
NIGERIA

Since February 2011

Pillar Intermediary liability  |  Indicator Safe harbour for intermediaries for any activity other than copyright infringement
Guidelines for the Provision of Internet Service
The Guidelines for the Provision of Internet Service published by the Nigerian Copyright Commission (NCC) establish a safe harbour regime for intermediaries beyond copyright infringements. According to Section 11 of the Guidelines, an Internet Service Provider as a content intermediary is not liable for Internet content transmission or information storage as long as it does not modify or interfere with the content and acts without delay to remove or restrict access to the information on receipt of any takedown notice, or on becoming aware that the information at the initial source of the transmission has been removed or disabled.
Coverage Internet intermediaries

NIGERIA

Reported in 2020, last reported in 2023

Pillar Intermediary liability  |  Indicator User identity requirement
Mandatory SIM card registration
On 15 December 2020, the Federal Government of Nigeria (FGN) directed that all SIMs should be registered with valid National Identification Numbers (NINs). SIMs failing this requirement have to be blocked by the service providers. The National Identification Management Commission (NIMC) confirmed that the NIN registration applied to all Nigerians and legal residents in Nigeria as provided under the NIMC Act of 2007. Section 5 of the NIMC Act of 2007 empowers NIMC to create a national database, harmonise existing ones and register eligible persons. It is reported that this requirement is still in place.
Coverage Telecommunications sector

NIGERIA

N/A

Pillar Telecom infrastructure & competition  |  Indicator Presence of an independent telecom authority
Presence of independent telecom authority
It is reported that the Nigerian Communications Commission (NCC), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.
Coverage Telecommunications sector

NIGERIA

Since December 2013, last amended in August 2019

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Guidelines for Nigerian Content Development in Information and Communication Technology (ICT)
Sections 11.1 (4) and 12.1 (4) of the Guidelines for Nigerian Content Development in Information and Communications Technology (ICT) require telecommunication companies and network service companies to host all subscriber and consumer data within the country in line with existing legislation.
Coverage Telecommunications sector

NIGERIA

Since December 2013, last amended in August 2019
Since August 2019

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Guidelines for Nigerian Content Development in Information and Communication Technology (ICT)

Cloud Computing Policy
Section 13.2 of the Guidelines for Nigerian Content Development in Information and Communication Technology (ICT) requires Ministries, Departments, and Agencies (MDAs) to ensure that all sovereign data is hosted locally on servers within Nigeria. The MDAs should also promote as mandatory the presence of system logs and other computer data logging technologies to aid in the effective troubleshooting and forensic investigation of events in Government systems.
Section 9.0 of the Cloud Computing Policy further stipulates that sensitive governmental and citizen data must be retained within national borders, either through internal frameworks operated by public institutions or via domestically based cloud service providers. This requirement applies specifically to data generated or managed by public sector entities.
Coverage Public sector

NIGERIA

Since December 2013, last amended in August 2019

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Guidelines for Nigerian Content Development in Information and Communication Technology (ICT)
In 2013, the National Information Technology Development Agency (NITDA) promulgated guidelines on Nigerian content in the information and communications technology sector, with amendments introduced in 2019. These guidelines are applicable to both public sector entities and private enterprises. Section 13.1 (2) of the guidelines mandates that both foreign and domestic "data and information management firms" store all data related to Nigerian citizens within Nigeria.
Coverage Data and information management firms

NIGERIA

Since 2016, last amended in June 2020

Pillar Cross-border data policies  |  Indicator Infrastructure requirement
Guidelines on Operations of Electronic Payment Channels in Nigeria
Sections 2.4.4.8 and 3.4.3.6 of the "Guidelines on Operations of Electronic Payment Channels in Nigeria" stipulate that all domestic payment transactions must be routed through a local switch within Nigeria.
Coverage Financial sector

NIGERIA

Since January 2019
Since November 2020
Since June 2023

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Nigeria Data Protection Regulation 2019

