Lagos Cybersecurity Guidelines 2026: What Every Nigerian Business Must Do Now

Lagos released voluntary cybersecurity guidelines on April 19, 2026, covering every business, enterprise, and government agency.

Last updated: 03 May 2026
Nexoris Technologies
Written By: Chinedu Nwogu

TL;DR: Lagos State released a voluntary cybersecurity framework on April 19, 2026, covering small businesses, large enterprises, and government agencies. Ignoring it does not trigger a direct fine, but the framework aligns with the Nigeria Data Protection Act and the Cybercrime Act, both of which carry real penalties. Every organisation in Lagos should review four areas this quarter: access controls, data protection processes, staff awareness, and risk management.

Frequently Asked Questions (FAQs)

No. The document explicitly states that its recommendations are practical tools, not regulatory mandates. However, the guidelines reinforce existing federal laws, including the Nigeria Data Protection Act and the Cybercrime Act, which are mandatory and carry real penalties.

The guidelines were officially released on April 19, 2026, by Commissioner Gbenga Omotoso on behalf of the Lagos State Government. There is no separate compliance deadline since the framework is voluntary.

The guidelines are addressed to three groups operating in Lagos: small and medium enterprises, large corporations and multinationals, and Ministries, Departments, and Agencies (MDAs). Recommendations are scaled to the size and complexity of each group.

The Nigeria Data Protection Act is a federal law focused specifically on personal data, enforced by the Nigeria Data Protection Commission with fines of up to ₦10 million or 2% of annual gross revenue. The Lagos Guidelines are a voluntary state-level framework that covers broader cybersecurity practice, including access controls, staff training, and risk management.

A small business with fewer than 20 staff can typically reach baseline compliance for ₦150,000 to ₦500,000 in the first year. This covers an audit, basic security configuration, an SSL certificate, a privacy policy, and staff training.

There is no direct penalty for ignoring the Lagos Guidelines themselves. However, businesses that fail to apply reasonable security practices may face investigation under the NDPA, which carries fines of up to 2% of annual gross revenue, or under the Cybercrime Act, which carries fines and prison sentences.

The full framework is publicly available at lagosstate.gov.ng/cybersecguide. It is free and written in accessible, non-technical language.

The guidelines are designed for organisations operating in Lagos State. However, businesses that serve Nigerian users from anywhere are still subject to the Nigeria Data Protection Act, which applies extraterritorially to any organisation processing the personal data of people in Nigeria.
