Nigeria: Milestone In Electronic Commerce: How The Cybercrime Act 2015 Impacts Businesses

Last Updated: 11 March 2019
Article by Femi Olubanwo and Oluwatoba Oguntuase

Globalisation, a characterising feature of the 21st Century, is fast shrinking the world into a borderless global village. This trend is being facilitated by advancement in technology by which people and information residing miles apart are readily accessible through one or few clicks on a simple digital device, such as a smartphone or the iPad. A new digital revolution is said to be underway in which about 30% of global population is actively living in the cyberspace, in real terms.

Today, virtually all business transactions and other daily human endeavors (teaching, learning, sales and promotional activities, commercial transactions, shopping, procurement, supply, payments, banking, insurance and professional services) take place via online platforms. The world's growing cyberspace is driven by new innovations which are increasingly being aided by modern computer technologies, the Big Data phenomenon and the Internet of Things (IoT).

Since activities which, before the computer age, took place only in the physical spheres like land, air and the sea (but are now taking place over the cyberspace) are governed by laws made to handle the peculiar natures of those spaces; it is imperative that cyber laws are enacted in order to cater to the needs of, as well as the problems emanating from, doing business through the cyberspace.

Many advanced countries of the world had long enacted their respective cyber laws. However, online transactions continued in Nigeria for a long time without any specific governing law, thereby posing great risks to individuals, businessmen, organisations and even the government; some of whom in many instances in the past, had fallen victims to cybercrimes without any concrete legal regime for seeking redress. Succour, however, came in May 2015 when the Cyberc rime s (Prohibition, Prev ention, etc.) Act 2015 (the "Cyber crime s Act") – was signed into law.

Apart from criminalising certain acts, prescribing punishments for their commission and creating an institutional and enforcement framework, the Cybercrimes Act addresses most of the lacunae which had hitherto rendered the Nigerian cyberspace unsafe for transacting business. However, in addition to potentially improving investors' confidence in the Nigerian e-business environment, the Cybercrimes Act has also generated fresh risk management issues.

This article takes an analytical look at why the enactment of the Cybercrimes Act is considered a milestone in electronic commerce and the potential major impacts it may have on domestic and international commercial transactions undertaken in Nigeria.


A review of the legal regime before the enactment of the Cybercrimes Act can best be done by understanding how electronic/online business transactions fared in the periods before 2011 and thereafter (but before the enactment of the Cybercrimes Act). In the first period (that is, before 2011), no recognition was given to electronic or computer generated documents in our evidential law. The main effect of this situation was that where disputes arose out of commercial deals concluded by e- mails or via online platforms, the computer-generated contract documents were not competent for proving their contents in the court of law (even where they were admitted for "relevancy" sake); as it was not clear whether they should be treated as primary or secondary evidence under the Eviden ce Act, Cap. E14, Laws of the Federa tion of Nigeri a, 2004 (the "Old Eviden ce Act").

Besides, there was the challenge of proving the authenticity and/or the identity of the owner of an electronic signature appearing on any computer or online print-out of contractual terms. Under the Old Evidence Act, procedure for proving the sealing of a document required actual "writing" on a tangible medium by the person alleged to have executed such document; so as to examine his signature or finger impression see sectio ns 100, 102 and 108 of the Old Evide nce Act. This legislation did not envisage the now widespread use of electronic signature in e-mail transactions, cryptographic codes on internet platforms and biometric system in financial institutions (such as the current use of Bank Verification Number (BVN) in the banking system).

However, the enactment of the Evide nce Act 2011 (the "New Evide nce Act") which resulted in substantial improvements on the Old Evidence Act, ushered in the second period of the previous legal regime. Sectio ns 84 and 93 of the New Eviden ce Act provide for the admissibility of computer- generated documents, the recognition of electronic signature and waiver of its proof by means of writing on a tangible medium. This was the first major boost to e-commerce in Nigeria prior to the coming into force of the Cybercrimes Act.

However, despite improvements on the evidential value of electronically-generated documents since 2011, many cybercrimes which undermine the confidence of parties to online transactions and deter, ipso facto, the growth of e-commerce still went unchecked. This was due to certain circumstances, including:

(i)     the fact that common fraudulent and harmful electronic and internet activities such as scamming, cybersquatting, cyberattack, PIN theft, hacking, phishing etc. were not defined in any statute and therefore were somewhat "unknown" to the Nigerian legal system. It is trite that an action will only constitute a crime in Nigeria where it is stated, by a statute, to be a crime and the penalty thereof is prescribed in a written law see section 36(12 ), Constitut ion of the Federa l Republic of Nigeri a 1999, as amende d.

(ii)    neither any court with designated jurisdiction to prosecute cybercrimes nor a body with the needed specialised skill and machinery for properly investigating alleged commission of same (other than the Economic and Financial Crimes Commission and the Police Force, which are trained to generally deal with conventional criminal matters) existed.


