The Nigerian Communications Commission (NCC) has issued a directive that requires all telecommunications companies to report cyber attacks within four hours of detection.
The directive, which is set out in the newly released Cyber Resilience Framework for the Nigeria Communication Sector (CRF-NCS) dated February 2026, is aimed at promoting national security and safeguarding subscribers' data across the country's digital infrastructure.
The CRF-NCS complements the Revised Internet Code of Practice 2026, which already permits telcos to notify affected subscribers of data breaches within 48 hours. The goal of the NCC is to create a real-time situational awareness map to mitigate systemic risks before they impact the national economy.
Operators are obliged to notify the NCC via a dedicated portal within four hours of detecting a threat, followed by status updates every four hours and a full report within 24 hours.
All telcos, including MTN, Airtel, and Globacom, must establish a dedicated Cyber Security Operations Centre (SOC) to monitor and detect malicious activities continuously. The NCC has provided a one-year grace period, starting in February 2027.
“The framework aims to foster a unified and resilient cybersecurity stance while strengthening the protection of telecom infrastructure against cyberattacks… enabling service providers to effectively respond to, recover from, and also learn from cybersecurity events” – NCC
Telecom operators have a twelve-month grace period to integrate these requirements into their internal structures.









