Authored By: Hope Chizoba Ukpai
University of Nigeria, Nsukka.
1.0 Introduction
The World Bank reported in 2019 that small and medium-scale enterprises (SMEs) account for more than 90 per cent of businesses and about 50 per cent of global employment. Similarly, studies have shown that SMEs contribute over 40 per cent of Gross Domestic Product (GDP) in developing countries of South-East Asia and Sub-Saharan Africa, such as Nigeria. In the Nigerian context, which is the focus of this article, SMEs have not only contributed significantly to job creation but have also been identified as the dominant non-oil business sector. As of 2022, approximately 80 per cent of businesses in Nigeria were reported to be SMEs. As the years progress, the number of SMEs continues to increase. This growth can be attributed to the need to meet the rising economic demands of the nation, which motivates many citizens to establish new businesses.
Artificial intelligence (AI), on the other hand, has emerged as a rapidly growing phenomenon. A recent report by Daily Trust revealed that 93 per cent of organisations in Nigeria, including business enterprises, have adopted AI technologies. Of this number, 31 per cent have achieved advanced levels of AI integration in their business operations. This development demonstrates that Nigerian businesses are not ignoring the transformative potential of artificial intelligence. While this technological shift is worth celebrating, it also raises important legal concerns that require careful examination. What are the legal implications of AI adoption for SMEs under Nigerian law? How does the Nigerian legal framework compare with that of other jurisdictions, and in what ways can it be improved to better regulate this emerging reality?
To ensure a clear and logical flow of ideas, this article is structured into six main parts. It begins by providing a background to the relationship between artificial intelligence and business operations. It then proceeds to offer both legal and technical definitions of these key concepts. Thereafter, the article examines the regulatory framework governing the use of AI by Small and Medium-Sized Enterprises (SMEs) in Nigeria. The compliance challenges faced by these businesses are subsequently discussed, followed by an exploration of possible solutions, with reference to approaches adopted in other jurisdictions. The article then proposes practical and policy-based recommendations before bringing the discussion to a close. It is important to note that this study adopts a doctrinal research methodology.
2.0 Conceptual Clarifications and Scope
2.1 The Technical and Legal Meaning of Artificial Intelligence.
The complex and rapidly evolving nature of artificial intelligence has made it difficult to adopt a single, universally accepted definition, particularly in Nigeria where the concept is still emerging within legal and regulatory discourse. Although AI is increasingly shaping the daily experiences of individuals and organisations across the country, it remains a sensitive and powerful tool that must be approached with caution. Scholars and policymakers across the world have therefore attempted to define AI from different perspectives. John McCarthy, widely regarded as the father of artificial intelligence, described it as “the science and engineering of making intelligent machines.” He further explained that AI involves creating programs and systems capable of performing tasks that would ordinarily require human intelligence, such as learning, reasoning, problem-solving, perception, and language understanding. Similarly, the European Union, through its Artificial Intelligence Act, has adopted a more precise and functional definition. It describes an “AI system” as a machine-based system designed to operate with varying levels of autonomy, capable of adapting after deployment, and which, for explicit or implicit objectives, infers from the input it receives how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.
In a broader sense, artificial intelligence may be viewed as an evolving technology that produces intelligent responses, such as text, images, videos, and recommendations; to support human reasoning, enhance decision-making, improve access to information, and increase efficiency across different sectors. It is important to recognise that AI is a continuously developing concept, and as technology advances, it may soon outgrow many of the definitions presently used to describe it.
2.2 The Meaning of SMEs.
In Nigeria, there is no single statutory definition of a Small and Medium Enterprise (SME). Instead, the concept is articulated across policy instruments, regulatory frameworks and corporate legislation, each tailored to serve distinct economic or legal purposes. One influential regulatory regime comes from the Small and Medium Industries Equity Investment Scheme (SMIEIS), under which an SME is described as an enterprise with an asset base not exceeding 200 million (excluding land and working capital) and employing between ten and three hundred persons. This formulation highlights the sector’s employment and productive capacity. Likewise, historic definitions from the Federal Ministry of Commerce and Industry characterise small and medium businesses by employee numbers, turnover, and investment, reflecting their reliance on labour and modest capital structures. These enterprises are commonly run as sole proprietorships or partnerships, although some operate as incorporated entities with limited liability.
