What happened
On April 19, 2026, Lagos State released its first state-level cybersecurity guidelines — CyberSafe Lagos 2026. Commissioner Gbenga Omotoso announced the publication during a press briefing at Alausa, though the guidelines themselves were prepared under the Ministry of Innovation, Science and Technology led by Commissioner Tubosun Alake. The Advisory Council behind the document is chaired by Prof. Fene Osakwe, with the drafting led by Gbemisola Kayode-Bolarinwa. The full 14-page document is available free at lagosstate.gov.ng/cybersecguide.
The timing matters. These guidelines arrived weeks after ByteToBreach compromised Sterling Bank, Remita, the Corporate Affairs Commission (CAC), and Ikeja Electric in a cascading supply-chain attack that exposed millions of records. Nigeria loses over $500 million annually to cybercrime. Lagos alone has more than 22 million digital platform users and hosts a startup ecosystem valued at $15.3 billion. The state government is signaling that it will not wait for federal enforcement to catch up with the threat environment. Whether that signal translates into action depends on what the guidelines actually contain — and what they leave out.
What the guidelines actually say
The first thing to understand: CyberSafe Lagos 2026 is explicitly voluntary and non-punitive. The document states there will be "no punitive fines and no aggressive audits." This is a set of recommended best practices, not regulation. The guidelines align with existing federal instruments — the Cybercrime (Prohibition, Prevention, Etc.) Act 2024, the Nigeria Data Protection Act (NDPA) 2023, and the National Cybersecurity Policy 2021.
The framework organizes recommendations around four core practice areas: Access Controls, Data Protection Processes, Staff Awareness and Training, and Risk Management. Within these areas, the guidelines define a three-tier structure based on organizational size and risk profile.
The three-tier framework
Tier 1: SMEs and small organizations
Tier 1 targets businesses with limited IT resources — the shops, clinics, law firms, logistics operators, and small fintechs that make up the bulk of Lagos's commercial activity. The requirements are baseline hygiene:
- Staff training on phishing recognition and social engineering tactics
- Strong passwords and MFA across all platforms — email, admin panels, cloud services
- Automatic software updates enabled on all devices and systems
- 3-2-1 backup rule: three copies of critical data, stored on two different media types, with one copy offsite
- Basic network hygiene: change default router passwords, segment guest Wi-Fi from business networks
- Written incident response plan documenting who does what when a breach occurs
- 72-hour breach reporting to ngCERT for confirmed incidents
Estimated first-year cost: N150,000 to N500,000. This covers MFA tools, a basic training program, backup infrastructure, and the time required to draft an incident response plan. For most SMEs, this is achievable without external consultants.
Tier 2: Medium-to-large enterprises
Tier 2 targets companies with dedicated IT staff, significant data holdings, and higher regulatory exposure — banks, insurance firms, mid-size fintechs, telecoms, healthcare networks, and large retailers:
- Adopt NIST or ISO 27001 frameworks as the basis for security governance
- Identity and Access Management (IAM) with least-privilege enforcement — every user gets only the access their role requires
- Network segmentation between business units, environments, and trust zones
- SIEM tools for centralized log collection, correlation, and alerting
- Simulated phishing campaigns to test and reinforce staff training
- Data Protection Impact Assessments (DPIAs) before launching new products or processing activities involving personal data
- Privacy-by-design principles embedded in product development
- Third-party vendor risk management — security assessments of suppliers and partners
- Dedicated security team with board-level reporting on risk posture
Estimated first-year cost: N800,000 to N3,000,000. The range depends on whether the organization already has SIEM infrastructure, how many vendors require assessment, and whether IAM requires a full rebuild or incremental tightening.
Tier 3: Government MDAs
Tier 3 addresses Ministries, Departments, and Agencies — the entities processing citizen data at scale:
- Full governance committees for cybersecurity oversight and policy
- Privileged Access Management (PAM) for administrative and root-level accounts
- Functional Security Operations Centres (SOCs) with 24/7 monitoring capability
- Continuous threat intelligence sharing with ngCERT and peer agencies
- Secure Software Development Lifecycle (SSDLC) with OWASP Top 10 integrated into code review
- Web Application Firewalls (WAFs) and regular penetration testing on public-facing systems
- Public notification protocols during incidents affecting citizen data or services
No cost estimate is provided for Tier 3. The investment required to stand up a functional SOC and PAM program varies by orders of magnitude depending on the agency's current posture.
Why "voluntary" does not mean "optional"
The Lagos guidelines carry no direct penalties. There is no Lagos State cybersecurity enforcement body. There are no fines in this document.
But the NDPA does carry penalties — up to N10 million or 2% of annual gross revenue, whichever is greater. The Nigeria Data Protection Commission (NDPC) has enforcement powers and has begun using them. When NDPC investigates a breach, it asks a straightforward question: did the organization take reasonable steps to protect personal data?
Implementing the CyberSafe guidelines creates documented evidence of reasonable practice. An organization that can demonstrate it followed a recognized framework — trained staff, deployed MFA, conducted DPIAs, maintained incident response plans — has a materially stronger position than one that did nothing. The guidelines function as a compliance scaffold: voluntary in themselves, but valuable as documented proof of due diligence under federal law.
This matters because 72% of Nigerian SMEs are currently unprepared for a cybersecurity incident, according to estimates cited in the guidelines themselves. Most cannot demonstrate that they have taken any structured steps toward data protection. When the next breach occurs — and it will — the gap between organizations that documented their security posture and those that did not will determine who faces enforcement action and who receives the benefit of the doubt.
The guidelines essentially build a paper trail that defends against federal penalties. Treating them as optional is a bet that your organization will never be investigated. That is a bad bet.
Where the guidelines fall short
We have reviewed the full 14-page document. Our assessment is that CyberSafe Lagos 2026 is a credible first effort with several material gaps.
No self-assessment tools. The guidelines describe what organizations should do but provide no checklists, maturity models, or scoring frameworks to help them measure where they stand. An SME reading Tier 1 knows it should have MFA but has no structured way to assess its overall readiness. This is a missed opportunity — a simple compliance checklist would have doubled the document's practical value.
No mention of emerging threats. AI-generated phishing, deepfake voice and video fraud, and the long-term implications of quantum computing on encryption are absent from the document. These are not hypothetical concerns. AI-generated phishing attacks are already in active use against Nigerian financial institutions. A 2026 framework should acknowledge them.
Light on implementation timelines. The guidelines recommend practices but set no milestones. There is no suggested timeline for achieving Tier 1 compliance, no phased rollout for Tier 2 controls. Without timelines, adoption will drift.
No incentive structures. Voluntary frameworks succeed when adoption is rewarded — through tax incentives, preferential procurement scoring, reduced regulatory burden, or public recognition. CyberSafe Lagos offers none of these. The document asks businesses to invest in security out of enlightened self-interest. That is necessary but insufficient.
No technical testing for SMEs. Penetration testing appears only at Tier 3. An SME running a customer-facing web application with payment processing receives no guidance on testing its application security. Vulnerability scanning — even using free tools — should be in Tier 1.
Weak on supply chain risk. The ByteToBreach incident demonstrated exactly how a compromise at one organization cascades through shared infrastructure and API dependencies. The Sterling Bank breach spread to Remita and downstream to organizations that had no direct relationship with the initial target. The CyberSafe guidelines mention vendor risk management at Tier 2 but do not address systemic supply chain exposure. Given that this incident was the immediate backdrop to the guidelines' release, the omission is notable.
What to do right now
Regardless of your organization's size, start with Tier 1. These are baseline hygiene measures that every business should have in place. They cost relatively little and address the attack vectors responsible for the majority of successful compromises in Nigeria.
Get MFA on everything. Email accounts, admin panels, financial systems, cloud platforms, code repositories. If a system holds customer data or processes money, it needs a second factor. Use authenticator apps or hardware keys rather than SMS, which is vulnerable to SIM swap attacks that remain common in Nigeria.
Run a basic access audit. Document who has access to what systems. Identify accounts belonging to former employees. Find shared credentials. Revoke access that is not justified by current job function. This is free and takes a few hours.
Patch what is unpatched. Enable automatic updates on every device and server in your environment. Review your infrastructure for systems running end-of-life software. If it cannot be updated, isolate it.
Verify your backups. Having backups is not enough. Test a restore. Confirm that backups are stored offsite and not accessible from the same credentials that access production systems. Ransomware operators specifically target backup infrastructure.
Draft an incident response plan. It does not need to be elaborate. One page covering: who is contacted, what systems are isolated, how evidence is preserved, when ngCERT is notified, and who communicates with affected parties. Write it down, share it with your team, and review it quarterly.
Document your compliance posture. Create a record of every security measure you implement: training dates, MFA enrollment records, backup test results, access reviews. This paper trail is your defense under the NDPA.
Train staff quarterly. Phishing remains the number one initial access vector in Nigerian cybercrime incidents. A single training session at onboarding is not enough. Run simulated phishing tests. Discuss real incidents. Make security awareness a routine, not an event.
If you are Tier 2 or above: prioritize vendor risk assessment and network segmentation. The ByteToBreach incident proved that your security posture is only as strong as your weakest integration partner. Identify your critical third-party dependencies, assess their security practices, and segment your network so that a compromise in one zone cannot propagate laterally.
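As an added illustration of the access audit and MFA coverage steps above (example code written for this page, not part of the guidelines or of cmdev's tooling), the Python script below cross-references a constructed HR roster with constructed account exports from three systems and flags former-employee accounts, accounts that map to no named employee (shared-credential suspects), missing or SMS-only MFA, and logins older than a review threshold. All names, the export format and the 90-day threshold are assumptions.

```python
from datetime import date, timedelta
# Constructed HR roster (not from the guidelines): who currently works here.
HR_ROSTER = {
    "ade": {"status": "active", "role": "finance"},
    "bola": {"status": "active", "role": "ops"},
    "chidi": {"status": "terminated", "role": "it"},
}

# Constructed account exports from three systems, one row per account.
ACCOUNT_EXPORT = [
    {"system": "email", "account": "ade", "mfa": "app", "last_login": "2026-04-15"},
    {"system": "email", "account": "chidi", "mfa": "sms", "last_login": "2026-01-10"},
    {"system": "admin-panel", "account": "admin", "mfa": "none", "last_login": "2026-04-18"},
    {"system": "cloud", "account": "bola", "mfa": "none", "last_login": "2025-09-01"},
    {"system": "cloud", "account": "ade", "mfa": "hardware", "last_login": "2026-04-10"},
]

STRONG_MFA = {"app", "hardware"}   # SMS counts as MFA on paper but is flagged
STALE_AFTER = timedelta(days=90)   # review threshold; an assumption, not from the page
AUDIT_DATE = date(2026, 4, 19)     # pinned so the sample output is reproducible

def audit_accounts(accounts, roster, today):
    """Return sorted (finding, 'system:account') pairs for a Tier 1 access review."""
    findings = []
    for row in accounts:
        where = f"{row['system']}:{row['account']}"
        person = roster.get(row["account"])
        if person is None:  # maps to no employee: generic or shared credential
            findings.append(("SHARED_OR_UNOWNED", where))
        elif person["status"] != "active":
            findings.append(("FORMER_EMPLOYEE", where))
        if row["mfa"] == "none":
            findings.append(("NO_MFA", where))
        elif row["mfa"] not in STRONG_MFA:
            findings.append(("WEAK_MFA_SMS", where))
        if today - date.fromisoformat(row["last_login"]) > STALE_AFTER:
            findings.append(("STALE", where))
    return sorted(findings)

def summarize(findings):
    """Count findings per type: the figures to keep in the compliance record."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def run_audit():
    return audit_accounts(ACCOUNT_EXPORT, HR_ROSTER, AUDIT_DATE)

if __name__ == "__main__":
    print(*run_audit(), summarize(run_audit()), sep="\n")
```

Replace the two constructed tables with a real HR export and per-system account exports; the per-type counts from summarize() are the kind of dated record the compliance posture paragraph above asks you to keep.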
How cmdev helps
cmdev works with organizations across all three tiers to implement the controls outlined in CyberSafe Lagos 2026. For SMEs, we run rapid security assessments that identify the highest-risk gaps, deploy MFA across your platforms, and deliver staff training programs calibrated to the phishing tactics actually used against Nigerian businesses. For enterprises at Tier 2, we design and deploy SIEM infrastructure, architect network segmentation, and build NDPA compliance programs that satisfy both the CyberSafe guidelines and federal regulatory requirements. For government agencies and MDAs at Tier 3, we provide SOC design and staffing models, threat intelligence integration, and penetration testing aligned with OWASP and ngCERT reporting standards.
The CyberSafe guidelines are a starting point — a reasonable one, despite their gaps. But the threat environment does not wait for readiness assessments to be filed or governance committees to convene. The organizations that act on these recommendations this month will be materially better positioned than those that treat the document as something to read later. Start with what you can control this week.
