On June 26, 2026, President Bola Tinubu signed the National Identity Management Commission (NIMC) Act 2026 into law, repealing the 2007 statute that had governed Nigeria's identity system for nearly two decades. NIMC Director-General Abisoye Coker-Odusote called that gap stark: "For 19 years, the legal framework governing Nigeria's identity management system remained unchanged while the digital landscape evolved rapidly," she said at the signing ceremony (State House, Abuja).
The replacement is not a modest update. It designates NIMC as the Root Certification Authority for Nigeria's national Public Key Infrastructure and Digital Public Infrastructure — the trust anchor validating every digital signature, government e-service login, and electronic transaction built on the National Identification Number (NALTF). In the same statute, it hands NIMC court-authorized powers to search premises, seize evidence, decrypt data, and arrest suspects in identity-fraud and data-trafficking cases, working alongside the police and other security agencies (Punch). Penalties for identity offences rise sharply: up to ₦20 million for corporate violators and a minimum five-year prison term for unauthorized database access, multiple registration, or impersonation — increases Tinubu himself described as "up to 100 times" the old regime (Punch). The Act also formally binds NIMC's data handling to the Nigeria Data Protection Act, closing a gap where the identity database had operated outside the country's main privacy statute (Biometric Update).
The Case For It
The strongest argument for this bundling is that Nigeria's identity ecosystem was genuinely fragmented and genuinely abused. A 2007-era commission with no enforcement teeth and no statutory tie to a data-protection regime was poorly positioned to police a system now underpinning banking, passports, pensions, and land records. Centralizing enforcement authority in the body that issues and verifies the credential — rather than routing every case through slow, under-resourced police units — is a coherent response to a real fraud problem, and the NDPA linkage is an unambiguous improvement on the status quo. Officials point to NIMC-Interpol database coordination in the arrest of Boko Haram and ISWAP commanders returning from Mecca as evidence the integration model works, though security analysts have disputed how much credit the identity system itself deserves for that outcome (Zikoko).
The Concentration Problem
The design flaw is architectural, not rhetorical. Root Certification Authority status and law-enforcement power are supposed to be separated in any well-run digital trust system, precisely because the entity vouching for everyone's digital identity should not simultaneously be the entity deciding who to investigate, search, and arrest using that same identity data. Collapse the two functions into one commission and you remove the institutional friction that normally checks abuse — no independent body has to sign off before the trust authority turns its own database into an evidence source against the people it certifies. Every additional PKI root, DPI rail, and enforcement mandate NIMC absorbs also raises the cost of a single point of failure: a breach or an overreach at NIMC no longer just leaks identity records, it can compromise the digital-signature layer that banks, telcos, and government portals all rely on to trust each other.
Does Identity Infrastructure Actually Stop Crime?
Nigeria has already run this experiment once, with mixed results. The NCC's NIN-SIM linkage program — the closest precedent for using identity infrastructure as a security tool — verified tens of millions of subscribers, yet security analysts note that kidnapping and banditry rings continued largely undisturbed, because criminals used stolen NINs, proxy registrations, and deceased people's identities to register anyway, and inter-agency coordination remained too slow to trace calls in real time. Security analyst Kehinde Giwa's assessment of the new Act's crime-fighting ambitions was blunt: it risks "treating a gun problem with more paperwork," addressing an identification gap rather than the enforcement and intelligence gaps that actually let criminals operate (Zikoko). Handing NIMC arrest powers does not, by itself, fix the coordination and prosecution bottlenecks that undermined the SIM-linkage program.
What Proportionate Would Look Like
None of this argues against modernizing a 19-year-old statute, expanding NDPA coverage, or building serious DPI trust infrastructure — Nigeria needed all three, and this Act delivers them. The problem is sequencing and separation. A digital-trust root authority should answer to an independent technical oversight body, not double as an investigative agency judging its own cases. Nigeria's National Assembly and the Nigeria Data Protection Commission should insist on a statutory firewall — formal division between NIMC's certification function and its enforcement arm, with judicial warrants (already required on paper) audited publicly rather than left to internal discretion. Given the NIN-SIM program's track record, lawmakers should also demand an independent evaluation of whether the new arrest powers reduce identity fraud before renewing or expanding them, rather than assuming infrastructure equals outcomes. Proportionate regulation means matching power to demonstrated need — not granting a single commission both the keys to the kingdom's digital trust and the authority to knock down its doors.