The coming into force of the Cyberc rime s Act changed the Nigerian legal landscape significantly, with the overall effects of better securing and further expanding the scope of e-business transactions. Some of the specific provisions of the Cybercrime Act which are expected to impact investments and general commercial activities in Nigeria include:

1. Creation of the concept of "Critical Infrastructure" (see section 58 of the Cyberc rimes Act) and the empowerment of the President to designate any computer system as Critical National Information Infrastructure – see section 3 of the Cyberc rime s Act

2. Presumption of regularity and binding effect of electronic signatures in respect of many common business transactions – see section 17(1) of the Cyber crim es Act

3. Creation of new offences by criminalising certain fraudulent activities done through electronic devices and the internet, which were not previously defined as crimes in the country's regular penal laws – see Part III (section s 5-36), section 46 and genera lly secti on 58 of the Cybercr imes Act – and the creation of both individual and corporate liabilities and penalties such as committal of the directors of affected companies to various terms of imprisonment, as well as imposition of heavy fines on affected organisations.

4. Protection of organisations' copyrights in trademarks and domain names

5. Obligation of business entities to report incidences amounting to cyber threats – see section 21 of the Cyberc rime s Act

6.Duty of service providers to collaborate with law enforcement agents (including by providing access to data stored) in relation to electronic transactions – see sectio ns 38, 39 & 40 of the Cyberc rime s Act

7. Establishment of institutions for the enhancement of cybersecurity – see sections 42 & 44 of the

Cyberc rime s Act

8. Obligation of financial institutions to ascertain and secure identities of customers that are provided with "Access Devices" for computer transactions, and the prohibition of the vesting of posting and authorising access in a single employee –  see sections 37 & 19 of the Cyberc rime s Act

9. Provision for a well-coordinated system of administration and enforcement of the cybercrimes law

see section s 41, 42, 44, 47 & 49 of the Cyberc rime s Act

10. Vesting of jurisdiction to try offences in the Federal High Court and provision for trans-border cooperation on investigation, prosecution and enforcement of court judgements in   respect of cybercrimes – see sections 50, 51 & 52 of the Cyberc rime s Act


Height ened risk mana gement function

Business entities are going to tighten their belts in the area of risk management as it affects corporate information security. This will enhance the sanctity of electronic commercial transactions under the new legal regime because substantial breach of information security will not only affect customers/subscribers but will also be costly for business organisations.

Business organisations such as financial institutions, internet service providers ("ISPs") and communication companies, among others, hold critical data of private and corporate citizens in their computer systems/programs or networks which may now be considered as "Critical Infrastructure". Such data are vital to the country, and any incapacity or destruction of, or interference with, such system and assets could have a debilitating impact on national or economic security, national public health and safety, or any combination of those matters.

Where these entities are attacked (or are susceptible to attacks) by cybercriminals in a way that may pose serious threat to the resilience of the financial system as a whole; the President may, on the recommendation of the National Security Adviser, designate such computer systems/programs or networks as constituting Critical National Information Infrastructure ("CNII"). Given the level of technical know-how in the country, it is most likely that some business entities may be caught in the CNII web. Any affected company or business would no longer have private control of its computer system or network but would be compelled to take instructions from the government with respect to how the system or network could be accessed or data transferred therefrom.

Another risk issue for business entities is the new position that all electronic signatures on documents (with the exception of certain critical transactions listed under section 17(2) of the Cybercrimes Act) are legally presumed to be valid. The burden of proving that any electronic signature appearing on a document, evidencing a company's transaction or contract, is forged rests squarely on that company. Therefore, it will be imperative for corporate organizations and persons to invest in cybersecurity apparatus and techniques in order to fortify their computer systems/programs against hacking or other electronic identity-theft practices.

A new challenge is created, by the Cybercrimes Act, for business organisations as a result of the obligation imposed on them to report cyber threats on their computer systems. The new position is that all  organisations operating a computer system or network must "immediately inform the National Computer Emergency Response Team's ("National CERT") coordination center of attacks, intrusions and other disruptions likely to hinder the functioning of another computer system or network, so that the National CERT can take the necessary measures to tackle the issues; which measures may involve the isolation of such computer system or network till the issues are resolved. Failure to make the report within 7 days of the occurrence of the threats attracts the penalty of internet services denial with the compulsory payment of N2,000,000 into the National Cyber Security Fund ("NCSF"). As a result of these new requirements, businesses are going to be faced with the challenge of determining the optimal decision to make when confronted with cyber threats; for instance whether they should (i) immediately report such occurrences to the National CERT, a decision that may have adverse impacts on their operations (e.g. their systems/networks being declared as CNII); or (ii) first attempt to deal with the threat internally before reporting same (a situation that may make them liable to penalties if such internal actions eventually fail)?

Further, ISPs are required to report to relevant authorities or law enforcement agents, when requested, whatever traffic data and subscriber information which they are lawfully required as the case may be to intercept, record, retain and protect. This will be another important risk factor for other business organisations that are clients of the ISPs. It is likely that firms/companies will begin to demand the inclusion in their internet service agreements, clauses that will compel ISPs to notify them whenever any data that relate to their operations are requested by third parties such as law enforcement agents.

