Path To A Digital Economy: Navigating Nigeria's Data Centre And Cloud Ecosystem

Introduction

Data is now the backbone of modern economies, and Nigeria's rapid digital transformation has placed it at the centre of Africa's data and cloud infrastructure conversation. Rising internet penetration, accelerating use of artificial intelligence, and widespread digitisation of commerce and public services have driven a sharp increase in demand for local data centres and cloud capacity. With over 107 million internet users and the digital economy contributing an estimated 20% of GDP¹, Nigeria is consolidating its position as West Africa's leading digital hub. Government policy has reinforced this trajectory, most notably through ongoing efforts to invest approximately USD 2 billion in expanding national fibre infrastructure from about 35,000 km to 125,000 km². These developments are unlocking significant opportunities for infrastructure developers, cloud service providers, and long-term capital investors.

This article seeks to examine three core issues shaping Nigeria's data centre and cloud market: (i) the regulatory landscape, (ii) key ecosystem challenges and mitigation strategies, and (iii) emerging investment opportunities.

The Regulatory Landscape for Data Centres and Cloud Infrastructure Services

The regulatory framework governing digital services in Nigeria is both complex and multi-faceted. Nigeria currently does not have a specific law that governs data centre and cloud services. Instead, the sector is regulated through a multi-layered framework spanning data protection, telecommunication, cybersecurity, consumer protection, licensing, and local content.

The principal regulators are the Nigerian Communications Commission (the "NCC"), the Nigerian Data Protection Commission (the "NDPC"), the National Information Technology Development Agency (the "NITDA") and the Federal Competition and Consumer Protection Authority ("FCCPA").

The NCC occupies a pivotal position in the regulatory landscape by virtue of its supervisory authority over telecommunications infrastructure. Although the operation of a data centre in Nigeria does not, at present, necessitate a dedicated NCC licence, ancillary activities falling within the ambit of telecommunications services may give rise to NCC licensing obligations. In particular, the deployment of fibre infrastructure or the provision of services such as internet access or infrastructure colocation would constitute the offering of telecommunications services and, accordingly, require the procurement of the relevant NCC licence.

NITDA is responsible for the regulation and development of information technology in Nigeria and plays a key role in its development. The NITDA Guidelines for Nigerian Content Development in ICT (the "NITDA Guidelines") encourages the growth of the local ICT sector and prioritizes the use of indigenous products and services. It also mandates all data and information management companies to register their products, capabilities, and organization on the NITDA portal³.

The NDPC regulates the processing of personal data in Nigeria under the Nigerian Data Protection Act (the "NDPA"). Data centres and cloud service providers meet multiple criteria for being classified as Data Controllers or Data Processors of Major Importance ("DCMIs/DPMIs")⁴ and are required to register with the NDPC and comply with other obligations under the NDPA.

Further Compliance Obligations to Consider

Beyond licensing, data centres and cloud operators must also comply with national security and data sovereignty mandates. Key considerations include:

1. Data localisation: Frameworks such as the Nigeria Cloud Computing Policy, NITDA Guidelines, NCC and Central Bank of Nigeria (CBN) regulations all embed localisation principles into Nigeria's data governance regime. Sovereign data⁵, certain subscriber and consumer data, bank verification number (BVN) are also required to be stored locally.

2. Data Security Measures: Data security obligations are layered across multiple laws and sectoral standards. The Cybercrimes (Prohibition, Prevention, etc.) Act 2015⁶, NDPA, sector-specific frameworks such as the CBN Risk Based Cybersecurity Framework for Banks and Payment Processors all mandate security incident reporting, periodic audits and executive responsibility for cybersecurity strategy.

3. Local Content Requirement: NITDA's Guidelines set local content thresholds for IT service providers to support procurements by Ministries, Departments and Agencies (MDAs) of the Federal Government. For instance, an indigenous original equipment manufacturer is required to maintain at least 40% local content value and volume in any segment of the product value chain⁷, an indigenous original design manufacturer may maintain 70%⁸. Although the local content thresholds are not mandatory for all IT service providers operating in Nigeria, the NITDA Guidelines mandate MDAs to procure IT services locally. As such, based on the Guidelines, only IT service providers that are incorporated in Nigeria and are at least 51% owned Nigerians are eligible to provide IT services to MDAs.⁹

4. Certifications and Industry Standards: Although not statutorily mandated, industry certifications serve as de facto compliance indicators. Regulators such as NITDA, NDPC, and the CBN expect cloud service providers and data centre providers to adopt globally recognised standards e.g. the International Standards Organisation ISO 27001, Code of Practice for Cloud Privacy ISO/IEC 27018¹⁰ or similar standards.

5. Interception of Data: Regulatory authorities may lawfully intercept data in Nigeria. The NCC¹¹, National Security Adviser (NSA) and the State Security Services (SSS)¹² are all empowered under their respective enabling statutes to intercept communications¹³ or request disclosure of such communication or records as deemed necessary in cases of public emergency or in the interest of public safety.¹⁴

To view the full article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.