From a legal perspective under company law, the Companies and Allied Matters Act 2020 (CAMA 2020) introduces the concept of a “small company”, which carries distinct regulatory implications. Per Section 394 of CAMA, a small company must be private, have no foreign or government shareholders, and meet specific financial criteria for turnover and net assets, among other conditions. This classification affects reporting requirements and compliance obligations. The Nigeria Tax Act (NTA) 2025 also defines “small company” for tax purposes, reinforcing the functional understanding of SMEs within Nigerian law. Section 203 of the NTA describes a small company as one that earns a gross turnover of ₦50,000,000 or less per annum and has total fixed assets not exceeding 250 million provided that businesses engaged in professional services are excluded from this classification.
Consequently, this article focuses on the impact of artificial intelligence across the spectrum of Nigerian businesses, from small roadside enterprises to larger SMEs with multiple employees. It examines the legal consequences of AI adoption by these businesses, explores how the law seeks to regulate their operations, and highlights the key compliance challenges they face in integrating AI into their day-to-day activities.
3.0 Regulatory Framework for Small and Medium Enterprises Using AI
In Nigeria, there is no specific AI law that directly governs the development or deployment of artificial intelligence systems. Nevertheless, the use of AI by Small and Medium Enterprises (SMEs) is already subject to several existing legal frameworks that apply to technology use, data handling, consumer transactions, and cyber safety. These laws do not single out SMEs, but they set out obligations that every business deploying AI must meet if they operate legally and responsibly.
The foremost legal regime shaping AI use in Nigeria is the Nigeria Data Protection Act (NDPA) 2023. This Act applies across sectors, regardless of business size, and regulates the collection, processing, and storage of personal data- a core input for most AI systems. Under section 37 of the NDPA, a person must not subject a data subject to a decision based solely on automated processing that produces legal or significant effects unless there is: the data subject’s explicit consent or compliance with a contractual obligation or a legal requirement for such processing. For SMEs using AI to automate customer decisions (e.g., credit scoring, personalised offers, employment screening), this means they must ensure human oversight and legal bases for such decisions, not merely relying on algorithms. Moreso, The General Application and Implementation Directive (GAID) 2025 issued by the Nigeria Data Protection Commission clarifies how the NDPA’s provisions apply to AI systems, including requirements for: privacy by design and privacy by default, conducting Data Protection Impact Assessments (DPIAs) for high‑risk AI processing, protecting children and vulnerable groups and safeguards for cross‑border data flows and transparency. These obligations require an SME deploying AI to implement technical and organisational measures that reflect data minimisation, purpose limitation, and accountability when processing personal data.
On another hand, is The Federal Competition and Consumer Protection Act (FCCPA) 2018 which does not mention AI explicitly. Its prohibition on misleading or deceptive trade practices extends to AI‑generated content used in marketing, branding, pricing, or service descriptions. If an SME uses generative AI to create promotional material that misrepresents goods or services, it may be held responsible under the FCCPA for false or misleading trade descriptions. This means business owners must review AI outputs carefully and ensure that automated content does not mislead consumers, as ignorance of an AI tool’s error is not a defence under consumer protection law. Also, Cybercrimes (Prohibition, Prevention, etc.) Act 2015 makes it a criminal offence to engage in unauthorised access to computer systems, data, or networks. Although the law was not drafted for AI, its provisions apply whenever AI tools are used to process, transmit, or control data without proper authorisation. For SMEs, this translates into a duty to secure AI systems against misuse, hacking, or unauthorised access, and to report breaches where required. Poor cybersecurity practices involving AI can attract both criminal sanctions and civil liabilities.
Additionally, Nigeria’s Copyright Act 2022 protects original works of authorship. SMEs that deploy AI to generate or repurpose creative content must ensure they do not infringe existing copyright (e.g., training models on data they are not licensed to use). While the Act does not yet define AI authorship, it still safeguards original works and may expose businesses to liability if AI is used to infringe these rights. In regulated sectors like finance, telecommunications, or healthcare, additional rules may apply. For instance, financial services firms using algorithmic tools (including AI) must still comply with Central Bank of Nigeria guidelines, SEC robo‑advisory rules, and other industry‑specific compliance regimes that emphasise transparency, risk management, and consumer protection. Claiming “AI did it” does not exempt a business from meeting these professional standards.
