NIMC Act 2026: What the New Law Means for Your NIN, Data and Identity Security

President Bola Tinubu signed the National Identity Management Commission (NIMC) Act 2026 into law on Friday, June 27, ending nearly two decades of legal stagnation in Nigeria’s identity management system. The old framework, the NIMC Act of 2007, had not been touched in 19 years, even as mobile banking, e-government portals, digital SIM registration and a dozen other technologies reshaped how identity works in daily life. That gap is now closed.

The signing took place at the State House in Abuja, with Senate President Godswill Akpabio, Deputy Speaker Benjamin Kalu, the Attorney General Lateef Fagbemi, Interior Minister Olubunmi Tunji-Ojo, a World Bank representative and NIMC Director-General Dr Abisoye Coker-Odusote all in attendance. It was a deliberately high-profile occasion, and the government’s messaging made clear why: this is not a routine amendment. It is a wholesale replacement of the legal basis on which every Nigerian’s identity data is held.

Why the 2007 Act Was No Longer Enough

When the original NIMC Act passed in 2007, the iPhone had just launched in the United States. Nigeria had no e-ID enrolment infrastructure, no biometric database at scale, and no digital economy to speak of. The concept of linking your NIN to a bank account, a mobile line or a passport application would have sounded futuristic.

By 2025, things looked very different. NIMC’s database had grown to cover tens of millions of Nigerians. The NIN became mandatory for SIM registration, international passport applications, bank account opening and voter registration. Digital services multiplied. So did the threats: identity theft, fraudulent NIN registrations, phishing of biometric data and enrolment agents who registered non-Nigerians for money.

The 2007 law simply had no provisions for any of that, not for digital credentials, not for cybersecurity obligations, not for how private companies should handle NIN-linked data. The NIMC Act 2026 was written to fix that.

NIMC Becomes Nigeria’s Digital Trust Authority

The single biggest structural change in the new Act is the designation of NIMC as the Root Certification Authority for Nigeria’s National Public Key Infrastructure (PKI) and Digital Public Infrastructure (DPI).

If that sounds technical, here is what it means in practice: NIMC now controls the digital “keys” that make online transactions trustworthy. Every digital signature, every encrypted government document, every secure identity verification carried out online will flow through infrastructure that NIMC manages and certifies. The commission described its new role as the “trusted authority responsible for secure digital identity, authentication and electronic trust services across government and private-sector digital platforms.”

This is the architecture that makes a digital economy actually work. Without a central, state-backed certification authority, online services cannot reliably verify that the person on the other end of a transaction is who they claim to be. With NIMC in that role, Nigeria now has the legal and institutional foundation to build that trust at scale.

What Happens to Your NIN

Your National Identification Number is not going anywhere. What the new Act does is cement it further as the single foundational credential for identity in Nigeria. The principle of “One Person, One Identity” is explicitly reinforced in the law.

More concretely, the Act formally recognises both physical and digital identity credentials linked to the NIN. So your physical NIN slip, your e-ID card and your digital ID on the NIMC mobile app all now carry explicit legal standing. The General Multipurpose Card, NIMC’s polycarbonate e-ID card, is specifically positioned in the law as a “versatile identity credential for nationwide identity verification.”

The NIN is also now explicitly mandatory for a wider list of services. According to Roving Reporters, the Act makes NIN mandatory for passports, voter registration, banking, land transactions, telecoms, pensions and tax payments, among other key services. None of this is new in practice, but the Act puts it on a clearer legal footing.

For Nigerians in the diaspora, the law includes a specific guarantee of “wider, easier and more convenient access to identity services wherever you are in the world.” Tinubu addressed this directly, saying diaspora Nigerians would not be left out. Practically, this means continued expansion of licensed diaspora enrolment agents and potentially simpler renewal processes through embassies and consulates.

Data Protection: The Real Shift

This is where the 2026 Act has the most direct effect on ordinary Nigerians. The old law had almost nothing to say about how your personal data should be handled once it was collected. The new Act brings NIMC’s data practices in line with the Nigeria Data Protection Act (NDPA) and international privacy standards.

In practice this means your data, biometrics, address, date of birth, linked credentials, must now be processed, stored and protected under legally defined standards. NIMC and any private organisation that accesses NIN-linked data through NIMC’s verification infrastructure is now bound by these obligations.

NIMC Director-General Coker-Odusote was explicit about enforcement: the commission will “implement the legislation with transparency, professionalism and strict data protection standards,” and will intensify audits of enrolment partners and third-party integrators. Only software approved and certified by NIMC will be permitted within the commission’s ecosystem.

