
CBN Data Localization Directive for Banks and Fintechs: What You Must Do Before January 2027

[Figure: CBN compliance timeline, June 2026 to January 2027]

On June 15, 2026, the Central Bank of Nigeria (CBN) issued Circular PSS/DIR/PUB/CIR/001/004, signed by the Director of the Payments System Supervision Department, Dr Rakiya Yusuf, directing all financial institutions and payment operators to store and manage payment transaction data generated within Nigeria on local servers. The deadline for full compliance is January 1, 2027, leaving banks, fintechs, payment service providers, mobile money operators, switching companies, and every other licensed payment participant with a narrow six-month window to restructure their data infrastructure, close security gaps, and demonstrate compliance.

This is not a consultation paper. It is a binding circular with supervisory sanctions attached. If your organisation processes payment transactions in Nigeria and relies on foreign-hosted cloud infrastructure, offshore data centres, or cross-border data processing arrangements, this directive affects you directly.

Key dates:

•  Market structure compliance deadline: December 31, 2026

•  Data localisation full compliance deadline: January 1, 2027

The CBN has confirmed it will monitor compliance and impose supervisory sanctions on defaulting institutions.

Key Takeaways

•  The CBN has mandated that all payment transaction data generated in Nigeria must be stored and managed domestically by January 1, 2027

•  The directive applies to deposit money banks, microfinance banks, fintechs, mobile money operators, switching companies, payment solution service providers, and all other licensed payment participants

•  Compliance requires more than moving data. It requires a complete and continuously maintained inventory of where your data lives, robust security on domestic infrastructure, and documented evidence of compliance

What the CBN Data Localisation Directive Requires

The directive is precise in its language. The circular states: “All Financial Institutions and participants facilitating payments within Nigeria shall ensure that payments transaction data generated within Nigeria are stored and managed in Nigeria in accordance with data protection laws and regulations applicable in Nigeria.”

This means that any payment transaction originating within Nigeria must be processed, stored, and managed on servers physically located within Nigerian borders. Cloud providers can still be used, but the data residency must be domestic. That distinction matters for organisations currently using AWS, Microsoft Azure, or Google Cloud to process Nigerian payment data in foreign regions. Those workloads must migrate to Nigerian infrastructure or to domestic deployments of those same cloud providers.

Who the Directive Covers

The circular was addressed specifically to the following categories of licensed operators:

•  Deposit Money Banks (DMBs)

•  Microfinance Banks

•  Mobile Money Operators (MMOs)

•  Switching and Processing Companies

•  Payment Terminal Service Providers (PTSPs)

•  Payment Solution Service Providers (PSSPs)

•  Super Agents

•  Other licensed payment operators

If your organisation holds any CBN licence related to payments, this directive applies to you. There are no carve-outs for small operators, startups, or organisations that process only a limited volume of transactions.

What Else the Circular Introduces

The data localisation requirement is one of four pillars in this circular. The others are:

•  Market structure requirements: Caps on any single institution’s market share in card issuing or merchant acquiring, with a compliance deadline of December 31, 2026

•  Ultimate Beneficial Owner (UBO) disclosure: All institutions with significant digital payments footprints must disclose and maintain accurate records of the ultimate beneficial ownership of significant shareholders

•  Monthly market share returns: Automated monthly submission of market share data using CBN-approved templates and timelines

Taken together, these four pillars represent one of the most significant regulatory interventions in Nigeria’s payments sector in years. The CBN’s stated rationale is to improve transparency, address concentration risk, strengthen oversight, and promote a fair, competitive, and resilient payments ecosystem.

Why the CBN Is Requiring Data Localisation

The CBN has offered three primary justifications for the localisation mandate:

•  Regulatory visibility: Keeping payment data within Nigeria means the CBN and other relevant authorities can access, audit, and supervise it without relying on foreign jurisdictions or navigating international data sharing agreements

•  Data sovereignty: Sensitive financial information about Nigerian citizens and businesses should be subject to Nigerian law, not the laws of whatever country a foreign cloud provider stores it in

•  Operational resilience: Reducing dependence on foreign-hosted infrastructure insulates the payments system from external shocks, including geopolitical disruption, foreign sanctions, and the volatility that comes with paying for infrastructure in foreign currencies

There is also a broader economic rationale. The ALTON chairman noted that many operators currently pay for cloud services and hosting in foreign currencies, placing pressure on their operational costs when the naira weakens. Storing data locally reduces that exposure while simultaneously driving investment into Nigeria’s domestic data centre ecosystem.

The Global Context

Nigeria is not acting in isolation. Regulators in India, Kenya, Indonesia, and across the European Union have implemented or are implementing data localisation requirements for critical financial and personal data. The CBN’s directive aligns Nigeria with a growing global consensus: data generated within a jurisdiction should remain subject to that jurisdiction’s oversight.

