Goldsmiths Solicitors Nigeria

World IP Day 2026 Your Nigerian Brand Is Not Protected Until You Have Done This

Colin Egemonye — Fri, 24 Apr 2026 08:33:57 +0000

Every week, we hear a story about a Nigerian business owner who has just discovered that someone else has registered their brand name as a trademark. Or that the logo their designer created is legally owned by the designer, not the business. Or that the technology they licensed from a foreign company cannot be enforced because it was never registered with NOTAP.

In every case, the business owner believed they were protected. They registered their business name with the Corporate Affairs Commission. They had a contract with their designer where they signed a license agreement but none of that was enough. And the cost of fixing it where feasible is always higher than the cost of getting it right in the first place.

On World IP Day, this article explains what it actually takes to protect a brand and its intellectual property in Nigeria in 2026.

CAC Registration Is Not Trademark Protection

This is the most common IP misconception we encounter in Nigeria. A CAC business name or company registration gives you the right to trade under a name within the Nigerian corporate registry. It does not give you the exclusive right to use that name as a brand nor does it prevent anyone else from registering that name as a trademark. And it does not give you any rights that are enforceable against a third party who uses the same name in the marketplace.

Trademark registration at the Nigerian Trademarks Registry gives you the exclusive right to use the mark in Nigeria for the registered goods and services. Without this foundational brand protection enforcement, you are relying on the common law tort of passing-off which requires proof of established goodwill and reputation, is more uncertain than a registered trademark infringement claim, and is considerably more expensive to pursue.

How to Actually Protect Your Brand in Nigeria

Protecting a Nigerian brand properly requires these steps:

Step 1: Conduct a Trademark Search

Before filing a trademark application, a search of the Nigerian Trademarks Registry should be conducted to identify any prior registrations that could conflict with your mark. Filing without searching risks rejection of your application and more seriously a dispute with a prior rights holder whose claim will be stronger than yours.

Read the full update or download the PDF here.

Earth Day 2026 What Environmental Compliance Means for Nigerian Businesses

Colin Egemonye — Wed, 22 Apr 2026 06:09:32 +0000

Earth Day is a global reminder that environmental responsibility is no longer an ethical or reputational concern for businesses, it is a commercial one. For Nigerian businesses seeking international investment, DFI financing, or partnerships with multinational corporates, environmental compliance has become a fundamental prerequisite. For businesses in sectors with huge physical or operational footprints, it is a regulatory obligation backed by meaningful enforcement powers.

In Nigeria, the intersection of environmental regulation and corporate legal obligations is more consequential than most businesses appreciate. This article sets out the key environmental compliance requirements that Nigerian businesses need to understand going forward.

NESREA: Nigeria’s Primary Environmental Enforcement Agency

NESREA is the primary federal agency responsible for environmental standards and enforcement in Nigeria. It operates under the National Environmental Standards and Regulations Enforcement Agency (Establishment) (Amendment) Act and has the authority to inspect business premises, issue compliance notices, levy fines, and institute criminal proceedings against companies and individual officers for environmental breaches.

NESREA’s regulations apply across a wide range of industries like manufacturing, construction, food processing, hospitality, waste management, and any industry that generates effluents, emissions or waste. The regulations cover: ambient air quality standards; water quality standards for industrial effluents; soil contamination limits; noise pollution limits; and chemical and hazardous waste handling requirements.

Many Nigerian businesses particularly those that have grown rapidly and not updated their compliance frameworks are operating in breach of one or more of these standards without being aware of it. A NESREA inspection that reveals non-compliance can result in fines, operational shutdowns, and in serious cases, criminal liability for individual directors and officers.

Environmental Impact Assessments

The Environmental Impact Assessment Act requires that an EIA be conducted for all projects likely to have huge effects on the environment before those projects are approved and commenced. The categories of projects that require an EIA include public or private projects, including manufacturing, agriculture, mining, petroleum, and construction.

Nigerian businesses that have commenced projects that required an EIA without obtaining one face both regulatory exposure and practical risk: a project subsequently found to require an EIA can be shut down and required to undergo the process before it can recommence regardless of how much has been invested.

