Lagos’ Cybersecurity Guidelines is a tiered, practical blueprint, but will it stick?

Lagos is not just Nigeria’s commercial nerve centre but also the undisputed heartbeat of Africa’s technology ecosystem. From the bustling startup clusters in Yaba to the sleek fintech headquarters across Victoria Island, the city breathes innovation. However, with rapid digitisation comes formidable cyber threats. According to the National Information Technology Development Agency (NITDA), Nigeria loses at least $500 million (₦600 billion) annually to cybercrime. 

In a decisive move to secure its digital borders, the Lagos State Government, through Commissioner Gbenga Omotoso, announced the state’s first dedicated Cybersecurity Guidelines for Businesses in Lagos State. This 14-page document, quietly released months earlier and now live on the state’s portal under the banner “Lagos CyberSafe 2026”, represents a crucial pivot in local tech governance.

Unlike the flood of lofty national policies that often gather digital dust, this document reads structured as a practical guide. Prepared by Gbemisola Kayode-Bolarinwa, Head of Project Management for the Lagos State Cybersecurity Advisory Council, it is explicitly not a law. There are no punitive fines and no aggressive audits. Instead, it offers “recommended best practices” tailored to three distinct audiences: small businesses (SMEs), medium-to-large enterprises, and state ministries, departments, and agencies (MDAs). It is timely and relevant considering the recent news of data breaches of several government agencies, including the Corporate Affairs Commission by malicious actors.

The document dovetails neatly into the Cybercrime Act 2024, the Nigeria Data Protection Act 2023, and the National Cybersecurity Policy and Strategy 2021. More importantly, it speaks Lagos’ own language of hustle, limited budgets, and hypergrowth.

The document opens with a stark but honest introduction: Lagos is evolving into a SMART city, home to 22 million digital users and thousands of enterprises, yet “substantial cyber risks” loom large. Phishing, ransomware, insider threats, and unpatched systems are everyday realities for founders and IT managers alike.

The true genius of the guidelines, however, lies in their tiered structure. The drafters do not pretend that a roadside POS operator has the same resources as a fintech unicorn or that a newly launched startup operates like a government portal handling sensitive citizen NIN data.

Lagos’ Cybersecurity Guidelines for Businesses

1. For SMEs, the undisputed backbone of Lagos commerce, the advice is disarmingly simple and immediately actionable. The guidelines strip cybersecurity down to its absolute essentials: no jargon and no six-figure enterprise tools required.

The advice includes conducting regular staff training to spot phishing and social engineering, enforcing strong, unique passwords with multi-factor authentication (MFA) across all platforms, and ensuring automatic software updates. It also champions the classic 3-2-1 backup rule (three copies, two media types, one offsite) and basic network hygiene, such as changing default router passwords and segmenting guest Wi-Fi. A written incident response plan is highly recommended, alongside strict adherence to the 72-hour breach reporting window to ngCERT.

2. Medium and large enterprises get the next layer of complexity: formal governance, rigorous risk assessments, and dedicated security budgets. At this tier, the state encourages adopting recognised global frameworks like NIST or ISO 27001.

Companies are advised to deploy identity and access management (IAM) solutions enforcing least-privilege rules. The guidelines emphasise network segmentation, Security information and event management (SIEM) tools, and simulated phishing campaigns to keep staff continually alert. Data Protection Impact Assessments (DPIAs) and privacy-by-design concepts become mandatory in spirit, if not by law. Crucially, third-party vendor risk management enters the picture, acknowledging the harsh reality that a cloud provider’s hidden weakness can quickly become an enterprise’s headline-making crisis.

3. MDAs handling Critical National Information Infrastructure (CNII) and sensitive citizen data face the strictest expectations of all. The guidelines outline the need for full governance committees, privileged access management, and functional security operations centres (SOCs).

There is a heavy focus on continuous threat intelligence sharing and rigorous third-party risk programmes equipped with ironclad contract clauses and offboarding protocols. Application security receives its own deep dive, mandating a secure software development lifecycle (SSDLC), OWASP Top 10 adherence, web application firewalls, and regular penetration testing. Public notification protocols during incident response are explicitly required, prioritising transparency with citizens.

According to the document, “Businesses that adopt these recommendations are not only protecting themselves; they’re actively contributing to a secure digital ecosystem that fosters innovation, investment, and public confidence.”

The strengths of this policy leap off the page. The tiered, scalable approach is genuinely innovative for Nigeria, acknowledging resource gaps instead of punishing them. By aligning tightly with existing national laws while remaining voluntary, it dramatically lowers the barrier for adoption, especially critical given that 72% of the SMEs flagged in the document are currently unprepared. Empowering businesses through training, backups, and MFA targets the low-hanging fruit responsible for the vast majority of breaches.

Yet, blind spots remain. There are no ready-made self-assessment checklists or maturity metrics, an odd omission for a document that urges organisations to “monitor and evaluate”. Emerging threats like AI-powered deepfakes or quantum risks receive zero mention, keeping the focus strictly on today’s ransomware. Furthermore, implementation guidance is exceptionally light on timelines or success indicators. Because it is purely voluntary, early sceptics have already asked the valid question: Will busy business owners actually take the time to read the 14 pages and implement these changes?

Still, this isn’t just a standalone PDF; it sits inside a broader push by Commissioner Tubosun Alake’s Ministry of Innovation, Science and Technology and the Advisory Council chaired by Prof. Fene Osakwe. The state has promised ongoing updates to keep pace with rapidly evolving threats. 

In a nation where cyber losses can easily rival state budgets, Lagos is choosing collaboration over coercion. It is a pragmatic bet that public-private trust, rather than top-down mandates, will finally move the needle on cyber resilience.