On June 24, 2024, President Bola Tinubu signed the Executive Order titled “Designation and Protection of Critical National Information Infrastructure Order, 2024,” aimed at safeguarding Nigeria’s information and communications technology (ICT) assets to bolster the nation’s economy. This order derives its authority from Section 3 of the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015 (as amended), empowering the president to designate certain computer systems and networks as critical national information infrastructure (CNII).
The objectives of this order are clear: to identify and designate specific ICT systems, networks and infrastructure operating in Nigeria as CNII; to develop cohesive measures and strategies for their security and protection; and to ensure their continued operation. The order emphasises a proactive and holistic approach to the identification, security and protection of CNII, aiming to minimise incidents capable of damaging, disrupting, or interfering with their operation, functionality, or integrity.
Essentially, the order seeks to ensure the effective functioning of ICT systems, networks and infrastructure, which are critical to driving national imperatives, economic development, national security and defense, public health and safety and government operations. It lists computer systems, networks, and communication infrastructures acquired, installed, deployed, and operated in sectors of the Nigerian economy as critical and, therefore, designated as CNII.
However, despite the well-intentioned nature of this document, its impact has yet to be felt. Not much has been done or heard in this regard, as it appears the document remains confined to government archives – another policy with good intentions but slow implementation. Strangely, there is a noticeable silence surrounding it, leaving industry players concerned.
Regarding the Cybercrime Act from which this order was derived, little progress has been made, aside from isolated arrests and prosecutions, particularly concerning cyberstalking and related offenses. The CNII Order requires robust implementation, especially if we aim to build a resilient and robust economy, sustain and protect telecommunications infrastructure and grow the ICT sector to improve the gross domestic product (GDP), among other goals.
Since the Order’s signing in 2024, little has been heard or implemented, raising concerns that such a promising policy is being neglected in the corridors of governance.
CNII refers to interconnected systems and networks indispensable for the functioning of the nation’s economy, security, public health and general safety. These information infrastructures ensure seamless communication, data storage, and operational continuity in both private and public sectors. Examples of CNII include telecommunications networks, financial systems, transportation management systems, national power grids and the national identity management system. Disruption to any of these systems could result in significant economic losses and distress.
Legal experts explain that the Office of the National Security Adviser (ONSA) is tasked with leading efforts to protect CNII by collaborating with relevant stakeholders to establish a Trusted Information Sharing Network (TISN) that would encourage the exchange of information across various sectors of the Nigerian economy. The order also empowers the ONSA to conduct regular audits and inspections of CNII to ensure compliance with applicable laws, guidelines and rules.
Additionally, the ONSA, in collaboration with relevant CNII stakeholders, is required to develop and implement a Critical National Information Infrastructure Protection Plan (CNIIPP) and other measures to prevent unauthorised access, theft, vandalism, destruction and unlawful interference with the operation of CNII. This is to minimise risks and reduce incidents that could disrupt or compromise the functionality of CNII.
According to the Act, individuals who commit offenses against CNII – specifically unauthorised access, tampering, or interference – shall, upon conviction, be liable to imprisonment for up to 10 years. Where such acts result in grievous bodily harm to individuals, the imprisonment terms extend up to 15 years. In cases where such offenses lead to the loss of life, offenders are liable to life imprisonment.
The designation of telecom infrastructure as critical national infrastructure may not address the challenges of vandalism unless the government demonstrates the political will to enforce the order. The immediate past government had approved and directed those necessary physical protective measures be put in place to safeguard telecommunications infrastructure deployed across the country. The presidential directive mandated the ONSA, Defence Headquarters (DHQ), Nigeria Police Force (NPF), Department of State Services (DSS) and the Nigeria Security and Civil Defence Corps (NSCDC) to ensure the protection of the infrastructure. These agencies were properly notified of the president’s directive and were expected to enforce it as directed.
However, very little was done, and this had no significant impact, as vandalism of the infrastructure remains a daily occurrence across the country. This underscores the need for the current government to muster the political will to implement this Executive Order, safeguard the infrastructure, and fuel the economy.
The Minister of Communications, Innovation and Digital Economy, Bosun Tijani explained at the advent of the document that “the order is a significant step that would strengthen and protect investments in the ICT sector by reducing incidences capable of damaging the operations and functionality of the country’s technological systems, infrastructure, and networks.” The Minister added that designating telecom infrastructure as CNII would help improve the quality of telecom services, which have often been affected by disruption and intentional damage.
“This gazette now makes it an offense to willfully damage assets such as telco towers/sites, switch stations, data centres, satellite infrastructure, submarine and fibre optic cables, transmission equipment, e-government platforms, databases, among many others,” he said, adding that the government would continue to work to create an enabling and supportive environment and policies for the digital economy to thrive.
The order identifies areas critical for protection, including power and energy sectors, water, information and communication technology, science and technology, banking, finance and insurance, health, public administration, education, defense and security, transport, food and agriculture, safety and emergency services, industrial and manufacturing and mines and steel.
The order states that the national security adviser (NSA) may, with the approval of the president, update the list of sectors in the schedule to this order, taking into consideration emerging technologies and platforms, in line with the Cybercrimes (Prohibition, Prevention, Etc.) Act and the National Cybersecurity Policy and Strategy. Any updates made under the listed areas shall be published in the Federal Gazette.
“The Office of the National Security Adviser (ONSA) shall, in collaboration with relevant CNII stakeholders, develop a comprehensive Critical National Information Infrastructure Protection Plan (CNIIPP) and guidelines specifying minimum standards, rules, and procedures for the protection, preservation, and general management of designated CNII, for the approval of the President.”
“The ONSA shall, in collaboration with relevant CNII stakeholders, establish a Trusted Information Sharing Network (TISN) as a multidisciplinary framework comprising owners and operators of CNII, representatives from relevant ministries, departments and agencies of government (MDAs), and identified private sector organisations. This network aims to build and execute awareness campaigns on risks to CNII, share information and techniques required to assess and mitigate risks in a decentralised manner across sectors of the economy and implement capacity-building initiatives to strengthen and mainstream resilience and protection of the infrastructure and networks.”
Members and entities within the TISN shall collaborate and share information on threats and vulnerabilities and develop strategies and solutions to mitigate known and evolving risks. However, the extent to which this has been implemented across the board remains uncertain.
Before the Presidential intervention, stakeholders in the Nigerian ICT sector had long lamented the persistent attacks on infrastructure across the country and had been calling on the government to designate telecom infrastructure as critical national infrastructure. In March 2024, operators reiterated this call as Nigeria suffered an internet outage due to damage to some fibre optic cables.
“In 2023 alone, MTN Nigeria suffered more than 6,000 cuts on its fibre cable. The operator relocated 2,500 kilometres of vulnerable fibre cables between 2022 and 2023, at a cost of more than ₦11 billion – enough to build 870 kilometres of new fibre lines in areas without coverage,” the company reported.
In early August 2024, CEO of Airtel Nigeria, Carl Cruz speaking during an industry forum, stated that the telecom company had been recording an average of 1,000 cases of fibre cuts every month.
These alarming statistics underscore the urgent need for the full implementation of the CNII Order. The protection of critical national infrastructure is not merely a policy directive but a necessity for the stability and growth of Nigeria’s economy and security. The government must move beyond policy formulation to tangible action, ensuring that the CNII Order is not just a document in the archives but a living framework actively safeguarding the nation’s vital ICT assets.