Environmental & Social Compliance as an Investment Prerequisite

For Nigerian businesses seeking financing from Development Finance Institutions like the Africa Finance Corporation (AFC), African Development Bank (AfDB), Proparco: Société de promotion et de participation pour la coopération économique (Private sector financing arm of the AFD Group – Agence Française de Développement) and Deutsche Investitions-und Entwicklungsgesellschaft ( DEG – German development finance institution), environmental and social (E&S) compliance is not optional. DFI loan agreements incorporate E&S standards (typically the IFC Performance Standards or the Equator Principles) as binding contractual obligations, breach of which constitutes an event of default.

These E&S standards go beyond basic regulatory compliance to address: the assessment and management of environmental and social risks; labour and working conditions; resource efficiency and pollution prevention; community health, safety, and security; land acquisition and involuntary resettlement; and biodiversity conservation. A Nigerian business seeking DFI financing that has not invested in understanding and meeting these standards is unlikely to close a transaction.

Read the full update or download the PDF here.

NIPC, CAMA and Foreign Entry in Nigeria – The 2026 Compliance Checklist

Colin Egemonye — Mon, 20 Apr 2026 13:51:43 +0000

In 2026, foreign investment into Nigeria through a wholly foreign-owned subsidiary, a joint venture with a Nigerian partner, or an equity investment into an existing Nigerian business is going to be more complex to structure and comply with. Updated regulatory frameworks for foreign business presence in Nigeria are now in place, and some international investors and their Nigerian partners may be operating on assumptions from last year that are not compliant. This regulatory update identifies five compliance areas that need to be addressed by 2026.

NIPC Registration

For companies with foreign investments, registration with the Nigerian Investment Promotion Commission (NIPC) is required before starting business in Nigeria. Failure to register is a criminal offence under the Nigerian Investment Promotion Commission Act.

For foreign-owned companies the minimum share capital thresholds are being revised in 2026. For a company with foreign participation, the minimum share capital is N100,000,000.00. This means that the share capital is not due to be paid up on incorporation – the company does not have to put the full amount in any account on that day. But all shares must be issued and allocated at the time of incorporation. For certain industries including financial services, oil and gas and defence-related companies the minimum capital thresholds are higher under sector-specific regulations. For companies registered before the threshold changes but whose paid-up share capital is now below the current minimum, advice must be sought on whether a capital increase is needed and how to go about it.

The Pioneer Status Incentive (PSI)

The Pioneer Status Incentive (PSI)scheme of the Nigerian Investment Promotion Commission has been discontinued. NIPC said it is no longer accepting PSI applications after November 10, 2025. So now they are in the Economic Development Tax Incentive Scheme – EDTI – which launched on January 1, 2026.

Compliance with the Companies and Allied Matters Act

Compliant with the Companies and Allied Matters Act, companies with foreign participation are liable for the same annual compliance obligations under the Companies and Allied Matters Act 2020 as Nigerian-owned companies, but in practice, foreign investors delegate these obligations without due process, and the compliance gap is most obvious at the worst time.

These are the three CAMA compliance areas where foreign-invested companies are most frequently in arrears: Annual returns must be filed within 42 days of the Annual General Meeting (which is itself required within six months of the financial year end). A company can be struck off the register for failure to file annual returns repeatedly.

All material decisions must be recorded in the Beneficial Ownership Register, which must include foreign investors who hold shares through intermediary holding companies, and Board resolutions must be in accordance with the company’s articles of association.

Read the full update or download the PDF here.

Nigerian Lending – Perfection. Banks and Borrowers Keep Making These 5 Mistakes

Colin Egemonye — Wed, 15 Apr 2026 10:37:52 +0000

There is no loan facility stronger than the security that underlies it. Any bank that doesn’t properly secure its assets is not a secured creditor. And a borrower that does not understand its perfection obligations might find that its representations to its lender were false. These are five security perfection mistakes we see often and every party involved in a Nigerian credit transaction needs to know about them.

Unregistered Charges at the CAC

Charges by a Nigerian company over its assets must be registered with the CAC within 90 days under the Companies and Allied Matters Act 2020. An unregistered charge is void against a liquidator, administrator, or any other creditor, so the secured lender is essentially on par with all other unsecured creditors in an insolvency or enforcement situation.

