Authored By: Ifeoluwa Florence Omonayin
University of Ilorin
INTRODUCTION
Nigeria has gained global recognition over the last decade as a hotbed of cyber-enabled crime, including “Yahoo Yahoo” scams, fintech-related fraud, ATM cloning, and business email (BEC)1, all of which continue to damage faith in the country’s financial digital infrastructure. Ramon Abbas, also known as Hushpuppi, was arrested in 2020, capturing global attention and revealing the scope of Nigerian cybercrime networks. The story also showed a worrying reality: although cybercriminals advance, public institutions frequently fall behind.
In response to the challenge, the Nigerian legislature enacted the Cybercrimes (Prohibition, Prevention, etc.) Act 2015, which was the first of its kind in Nigeria, offering a legal framework that criminalized a wide spectrum of offences, from computer-related forgery and identity theft to child pornography and cyber terrorism. Despite its pioneering nature, the 2015 Act soon revealed notable gaps2. The gaps prompted the Cybercrimes (Amendment) Act, 2024, a significant legislative update aimed at modernizing Nigeria’s cybercrime framework. Key reforms included the imposition of a 72-hour deadline for reporting cyber incidents, the establishment of sector-specific Computer Emergency Response Teams (CERTs) and Security Operations Centers (SOCs), stricter Know Your Customer (KYC) obligations tied to the National Identification Number (NIN), and the creation of a cybersecurity levy to fund enforcement activities. The amendment also revised controversial provisions on cyber stalking, narrowing their scope, while broadening liability for identity theft to cover employees across both public and private sectors.3
Yet, even with these reforms, enforcement remains the weakest link, conviction rates are disproportionately low. Courts grapple with the technical complexities of admitting and assessing electronic evidence4, and many law enforcement units lack the specialised training and forensic tools required to investigate and prosecute cybercrimes effectively. Corruption and selective enforcement further undermine public trust in the system.
Critics also believe that sections like section 24 on cyberstalking risk being used against journalists and dissenters, creating human rights issues.5
This paper argues that the 2024 amendment to Nigeria’s cybercrime laws, while modernized, still suffer from enforcement issues. It will compare Nigeria’s approach to international standards, examine institutional flaws, judicial interpretation, and the legislative framework, and propose changes to enhance enforcement.
LEGAL FRAMEWORKS FOR CYBERCRIMES IN NIGERIA
- Cybercrimes (prevention, prohibition, etc.) (Amendment) Act 2024 Nigeria’s first comprehensive legislation on cybercrime was the Cybercrimes (Prohibition, Prevention, etc.) Act, 20156. The Act was enacted for combating cybercrimes such as fraud, phishing, identity theft, and financial scams that had already attracted international shame to the nation. It aimed to criminalize a broad spectrum of behavior, such as computer-based forgery, cyber stalking, cyber terrorism, tampering with Automated Teller Machines (ATM) and Point of Sale (POS) terminals, child pornography, and crimes against Critical National Information Infrastructure (CNII). The Act also recognized electronic signature imposed data retention duties on service providers and requires financial institutions to verify the identity of their customers.7
In spite of its role as a leader, the 2015 Act faced instant criticism. Practitioners and experts lamented its unclear drafting, particularly Section 24 on cyberstalking that utilized “annoyance” and “ill will” without clearly established meaning. The Act was seen as outdated due to digital payment methods and cyber threats.8
To address this gaps the Cybercrimes (Amendment) Act, 2024 was enacted modernizing the framework. One of its most significant changes was the reduction in the amount of time required to report cyber incidents. The former required reports to be sent to the National Computer Emergency Response Team (CERT) within seven days, but the amendment shortened that period to 72 hours and redirected reporting to Security Operations Centers (SOCs) or sectorial CERTs. Impersonation and identity theft charges were expanded under the amendment legislation provisions to cover both public and private sector employees.9 The purpose of this change was to enhance cooperation and enable quicker reactions to cyber threats.
