Lagos is not just Nigeria’s commercial nerve centre but also the undisputed heartbeat of Africa’s technology ecosystem. From the bustling startup clusters in Yaba to the sleek fintech headquarters across Victoria Island, the city breathes innovation. However, with rapid digitisation comes formidable cyber threats.

According to the National Information Technology Development Agency (NITDA), Nigeria loses at least $500 million (₦600 billion) annually to cybercrime. In a decisive move to secure its digital borders, the Lagos State Government, through Commissioner Gbenga Omotoso, announced the state’s first dedicated Cybersecurity Guidelines for Businesses in Lagos State. This 14-page document, quietly released months earlier and now live on the state’s portal under the banner “Lagos CyberSafe 2026”, represents a crucial pivot in local tech governance.

Unlike the flood of lofty national policies that often gather digital dust, this document is structured as a practical guide. Prepared by Gbemisola Kayode-Bolarinwa, Head of Project Management for the Lagos State Cybersecurity Advisory Council, it is explicitly not a law. There are no punitive fines and no aggressive audits.

Instead, it offers “recommended best practices” tailored to three distinct audiences: small businesses (SMEs), medium-to-large enterprises, and state ministries, departments, and agencies (MDAs). It is timely and relevant considering the recent news of malicious actors breaching the data of several government agencies, including the Corporate Affairs Commission. The document dovetails neatly with the Cybercrime Act 2024, the Nigeria Data Protection Act 2023, and the National Cybersecurity Policy and Strategy 2021.

More importantly, it speaks Lagos’ own language of hustle, limited budgets, and hypergrowth.

The document opens with a stark but honest introduction: Lagos is evolving into a SMART city, home to 22 million digital users and thousands of enterprises, yet “substantial cyber risks” loom large. Phishing, ransomware, insider threats, and unpatched systems are everyday realities for founders and IT managers alike.

The true genius of the guidelines, however, lies in their tiered structure. The drafters do not pretend that a roadside POS operator has the same resources as a fintech unicorn or that a newly launched startup operates like a government portal handling sensitive citizen NIN data.

1. For SMEs, the undisputed backbone of Lagos commerce, the advice is disarmingly simple and immediately actionable. The guidelines strip cybersecurity down to its absolute essentials: no jargon and no six-figure enterprise tools required. The advice includes conducting regular staff training to spot phishing and social engineering, enforcing strong, unique passwords with multi-factor authentication (MFA) across all platforms, and ensuring automatic software updates.

It also champions the classic 3-2-1 backup rule (three copies, two media types, one offsite) and basic network hygiene, such as changing default router passwords and segmenting guest Wi-Fi. A written incident response plan is highly recommended, alongside strict adherence to the 72-hour breach reporting window to ngCERT.

2. Medium and large enterprises get the next layer of complexity: formal governance, rigorous risk assessments, and dedicated security budgets.

At this tier, the state encourages adopting recognised global frameworks like NIST or ISO 27001. Companies are advised to deploy identity and access management (IAM) solutions enforcing least-privilege rules. The guidelines emphasise network segmentation, security information and event management (SIEM) tools, and simulated phishing campaigns to keep staff continually alert.

Data Protection Impact Assessments (DPIAs) and privacy-by-design concepts become mandatory in spirit, if not by law. Crucially, third-party vendor risk management enters the picture, acknowledging the harsh reality that a cloud provider’s hidden weakness can quickly become an enterprise’s headline-making crisis.

3. MDAs handling Critical National Information Infrastructure (CNII) and sensitive citizen data face the strictest expectations of all. The guidelines outline the need for full governance committees, privileged access management, and functional security operations centres (SOCs). There is a heavy focus on continuous threat intelligence sharing and rigorous third-party risk programmes equipped with ironclad contract clauses and offboarding protocols.

Application security receives its own deep dive, mandating a secure software development lifecycle (SSDLC), OWASP Top 10 adherence, web application firewalls, and regular penetration testing. Public notification protocols during incident response are explicitly required, prioritising transparency with citizens. According to the document, “Businesses that adopt these recommendati