
Data Protection Deficiencies Threaten CBN’s Local Data Hosting Mandate for Financial Sector

Nigeria’s ambitious directive for banks, fintechs, and payment service providers to localise the storage of payment transaction data, set to take effect from January 1, 2027, faces significant headwinds due to the nation’s persistent data protection weaknesses. While the Central Bank of Nigeria (CBN) aims to bolster oversight of the burgeoning digital payments ecosystem, enhance data sovereignty, and stimulate investment in local infrastructure, a coalition of civil society organisations (CSOs) has sounded a stark warning: inadequate enforcement of existing data protection laws could render the mandate vulnerable.

The CBN’s directive is intended to grant authorities greater control over critical data infrastructure, facilitating easier access for audits, compliance enforcement, and investigations, particularly in criminal matters, thereby mitigating delays associated with cross-border data intermediation. Beyond data sovereignty, the move is projected to spur investment in domestic data centres and cloud storage, potentially stemming the more than N60 billion estimated to be lost annually to hosting data on foreign servers.

However, a report by the coalition, including Media Rights Agenda, Paradigm Initiative, Digital Rights Lawyers Initiative, and Accountability Lab Nigeria, titled “Protected From the State, Not By It: Nigeria’s Data Protection Crisis Is a Crisis of Implementation,” highlights a critical gap between legislation and execution. The CSOs contend that regulators have failed to effectively enforce data protection laws, contributing to a rise in digital fraud and the illicit trade of sensitive personal information. This failure is underscored by documented instances of sensitive data leaks, including alleged unauthorised access to the Independent National Electoral Commission’s (INEC) Continuous Voter Registration (CVR) database. While INEC’s preliminary findings indicated no external breach, the CSOs argue the incident exposed a lack of oversight, demonstrating how sensitive information can be exfiltrated from secure government systems.

The coalition further criticises regulators for not mandating human rights impact assessments for public surveillance systems before deployment, advocating for uniform compliance requirements for both public and private entities. This asymmetry, they argue, leaves citizens inadequately protected from data abuse while exposing them to excessive state monitoring.

Compounding these domestic concerns are global trends in cyber threats. Visa’s Mid-year 2026 Biannual Threats Report, released in Lagos, identifies Artificial Intelligence (AI)-enabled scams as the fastest-growing category of consumer payment fraud globally. The report notes that from July to December 2025, nearly one billion dollars in scam-related activity was identified, with fraudsters increasingly leveraging AI and social engineering to manipulate consumers into authorising fraudulent transactions. This shift from direct system compromises to exploiting human trust necessitates a robust defence strategy, especially as cybercriminals adapt to stronger network-level security. Visa’s report also indicates a 26% rise in global ransomware activity during the review period, though the percentage of victims paying ransoms has fallen to its lowest level on record.

In parallel, Kaspersky’s 2024–2025 Sustainability Report details the company’s efforts to enhance digital resilience. Kaspersky highlights its cooperation with global law enforcement agencies, contributing to operations that led to the arrest of over 2,600 suspected cybercriminals. The company has also formalised a five-year cooperation agreement with AFRIPOL and provided cybersecurity training to law enforcement representatives across 23 African countries, aiming to bolster independent threat detection and response capabilities.

Kaspersky’s commitment to innovation is reflected in its 155 patents granted during the reporting period, 135 of which are AI-related. The company’s research output and adherence to responsible innovation frameworks, such as the European Commission’s AI Pact and the UN Global Digital Compact, aim to mitigate risks associated with AI deployment. Their “Cyber Immunity” approach, embedded in KasperskyOS, focuses on architectural resilience rather than reactive patching, reducing systemic vulnerabilities in digital infrastructure.

However, even as cybersecurity firms advance their technologies, new attack vectors emerge. Kaspersky researchers have identified a malware distribution campaign exploiting Steam Workshop and Wallpaper Engine, a popular Steam application. Malicious wallpaper packages, downloaded by thousands of users primarily in China and Russia, were found to contain executable files, DLLs, and scripts, or malware hidden within password-protected archives. The primary objective of these attacks was to steal gaming accounts and deploy additional malware, demonstrating the evolving tactics of cybercriminals in exploiting legitimate platforms for malicious purposes. This underscores the critical need for the CBN’s directive to be underpinned by a robust and effectively enforced data protection framework, capable of withstanding both domestic implementation challenges and the escalating sophistication of global cyber threats.

Naijaonpoint.