We know this is a requirement, but it is often not met, especially in transactions where several parties move very quickly, where the borrower’s lawyers are doing all the perfecting without the lender being involved in the process, or where post-closing perfection undertakings are given but never enforced.

A documented perfection checklist, under lender counsel supervision, with CAC registration evidence gathered and verified before drawdown – that’s the solution. The principle is simple: There is no registration and there is no drawdown.

Missed or Incorrect Stamp Duty

Loan agreements, debentures and mortgages in Nigeria are subject to Stamp Duty. In Nigerian courts, an unstamped or inadequately stamped document is not admissible as evidence. The document does not disappear; the parties remain obligated to each other. It removes the possibility that those obligations can be enforced in courts.

In many cases, the stamp duty position on complex instruments such as debentures with multiple asset classes, syndicated facilities with multiple lenders, and cross-border security packages is not clear, and Nigerian stamp duty law has not kept up with the pace of modern lending transactions. Lenders and their advisers should not rely on precedent or think that what was accepted in a previous transaction will be accepted here. Specific advice on the position of each instrument before execution is the standard.

DEFECTIVE DEBENTURES

Debentures with defects create both fixed and floating charges on a company’s assets. But the scope and enforceability of those charges depends entirely on how the debenture is written – and badly written debentures are very common in Nigerian lending transactions.

The most common defects are:

It fails to mention the asset classes that bear the primary security value.
Use of ambiguous descriptions of charged assets.
Not including important provisions for the crystallization of the floating charge into a fixed charge.

Debenture provisions that violate the company’s articles of association are unlikely to be fit for purpose. That goes for FinTechs, technology companies and businesses whose assets are intangible.

Read the full update or download the PDF here.

CBN Fintech Licensing 2026 – It’s The Nigerian Founder Who Keeps Confusing The World With Their 3-Licenses

Colin Egemonye — Fri, 10 Apr 2026 08:53:01 +0000

Most FinTech founders are aware they need a Central Bank of Nigeria license. But very few know which one to apply for – and the difference between applying for the wrong license and the right one is huge. A rejected application, wasted time, and regulatory exposure – and sometimes even a breach of existing commitments to clients and investors – are all examples of wasted time and regulatory exposure.

And in 2026, the revised payments framework makes the distinctions between license categories easier to understand and the consequences of operating in the wrong category more severe. Here are the three most commonly confused license categories for Nigerian FinTechs and the key questions to ask when choosing one.

License Category 1: Mobile Money Operator (MMO)

FinTechs that sell mobile wallet services and e-money directly to end users need a mobile money operator license. In an MMO, customers load money onto their wallets, which are held in trust by the MMO and are returned on demand.

Key characteristics:

You are providing direct financial services to consumers.
You hold customer funds temporarily or in trust.
Your product involves issuing or redeeming e-money.
You are responsible for full KYC and anti-money laundering obligations for your end users.

Currently, the minimum capital requirements for Tier 1 MMO licenses is N2 billion. This makes the MMO licence unobtainable for most early-stage FinTechs and many opt for the PSSP route instead – though their product technically needs an MMO licence.

License Category 2: Payment Solution Service Provider (PSSP)

So a Payment Solution Service Provider (PSSP) is an independent payment Solution Provider.

Those who provide payment infrastructure, gateway, and processing services mainly to merchants require a payment service provider license. And a PSSP does that without storing customer money the way an MMO does.

Key characteristics:

KeepsThe key difference between an MMO and a PSSP is that you are providing financial services to end consumers (MMO) versus payment infrastructure to businesses (PS).
Your KYC and AML obligations are for your merchant clients, not for the end consumers making payments through your platform.

There are many Nigerian FinTechs that have product features that have quietly moved them into the MMO territory without needing a license change.

Read the full update or download the PDF here.

