Nigeria’s telecom regulator has ordered mobile network operators and other communications service providers to notify it within four hours of detecting any cyberattack, in a move aimed at strengthening the protection of telecom infrastructure and subscriber data.
The rule will take effect in February 2027, giving operators a year to put in place the necessary monitoring and reporting systems.
The directive is contained in the Cyber Resilience Framework for the Nigerian Communications Sector (CRF-NCS) released by the Nigerian Communications Commission in February 2026.
Under the framework, telecommunications companies must alert the regulator within four hours of detecting a cyber incident and continue to provide updates every four hours until the situation is contained. Operators are also required to submit a confirmation report within 24 hours through a dedicated reporting portal.
The commission said the framework is designed to strengthen cybersecurity oversight in a sector that handles vast volumes of sensitive consumer and national infrastructure data.
Cyber threats targeting telecom networks can lead to service disruptions, data breaches affecting subscriber information, malware infections and other attacks capable of crippling communications systems, according to the regulator.
By introducing faster reporting timelines, the commission said it hopes to improve sector-wide situational awareness and ensure quicker response to threats before they escalate into major outages or data compromises.
The framework also requires telecommunications companies to establish dedicated Security Operations Centres (SOC) to monitor networks continuously for suspicious activity and cyber threats. These centres are expected to detect and report malicious activities promptly while coordinating responses internally.
In addition, each operator must designate a cybersecurity lead responsible for working with the commission’s Computer Security Incident Response Team (CSIRT) to share intelligence and coordinate responses to incidents affecting the communications ecosystem.
The NCC said the new framework forms part of broader efforts to strengthen resilience across Nigeria’s communications infrastructure and promote a unified cybersecurity posture in the sector.
The measures come amid growing global and domestic concern over data breaches and cyber intrusions targeting companies that manage large volumes of digital information.
Telecommunications companies, which serve as gateways for internet traffic, mobile banking, messaging and other digital services, are increasingly seen as critical infrastructure vulnerable to cyber threats.
Nigeria’s telecom regulator has in recent years tightened rules around data protection and network security as the country’s digital economy expands.
In a related move, operators are now required under the revised Internet Code of Practice 2026 to notify customers of any data breach affecting their personal information within 48 hours of discovery.
The regulation aims to ensure that subscribers are informed quickly when their personal data may have been compromised through unauthorised access, disclosure or misuse.
With Nigeria’s telecom networks supporting millions of mobile and broadband users as well as financial and government services, regulators say stronger cybersecurity standards are essential to safeguard both national infrastructure and consumer privacy.
