According to Section 4.4.8 of the Guidelines on Point-of-Sale Card Acceptance Services, all domestic transactions in Nigeria, including but not limited to POS and ATM transactions, must be switched using the services of a local switch and shall not under any circumstance be routed outside Nigeria for switching between Nigerian issuers and acquirers.

According to Section 3.6.1 of the Guidelines on International Money Transfer Services, there is a limit of USD 2,000 per transaction for foreign transfers, subject to periodic review by the Central Bank of Nigeria. It is reported that entrepreneurs are not able to accept credit card payments over the Internet due to legal and business concerns.

It is reported that Nigerian banks have reduced the monthly international spending limit on debit cards in Nigerian naira. The monthly dollar spending limit went from USD 100 to between USD 50-20 per month (depending on the month). Therefore, customers cannot use their naira debit cards to pay for transactions of more than USD 20 or USD 50 per month. In addition, some banks suspended international ATMs and point of sales (POS) transactions. In late 2022, this restriction was partially lifted by allowing purchases in USD through selected platforms such as Paystack.

Nigeria does not implement any de minimis threshold, which is the minimum value of goods below which customs do not charge duties. However, it is reported that there is an informal threshold of USD 250.

Within Section 2.3 of the Value Added Services and Aggregator Framework of 2018, any company in Nigeria is barred from offering any Value Added Service without an appropriate license by the Nigerian Communications Commission (NCC). In the Framework, the definition of Value Added Service is any network-based service other than voice conversation that is provided in the form of text, video, graphics, picture, multimedia or data for the purpose of conveying information or executable content either downloaded or accessed online and normally at extra cost. The following classes of services are recognised as value-added services:
- Information services/Content: news, updates, data, quizzes, games, ringtones, video streaming, alerts, product information, call centre, database access;
- Interactive services/ applications: charting, contest participation, e-voting, e-government, text-to-win, polls and surveys, coupons, online games, promotions, prepaid calling card service, call directory, location-based services;
- Commerce: e-banking, mobile money, e-health, telemarketing, e-ticketing.
This provision is in line with the Nigerian Communications Act, 2003 (Section 31.1), which mandates that a communications system or facility provider operate under a specific license unless exempted under the Act.

According to Section 4 of the Insurance Web Aggregators Operational Guidelines, the provision of Web-based insurance business, as well as Insurance Web aggregators services, is subject to licensing by the National Insurance Commission of Nigeria (NAICOM). A web aggregator is defined in Section 2 as any website that provides resources and information on products and pricing of insurance companies and offers leads to an insurance company.

Section 10 of the Guidelines for Nigerian Content Development in Information and Communication Technology stipulates that indigenous software development and software-enabled products and services register their products, capabilities and organisation at the National Digital Marketplace (NDP) and NITDA portal for International Software Vendors.

Pursuant to Section 28 of the Data Protection Act, data controllers are mandated to perform a privacy impact assessment when the processing of personal data is likely to result in significant risks to the rights of data subjects. Should the assessment reveal that the processing poses a high risk to the rights and freedoms of data subjects, the data controller must seek consultation with the Nigeria Data Protection Commission prior to commencing such processing activities.

Under Section 32 of the Nigeria Data Protection Act, data controllers classified as being of significant importance are required to appoint a Data Protection Officer (DPO). This officer may either be an employee or an external consultant contracted to provide such services. The DPO's primary responsibilities include advising data controllers and processors on the proper handling of personal data, monitoring compliance with the Act, and serving as the liaison with the Nigeria Data Protection Commission concerning data processing matters.
Prior to the enactment of the Act, the Nigerian Data Protection Regulation (NDPR) functioned as the principal framework for data protection. While it remains enforceable, it is considered subsidiary legislation. Art. 4.1 of the Regulation mandates that both data controllers and processors must appoint a DPO. Furthermore, Art. 3.1(7) stipulates that, prior to collecting personal data from a data subject, the controller is required to provide the subject with the DPO’s contact information.
The NDPR’s Implementation Framework further clarifies the obligations of data controllers regarding DPO appointments. According to Section 3.4.1, a data controller must designate a DPO within six months of commencing business operations or within six months of the framework’s issuance, provided one or more of the following conditions are met:
- The entity is a government organ, ministry, department, institution, or agency.
- The organisation's core activities involve processing the personal data of more than 10,000 individuals annually.
- The organisation regularly processes sensitive personal data as part of its operations.
- The organisation holds critical national information infrastructure—defined by the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 or subsequent amendments—containing personal data.
Section 3.5 of the Implementation Framework further requires multinational corporations operating in Nigeria, and meeting one or more of the criteria in Section 3.4.1, to appoint a DPO based within the country to oversee compliance.

Under Section 70 of the Nigerian Communications Act, the Nigerian Communications Commission (NCC) can issue regulations and guidelines on any matter where the Act makes express provision. According to the sixth guideline of the Guidelines for the Provision of Internet Service issued by the NCC, “Internet service providers must provide any service-related information requested by the Commission or other legal authority, including information regarding particular users and the content of their communications, subject to any other applicable laws of Nigeria.” It is reported that the Guidelines do not include oversight mechanisms, creating the potential for abuse.

Section 8 of the Lawful Interception of Communications Regulations of 2019 provides grounds for law enforcers to access data from service providers without obtaining a warrant. This is particularly where: (a) one of the parties to the communication has consented to the interception, provided that incontrovertible proof of such consent is available ; (b) it is done by a person who is a party to the communication and has sufficient reason to believe that there is a threat to human life and safety; (c) in the ordinary course of business, it is required to record or monitor such communication.
In Section 11, licensees are prohibited from providing any communications services that cannot be monitored and intercepted. Section 19 mandates agencies which order interceptions to keep a logbook of all interceptions and to submit reports to the Attorney General in the first quarter of every year. The penalty for failure to render interception assistance to government agencies is a fine equivalent to USD 12,273 or license revocation.

The Guidelines for the Provision of Internet Service published by the Nigerian Copyright Commission (NCC) establishes a safe harbour regime for intermediaries for copyright infringements. According to Section 11 of the Guidelines, an Internet Service Provider as a content intermediary is not liable for Internet content transmission or information storage as long as it does not modify or interfere with the content and acts without delay to remove or restrict access to the information on receipt of any takedown notice, or on becoming aware that the information at the initial source of the transmission has been removed or disabled.

The Guidelines for the Provision of Internet Service published by the Nigerian Copyright Commission (NCC) establishes a safe harbour regime for intermediaries beyond copyright infringements. According to Section 11 of the Guidelines, an Internet Service Provider as a content intermediary is not liable for Internet content transmission or information storage as long as it does not modify or interfere with the content and acts without delay to remove or restrict access to the information on receipt of any takedown notice, or on becoming aware that the information at the initial source of the transmission has been removed or disabled.

On 15 December 2020, the Federal Government of Nigeria (FGN) directed that all SIMs should be registered with valid National Identification Numbers (NINs). SIMs failing this requirement have to be blocked by the service providers. The National Identification Management Commission (NIMC) confirmed that the NIN registration applied to all Nigerians and legal residents in Nigeria as provided under the NIMC Act of 2007. Section 5 of the NIMC Act of 2007 empowers NIMC to create a national database, harmonise existing ones and register eligible persons. It is reported that this requirement is still in place.

Section 2.3 of the Framework and Guidelines for Public Internet Access mandates Public Internet Access Providers (PIAPs) to ensure that every user goes through a registration process to acquire an access code for the purpose of public Internet access after verification through the user’s mobile number which is the unique Login ID. This measure eliminates anonymity for those who utilise free internet connections.