
Wanted: Legal teeth to CNII Executive Order

April 28, 2026 by The Nation

The Critical National Information Infrastructure (CNII) Executive Order 2024 marks a major step in protecting critical infrastructure, but the absence of a dedicated law undermines its impact. Stakeholders at the Advocaat Communications Infrastructure Summit 2026 warn that without clear legal backing, stronger penalties, and coordinated implementation, rising vandalism and infrastructure attacks will continue. Deputy News Editor JOSEPH JIBUEZE reports.

In a country where a single severed fibre cable can cripple banking systems, disrupt emergency communications, and stall economic activity, the protection of digital infrastructure is no longer a technical concern; it is a test of legal strength.

At stake is not just connectivity, but whether Nigeria’s laws are robust enough to deter, punish, and prevent the growing wave of attacks on the systems that power its economy.

The question is no longer whether critical infrastructure should be protected, but whether the existing legal framework can enforce that protection with the clarity, speed, and severity the moment demands.

There is also the question of whether the law can keep pace with a rapidly digitising economy.

These are the concerns hanging over Nigeria’s Designation and Protection of Critical National Information Infrastructure (CNII) Executive Order 2024, a policy instrument that has been widely praised as visionary, yet remains, in many respects, legally incomplete.

Signed in June 2024 by President Bola Ahmed Tinubu, the Order marked a decisive moment in Nigeria’s digital governance architecture.

For the first time, the Federal Government formally designated infrastructure across telecommunications, finance, power, oil and gas, transportation, digital systems, and national security as critical national assets.

They are systems whose uninterrupted operation is indispensable to economic stability, national security, and Nigeria’s digital transformation ambitions.

But nearly two years later, a more difficult question has emerged: Can an executive order, however well-intentioned, deliver the level of enforcement, deterrence, and legal certainty required to protect infrastructure that underpins nearly a fifth of the national economy?

A policy breakthrough

At its core, the CNII Order is both ambitious and necessary.

It seeks to move Nigeria from a reactive, fragmented model of infrastructure protection to a proactive, intelligence-driven framework.

Its provisions are sweeping. It designates telecommunications towers, fibre-optic cables, data centres, satellite systems, and e-government platforms as protected assets.

It mandates the development of protection plans, empowers the Office of the National Security Adviser (ONSA) to coordinate security, and criminalises the wilful destruction or disruption of designated infrastructure under the Cybercrimes Act.

On paper, it is a strong framework. In practice, however, it sits in a legally ambiguous space: an executive directive attempting to perform the work of primary legislation. That distinction matters.

Unlike an Act of Parliament, an executive order does not, by itself, create a comprehensive criminal code, define offences with precision, establish sentencing thresholds, or provide procedural clarity for prosecution.

Instead, it relies heavily on existing statutes: principally the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015 (as amended in 2024) to give it teeth.

The result is a framework that is conceptually sound but operationally fragile.

As several stakeholders argued at the Advocaat Communications Infrastructure Summit 2026 in Lagos, the gap between designation and enforcement is where the real risk lies.

The summit brought together key stakeholders across the telecommunications, infrastructure, regulatory, security, and policy ecosystems.

Its theme was: “Operationalising the Critical National Information Infrastructure Framework: Lessons, achievements, gaps, and next steps.”

It featured a keynote address and high-level panel discussions.

A digital economy too big to fail

The urgency of the legal gap around the Executive Order becomes clearer when viewed against the scale of Nigeria’s digital economy.

In 2023 alone, the sector contributed approximately $23 billion (about N18.44 trillion) to GDP, roughly 18.2 per cent of the national economy, up from 16.2 per cent in 2021.

This is not a marginal sector; it is a central pillar of economic growth and diversification.

Two components dominate this ecosystem: the Information and Communication Technology (ICT) sector, contributing about 11.18 per cent to real GDP, and the Financial Institutions (FI) sector, contributing approximately 3.23 per cent.

Together, they form the backbone of Nigeria’s digital transformation, powering everything from mobile banking and fintech innovation to remote work, digital freelancing, and the fast-growing gig economy.

According to Advocaat, the ecosystem is expanding rapidly.

Software-as-a-Service platforms, content creation, and online skills development are unlocking global opportunities for Nigerian talent.

Broadband penetration is improving. Digital payments are becoming ubiquitous. Investor confidence, while more selective, is shifting toward sustainable digital enterprises.

Yet this growth has exposed a structural vulnerability: the infrastructure enabling it is increasingly under attack, physically and digitally, while the legal framework protecting it remains underdeveloped.

A national security milestone

Delivering a keynote address, Commandant Rotimi Onibiyo, Deputy Director, Policy and Strategy, Directorate of Critical National Assets and Infrastructure Protection (DCNAIP) at the ONSA, described the CNII Order as transformative, at least in intent.

“Signed in 2024, this landmark in Nigeria’s digital governance and national security recognises that telecommunication systems are vital to national security, economic stability, and public safety,” he said.

But he was quick to add a crucial caveat: “The Order provides the legal foundation, but its true value lies in deliberate, coordinated, and sustained implementation.”

Before the Order, Onibiyo noted, infrastructure protection in Nigeria was fragmented and reactive.

He said: “Infrastructure protection was reactive rather than proactive and fragmented, with agencies operating in silos. There was a weak public-private partnership… and issues with wanton vandalism, sabotage, and compromise.”

The CNII framework, he argued, creates an opportunity for a coordinated, intelligence-led approach. But that opportunity remains largely unrealised.

Onibiyo outlined an ambitious implementation roadmap, one that underscores how much work remains.

A central plank is the creation of a coordination mechanism - the DCNAIP - expected to harmonise policy, align operations, and resolve interagency friction.

“This ensures all stakeholders work within a unified national framework, as no single agency can manage CNII protection alone,” he said.

He also stressed the importance of a national asset register: “Effective protection begins with knowing what to protect.

“The register must capture telecommunications towers, fibre optic networks, data centres, and power control systems.”

But that register is still pending.

Other pillars include sector-specific risk assessments, minimum security standards, and a centralised incident reporting system.

“Compliance must be mandatory and tied to licensing and regulatory approvals, with operators taking ownership of infrastructure protection as a core operational responsibility,” he added.

Perhaps most critically, he emphasised enforcement.

“Attacks on CNII must be treated as serious national security offences.

“Without credible enforcement, compliance will remain weak, and the Order’s objectives will be undermined.”

Rising attacks, weak deterrence

If Onibiyo’s remarks outlined the blueprint, industry players provided a sobering reality check.

Gbolahan Thomas, Associate Director, Network Permits, External Relations & Public Policy, IHS Nigeria, who was a panellist, presented stark figures illustrating the scale of the problem.

“We had 64 battery and 17 generator thefts in the first month of this year.

“In January, there were 160 cases of massive cable thefts recorded. In February alone, more than 155 cases were reported compared to 73 last year.”

He noted that despite the CNII designation, infrastructure crimes remain widespread and largely undeterred.

Thomas identified a key problem: weak enforcement and mischaracterisation of offences.

He said: “Sometimes these crimes are reported to the police, but because the police do not really have the expertise, they take them for just ordinary theft, and sometimes they pay a fine of N3,000, and then these guys go.”

The implication is clear: the law does not match the scale or seriousness of the offence.

For Thomas and many others, the solution lies in legislation.

“We need to do more in terms of punishment, deterrence, and the clear application of the law,” he said.

He called explicitly for an Act of Parliament: “Beyond the Executive Order, we need to have these penalties codified in law. With that, there will be deterrence beyond enforcement. We need a change in the legal setup.”

He argued that even modest improvements would have an impact.

“Even a 30 per cent reduction in vandalism will be significant,” he said.

The absence of a clear legal regime, he suggested, allows offenders, and even negligent actors like construction firms, to operate without meaningful consequences.

“If a construction company knows they will have to pay for the cost of restoration, they will be cautious,” he said.

Monitoring, compliance and limits

From the regulatory side, the Nigerian Communications Commission (NCC) outlined steps being taken to bridge the gap.

Chizua Whyte, Head of Legal and Regulatory Services at the Commission, represented by Olutunde Osunleye, Principal Manager, Policy, highlighted ongoing compliance efforts.

She said: “The commission has been engaging in a series of PTS monitoring exercises, visiting sites to ensure that matters like minimum security standards are put in place.”

These include checks on CCTV systems, alarm infrastructure, and physical security at telecom sites.

Where infractions are identified, operators are required to act.

“We ensure that we write to various operators; these are infractions that need to be remediated.”

Enforcement, she explained, follows due process.

“We give time for compliance; then if there is no compliance, the regulator has the power to now say, yes, we will enforce,” she said.

Whyte also pointed to the Telecom Infraction Reporting Hub as a key tool for coordination, enabling incidents to be escalated to the NSCDC for action.

But she placed responsibility on operators as well, saying: “It is the responsibility of the operators to seek help.”

Enforcement: progress, but not enough

From the enforcement perspective, Dr Benito Eze, Assistant Commandant General of the NSCDC, struck a cautious tone.

“We’re not where we should be, but we’ve left where we used to be,” he said.

He highlighted the complexity of the threat landscape, pointing to insider involvement and organised criminal networks.

“A novice won’t know how to remove the battery from a base station or the market to sell,” he said.

He said enforcement actions have yielded some results, including arrests of suspects and foreign nationals.

But these efforts, he believes, remain insufficient relative to the scale of the problem.

The legal gap

Perhaps the most striking intervention came from a panel moderator and telecoms lawyer Rotimi Akapo, Partner/Head of TMT Department at Advocaat, who distilled the legal dilemma into a single line.

“You cannot be guilty of a crime that does not exist,” he said.

The statement captures the core weakness of the current framework.

While the CNII Order designates infrastructure and signals intent, it does not, by itself, create a comprehensive, codified set of offences with clearly defined penalties.

This leaves prosecutors relying on general laws, often ill-suited to the specific nature of infrastructure crimes.

The result is inconsistency, weak deterrence, and, ultimately, continued attacks.

Counting the cost of weak enforcement

For operators, the consequences are financial and immediate.

Johnson Oyewo of MTN Nigeria revealed the scale of losses: “Eleven billion naira was spent on repairing damaged cuts within a few months.”

Beyond cost, there is the issue of response time and operational disruption.

“We require law enforcement support. We also need to close the gaps around the laws, and the ONSA can champion that,” he said.

The economic implications extend beyond telecom companies. Service disruptions ripple across banking, commerce, healthcare, and governance.

Recognising the limitations of the existing judicial system, some stakeholders proposed alternative approaches.

Olawale Fayose of MainOne suggested a specialised adjudicatory mechanism.

The idea, according to him, is a dedicated system, outside regular courts, to fast-track CNII cases and build expertise.

Such a mechanism could address delays, improve consistency, and enhance deterrence.

A recurring theme at the summit was the role of subnational actors.

Many disruptions occur at state and local levels, often linked to construction activities, community disputes, or informal levies.

Onibiyo emphasised the need to integrate CNII into state-level governance.

“Many CNII disruptions occur at the sub-national level, and there is a need for visible corporate social responsibility to close community gaps,” he said.

Without local buy-in, enforcement at the federal level will remain limited.

From policy to law: the next step

Nigeria’s CNII challenge is compounded by a dual threat landscape.

Unlike more advanced economies, where cyber threats dominate, Nigeria faces significant physical risks: vandalism, theft, and sabotage, alongside cyber vulnerabilities.

“In Nigeria, physical threats remain major risks alongside cyber threats,” Onibiyo noted.

As discussions at the Advocaat summit made clear, the CNII Order is an important beginning, but not an endpoint.

To achieve its objectives, Nigeria must move from executive policy to legislative certainty.

This means:

  • Enacting a dedicated CNII law
  • Defining offences and penalties clearly
  • Strengthening enforcement capacity
  • Enhancing judicial prioritisation
  • Improving interagency coordination

Above all, it means ensuring that violations carry real consequences.

Advocaat: Driving the conversation

For Advocaat Law Practice, the summit was designed to catalyse this shift.

As Akapo put it: “At a time when digital infrastructure underpins national security, economic growth and public trust, the conversation must shift from intention to execution.”

The firm, with its deep expertise across infrastructure, telecommunications, and dispute resolution, has positioned itself at the centre of this evolving legal landscape.

Its work, spanning commercial litigation, regulatory advisory, and high-value disputes, reflects the growing importance of legal precision in safeguarding economic assets.