How Nigerian Businesses Fall Behind in Growth and What Most Founders Miss in Legal Fixes

Colin Egemonye — Wed, 08 Apr 2026 07:31:00 +0000

Your product is validated, you have end users, your revenue is growing, and your team is getting bigger. And then it stops, and the founders can not understand why. This does not happen because the market changes or because the product fails. It’s because legal and structural foundations were built for a startup, and nobody updated the structures for a growing company. Every day, we see these problems in growth-stage Nigerian businesses, but these five are the most consistent, and we fix each one.

A COMPANY STRUCTURE THAT HAS OUTGROWN THE BUSINESS

Having outgrown the business, many Nigerian growing or growth-stage businesses are operating in a corporate structure designed for their founding context: Two equally invested co-founders, with no institutional investors, a simple CAC registration, and annual returns handled by a company secretary. That structure worked well from the start. This was unsuitable for Series A.

Companies face new investors with specific governance requirements, senior hires who need equity, new business lines with different regulatory requirements, potential international expansion etc. Here the original structure creates additional problems such as:

A capitalization table is not compatible with institutional investment.
Articles of association are not suitable for series A or B governance.
Share classes that do not represent the economic reality of the company.
No way to issue options or warrants to key employees.

A structural review of the articles of association, shareholder register, corporate governance framework, and if a new holding structure is required, the most tax-efficient way to reorganize is through the new Nigeria Tax Act 2025. More quickly and easily, this review can be done.

CONTRACTS DESIGNED FOR A MUCH SMALLER OPERATION

Contracts designed for much smaller operations are signed by larger counterparties for larger values, but many of these businesses are still using the same contract templates they drafted (or downloaded from the internet when they started out). The exposure from inadequate commercial contracts grows as the business expands. Among the business-prone gaps that we observe in Nigerian growth-stage business contracts are:

Uncovered liability provisions that give the business unlimited financial risk in a single contract.
Intellectual property clauses, which assign the most valuable assets of the company to clients, suppliers, or contractors.
Paying on long credit terms creates cash flow frictions – especially in contracts with large corporates or government entities.

Force majeure clauses that were last updated in 2019 are now standard and do not cover the full spectrum of disruptions that are now commonplace, making them unworkable in a real dispute.

Read the full update or download the PDF here.

What Every Nigerian Board Should Know About Shareholders’ Agreements in 2026

Colin Egemonye — Wed, 01 Apr 2026 12:53:54 +0000

A poorly drafted shareholders’ agreement is a time bomb waiting to happen and we have seen it happen in boardrooms across ownership disputes, deadlocked decisions and exits gone wrong. Not because the business failed but because the legal foundation was not built to last.

Over time, the patterns we see are remarkably consistent: agreements drafted on templates, never reviewed after signing, and completely inadequate for the company that now exists. This article addresses the clauses that matter and the questions every board should be able to answer about the agreement that governs their company.

Pre-Emption Rights: Who Gets the First Right to Buy?

Pre-emption rights give existing shareholders the first opportunity to acquire shares before they can be sold to a third party. Without them or with poorly drafted versions, a shareholder can sell to anyone, including a competitor or simply someone the remaining shareholders would never have chosen.

The critical questions your agreement must answer are: What triggers the pre-emption obligation? Is it any proposed transfer or only certain categories? What is the valuation mechanism – a price agreed between the parties, an independent valuation or a formula? How long does the pre-emption window last? What happens if the pre-emption price is disputed?

An agreement that is silent or ambiguous on these points will fail at the exact moment it is most needed especially when a shareholder wants to exit the company.

Drag-Along Provisions: Can the Majority Force an Exit?

A drag-along clause allows a majority shareholder or a specified percentage of shareholders acting together to compel all other shareholders to sell their shares on the same terms in a company sale. The purpose is to allow a majority to execute a clean exit without a minority holdout blocking an otherwise agreed transaction. Without a drag-along, a minority shareholder can derail an acquisition by simply refusing to sell.

Read the full update or download the PDF here.

