Professional Assessment of Nigeria’s Cybersecurity Policy Framework and Its Implementation Gaps

Nigeria's National Cybersecurity Policy and Strategy provides the normative framework for government cybersecurity governance, but a professional assessment of its implementation gaps reveals significant discrepancies between policy aspiration and operational reality that must be addressed to protect critical national information infrastructure. This study professionally assessed Nigeria's National Cybersecurity Policy and Strategy 2021 implementation across five critical infrastructure sectors: banking and finance, telecommunications, energy, health, and government administration. A policy implementation assessment methodology was employed, combining documentary analysis of NGFIN Annual Cybersecurity Reports, NITDA compliance audit summaries, and sector-specific security incident reports from 2021 to 2023, with structured interviews with 18 sector CISOs and 6 NITDA regulatory officials. Assessment showed that cybersecurity incident response capacity was rated as adequate in only two of five sectors. National CERT-NG operational integration with sector-level CERTs was functional in three of five sectors. Mandatory cybersecurity baseline compliance was certified in fewer than 30 percent of assessed public sector entities. Cyberattack reporting obligations were fulfilled by only 22 percent of private sector entities as required under the Cybercrimes Act 2015. Critical infrastructure protection designations remained undeclared for 47 percent of qualifying facilities. The study recommends a mandatory sectoral CISO appointment regulation, CERT-NG integration incentives, and a National Critical Infrastructure Protection Registry as immediate implementation priorities.

Keywords: cybersecurity policy, NITDA, critical infrastructure, Nigeria, cybersecurity governance