The problematic cyberstalking portion was modified when the ECOWAS Court of Justice deemed it inconsistent with free expression, but ambiguous expressions like “breakdown of law and order” remain.10
The amendment also unified payment system offenses, covered mobile wallets and contactless platforms, and reinforced KYC by tying electronic transactions to the National Identification Number (NIN).11 More synergy between cybersecurity and privacy legislation was also created by aligning cybercrime enforcement with the Nigeria Data Protection Act 2023.12
Finally, the 2024 Act altered sanctions: the contentious passport revocation penalty was eliminated, but the cybersecurity levy was strengthened, mandating 0.5% of electronic transactions and imposing harsher penalties on failing enterprises.13 Despite its intended purpose of providing long-term finance, the fee has provoked public discussion due to Nigeria’s precarious economic condition.14
Together, the 2015 Act and its 2024 modification provide a stronger foundation for tackling cybercrime. Their efficacy, however, is more dependent on persistent, impartial enforcement than on statutory innovation.
JUDICIAL INTERPRETATION
The courts has been instrumental in defining and implementing cybercrime legislation. Courts have frequently had to deal with the difficulties of interpreting new offenses and deciding whether electronic evidence is admissible, even though prosecutions under the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015 have increased in frequency in recent years.
Section 24 of the 2015 Act, which made it illegal to transmit any message deemed “grossly offensive, pornographic, indecent, obscene, or menacing,” as well as to disseminate false information “for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, criminal intimidation, enmity, hatred, ill will, or needless anxiety,” has been one of the most controversial provisions and making activists and journalists vulnerable to arbitrary detention.
In Solomon Okedara v. Attorney General of the Federation (CA/L/174/18), the appellant contested the validity of Section 24(1), bringing this matter to the courts. Section 45 of the 1999 Constitution (as modified) allowed for speech limitations to be justified in the interest of morality and public order, and the Court of Appeal, Lagos Division, rejected the appeal, ruling that the language was not ambiguous. Even though human rights campaigners continued to criticize the scope of Section 24 (Okedara v. AGF, CA/L/174/18; see also The Nigeria Lawyer, 2019), the ruling essentially affirmed the government’s application of the provision.
But the debate didn’t stop there, In March 2024, the ECOWAS Court of Justice issued a pivotal ruling in a case initiated by the Socio-Economic Rights and Accountability Project (SERAP), determining that Section 24 of the 2015 Act contravened Article 9 of the African Charter on Human and Peoples’ Rights and the International Covenant on Civil and Political Rights, both of which safeguard freedom of expression. The Nigerian government was ordered by the ECOWAS Court to change the clause to comply with international human rights standards (SERAP v. Nigeria, ECW/CCJ/JUD/09/24; Premium Times, 2024).
The Cybercrimes (Amendment) Act, 2024 improved the wording of Section 24 in light of this. The revised section now restricts the offense to the dissemination of pornographic content or misinformation that endangers life or threatens to disrupt public order. Despite its amendment, reports suggest that journalists are still arrested under the clause (Daily Trust, 2024).
Section 24 is not the only statute pertaining to electronic evidence that Nigerian courts have been asked to interpret. Although the Evidence Act of 2011 (as modified) allows electronic records to be admitted, many trial courts actually face authentication challenges and chain of custody.
When combined, these court cases highlight Nigeria’s cybercrime regime’s enforcement weakness. Even though the government has reinforced the legal framework, evidentiary issues and the unsolved conflict between cybersecurity legislation and basic freedoms continue to hinder courts
REGULATION VERSUS ENFORCEMENT IN NIGERIA
The evolution of Nigeria’s cybercrime law follows a familiar pattern: over-ambitious regulation undercut by weak enforcement. On paper, the Cybercrimes (Prohibition, Prevention, etc.) Act 2015, as amended in 2024, replicates international best practice—making provision for such offences as cyberstalking, identity theft, and computer fraud, and mandating sectoral reporting obligations and the setting up of Computer Emergency Response Teams (CERTs)15. However, in actuality, enforcement agencies, courts, and institutional frameworks persistently underperform.