Regulatory Compliance Strategies for Navigating Cybersecurity Risks and Threats in Nigeria

Colin Egemonye — Tue, 24 Mar 2026 08:48:41 +0000

In today’s increasingly digital environment, cybersecurity has become a critical issue for organizations across the globe, including Nigeria. As organizations continue to rely heavily on digital systems and infrastructures for communication, financial transactions, data storage, and operational processes, they are becoming increasingly vulnerable to cyberthreats and breaches such as data theft, ransomware attacks, phishing schemes, and unauthorized system access. These threats not only expose companies to financial losses but can also damage corporate reputation, disrupt business operations, and result in regulatory penalties. In Nigeria, several regulatory frameworks such as the Nigeria Data Protection Act, 2023 and other sector specific compliance regulations place increasing obligations on companies to protect and safeguard sensitive information and implement effective cybersecurity measures.

As a result of the above, it has become imperative for companies to adopt proactive and practical risk management strategies aimed at identifying vulnerabilities, strengthening internal controls, and mitigating potential cyber threats. At the heart of these are legal and compliance issues which companies have to comply with in a world of increasing cyber security risks. To effectively manage cyber risks, organizations must first understand the modern forms cyber threats and risks may take. Some of the most prevalent threats include the following:

1. Phishing Attacks: Phishing is one of the most common and dangerous cyber threats to businesses, responsible for many data breaches. It occurs when attackers pretend to be trusted contacts and trick employees into clicking malicious links, downloading harmful files, or revealing sensitive information such as passwords or financial details. Modern phishing attacks are highly sophisticated, including corporate email compromise, where criminals steal the email credentials of executives and send fraudulent payment requests. Because phishing targets human behavior rather than technical systems, it is usually difficult to stop. Businesses can reduce the risk by using email security gateways, post-delivery protection tools, and security awareness training to help employees identify and report suspicious emails.

2. Malware Attacks: Malware refers to harmful software such as viruses and trojans that hackers use to access networks, steal data, or damage systems. It often spreads through infected websites, spam emails, or compromised devices. Small businesses are especially vulnerable because malware can damage devices, cause costly repairs, and expose sensitive business or customer data. To prevent malware attacks, organizations should implement endpoint protection systems and web security tools that block malicious downloads and prevent access to dangerous websites.

3. Ransomware: Ransomware is a cyberattack where hackers encrypt a company’s data and demand payment to restore access. It has become increasingly common because it is highly profitable for cybercriminals. Businesses that are often targeted are the ones that lack strong security systems or reliable backup systems. When important data is locked, organizations may face major operational disruptions and financial losses. To reduce this risk, businesses should install strong endpoint protection across all devices and implement secure cloud backup systems. Reliable backup systems allow companies to recover their data without paying ransom demands.

4. Insecure Passwords: Weak or easily guessed passwords are a major cybersecurity risk for many businesses. Employees often reuse passwords across multiple accounts or create simple passwords that attackers can easily guess. This can allow hackers to gain unauthorized access to sensitive company systems and information. The problem often occurs because employees are unaware of the risks associated with poor password practices. Businesses should use password management tools to generate and store strong passwords securely. In addition, multi-factor authentication (MFA) should be implemented to add an extra layer of security protection.

5. Insider Threats: Insider threats arise from individuals within the organization, such as employees, former staff, contractors, or partners who have access to company systems. These threats may occur intentionally due to malicious motives or unintentionally due to negligence or lack of awareness. Because insiders already have authorized access, they can cause serious data breaches or security incidents. The risk increases when employees have access to systems or information, they do not need for their roles. Businesses can reduce insider threats by promoting cybersecurity awareness, providing regular employee training, and limiting system access based on job responsibilities.

Key Compliance Obligations for Companies in Nigeria.

As cyber threats continue to evolve, several legal and regulatory frameworks impose specific obligations on companies to safeguard digital systems and personal data. To remain compliant and avoid regulatory sanctions, organizations must prioritize the following key compliance obligations.

1. Risk Management Requirements: Nigerian companies must continually evaluate and mitigate risks to ensure that they avoid any potential breaches that may occur from cybersecurity threats and risks. Central Bank of Nigeria (CBN) Guideline on Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Banks, 2024 mandates that Nigerian financial institutions move beyond basic security to a structured, continuous risk lifecycle. Under this guideline, companies must execute these four core risk management activities:
• Risk Identification: Organizations must identify all information assets and the specific threats or vulnerabilities associated with their confidentiality, integrity, and availability.
• Risk Assessment: A formal risk assessment must be conducted at least annually. Also, new assessments are required immediately following major changes, such as mergers, acquisitions, or the deployment of new technology and it also requires that the findings be recorded in a Cybersecurity Risk Control Self-Assessment report.
• Risk Measurement: Institutions are now required to quantify the financial loss and reputational damage that could result from identified cyber risks.
• Risk Mitigation & Treatment: Security measures such as encryption or multi-factor authentication must be implemented in direct proportion to how critical the asset is and based on the assessment, management must explicitly choose to reduce, accept, avoid, or transfer (e.g., through insurance) each identified risk.

