CAC suspends portal for 3 days amid cyber threat concerns

Nigeria's Corporate Affairs Commission (CAC), the country's primary business registration authority, has faced a significant operational disruption following reports of a data breach that prompted both a three-day emergency portal shutdown and a formal investigation by the Nigeria Data Protection Commission (NDPC).

The CAC announced the temporary closure of its online portal from April 17–20, 2026, citing scheduled maintenance and system upgrades. However, the timing coincides with the NDPC's public disclosure of an active investigation into alleged unauthorized access to CAC systems, revealing that the "maintenance" was likely a damage-containment response to a confirmed security incident.

**The Regulatory Response**

The NDPC, established under the Nigeria Data Protection Act 2023, has formally invoked its enforcement authority to probe the breach. In a statement signed by the Head of Legal, Enforcement and Regulations Babatunde Bamigboye, the commission emphasized its mandate to "safeguard trust in data management practices" across Nigerian institutions. This marks one of the first major test cases for Nigeria's nascent data protection framework and signals regulatory willingness to hold even government agencies accountable.

**What This Means for European Investors**

For European entrepreneurs and institutional investors operating in Nigeria, this incident carries material implications across multiple dimensions.

First, it raises critical questions about the security of business registration data. The CAC portal processes company formations, director registrations, and beneficial ownership filings—foundational documentation that foreign investors rely upon for due diligence, compliance verification, and title confirmation. If investor data, director information, or corporate structures have been compromised, European entities face potential identity theft, targeted fraud, and regulatory exposure.

Second, the incident exposes governance gaps in Nigerian critical infrastructure. While the NDPC's intervention demonstrates regulatory maturity, the breach itself reflects insufficient cybersecurity investment in a government agency handling sensitive commercial data. This is emblematic of broader infrastructure vulnerabilities in African digital ecosystems that European firms must factor into their risk assessments when expanding operations on the continent.

Third, the three-day shutdown creates immediate operational friction. European companies in mid-transaction—filing new subsidiaries, updating shareholder registers, or processing compliance amendments—face unexpected delays. In jurisdictions where regulatory timelines are tight, this disruption compounds administrative burden.

**Operational and Compliance Considerations**

The incident underscores the importance of due diligence discipline. European investors should:

- Verify all CAC filings immediately upon system restoration, ensuring data integrity and detecting unauthorized amendments
- Strengthen internal controls over corporate governance documentation
- Review cyber liability and data breach insurance policies, ensuring adequate coverage for Nigeria operations
- Demand enhanced data protection commitments from local service providers and law firms managing CAC interactions

**Longer-Term Implications**

This breach may accelerate Nigeria's digital infrastructure hardening, particularly as the NDPC gains enforcement credibility. Expect tighter cybersecurity standards, potential mandatory reporting timelines, and increased compliance costs for CAC users. However, it also creates opportunity: firms offering cyber resilience consulting and data security solutions in Nigeria will likely see rising demand from both government agencies and private sector clients seeking to avoid similar incidents.

The three-day shutdown itself, while disruptive, is a necessary step. Transparent incident response and regulatory investigation strengthen long-term confidence in Nigeria's business ecosystem—critical for sustaining European investment flows.

---

#