Nigeria’s data protection regime has entered a new and more assertive phase. With the Nigeria Data Protection Act (NDPA), 2023, firmly in force and the General Application and Implementation Directive (GAID) scheduled to take effect on 19th September 2025, the Nigeria Data Protection Commission (NDPC) (” Commission”) is no longer content with policy pronouncements. It has begun deploying its full investigative and enforcement powers.
The Commission’s most recent step, a sector-wide compliance notice, marks a clear turning point. On Monday, 25th August 2025, the Commission, through its official channels, publicly released the names of organisations in the financial, insurance, pension, and gaming sectors, issuing them a 21-day ultimatum to demonstrate their compliance status. For organisations and their boards, the message could not be clearer: data protection obligations are now a matter of regulatory urgency.