NCC Unveils Cyber Resilience Framework to Strengthen Nigeria’s Communications Sector

By Boluwatife Deborah Ekundayo and Aminat Adepoju

The Nigerian Communications Commission (NCC) on February 23, 2026, introduced the Cyber Resilience Framework for the Nigeria Communications Sector (“CRF-NCS” or the “Framework”), establishing operational baselines for the Information Security Management Systems of communications service providers. The Framework ensures alignment with key cybersecurity and policy directives, including the Nigeria Data Protection Act 2023 (NDPA) and the National Cybersecurity Policy and Strategy 2021 (NCPS), and is designed to strengthen the cybersecurity posture of the telecommunications industry while supporting national security and data integrity.

The Framework applies broadly to all telecommunications operators, from traditional operators like Global Mobile Personal Communications Providers, to third-party service providers such as Software-as-a-Service (SaaS) vendors, cybercafés, and other technology partners supporting telecommunications operations. It mandates all licensed communications service providers to develop the capacity to effectively detect, respond to, recover from, and learn from cybersecurity incidents.

Key Provisions of the Framework

The Framework imposes the following obligations on communications service providers:

  • Development of cybersecurity and cyber resilience strategies that meet prescribed minimum requirements, including the appointment of designated cybersecurity officers, periodic risk assessments, annual simulation exercises, and real-time monitoring capabilities.
  • Mandatory reporting of cybersecurity incidents within stipulated timelines, alongside participation in sector-wide cybersecurity research and reporting initiatives.
  • Establishment of a Security Operations Centre (SOC). Where this is not feasible, the NCC’s Computer Security Incident Response Team (NCC-CSIRT) may provide support services.

Framework Structure

The Framework is structured around five pillars of cyber-resilience:

  1. Governance & Compliance (GC): Implementation of governance frameworks, cybersecurity leadership, and regulatory compliance.
  2. Risk Management: Asset management, threat analysis, situational awareness, and information sharing.
  3. Cybersecurity Posture: Addresses technical and organisational measures guaranteeing the security of digital assets. This pillar incorporates data protection and vendor risk management into cybersecurity operations.
  4. Incident Response, Management & Resilience: Addresses the preparedness of communications operators to detect, respond to, and recover from cyber incidents.
  5. Capacity Building & Awareness: Covers cybersecurity capacity building, skill acquisition, cybersecurity awareness, talent development, research, and collaborative engagements among stakeholders.

The Framework also introduces a risk-based tiered-classification system for communication service providers:

  • Tier 1: service providers who own, lease, and/or operate core networks, hold spectrum licenses, or provide critical communications infrastructure (for example, Internet Exchange Points).
  • Tier 2: service providers with national coverage, aggregate service, shared infrastructure providers, and other emerging technology service providers (for example, Internet Service Providers).
  • Tier 3: service providers who provide support services to other communication service providers (for example, Cyber Cafés).

Tier 1 and Tier 2 are subject to annual audits conducted by the NCC or accredited third parties, while Tier 3 operators will carry out biannual self-assessments using NCC-prescribed tools. All communications service providers are required to classify incidents based on severity as Critical, High, Medium, and Low within their incident response plans.

The Framework adopts a technology-neutral and future-proof position, ensuring continued relevance in the face of evolving technologies.

Cyber Incident Reporting Obligations

A central feature of the Framework is the introduction of enhanced cyber incident reporting obligations, in addition to existing statutory requirements.

Communications service providers are required to report cyber incidents to the NCC Computer Security Incident Response Team (NCC-CSIRT) within 4 hours of detection of such incidents, followed by formal confirmation within 24 hours. Subsequent updates must be provided every four (4) hours via designated channels, with a comprehensive follow-up report submitted within seven (7) days of the initial notification. Non-compliance may result in administrative sanctions and financial penalties.

Measures Introduced by the Framework

The Framework adopts a dual approach, combining proactive and reactive cybersecurity measures. These include governance, compliance, risk identification, system security, incident detection, response, recovery, and resilience-building processes. It also encourages the adoption of Zero Trust Architecture to enhance network security and data protection. The ‘Annexures’ contained in the later part of the Framework provide templates and guidance materials to support implementation. Service providers are encouraged to rely on these annexures in designing internal cybersecurity controls and ensuring full compliance.

Implementation Timeline

The Framework is scheduled to take effect on February 23, 2027. All communications service providers are therefore required to achieve full compliance within 12 months from the date of issuance. However, the NCC retains the authority to conduct compliance reviews and mandate earlier adherence where necessary.

Conclusion

Nigeria’s communications sector remains a critical component of the digital economy, as recognised under the National Cybersecurity Policy and Strategy. The Framework therefore marks a pivotal step toward bolstering national security and safeguarding Nigerian users’ data.

Industry stakeholders are advised to review and update their internal governance and compliance structures to align with the Framework ahead of the compliance deadline. Proactive compliance will mitigate regulatory risk, including potential financial penalties, while enhancing operational resilience in line with global best practices.

For further guidance on the Framework and full compliance, you may direct inquiries to the IT, Tech, and Telecommunications team of Babalakin and Co at techtelecom@babalakinandco.com