The first obstacle is the lack of institutional competence. Suspects of cybercrime, especially those involved in “Yahoo Yahoo” online fraud16, are often taken into custody by organizations like the Nigeria Police Force Cybercrime Units and the Economic and Financial Crimes Commission (EFCC).² Conviction rates are still disproportionately low, though.17 Due in large part to evidentiary obstacles, Nigerian courts have had difficulty consistently using section 84 of the Evidence Act 2011, which permits the acceptance of electronic documents. Because investigators lack the technological know-how to verify authenticity and dependability, digital evidence is frequently rejected.18 Nigerian courts have faced challenges in consistent application. Frequently, digital evidence is excluded due to investigators’ insufficient technical expertise to verify authenticity and reliability19.
Furthermore, the lack of adequate digital forensic infrastructure hampers investigations. Nigeria possesses only a limited number of certified cyber forensic laboratories, primarily located in major cities like Lagos and Abuja20. Consequently, cases in rural areas or state high courts frequently depend on obsolete investigative techniques, undermining the efficacy of prosecutions. In contrast, countries such as the United Kingdom maintain specialized cyber units within the National Crime Agency, equipped with advanced forensic tools and staffed by trained professionals21. Additionally, corruption and selective prosecution diminish deterrence; while low-level cyber fraudsters are aggressively pursued, cases involving politically exposed individuals or prominent corporate cyber fraud often stall or disappear from court dockets.22 This selective methodology engenders public skepticism and sustains impunity. As noted by Transparency International, corruption within law enforcement agencies frequently incentivizes the protection of offenders from legal action23.
Additionally, a significant issue arises from the misuse of cyberstalking regulations under section 24 of the Cybercrimes Act. Despite the 2024 amendment that refined the definition, journalists and dissenting individuals continue to encounter arrests due to the ambiguous terminology regarding “false information” and “offensive messages.”24 Civil society organizations, including SERAP, have consistently contended that these provisions violate the right to freedom of expression as enshrined in the 1999 Constitution (as amended) and Article 9 of the African Charter on Human and Peoples’ Rights25. Indeed, the ECOWAS Court of Justice in SERAP v Nigeria (2024) determined that certain elements of section 24 ignore global human rights standards, inviting Nigeria to amend its law.26
Lastly, the Nigerian system does not have effective international cooperation mechanisms. While the 2024 amendment introduces reporting requirements and CERTs, Nigeria has yet to implement a centralised cybercrime coordination centre effectively to improve cross-border cooperation.27
This lack of harmonization makes investigations more difficult because a lot of cybercrimes come from outside, especially financial fraud that is transmitted through foreign servers. Furthermore, Nigeria is unable to take advantage of expedited mutual legal aid in cybercrime investigations as it has not ratified the 2001 Budapest Convention on Cybercrime.28
All of these issues point to the paradox of Nigerian cybercrime law: a thorough and modern legislative framework that is primarily in place on paper, but ineffectual in reality due to enforcement flaws, institutional flaws, and political meddling. Nigeria’s cybercrime legislation runs the danger of becoming a symbolic deterrent rather than an operational protection if this regulatory-enforcement gap is not closed.
RECENT DEVELOPMENT:
Nigeria’s cybercrime environment is changing quickly due to new laws, public debate, and legal issues. There are two noteworthy developments in particular:
- Controversial Cybersecurity Levy Implementation and Suspension: In May 2024, the Central Bank of Nigeria (CBN) sent a directive to banks to charge a 0.5% cybersecurity levy on every electronic transaction, to be paid to the National Cybersecurity Fund.29 Civil society groups, including SERAP and BudgIT, filed lawsuits against the levy, claiming it violated constitutional provisions and exceeded the CBN’s authority.30
The government suspended the levy within days due to public and political pressure, including media backlash and legislative scrutiny. 31 The Information Minister confirmed this development, citing concerns.32
- Institutional and Policy Shifts
The National Cybersecurity Policy and Strategy (2021) informs revisions, notably the 2024 amendment’s sectoral CERTs and SOCs under the 2024 amendment.33 The policy framework remains crucial to the fundamental changes in cybersecurity governance.
Meanwhile, the CBN has published risk-based cybersecurity guidelines for Deposit Money Banks and Payment Service Providers, requiring them to meet basic cybersecurity criteria, such as the appointment of Chief Information Security Officers (CISOs)34. Although these guidelines are a significant step forward, their uniformity in application remains dubious.
Public Response and Media Analysis
The public was largely opposed to the fee. Media outlets, civic society, and individuals regarded it as just another hefty levy in an already shaky economy, generating a strong response that prompted a policy change.35 Critics questioned the legal foundation for the CBN’s engagement in tax implementation, stating that revenue collection is outside of its statutory mandate.36
SUGGESTIONS
- Judicial and Evidentiary Reforms
Specialized training for judges and prosecutors on how to handle digital evidence is required to reduce contradictory findings under Section 84 of the Evidence Act. Fast track cybercrime courts may also increase conviction rates.37
- Capacity Development for Enforcement Agencies
The EFCC, Police Cybercrime Units, and CERTs require ongoing investment in forensic laboratories, cutting-edge equipment, and international-standard training. This would resolve investigative flaws that jeopardize convictions.38
- Narrowing Overbroad Provisions
Section 24 (cyberstalking) should be revised further to ensure that it is not used to target journalists or dissenters. Clearer definitions would help enforcement comply with constitutional and human rights commitments.39
- Legislative and policy coordination
A centralized cybercrime enforcement body might bring agencies’ overlapping missions into harmony. Ratifying the Budapest Convention on Cybercrime would improve cross-border collaboration.40
- Civil Society and Public Engagement.
Civil society should continue to monitor enforcement, litigate violations, and raise awareness. Public faith in cyber laws can only be maintained if individuals perceive them as protective rather than punishing.41
CONCLUSION
Nigeria’s cybercrime legislation has seen substantial evolution since the 2015 Act, with the 2024 amendments implementing progressive changes like obligatory incident reporting, sector-specific CERTs, and enhanced KYC requirements. However, the persisting enforcement gap undermines these advancements. Low conviction rates, insufficient forensic competence, corruption, and court difficulty in accepting electronic evidence all contribute to the law’s limited effectiveness.
The conflict between regulation and enforcement demonstrates that law alone cannot prevent cybercrime. A sustained response necessitates strong institutional capability, judicial consistency, legislative clarity, and vigorous civil society participation. Unless these parts are addressed, Nigeria risks having a well-drafted cybercrime framework that serves as more of a symbolic deterrent than a useful weapon of justice.
Bibliography
Legislation
Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (Nigeria).
Cybercrimes (Amendment) Act 2024 (Nigeria).
Evidence Act 2011 (Nigeria).
African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention, 2014).
Council of Europe Convention on Cybercrime (Budapest Convention, ETS No 185, 2001). Cases
Socio-Economic Rights and Accountability Project (SERAP) v Federal Republic of Nigeria ECW/CCJ/JUD/09/24 (ECOWAS Court of Justice, 2024).
Books and Journals
Adeoluwa Adeniji, ‘Digital Forensics in Nigeria: Challenges and Prospects’ (2022) Nigerian Journal of Cybersecurity 22.
R Abdulkadir, ‘Gaps in Nigeria’s Cybercrime Regulation’ (2021) 12 Nigerian Journal of Cyber Law 45.
Policy Documents and Reports
Central Bank of Nigeria, Circular on Cybersecurity Levy (6 May 2024). Economic and Financial Crimes Commission, Annual Report on Cybercrime Prosecutions in Nigeria (2023).
Federal Republic of Nigeria, National Cybersecurity Policy and Strategy (2021). International Telecommunications Union, Global Cybersecurity Index 2023 (2023).
Websites and Civil Society Reports
Socio-Economic Rights and Accountability Project (SERAP), ‘Cybercrime Law and Freedom of Expression in Nigeria’ (2023) https://serap-nigeria.org accessed 23 August 2025
1 International Telecommunications Union (ITU), Global Cybersecurity Index 2023 (2023).
2 R Abdulkadir, ‘Gaps in Nigeria’s Cybercrime Regulation’ (2021) 12 Nigerian Journal of Cyber Law 45.
3 s 24. Of Cybercrimes (prohibition, prevention etc.) amendment act 2024
4 Evidence Act 2011 (Nigeria), s 84; see also EFCC, Annual Report (2023).
5 SERAP v Federal Republic of Nigeria ECW/CCJ/JUD/09/24 (ECOWAS Court of Justice, 2024).
6 Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (Nigeria).
7 ibid ss 6–25, 17
8 R Abdulkadir, ‘Gaps in Nigeria’s Cybercrime Regulation’ (2021) 12 Nigerian Journal of Cyber Law 45.
9 Cybercrimes (Amendment) Act 2024 (Nigeria) ss 21A, 36(4).
10 SERAP v Federal Republic of Nigeria ECW/CCJ/JUD/09/24 (ECOWAS Court of Justice, 2024).
11 Cybercrimes (Amendment) Act 2024 ss 33, 43B.
12 Nigeria Data Protection Act 2023 (Nigeria)
13 Cybercrimes (Amendment) Act 2024 ss 45, 57.
14 Controversy Trails Implementation of Cybersecurity Levy’ The Guardian Nigeria (Lagos, 10 May 2024).
15 Cybercrimes (Prohibition, Prevention, etc.) (Amendment) Act 2024.
16 Economic and Financial Crimes Commission (EFCC), Annual Report 2022 (EFCC, Abuja 2023).
17 ‘EFCC’s Uneven Fight against Cybercrime’ The Guardian (Lagos, 15 June 2023)
18 Evidence Act 2011 (Nigeria), s 84.
19 Chinenye Udeh, ‘Electronic Evidence and the Nigerian Courts’ (2020) 6(2) Nigerian Journal of Technology Law 45
20 Adeoluwa Adeniji, ‘Digital Forensics in Nigeria: Challenges and Prospects’ (2022) Nigerian Journal of Cybersecurity 22.
21 UK Crown Prosecution Service, Cybercrime: Guidance for Prosecutors (2022)
22 Sahara Reporters, ‘High-Profile Cybercrime Cases That Went Nowhere’ (Abuja, 10 May 2023)
23 Transparency International, Corruption Perceptions Index 2023: Nigeria Country Report (2024).
24 ‘Cybercrimes Act: Despite Amendment, Clampdown on Journalists Persists’ Daily Trust (Abuja, 12 April 2024)
25 African Charter on Human and Peoples’ Rights (adopted 27 June 1981, entered into force 21 October 1986) 1520 UNTS 217, art 9.
26 SERAP v Federal Republic of Nigeria ECW/CCJ/JUD/09/24 (ECOWAS Court of Justice, 2024).
27 Federal Republic of Nigeria, National Cybersecurity Policy and Strategy (2021
28 Convention on Cybercrime (Budapest Convention) (adopted 23 November 2001, entered into force 1 July 2004) ETS No 185.
29 Central Bank of Nigeria, Circular on Cybersecurity Levy (6 May 2024).
30 SERAP, BudgIT & 136 Nigerians v CBN, FHC/L/CS/822/2024; ‘SERAP, BudgIT, Others Sue CBN, Want Cybersecurity Levy Stopped’, Premium Times (12 May 2024)
31 Victor Ayeni, ‘How Citizens’ Anger, Pressure Forced FG to Suspend Controversial Cybersecurity Levy’, Punch (15 May 2024)
32 Nigeria suspends cybersecurity levy amid cost of living crisis, Reuters (14 May 2024)
33 Federal Republic of Nigeria, National Cybersecurity Policy and Strategy (2021)
34 ICLG, Cybersecurity Laws and Regulations – Nigeria Chapter (6 November 2024)
35 Premium Times and Punch articles cited above; public and political backlash documented.
36 ThisDayLive, ‘Cybersecurity Levy: Matters Arising’ (14 May 2024)
38 Adeoluwa Adeniji, ‘Digital Forensics in Nigeria: Challenges and Prospects’ (2022) Nigerian Journal of Cybersecurity 22.
39 SERAP v Federal republic of Nigeria ECW/CCJ/JUD/09/24 (ECOWAS Court of Justice, 2024).
40 Convention on Cybercrime (Budapest Convention) ETS No 185 (2001).
41 SERAP, ‘Cybercrime Law and Freedom of Expression in Nigeria’ (2023),