4.0. Compliance Difficulties Faced by Nigerian SMEs Using AI
Despite the growing interest in artificial intelligence as a tool for boosting productivity and competitiveness, many Nigerian SMEs struggle with limited legal and regulatory awareness. A significant number of small business owners are unaware of the detailed provisions of the Nigeria Data Protection Act 2023 (NDPA) and the expectations it creates around lawful data processing, consent, and automated decision-making. This low level of awareness means SMEs may inadvertently fail to implement required safeguards such as privacy notices, lawful bases for processing, or data subject rights, increasing the risk of regulatory breaches when they deploy AI systems. Another major compliance difficulty for SMEs lies in the financial and technical costs associated with meeting regulatory requirements. Conducting data protection impact assessments, investing in secure data storage or encryption, hiring data protection officers, and building privacy-by-design features into AI systems all demand resources that many small businesses lack. These costs are often cited as prohibitive, particularly when juxtaposed against other pressing operational expenses such as power, infrastructure, and staffing, widening the divide between compliance demands and SME capacity.
Closely related to cost is the skills and expertise gap that SMEs face. AI deployment and data protection compliance both require specialised knowledge in machine learning, cybersecurity, or regulatory understanding which many small businesses do not possess internally. This challenge is compounded by the fact that most SMEs rely on external vendors or generic software packages without fully understanding how these tools process personal data or generate automated decisions, making it difficult to fulfil oversight obligations or explain AI outputs to regulators and customers. In addition, infrastructure limitations and weak enforcement ecosystems exacerbate compliance difficulties. Many SMEs operate in environments with unreliable electricity, poor internet connectivity, and limited access to cybersecurity tools, undermining their ability to maintain secure AI systems or to monitor and report breaches effectively. At the same time, enforcement agencies may lack the technical capacity or resources to provide clear guidance or support, leaving SMEs in regulatory limbo about practical compliance steps and expectations.
Finally, the regulatory ambiguity around AI with overlapping laws on data protection, cybercrime, and consumer protection but no standalone AI statute creates uncertainty for SMEs. Business owners may be unclear about how existing provisions translate into practical obligations for AI use, such as when DPIAs are required or how to balance innovation with privacy rights. This uncertainty often leads SMEs to adopt a cautious or reactive stance, hindering responsible AI adoption and exposing them to legal risks if regulators interpret compliance more strictly than anticipated.
5.0 Recommendations
Nigeria’s emerging regulatory framework for artificial intelligence provides a timely opportunity to adopt a balanced, risk-based model that protects consumers while allowing innovation by SMEs. A useful comparative reference is the European Union’s AI Act, which classifies AI systems by risk level and imposes stricter obligations only on “high-risk” systems, while allowing low-risk tools to operate with minimal regulatory burden. This approach has been widely acknowledged as a pragmatic way to avoid over-regulation of small businesses while still ensuring accountability. In the Nigerian context, a similar philosophy is already reflected in ongoing policy debates, where scholars and regulators have cautioned against importing foreign frameworks wholesale but have still endorsed risk-based classification as a guiding principle.
The proposed National Artificial Intelligence Bill further reinforces this direction by introducing regulatory oversight mechanisms such as registration, licensing, and risk assessment for AI technologies. If enacted, this Bill would provide SMEs with clearer legal expectations and a formal compliance pathway, particularly when deploying AI systems that process personal data or make automated decisions. Importantly, the draft framework is expected to align with the Nigeria Data Protection Act 2023, ensuring consistency across data protection, automation, and accountability obligations. This harmonisation is essential for SMEs, as fragmented regulation often increases compliance costs and legal uncertainty.
To further support SMEs, Nigeria should consider regulatory tools such as AI sandboxes, which allow businesses to test new technologies under regulatory supervision before full market deployment. This strategy has been encouraged within Nigeria’s broader digital governance discourse as a way to balance innovation with public safety. Such mechanisms would allow small businesses to innovate responsibly without the fear of immediate sanctions for technical non-compliance. In addition, government-led capacity-building initiatives; such as simplified compliance guides and sector-specific AI standards would significantly reduce the regulatory burden on SMEs and promote lawful AI adoption across the economy.
