The NITDA Digital Economy Policy Review 2026: What Every Nigerian Technology Business Should Know

Introduction

The regulatory environment for Nigeria’s digital economy is on the cusp of its most significant shift in more than ten years. This article outlines the implications of the National Information Technology Development Agency (NITDA) 2026 policy review on businesses and the immediate steps required to achieve compliance. It is updated to incorporate recent legal and regulatory developments as of May 2026.

The NITDA Digital Economy Policy Review 2026 is an ongoing regulatory process establishing the ground rules for Nigerian technology businesses, FinTechs, software providers, digital platforms, e-commerce companies, AI developers and all other organisations leveraging digital infrastructure for the period beginning 2027. With Nigeria’s digital economy set to balloon to $18.3 billion in 2026, from $9.97 billion in 2021, the regulatory stakes for technology firms have never been higher. Under the National Information Technology Development Agency Act and the National Digital Economy Policy and Strategy, 2020 – 2030, NITDA is the principal regulator for Nigeria’s digital economy. The 2026 policy review will build upon recent advances in AI governance, data localisation and protection, the amendment of the digital tax regime, the Nigeria Startup Act 2022, the Nigeria Data Protection Act 2023 and NITDA’s expanding licensing regime. In particular, the expected passage of the National Digital Economy and E-Governance Bill which will position NITDA as a ‘super-regulator’ for Nigeria’s digital economy raises a warning flag, signalling an immediate need for all Nigerian tech businesses to achieve compliance.

In this article, we have discussed s the five (5) top priority areas within the NITDA 2026 policy review and how organisations should proceed immediately.

1. AI Governance

The current regulation of AI in Nigeria has primarily drawn on general principles of the law, such as contract, data protection and product liability, rather than on AI-specific legislation. The NITDA 2026 policy review marks the end of this era. Nigeria has already launched its National AI Strategy (2024) and will likely transpose this into law via the National Digital Economy and E-Governance Bill. Subject to expected enactment in 2026, following a public hearing in November 2025, the Bill will render NITDA as Nigeria’s ‘super-regulator’ for digital technology. It will also position Nigeria as the first in Africa to establish a holistic, enforceable regulatory framework for AI. Key implications for companies deploying AI are:

• Risk-based approach and structured classification for AI systems where AI deployed in public administration, finance, automated decision-making or surveillance is subject to mandatory annual audits and stricter scrutiny or regulation;
• Mandatory licensing/registration of AI developers before AI system deployment within the Nigerian digital market;
• Organisations must explain how automated systems make decisions and disclose same to the people affected by those decisions.
• Requirement for human oversight of high-risk AI systems defined as AI systems with the potential to impact individual rights, financial standing or access to services;
• Monetary fines up to NGN10,000,000 or 2% of the AI provider’s total annual Nigerian turnover;
• A parallel framework will operate alongside the Nigeria Data Protection Commission (NDPC), which has previously announced its intent to establish AI regulatory sandboxes under the NDPA 2023.

Nigerian technology businesses using AI to automate services, for credit scoring or for fraud detection will need to assess how they implement and govern the relevant systems. Documentation will be crucial. An inventory of AI systems, their training data sources, testing procedures and human oversight mechanisms will be required by NITDA and will position companies in a stronger compliance stance.

2. Data Protection and Localisation

The Nigeria Data Protection Act (NDPA) 2023 has superseded the previous NDPR 2019 and is now directly implemented by the March 2025 General Application and Implementation Directive (GAID). The GAID, which became operative from 19 September 2025, expressly supersedes the NDPR and its Implementation Framework as the authoritative regulatory instruments.

The NDPA establishes a stand-alone enforcement authority in the shape of the Nigeria Data Protection Commission (NDPC), an enforcement agency with broad powers of investigation and penalisation. Evidence of this enforcement is already mounting; the NDPC imposed a NGN766.2M penalty against Multichoice Nigeria and a $220M fine against Meta Platforms in Q2 2025 and has also already launched 1,368 broad sector investigations into companies in the insurance, pension, banking and gaming sectors as of August 2025. The GAID sets out tiered data controller and data processor classifications based on the nature of the personal data being processed:

• Data Controller/Processors of Major Importance (DCMI/DPMI) and their sub-classifications based on an ultra-high, extra-high and ordinary high-level classifications are required to:
• Have a local Data Protection Officer registered with the NDPC.
• Undergo annual data protection audits within 15 months of operation.
• File Compliance Audit Returns (CARs) with the NDPC. The deadline for submitting CARs for 2025 was extended to 30 May 2026 and this should be viewed as an immediate priority.
• Revisit and update cross-border data transfer mechanisms to ensure compliance with formal transfer impact assessments and contractual safeguards required by the GAID.

The NITDA 2026 policy review looks set to expand existing data localisation obligations even further than mandated by the NDPA. A likely extension of what would be classified as personally identifiable information and data falling under localisation rules, will include data that touches on finances, health and government data. NITDA will likely also strengthen its audit powers of the relevant tech businesses. For any Nigerian FinTechs or tech companies utilising international cloud platforms (such as AWS, Microsoft, Google) without leveraging Nigerian-based infrastructure, the need to consider data localisation will become critical. NITDA is expected to develop an updated data classification framework which will clarify the residency requirements associated with categories of data-businesses should begin assessing likely classification categories immediately.

3. Digital Taxation

Since the Finance Act 2021 established the basis for Significant Economic Presence (SEP), a landmark piece of legislation, the Nigeria Tax Act 2025 (NTA 2025) has revised and further enhanced the rules governing digital taxes in Nigeria.  Key digital tax obligations applicable to Nigerian technology businesses and international entities with a digital presence in Nigeria include:

• Value Added Tax on digital services: Nigeria Revenue Service (NRS) may levy VAT on services provided to persons in Nigeria, even where rendered by a non-resident supplier. Where the recipient of the digital service is in Nigeria and not registered for VAT, the recipient is obliged to withhold and remit the VAT amount to the NRS under the NTA 2025.
• Withholding Tax on digital services: Software, Cloud services, technical support and similar services purchased from non-resident tech companies will attract WHT at prescribed rates, which are specified in the updated Deduction of Tax at Source (Withholding) Regulations (effective 1 January 2025). NRS has provided implementation guidelines for these regulations.
• Companies Income Tax on a significant economic presence (SEP): The NTA 2025 solidifies the existence of an SEP where a non-resident company is deriving income attributable to activities conducted within Nigeria through a digital platform, above a threshold of NGN25 million and is presumed to be deriving 6% deemed profit tax based on attributed turnover.