The Nigerian Communications Commission (NCC) has directed mobile network operators and other communications service providers to report any cyberattack within four hours of detecting it as part of efforts to strengthen the security of Nigeria’s telecommunications infrastructure.
The directive is aimed at protecting the country’s digital networks and safeguarding the personal data of millions of subscribers who depend on telecom services for communication, banking and internet access.
The new reporting requirement will take effect in February 2027, giving operators about one year to upgrade their monitoring systems and establish rapid-response reporting structures required under the directive.
The order forms part of the Cyber Resilience Framework for the Nigerian Communications Sector (CRF-NCS) released by the commission in February 2026. The framework introduces stricter procedures on how telecom operators must detect, manage and report cybersecurity incidents affecting their networks.
Under the new guidelines, telecommunications companies are required to notify the regulator within four hours of detecting a cyber incident and continue to provide updates every four hours until the situation is contained.
Operators are also expected to submit a confirmation report within 24 hours through a dedicated reporting portal created by the commission.
Regulators say the move is designed to prevent minor cyber incidents from escalating into major service disruptions or large-scale data breaches that could threaten Nigeria’s growing digital economy.
To meet the reporting requirement, the commission has also directed telecom operators to establish dedicated Security Operations Centres to monitor network activity round the clock.
These centres will track suspicious activity, malware infections and hacking attempts across telecom networks while coordinating internal responses whenever threats are detected.
The commission noted that the monitoring centres are expected to detect malicious activities quickly and ensure that incidents are reported promptly to the regulator.
The framework also encourages stronger collaboration across the telecommunications sector. Under the new rules, each operator must appoint a cybersecurity lead who will work directly with the commission’s Computer Security Incident Response Team to share intelligence and coordinate responses to cyber incidents.
The arrangement is expected to strengthen threat intelligence sharing across telecom networks so that when one operator detects a new cyber threat, others can take preventive action quickly.
Telecommunications networks now support several essential services in Nigeria, including mobile banking, government platforms and internet services used by millions of individuals and businesses.
Industry experts warn that a major cyberattack on telecom infrastructure could disrupt communication services and affect large segments of the country’s digital economy.
As part of broader efforts to strengthen cybersecurity within the sector, the revised Internet Code of Practice introduced in 2026 also requires operators to notify customers within 48 hours if their personal data has been compromised in a data breach.
According to the commission, the cyber resilience framework forms part of ongoing efforts to strengthen the security of Nigeria’s communications infrastructure and promote a coordinated approach to managing cyber threats across the sector.
