NASS moves to amend data protection act over rising cyber threats

**HEADLINE:** Nigeria Data Protection Act Amendment 2025: NASS Tightens Cyber Rules Amid AI Boom

**META_DESCRIPTION:** Nigeria's National Assembly amends data protection law to combat rising cyber threats and AI risks. What investors and businesses need to know about compliance changes.

---

## ARTICLE:

Nigeria's National Assembly is moving to amend the National Data Protection Act (NDPA) 2023, signaling a critical shift in how the nation's most populous market will regulate digital security and artificial intelligence. The legislative push comes as cyber threats accelerate across Africa's largest economy, and as AI adoption outpaces existing regulatory frameworks. For investors, tech operators, and multinational corporations, this amendment represents both a compliance burden and a market-shaping opportunity.

The original NDPA 2023 was Nigeria's first comprehensive data privacy law, establishing baseline protections for personal data processing. However, just two years into implementation, the framework is already struggling to address emerging risks: ransomware attacks on financial institutions, data breaches in fintech, and unregulated AI deployment in critical sectors. The National Assembly's decision to revisit the law reflects growing pressure from cybersecurity experts, civil society, and international partners who warn that the current act lacks teeth in AI governance and lacks provisions for cross-border data flows essential to modern business.

## What specific cyber threats are driving this amendment?

Nigeria faces a documented surge in cyberattacks targeting banks, telecom operators, and government agencies. In 2024 alone, ransomware gangs targeted Nigerian financial institutions multiple times, with attackers demanding millions in Bitcoin. Additionally, unregulated AI systems—particularly in lending, credit scoring, and hiring—operate without algorithmic accountability, exposing consumers to discriminatory practices. These gaps have prompted lawmakers to strengthen enforcement mechanisms and create explicit AI governance clauses.

## How will the amended act impact business operations?

The expected amendments will likely impose stricter data localization requirements (storing Nigerian data within Nigeria), mandatory AI impact assessments before deploying high-risk algorithms, and increased penalties for non-compliance. Companies currently exempted or operating in gray zones will face tighter scrutiny. Foreign tech firms and fintech platforms—already under pressure from the Central Bank and Securities and Exchange Commission—will need dedicated compliance teams and local data infrastructure investments.

## Why are investors watching this closely?

The amendment signals Nigeria's intent to establish itself as a regulated digital market, not a Wild West for tech experimentation. This regulatory clarity, while costly short-term, reduces systemic risk and attracts institutional capital. However, poorly designed rules could stifle innovation in Nigeria's thriving fintech ecosystem, which has attracted $2+ billion in venture funding since 2020. The key risk: over-regulation could push startups to jurisdictions like Kenya or South Africa with lighter touch governance.

The amendment debate will likely stretch into Q2 2025, with final passage expected by mid-year. Companies operating in Nigeria—especially in fintech, e-commerce, AI, and telecommunications—should begin compliance audits immediately. The window to influence legislative language through industry consultation is closing.

---

##