How the New NCC Internet Code Affects Telecom Operators and Users

Internet usage today goes far beyond swiping on a screen or simply subscribing to data plans. What truly makes the digital experience meaningful for users is the assurance of safety, privacy, and trust online.

To strengthen these protections, the Nigerian Communications Commission (NCC) has revised the Internet Code of Practice (ICP) to reflect evolving internet usage patterns and emerging technologies.

On February 13, 2026, the Commission released ICP 2026, an updated version of the 2009 framework. The new code defines the rights and obligations of telecom operators in managing internet services while protecting users’ rights to an open, safe, and responsible internet.

Below are seven key changes introduced in the revised ICP 2026.

1. Transactional Data Management

The revised code strengthens rules on how telecom operators manage subscribers’ transactional data.

Under Chapter 3.5, Internet Access Service Providers must not allow third parties to harvest transactional data from their networks without prior written approval from the NCC.

“An Internet Access Service Provider shall not allow the harvesting of transactional data on its network or access by a third party without the prior written approval of the Commission.”

This means organizations or government agencies seeking subscriber metadata for research, analytics, or other purposes must first obtain approval from the Commission.

Transactional data includes activity logs generated by network providers such as:

Internet usage patterns

Customer behavioural trends

Interaction with online services

Spending habits and consumption data

The provision aims to strengthen data privacy and prevent misuse of subscriber information.

2. Stronger Cybersecurity Obligations

Unlike earlier frameworks, ICP 2026 introduces explicit cybersecurity requirements.

Under Chapter 3.1, telecom operators must implement the Commission’s Cyber Security Framework, particularly the Cyber Resilience Framework for the Nigerian Communications Sector (CRF-NCS).

Key obligations include:

Reporting any cyberattack to the NCC within four hours of detection

Providing updates every four hours after the incident

Submitting a confirmation report within 24 hours

The rule is designed to ensure rapid response to cyber threats and better protection of critical telecom infrastructure.

3. Expanded Takedown Notice Framework

The revised ICP also updates the content takedown procedure.

While both the previous and current regulations allow unlawful online content to be removed within 24 hours of a directive, ICP 2026 introduces additional safeguards.

Under Chapter 5.3.3(d):

Individuals or organizations affected by a takedown order can appeal the decision through established procedures.

Additionally, telecom operators may initiate takedown requests themselves, provided they submit formal notice to the Commission.

This adjustment aims to balance regulatory enforcement with due process and accountability.

4. Regulation of Artificial Intelligence Tools

Recognising the rapid growth of AI-driven technologies, the new code introduces rules governing the deployment of AI systems by telecom operators.

Under Section 5.4, operators must:

Notify the NCC before deploying AI tools or emerging technologies

Explain how the technology works

State its purpose and intended outcomes

Telecom operators must also inform subscribers who may be affected and ensure AI deployment complies with the Commission’s ethical and operational standards.

5. Stronger Child Online Protection Measures

While previous regulations recognised the need to protect children online, ICP 2026 introduces additional safeguards.

New requirements include:

Simple parental control tools that users can easily activate

Online safety guidance provided in multiple languages

Default settings requiring users to opt-in before accessing certain services

These measures aim to protect minors and vulnerable users who may not fully understand the implications of online activity.

6. New Rules for Managing Harmful Content

For the first time, the ICP introduces specific provisions for digital and online communication platforms operating in Nigeria.

Under Chapter 6, digital service providers must submit community guidelines to the NCC within six months of the code’s release.

The rules must align with the provisions of the Nigerian Communications Act 2003, particularly Section 146, which focuses on the protection of national interest.

These guidelines must include mechanisms for addressing:

Harmful content

Disinformation

Fraudulent activities

Unlawful online material

7. Biannual Compliance Reporting

To ensure adherence to the new rules, telecom operators must now submit compliance reports twice a year to the Commission.

Under Chapter 7.3(ii):

“All Internet Access Service Providers shall render reports to the Commission on compliance with the Code on a biannual basis.”

Operators must also provide clear implementation plans outlining how they will comply with the new provisions.

Why the New Rules Matter

The revised code arrives at a time when data privacy and cybersecurity have become critical concerns globally.

With frequent incidents involving data breaches, identity theft, biometric data exposure, and financial information leaks, the updated ICP seeks to strengthen trust in Nigeria’s digital ecosystem while promoting responsible internet governance.