Data Localisation in Nigeria: Key Considerations for Cloud Service Providers and AI Companies

There is an increasing push for data localisation in Nigeria. Nigeria does not yet have a single, economy-wide data localisation statute. Instead, the legal framework for data localisation has developed incrementally on a sector-by-sector basis, through a combination of primary legislation, sectoral regulations, licensing conditions, and regulatory guidelines issued by agencies such as the Central Bank of Nigeria (CBN), Nigerian Communications Commission (NCC), and the Nigeria Data Protection Commission (NDPC). We highlight some of the categories of data that must be localised (or effectively localised) in Nigeria.

1. Financial and Payment Data 

In a new central banking directive issued in 2026 and effective from January 1, 2027, the Central Bank of Nigeria has mandated that all payments transaction data generated within Nigeria must be stored and managed within Nigeria. The directive is consistent with the prevailing supervisory principle under the CBN regulatory framework that banks, payment service providers, switching companies, and other payment system participants must ensure that critical financial transaction data is accessible within Nigeria and maintained in a manner that guarantees regulatory oversight, auditability, and real-time availability to the Central Bank and other supervisory authorities.

2. Telecommunications and Subscriber Data

Telecom operators are required to collect, store, and maintain subscriber data within Nigeria for regulatory supervision, national security, and lawful interception purposes. The coverage includes mandatory SIM registration and local storage of subscriber identity data, as well as retention of call detail records (CDRs) and traffic data.

3. Government and Public Sector Data

Government and public sector data is subject to localisation requirements through policy directives and procurement rules requiring in-country hosting or sovereign control of sensitive datasets. The regulatory coverage includes federal data systems (e.g., identity, tax, immigration) and cloud services used by government agencies.

4. Critical Infrastructure and National Security Data

Data relating to critical infrastructure is treated as national security-sensitive information. Once infrastructure meets the legal requirement for designation as Critical National Information Infrastructure (CNII), it becomes subject to enhanced protection obligations. The regulatory coverage includes energy, aviation, telecom backbone, and financial market infrastructure.

5. Data of Particular Value or Significance (NDPA “Major Importance” Regime)

Under the Nigeria Data Protection Act (NDPA), "data of particular value or significance to the economy, society or security of Nigeria" is subject to enhanced data protection compliance requirements regardless of location. In practical terms, data of particular value or significance includes personal data processed within key sectors that are considered systemically important to Nigeria’s economy and governance architecture. These sectors include aviation, communications, education, electric power, export and import activities, financial services, health, hospitality, insurance, oil and gas, tourism, e-commerce, and public service. Data controllers and processors in these domains are subject to enhanced compliance obligations under the NDPA and increased supervisory oversight by the Nigeria Data Protection Commission.

Key Takeaways

  1. Certain categories of data must be localised and managed within Nigeria, particularly in regulated sectors such as payments. For example, cloud infrastructure supporting Nigerian payment systems must now ensure the primary storage of payment transaction data within Nigeria, along with local hosting of production databases.

  2. Cloud service providers must also adapt their contractual and governance frameworks, including updates to data processing agreements (DPAs) and stronger service level commitments on data residency and locality to align with Nigerian regulatory expectations.

  3. The emerging legal framework for data localisation in Nigeria is driving a shift in cloud architecture, with providers increasingly expected to deploy Nigeria-specific cloud regions or availability zones, implement locally controlled encryption key management systems, and establish localised administrative layers to support regulatory oversight and compliance.

Olu A.

LL.B. (UNILAG), B.L. (Nigeria), LL.M. (UNILAG), LL.M. (Reading, U.K.)

Olu is a Partner in the Firm’s Transactions & Policy Practice. Admitted as a Barrister & Solicitor of the Supreme Court of Nigeria in 2009, he has spent over a decade advising clients on high-value transactions and policy matters at some of Nigeria’s leading law firms.

olu@balogunharold.com

Esther O.

LL.B. (OOU), B.L. (Nigeria)

Esther is a Legal Analyst at Balogun Harold.
