On May 5, 2026, Rep. Akintunde Rotimi introduced the Cybercrimes (Amendment) Act, 2026 in Nigeria's House of Representatives. The bill rewrites three of the most abused provisions of the 2015 statute. Section 24's cyberstalking offence would be narrowed so that a charge requires the intentional transmission of a communication causing demonstrable harm and placing a person in fear of death, violence, or bodily harm. Disputes over public-interest publications would be routed to civil rather than criminal courts. A redrafted Section 27 exempts journalists and whistleblowers handling confidential information in the course of lawful investigative reporting, and an amended Section 38 requires judicial approval before law enforcement accesses or intercepts a journalist's data, embedding tests of legality, necessity, and proportionality.
This is, on its face, exactly the kind of proportionate, speech-protective reform a tech-policy framework should aspire to. It is also overdue — and the harder question is whether redrafting the text will change anything on the ground.
The flaw the bill targets
Section 24 of the original Cybercrimes (Prohibition, Prevention, etc.) Act, 2015 criminalised any message that was "grossly offensive, pornographic or of an indecent, obscene or menacing character," or a message known to be false sent "for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, ill will or needless anxiety." Conviction carried up to three years' imprisonment or a fine of up to ₦7 million. Those terms — "annoyance," "insult," "ill will" — are not legal standards; they are invitations to prosecute speech a powerful person dislikes.
Nigeria's neighbours noticed. In a March 2022 judgment in a suit brought by the Socio-Economic Rights and Accountability Project (SERAP), the ECOWAS Court of Justice declared Section 24 "arbitrary, vague and repressive," found it incompatible with Article 9 of the African Charter on Human and Peoples' Rights and the ICCPR, and ordered Nigeria to amend it.
The government complied — eventually, and incompletely. The Cybercrime (Amendment) Act 2024 narrowed Section 24 to messages "known to be false, for the purpose of causing a breakdown of law and order or posing a threat to life." That dropped the worst of the subjective language. But as the Centre for Journalism Innovation and Development noted, the new phrase "breakdown of law and order" is itself undefined — a smaller loophole, not a closed one.
The case for keeping teeth
Before arguing the reform should pass, it is worth stating the strongest case for caution. Online fraud, coordinated harassment, and deliberate disinformation are real harms in Nigeria, where digital banking is now mainstream and impersonation scams are common. Defamation dressed up as journalism is not a fiction either: in September 2024, four journalists were charged under Sections 24(1)(b) and 27 over reporting that implicated the CEO of Guaranty Trust Bank in an alleged ₦1 trillion fraud — and the bank itself confirmed it sought the charges, calling the reporting defamatory. A state that strips itself of any tool against malicious falsehood leaves genuine victims, including private citizens, without recourse. The question is never whether to regulate online harm, but how precisely and with what safeguards.
The 2026 bill answers that well. Requiring demonstrable harm plus a credible fear of violence tracks the ECOWAS Court's reasoning almost exactly. Pushing reputational disputes into civil court — where the burden, remedies, and incentives are calibrated for speech — is the orthodox liberal-democratic settlement. And conditioning access to journalists' data on a judge's order is a basic check that should be uncontroversial in any system that takes source confidentiality seriously.
Why text alone hasn't worked
Here is the uncomfortable evidence. At least 25 journalists faced prosecution under the Cybercrimes Act before the February 2024 amendment, and at least five more have been prosecuted since the reform took effect, per the Committee to Protect Journalists — including reporters jailed for nearly six months before being freed by an out-of-court settlement. Reporters Without Borders counts at least eight journalists summoned, detained, arrested, or prosecuted under the law after the amendments entered into force. CPJ puts the cumulative total at no fewer than 29 since 2015. As recently as late 2025, three journalists were detained on cybercrime allegations over governance reporting.
In other words, the 2024 rewrite narrowed the words and the prosecutions continued. Police and complainants simply shifted to the residual ambiguity, or used arrest and pre-trial detention — not conviction — as the punishment. The lesson is that the misuse of Section 24 was never purely a drafting defect. It was an enforcement culture in which a charge, however weak, achieves its goal the moment a critic is detained.
The fix that would make it stick
The 2026 bill is the most precise version of Section 24 yet proposed, and it deserves to pass. But to break the pattern, the statutory text needs procedural muscle around it. Three additions matter most. First, the "demonstrable harm" standard should be paired with a fast judicial gatekeeping step — a magistrate's confirmation that a complaint clears the threshold before an arrest, not after months in custody. Second, the Section 38 data-access safeguard needs a remedy: evidence obtained without the required judicial approval should be inadmissible, or the protection is advisory only. Third, the bill's drafters should define "breakdown of law and order" rather than carry that ambiguity forward.
Nigeria does not need a weaker cybercrime law; it needs a sharper one that distinguishes a fraudster from a reporter on the law's own terms. The 2026 amendment moves decisively in that direction. Whether it changes outcomes will depend on what happens after a complaint is filed — and that is a test for courts and police, not just for parliamentary draftsmen.