Two Nigerian Laws Require Staff Cybersecurity Training

Staff cybersecurity training is no longer optional in Nigeria. Two major regulations now require organisations to train their employees as part of their legal compliance obligations.

The Nigerian Communications Commission (NCC) and the Nigeria Data Protection Commission (NDPC) have both introduced frameworks that make staff cybersecurity training a formal requirement, not just a best practice.

If your organisation handles telecom infrastructure or processes personal data, this applies to you.


Why Staff Cybersecurity Training Is Now Mandatory

For years, cybersecurity was treated as a technical issue handled mainly by IT teams. That approach no longer works, and regulators have now written the shift into law.

As a result, two key legal instruments now enforce staff cybersecurity training across organisations:

  • The NCC’s Cyber Resilience Framework for the Nigerian Communications Sector (CRF-NCS)
  • The Nigeria Data Protection Act (NDPA) 2023, supported by the General Application and Implementation Directive (GAID)

Together, these regulations extend responsibility beyond IT departments. Specifically, they now include:

  • Executives and board members
  • Technical teams
  • Non-technical staff

In short, everyone is now part of your organisation’s security posture.

The NCC Cyber Resilience Framework Explained

The NCC released the Cyber Resilience Framework in February 2026, giving operators a 12-month compliance window to align with its requirements.

The framework applies to all licensed telecom operators, including:

  • Mobile network operators
  • Internet service providers
  • Infrastructure providers
  • Data centre operators

Although the framework is built on five pillars, one stands out for most organisations: Capacity Building and Awareness.

Importantly, this pillar explicitly requires continuous staff cybersecurity training across all levels of the organisation.

This includes:

  • Boards of directors
  • Technical personnel
  • General employees
  • Customer-facing awareness initiatives

Unlike a one-time onboarding session, this training must be ongoing, structured, and measurable: organisations are expected to run it as a continuous programme, not a one-off activity.

NDPA 2023: Training Is a Legal Obligation

Similarly, the NDPA 2023 reinforces staff cybersecurity training from a data protection standpoint.

In fact, any organisation that collects or processes personal data must ensure its staff understand how to handle that data securely.

Under the NDPA:

  • A Data Protection Officer (DPO) must be appointed
  • Staff must receive regular training on data protection
  • Organisations must build a culture of privacy
  • Organisations are legally responsible for their employees' actions

This last point is particularly critical.

For example, if an employee mishandles personal data, whether through negligence, lack of awareness, or a phishing attack, the organisation can still be held liable.

Therefore, staff cybersecurity training becomes not just a compliance requirement but also a risk management necessity.

What Happens When Both Laws Apply

In many cases, especially for telecom operators and digital businesses, both the NCC framework and the NDPA apply simultaneously.

As a result, this creates a compounding compliance risk.

For instance, a single cybersecurity incident may trigger:

  • A 4-hour reporting obligation to the NCC
  • A 72-hour reporting requirement to the NDPC

If employees are not trained to:

  • Recognise an incident
  • Escalate it quickly
  • Follow the correct procedures

then a single missed or late report can put the organisation in breach of both regulations at the same time.

What Staff Cybersecurity Training Must Cover

Although neither regulation provides a fixed curriculum, both clearly define outcomes. In other words, staff must be capable of fulfilling their responsibilities effectively.

Therefore, training should be tailored by role.

Leadership and Executives

They need to understand:

  • Cyber risk exposure
  • Governance responsibilities
  • Regulatory consequences of breaches

Technical Teams

They must be able to:

  • Operate within security frameworks
  • Follow incident response procedures
  • Align systems with data protection requirements

General Staff

They should be trained to:

  • Recognise phishing and social engineering
  • Identify potential data breaches
  • Report incidents immediately

Data Protection Officer (DPO)

The DPO must:

  • Lead training initiatives
  • Monitor compliance
  • Stay up to date with regulatory changes

What Your Organisation Should Do Now

If you have not yet implemented structured staff cybersecurity training, then you are already behind.

Therefore, you should take the following steps:

  • First, assume the regulations apply to you—especially if you operate in telecoms or handle personal data
  • Next, ensure your DPO is fully functional, not just appointed but actively resourced
  • Then, develop role-based training programmes for different staff categories
  • In addition, integrate incident response procedures into all training modules
  • Finally, document everything, since training records are critical for proving compliance

Source Link: https://www.cbn.gov.ng/Documents/circulars.html
