NCC Mandates 4-Hour Cyber Incident Reporting for Telecom Operators
Telecom service providers have been given 12 months from the framework’s release on February 23, 2026 to achieve full compliance with the new standards, although the NCC noted that it may begin compliance reviews earlier if necessary.
The Nigerian Communications Commission (NCC) has introduced a new Cyber Resilience Framework for the Nigerian Communication Sector (CRF-NCS) requiring major telecom operators to report significant cybersecurity threats and incidents within four hours of detection. The directive is part of efforts to strengthen the country’s digital infrastructure against increasingly sophisticated cyberattacks and improve coordinated responses across the telecom ecosystem.
Under the framework, licensed service providers—including major mobile operators such as MTN Nigeria, Airtel Nigeria, and Globacom—must report cybersecurity breaches to the NCC’s Computer Security Incident Response Team (CSIRT). For high-severity or critical incidents, operators are required to submit an initial notification within four hours, followed by a more detailed post-incident report once the issue has been contained.
The framework also introduces a standardized reporting process, requiring operators to submit incident details using an official cybersecurity incident notification template. The report must include the type of threat—such as distributed denial-of-service (DDoS) attacks or ransomware—the systems affected, and the initial containment measures implemented.
The directive applies to communication service providers across three operational tiers. Tier 1 includes major operators such as mobile network operators, Universal Access Service License holders, and data centre operators. Tier 2 covers Internet service providers, value-added service aggregators, and shared infrastructure providers, while Tier 3 includes support service providers such as terminal equipment vendors and cyber cafés.
According to the NCC, the new reporting requirement is designed to enhance sector-wide cyber resilience, allowing the regulator to quickly coordinate responses and prevent threats from spreading across interconnected networks. The move also aims to protect Critical National Information Infrastructure (CNII) and safeguard consumer data as digital services continue to expand across Nigeria.
Telecom service providers have been given 12 months from the framework’s release on February 23, 2026 to achieve full compliance with the new standards, although the NCC noted that it may begin compliance reviews earlier if necessary.
