Lagos Cybersecurity Guidelines 2026: What They Are and What Every Business Must Know


Nigeria loses over $500 million to cybercrime every year. That figure, cited by the National Information Technology Development Agency (NITDA) and equivalent to roughly ₦250 billion, has been floating around policy circles for a while. What’s new is that Lagos State has finally done something concrete about it.

On April 19, 2026, the Lagos State Government officially released its Cybersecurity Guidelines, a structured framework covering businesses of all sizes, government agencies, and residents. The announcement came from Commissioner for Information and Strategy Gbenga Omotoso, who framed it plainly: Lagos is expanding fast, the digital attack surface is growing with it, and the state cannot afford to keep treating cybersecurity as someone else’s problem.

If you run a business in Lagos, whether a fintech startup in Victoria Island, an SME in Ikeja, or a legacy enterprise with government contracts, these guidelines affect how you should operate. Here’s what you need to know.

Why Lagos Moved Now

Lagos is not just Nigeria’s commercial capital. It is, by most measures, the fastest-growing technology ecosystem on the African continent. That status comes with a cost: a large, dense, digitally active economy is an attractive target.

The cybercrime losses aren’t abstract. They show up as business email compromise scams that drain company accounts, ransomware that locks hospitals out of patient records, and phishing attacks targeting employees at banks and telecoms. The state’s rapid smart-city ambitions, digital government services, connected infrastructure, and cashless payment systems expand the attack surface with every upgrade.

Commissioner Omotoso put it directly in the announcement: the same digital growth that creates economic opportunity also “brings heightened vulnerability to cyber threats.” The guidelines are the government’s response to that tension.

What the Guidelines Actually Are

One thing worth being clear about upfront: these are not regulations. The document explicitly states that the recommendations are “not regulatory mandates but practical tools designed to empower stakeholders with context-specific cybersecurity measures.”

That matters. Non-compliance won’t trigger a fine or prosecution under the Lagos guidelines themselves. What it will do is leave your organisation exposed to both real cyber risk and scrutiny under national laws that carry penalties.

The framework is published on the Lagos State Government website at lagosstate.gov.ng/cybersecguide and covers three broad categories of stakeholders:

  • Small and medium enterprises (SMEs)
  • Large corporations and multinationals
  • Ministries, Departments, and Agencies (MDAs) — i.e., public sector bodies

The guidelines were developed by the Lagos State Cybersecurity Advisory Council, chaired by Prof. Fene Osakwe, with support from Commissioner for Innovation, Science and Technology Tubosun Alake. The involvement of a dedicated advisory council matters; it signals that the document has technical grounding, not just political intent.

The Four Core Practice Areas

Based on the framework’s recommendations, businesses are expected to address four interconnected areas.

1. Access Controls

Who has access to what, and how is that access managed? Weak access controls remain one of the most common entry points for attackers. The guidelines push organisations to tighten authentication, enforce least-privilege principles, and review who holds administrative rights. For a small business, this might mean enabling multi-factor authentication on email and accounting software. For a large enterprise, it means proper identity and access management (IAM) across systems.

2. Data Protection Processes

This is where the Lagos guidelines directly intersect with national law. Nigeria’s Data Protection Act (2023) already requires organisations that process personal data to implement appropriate safeguards. The Lagos guidelines reinforce this by urging businesses to formalise the ways they collect, store, transmit, and dispose of sensitive data. Encryption, data classification, and clear retention policies are the practical outputs expected here.

3. Staff Awareness and Training

Most breaches don’t start with sophisticated hacking. They start with an employee clicking the wrong link. The guidelines recognise this and call for regular cybersecurity training to ensure staff can identify phishing attempts, handle data responsibly, and know what to do when something goes wrong. This is an area where many Lagos businesses, particularly SMEs, have historically underinvested.

4. Risk Management Strategies

This is the systemic piece. Organisations are encouraged to conduct regular risk assessments, identify their most valuable digital assets, map potential threats, and build response plans before an incident happens, not after. A business that has never mapped its cyber risk has no reliable way to know what it’s defending or whether its defences are in the right place.

How It Fits with National Law

The Lagos guidelines don’t exist in a vacuum. They’re designed to complement three national-level instruments that businesses in Lagos are already legally subject to:

The Cybercrime (Prohibition, Prevention, etc.) Act 2024 is Nigeria’s primary cybercrime statute. It criminalises a broad range of offences, including unauthorised access, cyberstalking, identity theft, and attacks on critical infrastructure. Penalties are significant, with custodial sentences and fines attached to multiple offences.

The Nigeria Data Protection Act (NDPA) 2023 brought Nigeria into closer alignment with international data protection standards. It requires organisations that process personal data to register with the Nigeria Data Protection Commission (NDPC), appoint data protection officers where applicable, and implement measurable security controls. The NDPA has real teeth: the agency has been active in enforcement.

The National Cybersecurity Policy and Strategy (NCPS) 2021 sets the federal government’s priorities across sectors, including finance, health, and critical infrastructure. The Lagos guidelines build on that strategic foundation rather than contradict it.

If your business already has data protection compliance processes in place under the NDPA, you’re part of the way there. The Lagos guidelines help fill in the operational gaps.

What This Means for SMEs Specifically

Small businesses get a version of the guidelines scaled to their reality. That’s intentional, and useful, because most cybersecurity frameworks are built for enterprises with dedicated IT teams and six-figure security budgets.

For an SME in Lagos, the practical starting point is straightforward: secure your email, use strong and unique passwords across accounts, back up data regularly (and test that the backups actually work), and train whoever handles your systems to recognise common threats. These aren’t glamorous measures, but they account for the vast majority of successful attacks against small businesses.

The guidelines also push SMEs toward a mindset shift: cybersecurity is not a one-time IT project but an ongoing operational concern. A business that secured its systems in 2023 and hasn’t revisited them since has probably already drifted.

What Large Enterprises and Government Agencies Should Do

For larger organisations and MDAs, expectations are higher. The guidelines call for formalised governance structures: not just good practices, but documented policies, clear accountability, and regular audits.

Government agencies face particular pressure here. As Lagos continues to build out digital public services, the MDAs managing those systems hold large volumes of citizen data. A breach at that level doesn’t just harm an organisation; it erodes public trust in digital government broadly. The guidelines effectively put state agencies on notice that the government expects them to lead by example on cybersecurity, not lag behind the private sector.

For large private enterprises, the message is similar: the size of your organisation doesn’t just increase your resources, it increases your responsibility and your risk. A data breach at a Lagos bank or major telecoms provider has systemic consequences.

Will the Guidelines Be Enforced?

Not directly, in the legal sense. But that framing probably undersells their significance.

Businesses that adopt the Lagos guidelines will be better positioned if they ever face scrutiny under the NDPA or the Cybercrime Act, because they’ll have documented evidence of reasonable security practices. Businesses that ignore them won’t have that cover.

There’s also a commercial dimension. Investors, international partners, and larger clients increasingly require evidence of cybersecurity posture before signing contracts. Aligning with a government-endorsed framework provides a defensible baseline.

The government has also committed to reviewing and updating the guidelines as threats evolve — which is the right approach, given how quickly the threat landscape changes. A static document issued once and never revisited would quickly become irrelevant.

Getting Started

The full guidelines are publicly available at lagosstate.gov.ng/cybersecguide. They’re free to download and, by design, written to be accessible rather than technical.

A sensible starting approach for any business: read the document, compare its recommendations against your current practices, and identify the biggest gaps. For most organisations, access controls and staff training are where the immediate wins are. Risk management and data protection processes take longer to build properly, but should be on a defined roadmap.

The Lagos Cybersecurity Guidelines won’t make your business impenetrable. Nothing will. What they do is give every organisation in the state, from a two-person agency in Surulere to a multinational with a regional HQ on Lagos Island, a practical, government-backed starting point for taking digital security seriously.

In a city doing $500 million in damage every year from cybercrime, that starting point has been overdue.