Nigeria Data Protection Regulation 2019: Implementation Framework

Nigeria Data Protection Act, 2023
Sections 41.1 and 43.1 of the Data Protection Act (DPA) provide that a data controller may transfer personal data from Nigeria to another country as long as there is an adequate level of protection of personal data in that country, or one of the following applies: the data subject consented to the transfer after being informed of the risk and did not withdraw the consent; the transfer is necessary for the performance of a contract to which the data subject is a party; the transfer is for the data subject's benefit; or the transfer is necessary for a public interest, necessary for legal action, or protects the vital interest of the data subject or a third party.
Prior to the DPA, the Nigerian Data Protection Regulation 2019 (NDPR) was the primary regulation on data protection. Although enforceable, it remains subsidiary legislation, and there was no specific commission to oversee data protection. According to Section 2.11 of the NDPR, personal data transfers are permitted on condition that the destination country offers an adequate level of data protection. Determining the level of data protection is a prerogative of the National Information Technology Development Agency (NITDA) based on the Honourable Attorney General of the Federation's (HAGF) consideration of the foreign country's legal system, rule of law, respect for human rights and fundamental freedoms, as well as relevant general and sector-specific legislation in public security, defence, national security, and criminal law. The countries whose levels of personal data protection are considered adequate are listed in the whitelist in Annex C of the Implementation Framework of the Data Protection Regulation and include 42 countries in addition to the EU Member States and all African countries that are signatories to the Malabo Convention 2014.
Where a transfer to a jurisdiction outside the whitelist is being sought, the Data Controller shall ensure there is verifiable documentation to conduct the transfer under one or more of the exceptions stated in Art. 2.12 of the NDPR. These include the consent of the data subject and the necessity for the performance of the contract.
Coverage Horizontal

NIGERIA

Since January 2018

Pillar Intellectual Property Rights (IPRs)  |  Indicator Adoption of the WIPO Copyright Treaty
WIPO Copyright Treaty
Nigeria has ratified the World Intellectual Property Organization (WIPO) Copyright Treaty.
Coverage Horizontal

NIGERIA

N/A

Pillar Cross-border data policies  |  Indicator Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
Nigeria has not joined any free trade agreement committing to open transfers of cross-border data flows.
Coverage Horizontal

NIGERIA

Since January 2018

Pillar Intellectual Property Rights (IPRs)  |  Indicator Adoption of the WIPO Performances and Phonograms Treaty
WIPO Performances and Phonograms Treaty
Nigeria has ratified the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.
Coverage Horizontal

NIGERIA

Since June 2023
Since January 2019

Pillar Domestic data policies  |  Indicator Framework for data protection
Nigerian Data Protection Act, 2023

Nigeria Data Protection Regulation 2019
The Data Protection Act establishes a comprehensive regime for data protection in Nigeria, providing a legal framework for safeguarding personal information and creating the Nigeria Data Protection Commission (NDPC). Aligning with international standards, the Act sets forth principles for the processing of personal data, specifying requirements for handling sensitive information and children's data. Additionally, it mandates data controllers to conduct Data Protection Impact Assessments, appoint data protection officers, notify breaches, and adhere to data security protocols. The Act also imposes restrictions on cross-border data transfers, adopting the concept of adequate protection. Furthermore, it grants data subjects rights such as the right to object, withdraw consent, data portability, and protection from decisions based solely on the automated processing of personal data.
Before the enactment of the Data Protection Act, the Nigerian Data Protection Regulation served as the primary regulation for data protection. Although enforceable, it remains subsidiary legislation.
Coverage Horizontal

NIGERIA

Since December 2013, last amended in August 2019

Pillar Intellectual Property Rights (IPRs)  |  Indicator Mandatory disclosure of business trade secrets such as algorithms or source code
Guidelines for Nigerian Content Development in Information and Communication Technology (ICT)
In 2013, the National Information Technology Development Agency (NITDA) promulgated guidelines on Nigerian content in information and communications technology, with subsequent amendments in 2019. These guidelines apply to both state entities and private enterprises. The guidelines mandate that multinational companies provide verifiable information and sign affidavits regarding the origin, safety, source, and functioning of software sold and deployed within Nigeria to "ascertain the full security of the product and protect national security." This requirement also aims to ensure the security of source code, though it remains unclear whether this could potentially result in the disclosure of the source code.
Coverage Software

NIGERIA

Since 2015

Pillar Domestic data policies  |  Indicator Minimum period for data retention
CyberCrime Act, 2015
Section 38 of the CyberCrime Act requires communication service providers to keep traffic data and subscriber information for two years.
Coverage Communication Service providers

NIGERIA

Since January 2019

Pillar Intellectual Property Rights (IPRs)  |  Indicator Mandatory disclosure of business trade secrets such as algorithms or source code
Lawful Interception of Communications Regulations, 2019
Rule 11.1 of the Lawful Interception of Communications Regulations, 2019 prohibits licensees from providing any communications services that cannot be monitored and intercepted. Further, Rule 9.1 of the same regulations states that where an intercepted communication is encrypted, the communications service provider is required by the regulator to provide the key, code or access to the encrypted communication.
Coverage Telecommunications sector