6.0 Conclusion
Artificial intelligence now plays a growing role in how Nigerian SMEs operate, from automated customer service systems to data-driven marketing tools. However, this technological shift also introduces legal responsibilities under Nigeria’s evolving regulatory landscape. Without clear compliance structures, many SMEs remain vulnerable to regulatory breaches, reputational damage, and civil liability. Drawing from comparative frameworks such as the EU’s risk-based AI model and Nigeria’s own draft legislation, it is evident that a balanced regulatory approach that prioritises accountability without stifling innovation is both necessary and achievable. With clearer legal guidance, institutional support, and adaptive regulation, Nigerian SMEs can safely harness AI as a tool for growth while maintaining public trust and legal compliance.
BIBLIOGRAPHY
Legislation (Statutes and Regulations)
Companies and Allied Matters Act 2020 (CAMA 2020) s 394(3).
Nigeria Data Protection Act 2023 s 37.
Nigeria Tax Act 2025 s 203.
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) [2024] OJ L series, art 3.
Securities and Exchange Commission, Rules on Robo-Advisory Services (executed 30 August 2021) [https://sec.gov.ng/documents/1292/Rules-on-Robo-Advisory-Services_Executed-30-August-2021.pdf](https://sec.gov.ng/documents/1292/Rules-on-Robo-Advisory-Services_Executed-30-August-2021.pdf) accessed 1 February 2026.
Small and Medium Industries Equity Investment Scheme (SMIEIS), CBN Guidelines – Enterprise with Asset Base ≤ 200 million (excluding land and working capital) and staff of ≥10 ≤300 [https://www.cbn.gov.ng/OUT/PUBLICATIONS/GUIDELINES/DFD/2004/SMIEIS.PDF](https://www.cbn.gov.ng/OUT/PUBLICATIONS/GUIDELINES/DFD/2004/SMIEIS.PDF) accessed 31 January 2026.
Journal Articles
Balas H and Shatnawi R, ‘Legal Framework for AI Applications’ (2024) F1000Research 1 [https://doi.org/10.12688/f1000research.147019.1](https://doi.org/10.12688/f1000research.14701 9.1).
Chiappini D, ‘The Legal Definition of Artificial Intelligence: A Comparative Perspective’ (2024) 11(3) European Journal of Comparative Law and Governance 360 [https://doi.org/10.1163/22134514-bja10071](https://doi.org/10.1163/22134514-bja10071).
Ebenibo L, Enyejo JO, Addo G and Olola TM, ‘Evaluating the Sufficiency of the Data Protection Act 2023 in the Age of Artificial Intelligence’ (2024) IJSRR[https://srrjournals.com/ijsrr/sites/default/files/IJSRR-2024-0044.pdf](https://srrjournals.com/ijsrr/sites/default/files/IJSRR-2024-0044.pdf).
Kolawole KD, ‘Small and Medium Enterprises (SMEs) as Engines of Economic Growth and Macroeconomic Stability in Nigeria: Evidence from FMOLS’ (2025) 12(23) International Journal of Social and Educational Innovation [https://doi.org/10.5281/zenodo.17999529](https://doi.org/10.5281/zenodo.17999529).
Okereafor G, Eke AC and Ahaiwe E, ‘Adoption of Artificial Intelligence by Small and Medium-Scale Enterprises in Emerging Economies: An Exploratory Insight’ (2025) 10(2) Journal of Contemporary Marketing.
Books, Reports and Professional Commentary
Ayoola H, Nigeria Data Protection Act, 2023 (NDPA): Restrictions on Automated Data Processing and Artificial Intelligence (Adeola Oyinlade & Co, 18 August 2025) [https://www.adeolaoyinlade.com/en/nigeria-data-protection-act-2023-ndpa-restrictions-on-automated-data-processing-and-artificial-intelligence/](https://www.adeolaoyinlade.com/en/nigeria-data-protection-act-2023-ndpa-restrictions-on-automated-data-processing-and-artificial-intelligence/) accessed 1 February 2026.
