Introduction
With a population of over 22 million digitally active residents and a startup ecosystem valued at approximately $15.3 billion, Lagos presents both considerable opportunity and heightened exposure to cyber risk. The financial impact of these risks is already apparent. Nigeria has recorded losses exceeding ₦1.1 trillion to cybercrime over a three-year period, including ₦53.4 billion in 2024 alone, while the global average cost of a data breach is estimated at around $4.45 million per incident. These figures suggest that digital growth, when not accompanied by adequate security measures, can significantly increase systemic vulnerability.
The rise in e-commerce, internet banking, and other online services has been accompanied by a corresponding increase in cybercrime across Nigeria. Businesses are increasingly confronted with privacy breaches, fraud, and unauthorised access, often resulting in reputational harm and financial loss. Reports from the Nigerian Communications Commission indicate that the country loses over $500 million annually to cyber-related incidents.
In response, and as part of its broader SMART City initiative, the Lagos State Government issued the 2026 Cybersecurity Guidelines for Businesses and Public Institutions (“the Guidelines”) on 19 April 2026. The aim is to provide clearer direction, reduce operational disruption caused by cyber incidents, and support the development of a secure and competitive digital environment. The announcement was made by the Lagos State Commissioner for Information and Strategy, Mr. Gbenga Omotoso, who noted that the Guidelines represent a further step in positioning Lagos as a secure and forward-looking digital hub.
This article considers the key features of the Guidelines and examines how effectively they respond to the challenges faced by businesses and public institutions. The increasing reliance on technology by SMEs, startups, and government agencies has heightened exposure to cyber risks, particularly where there is limited capacity to implement robust security measures.
Recent legislative developments, including the Cybercrimes (Prohibition and Prevention) Amendment Act 2024 and the Nigerian Data Protection Act 2023, have sought to strengthen the legal framework for managing cyber incidents and protecting personal data. The 2026 Guidelines build on these efforts by promoting awareness and encouraging more consistent cybersecurity practices, with the broader aim of fostering a secure, resilient, and trusted digital ecosystem in Lagos.
KEY HIGHLIGHTS
1. Purpose and Strategic Objectives
The 2026 Cybersecurity Guidelines serve as a practical framework designed to simplify cybersecurity implementation across various organizations, provide scalable and actionable security measures, enhance trust in digital transactions and platforms, minimize operational disruptions caused by cyber incidents and, ultimately, support the Lagos SMART City Transformation Agenda.
These Guidelines focus on institutional capacity and resilience rather than regulatory enforcement.
2. Legal and Regulatory Alignment
The Guidelines recognize and align with key national regulatory frameworks such as the Cybercrimes (Prohibition, Prevention, etc) Act, 2024, the Nigeria Data Protection Act (“NDPA”), 2023 and the National Cybersecurity Policy and Strategy, 2021. This alignment translates into clear compliance obligations for organizations, which include mandatory incident reporting within 72 hours, protection of personal and business data, secure management of critical national infrastructure, and accountability for data governance and security practices.
3. SMEs
3.1 Cyber Risks for SMEs
Small and Medium Enterprises (SMEs) are the major contributors to Lagos’ economy. However, they are heavily exposed to cyber threats for reasons ranging from limited cybersecurity expertise to dependence on cloud and mobile tools. These cyber incidents can be carried out through the infection of IT systems with ransomware, data breaches and theft, and, most commonly, phishing and business email compromise.
The impact of these incidents on SMEs is heavy, as they risk incurring financial losses, operational downtime, regulatory sanctions, incessant suits by aggrieved customers and reputational damage.
3.2 Foundational Cybersecurity Controls for SMEs
To mitigate these risks, the Guidelines prescribe five core controls that deliver strong baseline protection with minimal cost:
a. Regular cybersecurity training and awareness
b. Implementation of robust password policies and Multi-Factor Authentication (MFA)
c. Ensuring automated updates to address known vulnerabilities
d. Securing network configuration by segregating networks including guest Wi-Fi controls
e. Employing reliable data backup systems thereby ensuring business continuity in the event of data loss or ransomware attacks
Data Protection and Legal Responsibilities
The Guidelines suggest ways in which organizations such as SMEs and startups can integrate data protection into their operations. They identify an organization's responsibilities under the Cybercrime Act and under the NDPA.
The Cybercrime Act responsibilities include:
a. Incident Response Planning: The Guidelines state that incorporating a robust incident response plan is crucial for building resilience, reducing risks, and minimizing disruptions caused by cyber incidents. These plans should be regularly reviewed and updated to incorporate new threats and lessons learned from past incidents. This includes incorporating established frameworks such as the NIST Cybersecurity Framework, ISO/IEC 27001 for systematic management of sensitive information, and the Center for Internet Security (CIS) for enhancing cybersecurity resilience and risk management. These frameworks provide a structured approach to managing all phases of incident response, from preparation to post-incident review.
b. Incident Reporting Obligation: Section 21 of the Cybercrime Act mandates institutions, whether public or private, that operate a computer system or network to immediately inform the National Computer Emergency Response Team (ngCERT) of any attacks, intrusions and other disruptions. In line with this provision, the Guidelines remind organizations of their obligation to report any cybersecurity incident to the ngCERT within 72 hours of notice, so that the ngCERT can take necessary measures to tackle the issues.
c. Educating staff on cybercrime awareness: Engaging staff in regular cybersecurity training enhances readiness for any cyber incident. Workers who are aware of the cyber threats can react accordingly.
The NDPA responsibilities recommended by the Guidelines include:
a. Data Minimization Practices: Section 24 (1) (d) of the NDPA mandates data processors and data controllers to ensure that the data obtained from a data subject is adequate, relevant and limited to the minimum necessary for which the personal data was collected or further processed. The Guidelines mandate organizations to be compliant with the NDPA and integrate data minimization practices in their operational frameworks.
b. Secure Storage and Encryption: Section 39 (1) of the NDPA authorizes data processors and data controllers to implement appropriate organizational measures to ensure the security, integrity and confidentiality of personal data in their possession or under their control. These measures are spelt out in Section 39 (2) of the NDPA.
c. Notification of NDPC and Customers after breaches: The Guidelines encourage organizations to comply with the provisions of the NDPA by notifying the National Data Protection Commission and the data subject upon the occurrence of a data breach within 72 hours of notice of the incident, in accordance with Section 40 (2) and (3) of the NDPA. The strategic implication is to protect the data of data subjects, which will directly safeguard brand reputation and customer confidence.