2.Registration as a Data Controller / Processor with the NDPC: Pursuant to section 44 of the Nigeria Data Protection Act 2023 (NDPA), organisations that process personal data in Nigeria are required to register with the Nigeria Data Protection Commission (NDPC) as a Data Controller or Data Processor, particularly where they process personal data on a large scale or process sensitive personal data. Registration enables the NDPC to ensure compliance with applicable data protection obligations. Organisations are generally required to provide details of their data processing activities, the categories of personal data processed, and the security measures implemented to protect such data. Failure to register where required may expose organisations to regulatory sanctions and administrative penalties under the NDPA.

3. Conducting Data Protection Impact Assessments (DPIAs): Prior to the commencement of any project or data processing activity in Nigeria, an organization must identify its objectives and determine the necessity of a Data Protection Impact Assessment (DPIA). Under Section 28 of the Nigeria Data Protection Act (NDPA) 2023, a data controller is legally mandated to carry out a DPIA where processing is likely to result in a high risk to the rights and freedoms of data subjects. The NDPA General Application and Implementation Directive (GAID) 2025 clarifies these high-risk circumstances. A DPIA is mandatory when evaluating or scoring (profiling) data subjects, when engaging in automated decision-making with legal or similar significant effects, when conducting systematic monitoring and when sensitive or highly personal data is involved etc. Adherence to Section 28 of the NDPA 2023 and the GAID 2025 is a mandatory prerequisite for high-risk data processing. Failure to conduct a DPIA where required not only invites significant regulatory sanctions from the NDPC but also compromises the organization’s commitment to Data Protection.

4. Appointment of Data Protection Officers: Pursuant to section 32 of the Nigeria Data Protection Act 2023 (NDPA), a data controller of major importance is required to designate a Data Protection Officer (DPO) with expert knowledge of data protection law and practices and the ability to carry out the tasks prescribed under the Act. The Act further provides that a data controller or data processor must ensure that its Data Protection Officer is involved, properly and in a timely manner, in all issues relating to the protection of personal data. The duties of the DPO include informing the organisation and its employees of their legal obligations under applicable data protection laws, overseeing internal data protection policies and audits, and preparing periodic internal compliance reports for management, which may be integrated into the organisation’s Record of Processing Activities (RoPA).

5. Filing of Annual Compliance Audit Returns (CARs): Under the Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID) 2025, data controllers and processors of major importance are required to conduct an annual audit of their data protection practices. It mandates the filing of a Compliance Audit Return (CAR) with the Nigeria Data Protection Commission (NDPC) to demonstrate accountability and transparency, the deadline for this filing is 31st March of each year. The audit must be conducted and the CAR filed through a licensed Data Protection Compliance Organisation (DPCO), which provides an independent verification statement to the Commission. Failure to file the CAR by the prescribed deadline may result in penalty.

6. Breach Notification Obligations: Under Section 40 of the Nigeria Data Protection Act (NDPA) 2023, organizations are strictly required to report personal data breaches to the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of an incident likely to result in a risk to the rights and freedoms of individuals. Where a breach is categorized as high risk, the data controller must also notify the affected data subjects immediately in plain and clear language. The GAID 2025 further clarifies that these notifications must include a description of the breach, the categories of data affected, likely consequences, and the mitigation measures taken.