In Africa specifically, the Bank of Ghana has moved in the same direction, emphasising local hosting and regulatory visibility for critical financial infrastructure. The regional trend is clear, and organisations that build compliant domestic data infrastructure now will be better positioned as similar requirements spread across other African markets where they operate.

Can You Use AWS, Azure, or Google Cloud to Comply?

This is one of the most common questions from Nigerian banks and fintechs currently operating on global cloud infrastructure. The short answer is: not in their standard form. Here is the current state of each provider and what your realistic options are.

AWS: Lagos Local Zone Only, Not a Full Region

AWS opened a Local Zone in Lagos in 2023. A Local Zone is a limited infrastructure extension that delivers low-latency services closer to end users but does not offer the full AWS service catalogue, the same resilience guarantees, or the comprehensive data residency assurances of a full AWS Region. Most managed services that Nigerian fintechs rely on, including RDS, S3, and many security and analytics services, are not available in the Lagos Local Zone.

AWS does not currently have a full-scale data centre or Region in Nigeria. If your workloads run on AWS in the EU, US, or South Africa regions, they are outside Nigeria and do not satisfy the CBN directive. Migrating selectively to the Lagos Local Zone may address some workloads, but you should obtain explicit written confirmation from AWS about which specific services support Nigerian data residency before relying on this approach.

Microsoft Azure: No Nigerian Infrastructure

Azure’s closest African infrastructure is the South Africa North region in Johannesburg, established in 2019. There is no Azure Region in Nigeria. Any payment data stored on Azure today is outside Nigeria and does not satisfy the CBN directive. As of the date of this article, Microsoft has not announced a Nigerian Region or Local Zone. Organisations relying on Azure for payment data processing will need to migrate those workloads to a compliant Nigerian provider before January 1, 2027.

Google Cloud: No Nigerian Infrastructure

Google Cloud established its first African infrastructure in Johannesburg. There is no Google Cloud Region or Zone in Nigeria. The situation is the same as Azure: data stored on Google Cloud is outside Nigerian jurisdiction and does not meet the CBN requirement. Organisations using Google Cloud for payment processing must plan a migration to domestic infrastructure.

One Advanced Option: Hybrid Deployment on Nigerian Colocation

Some organisations are exploring a middle path: running a global hyperscaler’s managed services stack on infrastructure physically located in a Nigerian data centre. AWS Outposts and Microsoft Azure Stack, for example, allow organisations to deploy cloud-native tooling on servers colocated in a facility of their choosing. If those servers sit in Equinix LG1, Rack Centre, or MTN’s Dabengwa Data Centre in Lagos, the data residency is within Nigeria.

This approach is more complex and more expensive to set up than a standard cloud deployment, but may be worth evaluating for organisations heavily invested in a specific cloud platform that want to retain familiar tooling while achieving compliance. Obtain written contractual confirmation of Nigerian data residency from both the hyperscaler and the colocation provider before relying on this architecture.

Compliant Options: Nigerian Infrastructure Providers

The following providers offer infrastructure physically located within Nigeria and represent the primary compliant options for the CBN directive:

•  Equinix (MDXi): Operates LG1 and LG2 data centres in Lagos, with LG3 planned. One of the most established colocation operators globally, with strong interconnection, resilience, and security standards

•  Rack Centre: A well-established Nigerian colocation facility with connectivity to major internet exchanges and financial networks

•  MTN Dabengwa Data Centre: MTN Nigeria’s major modular data centre, positioned as a local alternative to hyperscalers with cloud services at comparable scale. Enables naira-denominated payments, reducing forex exposure

•  Open Access Data Centres: Nigerian colocation provider serving enterprise and financial sector clients

•  Kasi Cloud: Nigerian cloud provider offering domestic hosting with local currency payments

•  Nobus, Galaxy, Suburban, Layer3, Nebula: Homegrown cloud providers offering naira pricing and contractual Nigerian data residency

Evaluate providers against your requirements for processing capacity, uptime guarantees, disaster recovery, security certifications, and support quality. One structural limitation worth noting: most Nigerian data centre capacity is concentrated in Lagos, which limits the availability of geographically distributed availability zones. Factor this into your disaster recovery planning.

[Figure: AWS, Azure and Google Cloud vs Nigerian providers, CBN compliance comparison]

What Compliance Actually Requires: The Infrastructure Challenge

Moving data from foreign servers to domestic ones sounds straightforward. In practice it is not. The infrastructure compliance challenge has several layers, and organisations that treat this as a simple migration project will find themselves underprepared.

Layer 1: Know Where Your Data Is Right Now

Before you can localise your data, you need to know exactly where it lives. This requires a complete and accurate inventory of every system, application, API, and database that stores, processes, or transmits payment transaction data. For most organisations, that inventory does not currently exist in a maintained, accurate form.

The 6030 Technologies CMDB provides exactly this: automated discovery of all assets across on-premise, cloud, and hybrid environments, with continuous reconciliation so the inventory stays current as your infrastructure changes. Without this foundation, you cannot demonstrate to the CBN that you know what you are moving or whether the migration is complete.

