Nigeria to Require Minimum Cybersecurity Spending as AI-augmented Attacks Grow

Nigeria is shifting from ad hoc defenses to a formal regulatory posture after a wave of automated, AI-assisted intrusions inflicted substantial financial and operational harm across public and private sectors. The National Information Technology Development Agency (NITDA) has signaled a national cybersecurity framework will be enacted within the year that mandates baseline spending levels for entities operating in the country. Officials say the change responds to attacks that leverage machine learning and automation to scale, evade traditional controls and target critical services. The framework is intended to standardize minimum technical safeguards, incident reporting, and investment benchmarks so that compliance becomes mandatory for critical sectors rather than optional best practice. Banks, large companies, government units and digital payments platforms are specifically highlighted as both frequent victims and high-impact targets; regulators argue coordinated minimum spending will reduce systemic risk. For firms, the policy introduces a direct compliance cost and will force capital reallocation toward defensive tools, audits, third-party risk management and staff training. The timing coincides with parallel supervisory tightening in the digital payments and fintech sectors, which could amplify compliance burdens and alter competitive dynamics between incumbent banks and startups. That regulatory overlap creates transition risk: smaller fintechs and low-margin service providers may face higher barriers to market or choose consolidation and partnerships with regulated banks to meet new requirements. International vendors and local cybersecurity providers should see heightened demand, while less-resourced businesses could struggle without scaled or phased requirements. Implementation details remain scarce — thresholds, timelines and enforcement mechanisms are to be specified in later regulations — and that ambiguity will determine how smoothly organizations can plan and budget. Success will depend on clear measurement, proportional thresholds that scale by size and risk, and active coordination between NITDA and financial sector supervisors to avoid duplicate or contradictory rules. If designed and sequenced well, the framework could move Nigeria from reactive incident response toward resilient baseline investment, lowering incident-driven losses and stabilizing critical services; if poorly coordinated, it risks increasing costs, encouraging regulatory arbitrage or pushing activity offshore.