Nigeria Requires Telecom Operators to Report Cyberattacks Within Four Hours from 2027
Nigerian Communications Commission (NCC) has introduced new rules requiring telecom operators and communications service providers in Nigeria to report cyberattacks within four hours of detection, as part of efforts to strengthen the security of the country’s communications infrastructure.
The regulation, outlined in the Cyber Resilience Framework for the Nigerian Communications Sector (CRF-NCS) released in February 2026, will take effect in February 2027, giving operators time to implement the required monitoring and reporting systems.
Under the framework, telecom companies must notify the NCC within four hours after identifying a cyber incident and provide follow-up updates every four hours until the issue is contained. Operators will also be required to submit a detailed confirmation report within 24 hours through a dedicated reporting portal.
The regulator said the new framework is designed to improve cybersecurity oversight in a sector that manages large volumes of sensitive consumer data and critical national infrastructure.
Cyberattacks on telecom networks can lead to service disruptions, malware infections, and breaches of subscriber information. By introducing faster reporting timelines, the NCC aims to improve sector-wide visibility of cyber threats and enable quicker responses before incidents escalate into major outages or data compromises.
As part of the new requirements, telecom operators will also need to establish Security Operations Centres (SOCs) to continuously monitor their networks for suspicious activity. These centres will be responsible for detecting potential threats, reporting incidents promptly, and coordinating internal response measures.
Each operator must also appoint a dedicated cybersecurity lead to work with the commission’s Computer Security Incident Response Team (CSIRT) to share threat intelligence and coordinate responses to sector-wide incidents.
The NCC said the framework is part of a broader push to strengthen the resilience of Nigeria’s digital infrastructure as the country’s telecom sector continues to expand.
In a related move, the regulator has also updated its Internet Code of Practice 2026, requiring telecom operators to notify customers within 48 hours if their personal data is compromised in a breach.
With telecom networks supporting millions of mobile and broadband users and serving as gateways for services such as digital payments, messaging, and government platforms, regulators say stronger cybersecurity standards are essential to protect both national infrastructure and consumer privacy.
