On 30 March 2026, the Central Bank of Nigeria issued a directive that extends mandatory cybersecurity self-assessment to institutions not previously within its regulatory scope.
If your institution is a Microfinance Bank, Payment Service Provider, Finance Company, or Development Finance Institution, this applies to you directly. The CBN is not consulting. It is requiring compliance, with fixed submission timelines that started running from the date of the directive.
This article explains what the directive contains, who it covers, what the submission requires, and what your institution should do before the deadline arrives.
"The CSAT is a structured supervisory instrument designed to obtain comprehensive information on the cybersecurity posture of regulated institutions."
01 — The Directive
What the CBN Has Required
The CBN Compliance Department issued this directive on 30 March 2026 under reference CMD/DIR/PUB/ESSD/001/2026, formally deploying a Cybersecurity Self-Assessment Tool across the Nigerian financial sector.
The CSAT is a structured supervisory instrument. It covers cybersecurity governance, risk management practices, technology and third-party risk controls, incident response capabilities, and overall operational resilience. This is not a voluntary questionnaire. It is a mandatory regulatory submission completed through a dedicated CBN portal.
Access credentials and submission guidance will be communicated directly to Chief Information Security Officers at each institution. If your CISO has not received those credentials since the directive was issued on 30 March, that requires immediate attention.
Institution Type                                   Submission Deadline
Deposit Money Banks                                3 weeks — approx. 20 April 2026
Companies, Development Finance Institutions        5 weeks — approx. 4 May 2026
All submissions must be fully completed and accompanied by relevant supporting documentation. The data cut-off date for the assessment period is 31 December 2025. Institutions requiring clarification should contact CBN’s Enterprise Security Supervision Division at cmd.enterprisesecurity@cbn.gov.ng.
Scope
The directive explicitly names Deposit Money Banks, Payment Service Banks, Microfinance Banks, Payment Service Providers, Finance Companies, and Development Finance Institutions. This is materially broader than prior CBN cybersecurity frameworks, which focused primarily on commercial banks and payment service banks.
02 — Why This Matters
The Regulatory Shift Behind This Directive
The CBN has been tightening cybersecurity oversight since its Risk-Based Cybersecurity Framework came into force in July 2024. This directive signals a deliberate expansion of that oversight architecture to a much wider set of regulated institutions.
Microfinance Banks, Payment Service Providers, Finance Companies, and Development Finance Institutions collectively process enormous volumes of customer financial data. Many have not historically operated under the same cybersecurity governance expectations as commercial banks. That changes now, formally and with a fixed deadline.
The CBN established a dedicated Enterprise Security Supervision Division in September 2025, with cybersecurity, data protection, and third-party risk explicitly assigned to it. This directive comes from that division and signals that CBN intends to treat cybersecurity compliance with the same rigour it applies to prudential and AML requirements.
Nigeria’s financial sector faces 4,718 cyberattacks per week, according to Check Point Software’s 2024 African Perspectives on Cybersecurity Report, the highest frequency of any sector in the country. Nigerian financial institutions lost N52.26 billion to fraud in 2024 alone, according to the Nigeria Inter-Bank Settlement System, a sharp increase from the previous year. A missed or inadequate CSAT submission becomes a formal non-compliance event on the CBN supervisory record, one that will be interrogated in the next examination cycle.
03 — Assessment Areas
What the CSAT Measures
The CBN describes the CSAT as covering five core areas. Here is what your institution will need to demonstrate across each.
Governance
Board-level oversight of cybersecurity, a formally appointed CISO with documented authority and budget, and cybersecurity policies approved at board level. An institution that has appointed a CISO in title but without the authority or resources the role requires will be exposed here.
Risk Management
A documented cybersecurity risk framework integrated into the institution’s overall risk management structure. Risk assessments must be current. Historical documents that have not been reviewed or updated will not satisfy this requirement.
Technology and Third-Party Risk
Every vendor and FinTech integration must be covered by a formal assessment, a compliance monitoring programme, and a business continuity plan. Institutions with large partner ecosystems frequently cannot produce this documentation on request.
Incident Response
A documented, tested incident response procedure covering escalation paths, communication templates, and regulatory reporting formats. A written plan that has never been exercised is not a tested procedure.
Operational Resilience
Evidence that the institution can continue to operate during, and recover from, a significant cyber event. Business continuity planning, recovery time objectives, and tested recovery procedures are required, not just documented intentions.
04 — Recommended Actions
What Your Institution Should Do Before the Deadline
The five-week window is short. If documented controls are not already in place across the five CSAT areas, they cannot be built from scratch before the deadline. What can be done is an honest internal assessment, a credible remediation plan, and the most complete submission your institution can produce.
On the Data Cut-Off
The directive specifies that CSAT data must cover the period ending 31 December 2025. Your evidence and documented controls must reflect what your institution had in place as of that date. The preparation window is about documentation and positioning, not about implementing new controls to include in the submission.