Introduction

2025 was another significant year, marking further progress in Nigeria's evolving data protection ecosystem. It signalled the eclipsing end of the era of "passive compliance" and regulatory grace periods; the practice of dangling carrots to induce compliance is dying out, replaced by assertive enforcement. Building on the foundational work of previous years, the Nigeria Data Protection Commission (NDPC) moved assertively to translate the Nigeria Data Protection Act (NDPA) from statute into practice. A critical implementation directive, a record-breaking flurry of enforcement actions, and varying legislative manoeuvres filled the year. For the ecosystem, the message became undeniable: a proactive, operational approach to data governance is no longer a "nice-to-have" but a non-negotiable requirement.

This review examines the pivotal developments of 2025, analyses the new compliance realities, and provides a strategic forecast for the regulatory landscape in 2026.

2025 in Review — From Passenger to Driver Seat

‍

Nigeria's data protection framework matured significantly in 2025. As predicted at the start of the year, the NDPC fulfilled its promise to shift focus from policy formulation to active implementation and sanctioning.  The most significant regulatory milestone was the operationalisation of the Nigeria Data Protection Act General Application and Implementation Directive (GAID). Published in March 2025 following extensive stakeholder consultations in 2024, the GAID came into full effect on September 19, 2025. The NDPC also revised the mandatory registration guidance note in response to the court's judgment to clarify the guidance.

Furthermore, the Commission launched a major enforcement drive in the second quarter, issuing compliance notices to over 1,300 organisations across key economic sectors, including finance, insurance, and gaming. Additionally, a high-profile dispute with a major international social media platform over alleged violations involving the processing of Nigerian users' data was resolved in November through an out-of-court settlement.  In a clear signal to the telecommunications and media sector, the NDPC imposed a ₦766.2 million fine on a leading digital satellite television provider. The sanction addressed privacy breaches and illegal cross-border data transfers.  Beyond issuing fines, the NDPC launched formal investigations into the data-processing activities of widely used platforms, including a popular caller-identification app and a social media service. Scrutiny also turned inward to the public sector, with an investigation launched into alleged data breaches at the Joint Admissions and Matriculation Board.

While the regulator moved on to enforcement, the year saw increased litigation, and the Nigerian judiciary played a part in shaping the interpretation of damages and liability. Courts issued some crucial decisions. A High Court awarded ₦5 million in damages against a commercial bank. The bank altered and deleted transaction records, resulting in the customer losing a property deal valued at ₦200 million. This judgment established that data mismanagement leading to economic loss is actionable and compensable. Similarly, the Federal High Court awarded damages against a microfinance bank for intrusive robocalls. The court issued a perpetual injunction against the company and ordered a formal apology. Crucially, in another case involving unsolicited marketing, a High Court awarded a plaintiff ₦1 million, affirming that a customer’s objection to marketing is absolute and requires no further action to be valid. The court also provided a crucial clarification in one of its judgments. The court decided that data subjects whose rights under the NDPA were infringed upon could approach the court directly without first lodging a complaint with the NDPC. The court emphasised that approaching the NDPC in the first instance is merely discretionary. Collectively, these judicial and regulatory milestones underscore a decisive shift: accountability is no longer theoretical, and the cost of non-compliance has moved from a potential risk to an immediate reality.

The Legislative Surge

‍

2025 witnessed an uptick in legislative activity. The National Assembly introduced multiple bills targeting different facets of the digital economy, often creating a complex web of overlapping requirements. A proposed amendment to the NDPA, first introduced in 2024, scaled second reading in the Senate in March. The bill seeks to require foreign social media companies and bloggers to establish a physical office in Nigeria. In August, the House of Representatives introduced another Nigerian Data Protection (Amendment) Bill targeting application developers. This proposal seeks to enforce mandatory registration with the NDPC, standardised consent interfaces, and annual impact assessments. It also empowers the NDPC to recommend the removal of non-compliant applications. However, these obligations already exist under the NDPA and GAID, raising concerns about legislative redundancy.

Expanding the scope, the Digital Sovereignty, AI Governance, and Fair Compensation Bill was presented in February to target the extraction and monetisation of Nigerian data by foreign companies. This ambitious proposal includes a Digital Services Tax for companies with annual turnover exceeding ₦10 billion, strict data localisation requirements for national security data, and a "local content" requirement that at least 30% of AI research on Nigerian data be conducted in the country. Flowing from this focus on AI governance, the National Artificial Intelligence Commission (Establishment) Bill was introduced in May, while another Nigerian Artificial Intelligence Bill was presented in October for its first reading.

Most notably, a public hearing on the National Digital Economy and E-Governance Bill was held in November. This Bill introduces explicit regulation of AI. It positions the National Information Technology Development Agency (NITDA) as a "super-regulator" with powers to classify AI risks, mandate transparency, and accredit AI auditors. In parallel, the House of Representatives passed the Child Online Access Protection Bill. This legislation mandates Internet Service Providers to block violent or exploitative material and penalises online grooming. Complementing this, there were at least four proposals to amend the Cybercrimes (Prohibition, etc.) Act at the Senate and House of Representatives, there is an ongoing effort to introduce cybersecurity-specific legislation.

Sectoral Mandates and Ethical AI

Beyond the National Assembly, sectoral regulators and statutory bodies actively expanded the scope of compliance. The National Insurance Commission issued the Guidelines for Insurtech Operations in Nigeria, which explicitly require all insurance institutions and Insurtech firms to comply with the NDPA and the Cybercrimes Act. Similarly, the Federal Competition and Consumer Protection Commission released the Digital Electronic Online or Non-Traditional Consumer Lending Regulations 2025. These regulations impose strict data governance standards on digital lenders to prevent privacy violations and unethical recovery practices.

On the policy front, Nigeria finalised and published its National AI Strategy, establishing a structured approach to AI adoption. Complementing this, the National Human Rights Commission established a unit to engage with technology companies to prevent AI-related harms and ensure that human rights remain central to technological advancement. The Nigerian Communications Commission (NCC) added to the regulatory mix by opening its draft Internet Code of Practice for public comment. This code introduces distinct obligations for Internet Access Service Providers (IASPs), including a strict 48-hour data-breach reporting timeline (shorter than the NDPA’s 72-hour timeline) and requirements for parental-control measures.

International Alignment and Innovation

Nigeria’s domestic efforts were bolstered by significant international milestones. The country hosted the Network of African Data Protection Authorities conference, asserting its leadership on the continent. More critically, Nigeria was formally welcomed as an associate member of the Global Cross-Border Privacy Rules Forum. This strategic move signals Nigeria's intent to align with global mechanisms for data flows, offering an alternative transfer mechanism to the European-centric GDPR adequacy model. Simultaneously, the NDPC announced plans to launch regulatory AI sandboxes.

2026 Outlook — From Compliance to Strategy

‍

The developments of 2025 underscore a deepened institutional commitment to data protection. As we look ahead to 2026, the framework's maturation will likely centre on an implementation strategy that harmonises robust enforcement with the imperatives of a thriving digital economy. Drawing on global best practices and the trajectory established in 2025, several key trends are likely to shape the industry's future.

1. With the National AI Strategy now published, the focus shifts to legislative backing. We anticipate the enactment of the National Digital Economy and E-Governance Bill in the second quarter of 2026. This legislation will position NITDA as a "super-regulator" for the digital economy. The Bill is expected to grant wide-ranging powers to classify AI systems by risk, mandate algorithmic transparency, and accredit AI auditors, thereby creating a dual regulatory environment alongside the NDPC. Simultaneously, we expect progress on various AI-specific bills. These include the Digital Sovereignty, AI Governance, and Fair Compensation Bill; the National Artificial Intelligence Commission (Establishment) Bill; and the four consolidated AI Bills. The Digital Economy Bill may lay them to rest, thereby allowing NITDA to regulate more broadly.
2. Concurrently, the two proposals to amend the NDP Act—targeting foreign social media platforms and application developers—are expected to advance in the National Assembly. While intended to close perceived gaps, these amendments may introduce complexity for digital businesses. Alongside this, we anticipate a new proposal for a Cybersecurity Law and the potential progress with the Digital Rights and Freedom Bill.
3. Child online safety will receive heightened regulatory and policy attention in 2026. A significant push is anticipated with the Child Online Access Protection Bill expected to be signed into law. This will be complemented by amendments to the Cybercrimes Act and new regulations from the NCC, including its draft Internet Code of Practice and Child Online Standard Operating Procedure. More domain regulators are expected to play their part, creating a comprehensive safety net for younger digital users.
4. The NDPC is expected to continue imposing fines and will also begin to strategically use other administrative powers. We anticipate a move towards a more risk-based strategy, prioritising high-risk sectors. The Commission will likely continue to leverage "naming and shaming" as a compliance tool, publicly listing organisations that fail to file audits or respond to breach inquiries. Furthermore, building on the announcement in May 2025, the NDPC will likely launch its regulatory sandbox, allowing startups to test their solutions in a controlled environment.
5. We anticipate that the NDPC will publish additional guidance notes to provide much-needed clarity on the implementation of the Act. Additionally, sector-specific regulators are expected to publish guidance and regulations with a data-protection focus. AI regulation will also gain prominence, with sector- and domain-level regulators issuing guidance and establishing dedicated offices. 
6. We predict a rise in litigation against both public and private organisations. Following the success of some cases in the past years, we expect more "copycat complaints and litigation" as citizens and civil society groups become more emboldened to test the limits of the law in court. This judicial activity will add another layer of interpretation to the NDPA.
7. Finally, progress is expected on the critical issue of international data transfers. We anticipate that the NDPC will publish a definitive, specific guidance note on transfer tools. More importantly, 2026 will be the year Nigeria operationalises its membership of the Global CBPR Forum. The potential licensing of local certification bodies under this system could bring much-needed clarity, allowing Nigerian companies to certify once and transfer data freely to other participating economies.

Conclusion

Ultimately, these parallel trends point to a unified conclusion: data governance in Nigeria is evolving from a theoretical, check-the-box exercise into a core, operational, and strategic business function. For organisations operating in Nigeria, the key challenge in 2026 will no longer be whether to comply, but how to build a sustainable, proactive governance programme. The winners in 2026 will be those who view privacy not as a legal hurdle, but as a marker of trust and a competitive advantage in an increasingly regulated digital economy.

‍

Editor's Note: This article has been edited to align with other reports we are publishing during this period. A condensed version of these forecasts will appear in the IAPP Global Legislative Predictions for 2026. The article now includes GIFs for visual reference.

‍