A Sweeping Circular, With Data Localisation as the Headline
On June 15, 2026, the Central Bank of Nigeria's Payments System Supervision Department issued Circular PSS/DIR/PUB/CIR/001/004, signed by department director Dr. Rakiya O. Yusuf. It bundles three obligations into one instrument: caps on market concentration (no single firm may hold more than 25% of card issuing or 15% of merchant acquiring within a 12-month window), mandatory disclosure of ultimate beneficial owners across the payments industry, and a hard data-localisation deadline. Every deposit money bank, microfinance bank, mobile money operator, switching and processing company, payment terminal and solution service provider, and super-agent must store and manage all payment transaction data generated in Nigeria on Nigerian infrastructure by January 1, 2027 (Enebeli & Partners; Aluko & Oyebode). That leaves roughly six and a half months for institutions currently running on AWS, Azure, Google Cloud or IBM Cloud to either migrate transaction data wholesale or negotiate in-country availability zones with those same hyperscalers.
The Steelman: Sovereignty Over Systemic Rails
The strongest case for the CBN isn't novel — it's consistency. Nigeria's payments system now clears roughly ₦1.07 quadrillion ($702 billion) a year in electronic transactions (TechCabal), and a regulator responsible for systemic stability has a legitimate interest in knowing that the ledgers underpinning that flow aren't subject to a foreign court order, a hyperscaler outage, or a sanctions regime it doesn't control. The CBN is also not acting in isolation: NITDA's National Cloud Policy 2025 already requires sovereign data, certain subscriber data, and Bank Verification Numbers to sit on Nigerian servers (Mondaq; NITDA). Viewed that way, the payments circular closes a sectoral gap rather than inventing a new doctrine, and the AML/CFT-linked beneficial-ownership provisions in the same circular suggest financial-crime oversight, not mere protectionism, is genuinely part of the motivation.
Where the Case Overreaches
But the CBN's own general data-protection framework doesn't support blanket localisation as the default rule — it supports something more calibrated. The Nigeria Data Protection Act 2023, in Sections 41–43, prohibits cross-border transfer by default but explicitly builds in adequacy decisions, binding corporate rules, standard contractual clauses, and consent as lawful routes around that prohibition, precisely so Nigerian firms aren't cut off from global cloud infrastructure (Nigeria Data Protection Commission). The CBN circular doesn't use any of that architecture. It imposes a flat mandate through supervisory power, with a compressed deadline, and — going by the public text of the circular as reported by legal counsel — without publishing a defined sanctions schedule for non-compliance, which leaves banks and fintechs to guess at their exposure while they plan capital spending.
That matters because Nigeria's data-centre market, while real, is neither large nor evenly distributed. Commercial capacity ranges between roughly 50-56 MW live today, rising toward 124 MW with committed expansions, according to TechCabal's review of the sector, while OADC's CEO puts current domestic capacity nearer 136.7 MW, projected to reach about 279.4 MW by 2030 on the back of roughly $2 billion in committed investment (Nairametrics; TechCabal). Both figures describe a market concentrated overwhelmingly in Lagos, dominated by a handful of hyperscale operators — Equinix, OADC, Rack Centre, Airtel's Nxtra. OADC's own CEO insists there's no capacity shortfall for "high-quality" facilities, but that reassurance is aimed at the country's largest banks, not the microfinance banks and small payment solution service providers the circular also covers, which have neither the balance sheets nor the negotiating leverage to book premium local capacity on a six-month clock.
What Proportionate Regulation Would Look Like
None of this means the CBN should abandon the goal. Financial-data sovereignty is a defensible policy objective, and Nigeria's cloud sector, still expanding toward 2030, will eventually be able to absorb this demand. The problem is sequencing and proportionality. A rule modelled on the NDPA's own transfer mechanisms — allowing hyperscaler local availability zones, contractual safeguards, or phased compliance tied to institution size — would achieve the sovereignty goal without forcing the smallest licensees into a costly, rushed migration of live payment rails that tens of millions of Nigerians depend on daily. The CBN should also publish the sanctions regime it intends to enforce, rather than leaving institutions to price compliance risk in the dark. Coordinating explicitly with NITDA and the Nigeria Data Protection Commission — rather than layering a third, stricter sectoral standard on top of two existing ones — would also reduce the compliance fragmentation that Mondaq's review of the data-centre landscape already flags as a burden on operators navigating overlapping NITDA, NCC, and CBN rules. Nigeria doesn't need to choose between data sovereignty and a functioning digital payments market. It needs a deadline and an enforcement posture that reflect the size of the smallest firm the rule binds, not just the largest.