7. Legal Consequences: Cybersecurity incidents can expose organizations to significant legal, financial, and reputational consequences. Under the Cybercrimes (Prohibition, Prevention, etc.) Act, unauthorized access to computer systems, cyber fraud, identity theft, and related cyber offences attract criminal penalties, including fines and imprisonment for offenders. Organizations that fail to implement adequate safeguards may also face regulatory scrutiny, particularly where their systems are exploited to facilitate cybercrime. In addition, the Nigeria Data Protection Act empowers the Nigeria Data Protection Commission to impose administrative fines and corrective measures on organizations that fail to adequately protect personal data or comply with statutory data protection obligations.

Strategies for Strengthening Cybersecurity Compliance.

To effectively manage regulatory obligations and reduce cybersecurity risks, companies and organisations operating in Nigeria should consider adopting the following strategies:
1. Conduct Regular cybersecurity Risk Assessments: Organizations should carry out periodic cybersecurity risk assessments tailored to their specific operational and technological environment. A structured and tiered risk management approach enables companies to identify vulnerabilities, prioritize the protection of critical assets, and allocate resources efficiently.

2. Develop and Maintain an Incident Response Plan: Companies should establish a comprehensive incident response plan outlining procedures for the detection, containment, investigation, and remediation of cyber incidents. The plan should also include clear protocols for notifying regulatory authorities and affected stakeholders within the timelines required by law.

3. Implement Regular Cybersecurity Training for Employees: Human error remains one of the leading causes of cybersecurity incidents. Regular training programs focusing on phishing awareness, secure data handling, and general cybersecurity best practices can significantly reduce vulnerabilities and promote a culture of security within the organization.

4. Ensure Continuous Compliance Monitoring and Reporting: Organizations should actively monitor developments in cybersecurity regulations and guidelines, both within Nigeria and internationally. Continuous compliance monitoring enables companies to remain aligned with evolving regulatory standards and to respond proactively to emerging legal requirements.

5. Leverage Technology and Automation for Security Management: The use of advanced cybersecurity technologies, including automated monitoring tools and artificial intelligence-driven threat detection systems, can significantly strengthen an organization’s security posture. Automated systems can detect anomalies, flag potential threats, and initiate rapid responses, thereby enhancing both regulatory compliance and operational resilience.

Conclusion

Cybersecurity has become an essential priority for organizations operating in today’s digital economy. As businesses increasingly rely on digital systems for their operations, they must also recognize the growing risks posed by cyber threats such as phishing, ransomware, malware, and insider attacks. These threats not only cause financial and operational disruptions but may also expose companies to regulatory penalties and reputational damage.

In Nigeria, legal frameworks such as the Nigeria Data Protection Act and the Cybercrimes (Prohibition, Prevention, etc.) Act place clear obligations on organizations to safeguard personal data and maintain secure digital systems. Consequently, companies must adopt proactive cybersecurity practices, including risk assessments, employee training, incident response planning, and continuous compliance monitoring. By strengthening internal controls and prioritizing cybersecurity governance, Nigerian organizations can better protect their systems, maintain regulatory compliance, and build long-term trust with customers and stakeholders.

Please note that the contents of this article are for general guidance on the Subject Matter. It is NOT legal advice.

For further information or to see our other service offerings, please visit www.goldsmithsllp.com or contact:

Highlight of the Key Provisions of Executive Order No. 9

Goldsmiths Solicitors — Fri, 20 Feb 2026 14:28:47 +0000

On 13 February 2026, the Nigerian President signed the Presidential Executive Order to Safeguard Federation Oil and Gas Revenues and Provide Regulatory Clarity, 2026 (“Executive Order No. 9 of 2026”), aimed at preventing revenue losses and unconstitutional deductions to ensure more funds are available for the federal, state, and local governments.

The Executive Order restores the constitutional revenue entitlements that were altered by the enactment of the Petroleum Industry Act (PIA), 2021.

Read the full update or download the PDF here.

How to Obtain Internet Service Provider’s (ISP) License in Nigeria

Colin Egemonye — Thu, 19 Feb 2026 09:23:01 +0000

Introduction

The Nigerian telecommunication sector has continued to experience exponential growth by attracting interests from local and international investors. With a teeming youth population, increase in remote work, online streaming, Nigeria presents immense opportunity for investments in the telecommunication sector especially the provision of internet services.
An Internet Service Provider (ISP) is a company that provides access to the internet through various technologies including fibre-optics, satellite and cable, to individuals and organisations and may also provide other related services such as web hosting, etc.

