By Adeola Osifeko

In an era where digital innovation drives economic growth, cybersecurity has become a fundamental concern for startups and small and medium enterprises (SMEs) in Nigeria. As businesses increasingly rely on digital platforms for productivity, customer engagement, and market expansion, they face escalating cyber threats that could undermine their operations. The legal implication of cybersecurity breaches, coupled with the evolving regulatory terrain, requires a careful examination of the rights, obligations, and liabilities of Nigerian startups and SMEs under extant laws.

The Legal Issues

Cyberattacks can result in significant legal liabilities, including regulatory penalties, contractual breaches, and reputational damage. The unauthorized exposure of sensitive customer data can trigger enforcement actions under the Nigeria Data Protection Act, 2023 (NDPA), while financial losses from cyber fraud may lead to legal disputes under contract law. Additionally, failure to report cyber incidents within statutory timelines, as mandated under the Cybercrimes (Prohibition, Prevention, Etc.) Amendment Act, 2024, could attract sanctions.

Under the Cybercrimes (Amendment) Act, 2024, businesses must comply with several cybersecurity requirements, including: Payment of a 0.5% cybersecurity levy on electronic transactions, mandatory reporting of cyber incidents within 72 hours and implementation of sector-specific cybersecurity measures through Computer Emergency Response Teams (CERTs).

Similarly, the Nigeria Data Protection Act, 2023, imposes obligations such as obtaining consent before processing personal data; implementing security safeguards against data breaches and registering with the Nigeria Data Protection Commission (NDPC) if handling large data volumes.

Failure to comply with these regulations may result in significant financial and legal consequences.

Protecting Nigerian SMEs

While the Cybercrimes (Amendment) Act, 2024, the NDPA, and sector-specific guidelines provide a foundation for cybersecurity governance, gaps remain. Many SMEs struggle with the financial burden of compliance, while enforcement mechanisms for cybersecurity regulations remain inconsistent. Furthermore, the absence of tailored cybersecurity incentives for SMEs places them at a disadvantage compared to larger corporations with greater resources for compliance.

Legal measures

To reduce exposure to cyber threats and legal liabilities, startups and SMEs should conduct regular cybersecurity risk assessments, adopt multi-factor authentication and encryption for sensitive transactions, establish internal cybersecurity policies aligned with regulatory requirements, engage cybersecurity professionals or consultants to ensure compliance with applicable laws and maintain robust incident response protocols to report breaches within the statutory timeframe.

Cybersecurity is no longer a discretionary concern but a legal and operational necessity for Nigerian startups and SMEs. The increasing sophistication of cyber threats, coupled with stringent regulatory obligations, mandates that businesses proactively safeguard their digital infrastructure.

While existing laws provide a robust framework for cybersecurity, financial and technical barriers hinder effective compliance of startups and SMEs.

To foster a resilient digital economy, the government must complement legal mandates with supportive policies, including tax reliefs and public-private collaborations. Startups and SMEs, in turn, must prioritize cybersecurity measures to protect their assets, maintain regulatory compliance, and sustain consumer trust. Through collective action, Nigeria can create a safer digital ecosystem conducive for economic growth and innovation.

*Osifeko is the managing partner, AEO Law Practice