Improved confid ence, more trans actions

There is hope that the new legal regime will boost the confidence of individuals, firms and companies to transact more businesses and render services online, without the fear of falling victims to identity theft, plagiarism or copyright violation. For instance, the Cybercrimes Act criminalises cybersquatting, that is any act which amounts to "the acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation, and deprive others from registering the same, if such a domain name" is an existing and legally registered trademark or is confusingly similar or identical to it; or similar and identical to the name of a person; or acquired without right or with intellectual property in it.

The widespread confidence which the new regime is likely to engender, to the extent that one will most likely be dealing with the real person/entity as represented in any online business proposal, negotiation or actual transaction; should significantly raise the volume of e-business in the country.

The establishment of institutions which are going to work together to enhance cybersecurity in the country should further boost confidence and ultimately result in increase in the volumes of e-commerce. In this connection, the Cybercrimes Act established (i) the Cybercrimes Advisory Council, which is the policy think-tank for coordinating all research and policy issues "relating to the prevention and combating of cybercrimes and the promotion of cyber security in Nigeria"; and (ii) the NCSF which will provide substantial part of the needed capital for financing the country's cybersecurity policy. 

The NCSF, by the provisions of section 44(2)( a) of the Cyberc rimes Act, shall be entitled to receive sums equivalent to 0.005% of all electronic transactions done by certain entities, such as GSM service providers and all telecommunication companies; ISPs; banks and other financial institutions; insurance companies; and the Nigerian Stock Exchange. It is however not clear whether this levy is payable on deals done by these entities themselves or those transacted through their platforms. The accrued amount in the NCSF may be allocated, to the maximum limit of 40%, for executing programs relating to countering violent extremism.

Expansion of cover age and financial inclu sion

Although the Central Bank of Nigeria's Know-Your-Customer (KYC) policy has been in force and is being implemented by deposit money banks and other financial institutions for several years, the Cybercrimes Act further mandates all financial institutions to verify the identities of their customers before providing them with any "Access Device" (a list of what constitutes an "Access Device" is contained in section 58 of the Cybercrimes Act) for electronic transactions. Similarly, no employee of a financial institution is to be vested with both posting and authorising access at the same time.

It is expected, that these statutory provisions shall limit the incidences of identity theft; fraud via ATM/POS terminals; and fraudulent issuance of electronic instructions. Invariably, as the cyberspace becomes more secure and also easy to link through simple electronic devices such as the mobile phone; the use of electronic money transfer, mobile banking and other electronic financial services will become almost ubiquitous. One hopes to see more people from the informal sector of the economy and those who are largely regarded as previously 'un-bankable', opening bank accounts and subscribing to financial services through e-platforms.

Incre asing comme rcia l liti gation

Last (but not the least) of what to expect, is the rise in volume of commercial litigation arising out of contractual disputes. The lack of a specialised statutory regime governing cyber-related contractual agreements in the past, had limited not only the volume of commercial deals concluded electronically but also the number of cases instituted for seeking redress in cases of breaches.

The Federal High Court is now conferred with special powers to try cyber-related offences and the jurisdiction is nationwide. Disputes shall be given speedy trial without room for interlocutory applications for stay of proceedings. Again, the Cybercrimes Act provides for cross-jurisdictional cooperation. This will ensure that investigation of allegations of offences shall enjoy mutual assistance from foreign countries while accused persons, against whom prima facie cases are established, and convicted persons in respect of trans-border transactions; shall be liable to extradition. In effect, there will be better guarantee of the sanctity of commercial contracts.


As cyberattacks are a universal threat with implications that cut across the global financial and economic systems, Nigeria, with its Cybercrimes Act, has moved a step further towards joining the league of cyber-protected markets. The country is also now poised to take advantage of information sharing among nations of the world having cyber-related laws. Expectedly, information will be shared about sophisticated technologies deployed by cybercriminals whose activities include hacking, phishing, spamming, spreading of computer virus, cybersquatting and violent attacks; as well as the mechanisms for combating these crimes.

According to the latest System Risk Barometer Survey conducted by The Depository Trust & Clearing Corporation (DTCC) – a US global financial services firm – and reported in the January 2016 issue of The Banker (a publication of the Financial Times of London), "cyber risk remained the number one concern globally among financial service professionals, with 70% of all respondents citing it as a top five risk" in recent years.

With a population that is 170 million strong, and who  are fast connecting to one another and to institutions on the internet and social media (about 4 million of this population are said to be very active players already on such electronic/online platforms like Jumia, Konga, Amazon etc. while many more are subscribing to the services of e-payment solution companies like Master  Card, InterSwitch, VisaCard and e-transact); the country will become open to e-business much more in the new dispensation.

Though there are concerns that the cost of compliance with the Cybercrimes Act will significantly raise overhead costs for businesses in terms of training, research, and capacity development; the attached benefits of security, reliability, automation, integration, and increased profitability in the long-run make compliance worthwhile. At any rate, doing business in the Nigerian cyberspace is set to experience a paradigm shift, going forward.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Related Topics
Related Articles
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions