Nigeria’s National Information Technology Development Agency (NITDA) has confirmed plans to roll out a cybersecurity framework in 2025 that will set minimum cybersecurity spending requirements for organisations operating in the country. The policy responds to a surge in AI-driven cyberattacks targeting banks, payment platforms, telecom operators, and government agencies.
According to the NITDA director general, many companies currently underinvest in cybersecurity, assuming they are unlikely targets. Beyond spending thresholds, the framework will introduce mandatory breach-reporting timelines, mechanisms for sharing threat intelligence between the public and private sectors, and coordinated response protocols for major cyber incidents.
Scale of losses and the AI threat
The regulatory push comes against a backdrop of significant financial damage. Between 2017 and 2023, Nigeria lost an estimated USD 805 million to cybercrime across the banking, telecommunications, and government sectors, according to a 2025 assessment by the United Nations Office on Drugs and Crime. Losses have continued to rise as attacks grow more sophisticated and cryptocurrencies are increasingly used for money laundering.
AI-driven attacks on the country’s financial sector surged by 150% in 2024, according to Prembly, a Nigeria-based cybersecurity firm that provides digital identity verification, compliance, and security infrastructure for financial institutions. Deloitte has projected that ransomware and phishing attacks will increase further in 2025 as more services, payments, and records move online and tools previously confined to cybercriminals become widely accessible.
Instant payments as an attack vector
A particular vulnerability lies in Nigeria’s instant payment infrastructure. Near-real-time transfers leave fraud detection systems with only seconds to analyse large volumes of transactions, distinguish legitimate activity from AI-driven threats, and block suspicious transfers before they are completed. According to Prembly’s chief executive, many existing systems still struggle to keep pace with this challenge.
AI is also being deployed to craft personalised phishing messages, scan systems for weaknesses, and identify high-value targets, according to a chief information security officer at a major Nigeria-based bank. Phishing campaigns have become more convincing as a result, Deloitte noted.
Challenges ahead
Whether the new framework will be sufficient remains uncertain. A shortage of cybersecurity professionals with expertise in emerging technologies is one of the main obstacles, alongside a regulatory environment that continues to lag the pace of technological change. As one legal expert put it, regulation tends to move slower than technology, and where specific rules are absent, certain types of cybercrime remain difficult to curb.
The framework’s implementation will be closely watched across the continent. Nigeria is home to several of Africa’s fastest-growing digital finance companies, including Flutterwave and OPay, and how the country addresses its cybersecurity gaps could set a precedent for other markets navigating similar threats.
