issuing a regulatory advisory to data controllers and processors across the country.
The warning comes amid what the commission described as increasing threats to Nigeria’s data security infrastructure. According to its technical assessment, certain unidentified threat actors have been carrying out coordinated operations aimed at financial systems and other critical digital assets.
In a statement signed by Babatunde Bamigboye, Head of Legal, Enforcement and Regulations, the commission urged both public and private organisations to take immediate steps to strengthen their data protection systems.
“Public establishments are therefore reminded of the presidential directive of President Bola Ahmed Tinubu, declaring that, ‘Data is the new oil, its value increases the more it is refined and responsibly shared,” the statement said.
The commission also referenced the President’s directive to government institutions, reinforcing the importance of safeguarding national data assets.
‘I therefore direct all Ministries, Extra-Ministerial Departments and Agencies to capture information rigorously and safeguard it under the Nigeria Data Protection Act 2023.”
NDPC stressed that all data controllers and processors—including Ministries, Departments, and Agencies (MDAs)—must urgently enhance both their technical and organisational safeguards in line with the provisions of the Nigeria Data Protection Act 2023.
Among the recommended measures are the appointment of qualified Data Protection Officers, the development and enforcement of comprehensive privacy policies, and the adoption of recognised information security standards.
The commission also highlighted the need for regular Data Privacy Impact Assessments, stronger identity and access control systems such as Multi-Factor Authentication, and the implementation of zero-trust security models alongside network segmentation.
Other critical steps include addressing system vulnerabilities promptly through continuous patch management, securing cloud environments and databases, and strengthening access credential protection.
Organisations were further advised to deploy real-time monitoring and threat detection systems, implement encryption and proper key management practices, and conduct routine Vulnerability Assessment and Penetration Testing (VAPT) on sensitive infrastructure.
Regular data backup, recovery planning, and resilience testing were also emphasised as essential components of a robust data protection strategy.
The commission assured stakeholders of its readiness to provide regulatory guidance and support to ensure compliance and strengthen national data protection standards.
However, it warned that organisations that fail to implement the necessary safeguards as stipulated under the Act may face legal consequences.