Federal Ministry of Commerce and Industry, *Small and Medium-Sized Enterprises (SMEs): An Assessment to Its Inclusion in Nigeria Trade* [https://www.wtcabuja.com/latest-news/trade-services/small-and-medium-sized-enterprises-smes-an-assessment-to-its-inclusion-in-nigeria-trade/](https://www.wtcabuja.com/latest-news/trade-services/small-and-medium-sized-enterprises-smes-an-assessment-to-its-inclusion-in-nigeria-trade/) accessed 31 January 2026.
Forvis Mazars, Finance Act 2020 and Its Impact on Small and Medium Scale Enterprises [https://www.forvismazars.com/ng/en/insights/publications/local-insights/finance-act-2020-and-its-impact-on-smes](https://www.forvismazars.com/ng/en/insights/publications/local-insights/finance-act-2020-and-its-impact-on-smes) accessed 1 February 2026.
Research Affairs, Small and Medium Industries Equity Investment Scheme [https://researchaffairs.com.ng/2025/02/17/small-and-medium-industries-equity-investment-scheme/](https://researchaffairs.com.ng/2025/02/17/small-and-medium-industries-equity-investment-scheme/) accessed 31 January 2026.
Ugochukwu LF, AI Regulations in Nigeria: Current Laws, Draft Policies and What Comes Next (AIBase, 26 November 2025, updated 8 January 2026) [https://aibase.ng/ai-ethics-policy/ai-regulations-in-nigeria/](https://aibase.ng/ai-ethics-policy/ai-regulations-in-nigeria/) accessed 1 February 2026.
Newspaper and Online Commentary
Akinwande N, ‘Why Nigeria Must Not Import AI Regulatory Frameworks From Abroad’ Guardian Nigeria (10 December 2024) [https://guardian.ng/technology/tech/why-nigeria-must-not-import-ai-regulatory-frameworks-from-abroad](https://guardian.ng/technology/tech/why-nigeria-must-not-import-ai-regulatory-frameworks-from-abroad) accessed 1 February 2026.
Chima A, ‘Nigeria’s Copyright Law Is Not Ready for Artificial Intelligence’ TheCable (15 January 2026) [https://www.thecable.ng/nigerias-copyright-law-is-not-ready-for-artificial-intelligence/](https://www.thecable.ng/nigerias-copyright-law-is-not-ready-for-artificial-intelligence/) accessed 1 February 2026.
Eleanya F, ‘Nigeria’s AI Bill Nudges Country Toward Regulatory Oversight’ TechCabal (6 November 2025) [https://techcabal.com/2025/11/06/nigeria-ai-bill/](https://techcabal.com/2025/11/06/nigeria-ai-bill/) accessed 1 February 2026.
Eniola J, ‘Regulating Artificial Intelligence in Nigeria’ BusinessDay NG (12 November 2025) [https://businessday.ng/news/legal-business/article/regulating-artificial-intelligence-in-nigeria/](https://businessday.ng/news/legal-business/article/regulating-artificial-intelligence-in-nigeria/) accessed 1 February 2026.
‘Nigeria Set to Pass Sweeping AI Rules’ Africa Briefing [https://africabriefing.com/nigeria-set-to-pass-sweeping-ai-rules/](https://africabriefing.com/nigeria-set-to-pass-sweeping-ai-rules/) acessed 1 February 2026.
Oluoje OK, ‘Beyond the Hype: The Real Challenges of AI Adoption for Nigerian SMEs’ BusinessDay NG (28 January 2025) [https://businessday.ng/opinion/article/beyond-the-hype-the-real-challenges-of-ai-adoption-for-nigerian-smes/](https://businessday.ng/opinion/article/beyond-the-hype-the-real-challenges-of-ai-adoption-for-nigerian-smes/) accessed 1 February 2026.
‘Protecting Nigerians from Data Breaches’ BusinessDay NG (Opinion, 23 January 2026) [https://businessday.ng/opinion/article/protecting-nigerians-from-data-breaches/](https://businessday.ng/opinion/article/protecting-nigerians-from-data-breaches/) accessed 1 February 2026.
Zakariyya A, ‘93% Organisations Use AI in Nigeria, 31% in Advanced Usage – Report’ Daily Trust (Abuja, 8 September 2025) [https://dailytrust.com/93-organisations-use-ai-in-nigeria-31-in-advanced-usage-report/](https://dailytrust.com/93-organisations-use-ai-in-nigeria-31-in-advanced-usage-report/) accessed 31 January 2026.
