A Review of the Cybercrimes (Prohibition, Prevention, etc.) (Amendment) Act, 2024

Introduction

In today’s digital world, cyberspace plays a central role in communication, commerce, governance, and national security. As cyber threats increase in sophistication and frequency, countries are racing to reinforce their legal frameworks to combat them. Nigeria, which enacted the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015 as a landmark piece of cybersecurity legislation, has taken a further legislative step with the Cybercrimes (Prohibition, Prevention, etc.) (Amendment) Act, 2024. This amendment is aimed at closing the loopholes in the 2015 Act, enhancing enforcement, refining ambiguous provisions, and aligning the law with international standards and evolving realities.

The amendment is part of the Federal Government’s broader reform initiative, which includes the National Cybersecurity Policy and Strategy of 2021. This policy document identified core issues such as cyber incident reporting, regulation of service providers, and the enforcement of penalties. The Amended Act responds to many of these challenges.

Some key provisions of the Amended Act

  1. Extended Scope of Electronic Signatures

The 2015 Act excluded the use of electronic signatures in relation to vital records such as wills and birth and death certificates. While the Amended Act retains this limitation, it introduces a carve-out: such documents may now be electronically signed if legally verified in certified true copies.

Recognizing the difficulty of prosecuting cyber offences, the amendment provides clearer rules for:

a) Admissibility of metadata, server logs, and IP addresses as evidence
b) Cooperation of service providers in preserving digital evidence
c) Provisions for chain of custody and digital forensics

  2. New Timeline and Protocol for Reporting Cyber Threats

The Amended Act alters the reporting structure of cybersecurity incidents. Previously, reports were directed to the National Computer Emergency Response Team (CERT). Now, reports must be made through sectoral CERTs or Security Operations Centres (SOCs).

Even more significantly, the reporting timeline has been shortened from seven (7) days to seventy-two (72) hours. This change aligns with global best practices and enhances the responsiveness of cybersecurity governance. Organizations now face increased urgency in detecting and reporting incidents, which should, in turn, prompt the development of better internal cybersecurity systems.

  3. Broadened Definition of Identity Theft and Impersonation

Under the 2015 Act, only financial institutions’ employees could be prosecuted for identity-related offences if they used privileged information to commit fraud. This left a regulatory gap for other sectors. The Amended Act has expanded the scope to include employees of all public and private organisations. This change is timely, as identity theft is no longer confined to the banking sector but occurs across e-commerce, healthcare, insurance, and telecoms. Employers in these sectors must now prioritise employee access management and client data protection.

  4. Reform of the Cyberstalking Offence

Section 24 of the 2015 Act attracted widespread criticism for being vague, overbroad, and weaponised against journalists and social commentators. Words like “inconvenience,” “annoyance,” and “ill will” lacked clear legal thresholds and opened the door to arbitrary arrests.

The Amended Act revises this provision by limiting the offence to the transmission of pornographic or false information that could cause a breakdown of law and order or pose a threat to life.

  5. Expansion of the Offence of Conspiracy, Aiding, and Abetting

The Amended Act now permits the prosecution of employees in all sectors, not just those in financial institutions, who conspire or assist in cybercrimes. This adjustment reflects the reality that cyber fraud schemes are often cross-sectoral and require a unified legal response.

It ensures accountability for bad actors regardless of where they operate, reinforcing organisational responsibility and encouraging compliance through broader legal exposure.

  6. Expansion of Payment Technology Manipulation Offence

In addition to the criminalisation of the manipulation of ATM and POS terminals, the Amended Act now includes all forms of payment technology, such as mobile banking apps, e-commerce gateways, and contactless payments, under this offence.

This expansion is commendable. It future-proofs the law against emerging financial technologies and curtails fraudsters’ attempts to exploit digital payment innovations. Financial institutions must now strengthen monitoring tools across all transaction channels, not just traditional ones.

  7. Mandatory Use of National Identification Number (NIN)

To enhance customer verification, the Amended Act mandates that the NIN be used for issuing debit/credit cards and similar electronic devices. Previously, generic documents such as utility bills and passports were acceptable for KYC compliance.

This policy shift strengthens identity validation and is likely to reduce financial fraud.

  8. Alignment with the Nigerian Data Protection Act (NDPA)

While the 2015 Act loosely referenced data protection, the Amended Act now expressly requires compliance with the Nigerian Data Protection Act, 2023. This integration reflects a growing global trend toward harmonising cybersecurity and data protection regimes.

Service providers are now required to store and secure user data, including traffic and subscriber information, for two years, in accordance with NDPA and Nigerian Communications Commission (NCC) guidelines. This provision enhances accountability and ensures privacy compliance in digital ecosystems.

  9. Provisions for Critical National Information Infrastructure (CNII)

Organisations classified as Critical Information Infrastructure providers (e.g., telecoms, electricity grid operators, and financial switching companies) are now mandated to:

a) Conduct quarterly vulnerability assessments
b) Submit compliance reports to the National Cybercrime Centre
c) Appoint a Cybersecurity Compliance Officer (CCO)

  10. Elimination of Passport Seizure Provisions

The Amended Act repeals the controversial Section 48(4) of the 2015 Act, which authorised the cancellation of passports of Nigerians and the withholding of passports of foreigners convicted under the Act. This repeal is a welcome human rights–aligned development, considering the lack of a rational nexus between cybercrime and freedom of movement.

Cybercrime Act and International Compliance

Nigeria’s Cybercrimes Act draws inspiration from the Budapest Convention on Cybercrime, 2001, which provides a legal framework for international cooperation on combating cybercrime.

Key areas of convergence include:

a) Unauthorized access to and interference with computer systems
b) Use of malicious tools
c) Cyber fraud and forgery
d) Offences relating to child pornography
e) Corporate liability for cybercrimes
f) Preservation and sharing of electronic evidence

Recommendations for Compliance

To stay ahead of the curve, organisations should consider:

a) Conducting cybersecurity audits to assess vulnerabilities and readiness.
b) Reviewing contracts with IT vendors and cloud service providers to include clauses on data protection, liability, and breach response.
c) Training staff and clients on phishing awareness, password hygiene, and data handling procedures.
d) Engaging external counsel or consultants for guidance on emerging cyber compliance issues.

Conclusion

The Cybercrimes (Amendment) Act 2024 is a timely and necessary update to Nigeria’s cybersecurity law. By broadening the scope of offences, improving enforcement mechanisms, and introducing new compliance obligations, the law strengthens the country’s ability to combat cyber threats. However, businesses, especially those in the financial and technology sectors, must act proactively to ensure compliance. Legal practitioners also have a role to play in guiding clients through the changing landscape and helping to shape a balanced interpretation of the law that protects both national interests and civil liberties.

 