The Act also strengthens NIMC’s power to enable “secure, interoperable and seamless data exchange” among government ministries, departments and agencies, and private organisations. On its face this is an efficiency measure, agencies should no longer be running parallel, disconnected databases. But the flip side is that more organisations will have access to NIN-linked data, which makes the privacy safeguards in the new law more important, not less.

Stiffer Penalties for Identity Fraud

This is where the law gets blunt. Tinubu’s words at the signing ceremony left little room for interpretation: “For those who think they can exploit the system, those who forge identities, register multiple times, or steal the identities of others, hear me clearly.”

The Act introduces what the President described as “stiffer sanctions” against identity fraud and related offences. Specifically, it targets multiple NIN registrations, impersonation, and fraudulent enrolment. The law also addresses identity theft more broadly in a way the 2007 Act never did.

This came just days after the Independent Corrupt Practices Commission (ICPC) separately warned NIMC’s front-end enrolment partners that fraudulent NIN registrations, including registering non-Nigerians, attract a seven-year jail term. “If you abuse the privilege you have been given, that amounts to abuse of office,” ICPC’s Mark Faison said at a security briefing. The new Act gives that kind of enforcement a much stronger legal foundation.

Under the previous framework, conducting certain specified transactions without a NIN already carried a minimum fine of ₦50,000 or six months’ imprisonment. For corporate entities, the minimum jumped to ₦1,000,000. The 2026 Act tightens these provisions further and extends them to digital-era offences the 2007 law never anticipated.

Security and the Real-World Impact

Interior Minister Olubunmi Tunji-Ojo made a striking point at the signing. He revealed that NIMC’s identity database, now linked to the immigration database and to Interpol in real time, had been used to identify and arrest terrorists attempting to re-enter Nigeria after the Hajj pilgrimage. “This is only possible because NIMC’s ID is already connected with the immigration database, and it’s already speaking to even the Interpol 24/7,” he said.

Tunji-Ojo also noted what has already changed under the current integration: “Today, you can’t get a Nigerian passport without pulling data from NIMC.” The contrast with where things stood before Tinubu came to office, disconnected systems where a passport and a driving licence had no relationship to the identity database, illustrates how far the infrastructure has come. The 2026 Act gives this architecture a proper legal home.

Inclusion for Vulnerable Nigerians

One provision that has received less coverage but matters: the Act includes special enrolment measures for vulnerable groups. The details of how these measures will be implemented are still to come through regulation, but the recognition in the law itself, that not everyone can walk into a NIMC enrolment centre and complete a standard biometric registration, is an important step.

This covers people with disabilities, the elderly, those in remote areas with limited access to enrolment infrastructure, and potentially internally displaced persons. Whether these provisions are implemented effectively will be a key test of how seriously the new framework is taken in practice.

A Restructured Governing Board

The Act also reconstitutes NIMC’s Governing Board with representatives from 14 government institutions, including INEC, the Nigeria Police Force, the DSS, the EFCC, the Central Bank of Nigeria, the National Population Commission and the Office of the National Security Adviser.

That list tells you something about how the government sees NIMC now, not just as a registration agency but as critical infrastructure sitting at the intersection of security, financial regulation, elections and population data. The board’s composition reflects the breadth of what the NIN database is now used for.

What Does This Mean for You Right Now?

If you already have a NIN and your details are current, the immediate practical impact is limited. The Act does not introduce a new registration requirement or deadline. What it does is change the legal environment around your data and raise the floor on how that data is supposed to be protected.

If you have been putting off getting your NIN or updating your records, this is a good time to act. The law’s provisions making NIN mandatory for more services are not new in principle, but they now sit within a legal framework that is harder to sidestep.

For businesses, banks, telecoms operators, insurers, fintechs, government contractors, the compliance picture has changed. Any organisation that uses NIN-linked data for identity verification is now operating under a more defined legal framework, with clearer obligations around data handling and clearer consequences for getting it wrong.

For enrolment agents and NIMC partners, the message from both the Act and from the recent ICPC briefing is consistent: the days of slack oversight are over. Audits will intensify, and fraudulent registrations carry serious criminal exposure.

Nigeria’s digital economy aspirations, particularly the Tinubu administration’s stated goal of a one-trillion-dollar economy, depend on a functioning, trusted identity infrastructure. The 2007 Act was a reasonable starting point for a different era. What the country has now, if it is properly implemented and enforced, is a legal foundation that can actually support what Nigeria is trying to build.

The real work starts now.