The Nigerian Communications Commission (NCC) is the regulatory authority with the responsibility of licensing Internet Service Providers in Nigeria. NCC has over the years, issued ISP licenses to some notable internet service providers in Nigeria while ensuring that the Nigerian telecommunication market remains competitive through strict regulations and supervisory oversight of licensed entities. Any entity desirous of providing internet services as an ISP in Nigeria must comply with all the licensing and technical requirements and be issued a license by NCC before it can legally operate in Nigeria.
This article discusses the regulatory requirements and processes for obtaining an Internet Service Provider’s license from the NCC in Nigeria.

Requirements for Obtaining Internet Service Provider’s License

An Internet service provider’s license is an individual license which means that the licensing terms, scope of operation and limitation, obligations, etc. are specific to the service being provided. This is distinct from a class license which has its terms and conditions and the obligations of the licensees common to all the holders. Therefore, to apply for an internet service provider’s license in Nigeria, the applicant must satisfy the conditions for obtaining individual license. These requirements include the following:

1. Company incorporation: The company laws in Nigeria, require that a local company must first be incorporated with the Corporate Affairs Commission (CAC) in Nigeria. There is no minimum share capital requirement for an Internet Service provider’s license, however, where the company has foreign participation, the minimum share capital requirement is N100,000,000 (One Hundred Million Naira) as required by the Federal Ministry of Interior. The corporate documents of the company including the certificate of incorporation, certified true copy of the memorandum and articles of association and status report are required to be submitted to NCC.
2. Tax Registration: Upon incorporation with CAC, the company must be registered with the Federal Inland Revenue Service (FIRS) and obtain its Tax Identification Number (TIN), Tax Clearance Certificate (TCC), etc. which are required to be submitted to NCC for obtaining an ISP license.
3. Security Clearance: An applicant for an ISP license may be required to obtain security clearance from the State Security Service (SSS) for the proposed service and provide NCC with the report on the company and its directors to NCC.
4. The applicant must meet the technical requirements including type approval of telecommunication equipment for operating ISP license as stipulated by NCC.
5. Evidence of sufficient financial resources to provide long-term services to the satisfaction of NCC.
6. Feasibility report of proposed services.
7. Any other document or information that NCC may require from the applicant.

Internet Service Provider’s Licensing Process
Upon satisfying the requirements for obtaining an ISP license, the applicant is required to submit an application to NCC for ISP license, supported by the required documents. The applicant must pay a non-refundable application fee which is 5% of the applicable ISP license fee. Upon the satisfactory review and approval of the application, NCC shall require the payment of the license fee within 30 days. Upon the payment of the license fee, the applicant would therefore be issued with an ISP license authorizing it to provide internet services in Nigeria subject to the terms and conditions stated in the license and compliance with all applicable laws and regulations.

License Validity and Renewal
The internet service providers license is usually valid for 5 years and subject to renewal before the expiration of the license. The application for the renewal of an ISP license must be submitted to NCC at least six months before the expiration of the license. The licensee must also have complied with the terms and conditions of the license including the payment of the annual operating levy to be eligible for the renewal of the license.

Conclusion
Nigerian teeming youth population, growing internet penetration, coupled with increase in remote work and online streaming, presents immense opportunity for investments in its telecommunication sector especially the provision of internet services. ISP license is issued by NCC which is the regulatory authority that regulates the Nigerian telecommunication sector. ISP license allows the provision of internet services through either fibre-optic, satellite or cable to individuals and organisations. Only companies incorporated in Nigeria can apply for ISP license after satisfying other licensing and technical requirements stipulated by NCC. If NCC is satisfied with the application for ISP license, it issues approval to the applicant and requires the payment of the full license fee to be paid within 30 days. Once the applicant pays the license fee, NCC issues the applicant with the license authorising it to provide internet services in Nigeria subject to the terms and conditions of the license and compliance with applicable laws and regulations.

Please note that the contents of this article are for general guidance on the Subject Matter. It is NOT legal advice.

For further information or to see our other service offerings, please visit www.goldsmithsllp.com or contact: