Art. 3.4.1 of the Nigeria Data Protection Regulation mandates the appointment of a Data Protection Officer (DPO) within six months of commencement of business if one or more of the following conditions apply:
- The entity is a Government organ and Ministries, Departments and Agencies (MDAs);
- The core activities of the organisation relate to usual processing of large sets of personal data (10,000 data subjects per annum);
- The organisation processes sensitive personal data in the regular course of its business;
- The organisation processes critical national databases consisting of personal data.

Under Section 70 of the Nigerian Communications Act, the Nigerian Communications Commission (NCC) can issue regulations and guidelines on any matter where the Act makes express provision. According to the sixth guideline of the Guidelines for the Provision of Internet Service issued by the NCC, “internet service providers must provide any service related information requested by the Commission or other legal authority, including information regarding particular users and the content of their communications, subject to any other applicable laws of Nigeria.” It is reported that the Guidelines do not include oversight mechanisms, creating the potential for abuse.

Section 38 of the CyberCrime Act requires the communication service providers to keep traffic data and subscriber information for two years.

Nigeria has not joined any free trade agreement committing to open transfers of cross-border data flows.

The country has implemented a comprehensive framework for data protection under the Nigeria Data Protection Regulation (NDPR) 2019. The framework takes cognizance of emerging data protection laws and regulations within the international community, in a bid to protect privacy, identity, lives and property as well as fostering the integrity of commerce and industry in the data and digital economy.

According to Section 2.11 of the Nigeria Data Protection Regulation (NDPR) of 2019, personal data transfers are permitted on condition that the destination country offers an adequate level of data protection. Determining the level of data protection is a prerogative of the National Information Technology Development Agency (NITDA) based on the Honourable Attorney General of the Federation's (HAGF) consideration of the foreign country’s legal system, rule of law, respect for human rights and fundamental freedoms, as well as relevant general and sector-specific legislation in public security, defense, national security, and criminal law. The countries whose levels of personal data protection is considered adequate are provided in the whitelist in Annex C of the Implementation Framework of the Data Protection Regulation and includes 42 countries in addition to the EU Member States and all African countries who are signatories to the Malabo Convention 2014.
Where transfer to a jurisdiction outside the whitelist is being sought, the Data Controller shall ensure there is verifiable documentation to conduct the transfer under one or more of the exceptions stated in Art. 2.12 of the NDPR. These include the consent of the data subject and the necessity for the performance of the contract.

In 2013, the National Information Technology Development Agency (NITDA) released guidelines on Nigerian content development in information and communications technology, subsequently amended in 2019. One of the requirements in Section 13.1 (2) is that "data and information management firms", both foreign and domestic, are required to store all data concerning Nigerian citizens in Nigeria. It is reported that these requirements raise costs for foreign businesses seeking to invest in the Nigerian market and create an intractable barrier to market entry for firms that distribute their data storage and processing globally. Further, such requirements prevent Nigerian businesses from taking advantage of cloud computing services supplied on a cross-border basis.

Pursuant to Section 4.4.8 of the Guidelines on Point-of-Sale Card Acceptance Services of the Central Bank of Nigeria, all domestic transactions in Nigeria, including but not limited to POS and ATM transactions, must be switched using the services of a local switch and shall not under any circumstance be routed outside Nigeria for switching between Nigerian issuers and acquirers.

Section 11.1 (4) and 12.1 (4) of the Guidelines for Nigerian Content Development in Information and Communications Technology (ICT) requires telecommunication companies and network service companies to host all subscriber and consumer data within the country in line with existing legislation.

Section 13.2 of the Guidelines for Nigerian Content Development in Information and Communication Technology (ICT) requires Ministries, Departments & Agencies (MDAs) to ensure that all sovereign data is hosted locally on servers within Nigeria. The MDAs should also promote as mandatory the presence of system logs and other computer data logging technologies to aid in the effective troubleshooting and forensic investigation of events in Government systems.

It is reported that the Nigerian Communications Commission (NCC), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

According to Art. 31 of the Nigerian Communications Act, no person is allowed to operate a communication system or facility nor provide communication service in Nigeria, unless authorized to do so. Internet Service Provision and Internet Exchange licences authorise the provision of data services. On the other hand, the provision of voice over Internet Protocol (VoIP) does not require a license.
However, in order to operate in the Nigerian telecom market, promoters or investors have to register a company in Nigeria whose entity is separate and distinct from its parent company. The locally incorporated branch or subsidiary, in accordance with the provisions of Section 20 of the Nigerian Investment Promotion Commission Act, must apply to the Nigerian Investment Promotion Commission ("NIPC") for company registration and other necessary authorizations and licenses to allow foreign participation.

Nigeria has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that Nigeria mandates functional and accounting separation for operators with significant market power (SMP) in the telecom market.

In December 2014, Nigeria's National Council on Privatisation (NCP) approved the sale of Nigerian Telecommunications (NITEL) and its mobile arm (M-Tel) to NATCOM Consortium. The government still owns 25% of the NITEL (the incumbent). The government announced it plans to return to the market to sell the remaining 25% to Nigerians through Initial Public Offering (IPO).