A Regulator Playing the Long Game
When the Nigerian Communications Commission and the National Judicial Institute convened a two-day workshop for Supreme Court justices and high court judges in Lagos on May 14, 2026, the event could easily have been read as ceremonial. Regulators and judges sharing a stage has rarely moved enforcement needles in Nigeria. But the substance of what NCC Executive Vice Chairman Dr. Aminu Maida presented — set alongside three simultaneous regulatory moves — points toward something architecturally significant.
The framing statistic Maida cited was arresting: Nigerians consumed 1.42 million terabytes of data in March 2026, up from 995,000 terabytes in the same month a year earlier. Broadband penetration climbed from 47.7 percent to 54.3 percent over the same period. Telecom operators invested over one billion dollars in network expansion in 2025. That growth represents commercial success — and an expanding attack surface. Digital payment fraud, SIM-swap abuse, and online financial crime have scaled alongside connectivity, and the institutional infrastructure to respond had not kept pace.
Three Moves, One Framework
The Lagos workshop is the third visible piece of a coordinated enforcement architecture the NCC has been assembling since early 2026.
First: TIRMS. On March 27, 2026, the NCC announced the Telecommunications Identity Risk Management System at a stakeholder forum in Abuja. On April 21, 2026, the NCC and the Central Bank of Nigeria signed a memorandum of understanding formalising the platform — a real-time portal that lets banks and fintech firms query mobile number status before authorising financial transactions. If a number has been recently swapped, recycled, reassigned, or flagged as suspicious, the bank sees that before the funds move. Telecom operators are required to submit churned number data to TIRMS within seven days and to notify subscribers 14 days before a line is cancelled. The urgency is justified: Nigeria's Inter-Bank Settlement System (NIBSS) recorded 67,518 digital payment fraud incidents in 2025, with total losses of ₦25.85 billion.
Second: The Internet Code of Practice 2026. Published by the NCC on February 13, 2026 — revising a 2009 predecessor — the Code requires all Online and Digital Communications Platforms to submit their community rules and guidelines to the Commission within six months, setting a hard deadline of August 13, 2026. Platforms must demonstrate how those rules address harmful content, disinformation, fraudulent activities, and unlawful content. Biannual compliance reports are mandatory. This is a binding regulatory submission under the Nigerian Communications Act 2003, with enforcement authority attached, not a voluntary transparency exercise.
Third: Judicial capacity. TIRMS and the ICP 2026 only function if courts can adjudicate the cases they generate. The Cybercrimes (Prohibition, Prevention, etc.) (Amendment) Act, signed by President Tinubu on February 28, 2024, enhanced penalties for identity theft, cyberstalking, and data breaches. But statutes are inert without judges who understand digital evidence and the technical anatomy of SIM fraud. Chief Justice Kudirat Kekere-Ekun captured the institutional challenge at the workshop: "The law must respond to changing realities while preserving the principles that sustain justice and social order." NCC Board Chairman Chief Idris Olorunimbe put the ask more directly, calling on the judiciary to "move at the speed of 5G."
The Case for This Approach
It is worth stating plainly why this three-part architecture makes structural sense. Nigeria's digital fraud problem is not primarily a technology problem — it is an institutional coordination problem. SIM-swap fraud works partly because telecom identity data and banking authentication data are siloed: a bank cannot see that the number it just authenticated was reassigned 48 hours earlier. TIRMS closes that gap. Online fraud persists partly because platforms have operated in Nigeria without legal obligations to submit enforcement policies for regulatory scrutiny. The ICP 2026 changes that. And cybercrime prosecution underperforms partly because digital evidence is technically complex terrain for a judiciary trained in analogue-era law. The Lagos workshop addresses that gap directly.
Maida's approach is also not the blunt-instrument model that has characterised problematic content regulation frameworks elsewhere. The NCC is threading a needle: connect institutional data systems, set platform transparency obligations, build judicial competence, and let enforcement follow from institutional strength rather than political directive. That is a more durable foundation than a takedown regime without standards.
What Remains Unresolved
Several questions need sharper answers before this framework deserves unqualified endorsement.
TIRMS gives banks real-time visibility into whether a subscriber's number has been "flagged for suspicious activity." Who flags a line, on what criteria, and what redress process exists for wrongly flagged subscribers are questions the publicly available CBN-NCC MOU has not answered. A financial blacklist tied to telecom identity — without a defined appeals mechanism — creates serious risk for low-income subscribers, who are disproportionately caught in fraud detection dragnets and least equipped to navigate a correction process.
The ICP 2026 community-rules submission requirement is similarly underspecified on enforcement proportionality. The Code grants the NCC authority under the Communications Act, but whether a minor procedural shortfall triggers the same response as systematic non-compliance depends on discretionary judgment that has not yet been publicly exercised. The August 13 deadline will be the first real stress test of how the Commission calibrates that discretion.
The misinformation dimension warrants specific scrutiny. Maida cited online misinformation alongside cybercrime and SIM fraud as a target of the new judicial-regulatory alignment. Disinformation does cause real economic harm, and the ICP 2026 includes it within the harmful content obligations platforms must address. But "misinformation" is a legal category whose contours are far hazier than identity fraud. Once the NCC begins adjudicating whether a platform's enforcement of its own disinformation rules was adequate, the Commission is effectively exercising a speech oversight function. The standards for doing that proportionately are not yet set in public regulation, and that gap matters.
An Architecture Worth Watching
President Tinubu has designated Nigeria's telecom infrastructure as Critical National Information Infrastructure, and the NCC's posture has shifted accordingly. By Q4 2026, the combination of TIRMS, the ICP 2026 platform deadline, and a judiciary actively trained on digital law will give Nigeria — on paper — one of the more coherent multi-institutional digital enforcement frameworks in sub-Saharan Africa. Whether it produces proportionate, rights-respecting outcomes at scale will depend on how the NCC exercises the considerable discretionary authority these instruments confer. The architecture is the right one. The implementation record is still being written.