The Nigerian Communications Commission (NCC) has rolled out a new Cyber Resilience Framework for the telecommunications sector, mandating that key telecom operators report significant cybersecurity incidents within four hours of detection. This framework, released on February 23, 2026, aims to strengthen Nigeria’s digital infrastructure against increasingly complex cyber threats and enhance coordinated responses among telecom providers.
Telecom service providers, including major players like MTN Nigeria, Airtel Nigeria, and Globacom, are required to report cybersecurity breaches to the NCC’s Computer Security Incident Response Team (CSIRT). For critical incidents, operators must initially notify the NCC within four hours, followed by a comprehensive post-incident report once the situation has been managed.
The new regulations also establish a standardised reporting method, obliging operators to detail incidents using an official cybersecurity incident notification template. The report needs to specify the type of threat—whether distributed denial-of-service (DDoS) attacks, ransomware, or others—along with the systems affected and the initial measures taken to contain the threat.
This directive applies to communication service providers at three operational levels. Tier 1 encompasses significant operators, including mobile network operators, Universal Access Service License holders, and data centre teams. Tier 2 includes Internet service providers, value-added service aggregators, and infrastructure-sharing providers, while Tier 3 covers support service providers such as terminal equipment vendors and cybercafés.
The NCC’s updated reporting requirement is geared towards boosting sector-wide cyber resilience, enabling rapid coordination in responses and preventing threats from cascading through interconnected networks. Additionally, it emphasises the need to protect Critical National Information Infrastructure (CNII) and consumer data as Nigeria’s digital services continue to evolve.
Telecom service providers are expected to achieve complete compliance with the new standards within 12 months of the framework’s introduction. However, the NCC has indicated that it may commence compliance reviews sooner if deemed necessary.