Layer 2: Migrate Without Breaking Your Payment Rails

Nigeria processes billions of naira in payment transactions daily. The migration of live transaction data from foreign to domestic infrastructure must be managed without disrupting the payment rails that millions of Nigerians depend on. The six-month window is achievable but tight, particularly for smaller operators with limited engineering capacity.

Industry experts recommend a structured migration approach: audit current infrastructure, identify what must move, select domestic infrastructure partners early, run parallel environments during migration, and validate each workload before cutting over. The CBN has not published detailed technical guidance on migration methodology, so organisations need to make their own informed decisions about sequencing.

Layer 3: Security on Domestic Infrastructure

This is the layer most organisations underestimate. Moving data from AWS’s Dublin region to a Nigerian data centre does not automatically make it more secure. In many cases, the opposite is true. Global hyperscalers have invested billions in security controls, threat detection, and incident response. Nigerian data centres are improving rapidly, but the security maturity gap is real.

When your payment data moves to domestic infrastructure, your responsibility for securing it increases. You can no longer rely on the security controls embedded in a global cloud provider’s managed services. You need to:

•  Know every asset on your new domestic infrastructure, including servers, APIs, databases, and network devices

•  Continuously scan that infrastructure for vulnerabilities using a tool like SecureProbe

•  Confirm which vulnerabilities are actually exploitable, prioritise them by business risk, and track them to confirmed closure via a Vulnerability Operations Centre

•  Maintain a documented audit trail of your security posture, remediation actions, and incident history

This is not a theoretical risk. The ByteToBreach incident showed exactly what happens when Nigerian financial institutions run infrastructure without adequate visibility and security controls. One attacker, no sophisticated tools, a forgotten test server and an API with no authentication: Sterling Bank, Remita, and the Corporate Affairs Commission were breached in a single connected operation. 3TB of data was exfiltrated. 25 million records exposed. Detection came from a cybercrime forum, not internal monitoring.

The CBN is requiring you to bring your payment data home. Make sure your home is secure before you do.

Layer 4: Intersect With NDPA 2023 Obligations

The CBN circular explicitly states that data must be stored “in accordance with data protection laws and regulations applicable in Nigeria.” This is a direct reference to the Nigeria Data Protection Act 2023 and its General Application and Implementation Directive (GAID 2025). Compliance with the CBN data localisation directive and compliance with the NDPA 2023 are not separate exercises. They are the same exercise.

Your data localisation strategy must therefore also address your NDPA obligations: lawful basis for processing, data subject rights, breach notification procedures, DPIA for high-risk processing activities, and annual Compliance Audit Report (CAR) filing. Failure to address both simultaneously means you may achieve CBN compliance while remaining exposed to NDPC enforcement action.

[Figure: Security responsibility increases when payment data moves to domestic infrastructure]

Your Compliance Checklist: What to Do Before January 2027

[Figure: 6-step CBN data localisation compliance checklist, January 2027]

Step 1: Conduct a Full Data Asset Audit

Map every system that stores, processes, or transmits payment transaction data. Include all cloud environments, on-premise systems, third-party integrations, and API connections. The output should be a comprehensive, maintained inventory of your entire data estate. This is both a CBN compliance requirement and a prerequisite for any migration planning.

Step 2: Identify What Must Move

Not all data is payment transaction data as defined by the directive. Work with your legal and compliance team to categorise your data correctly and identify the specific datasets and workloads that must be localised by January 1, 2027. Document your methodology and your conclusions so you can demonstrate to the CBN that your categorisation is defensible.

Step 3: Select Domestic Infrastructure Partners

None of the three major global cloud providers, AWS, Azure, and Google Cloud, currently have full-scale Nigerian data centres or Regions. AWS has a limited Local Zone in Lagos but it does not cover the full service catalogue. Azure and Google Cloud have no Nigerian infrastructure at all. This means most organisations currently using these providers for payment data must plan a migration to compliant domestic alternatives.

Your primary compliant options are: Equinix MDXi (LG1, LG2, LG3), Rack Centre, MTN Dabengwa Data Centre, Open Access Data Centres, Kasi Cloud, and local cloud providers including Nobus, Galaxy, Suburban, Layer3, and Nebula. Evaluate each against your requirements for capacity, uptime, security certifications, disaster recovery, and pricing. Consider also the hybrid option of running AWS Outposts or Azure Stack on servers colocated within a Nigerian facility, if your team is deeply invested in a specific cloud platform and wants to retain that tooling while achieving data residency compliance.

Step 4: Assess and Strengthen Your Security Posture

Before migrating workloads to domestic infrastructure, assess the security of that infrastructure using an independent attack surface scanner. SecureProbe can scan your new domestic environment, identify vulnerabilities across web applications, APIs, and infrastructure, confirm which are actually exploitable, and generate the exact remediation code needed to close each one. Complete this assessment before go-live, not after.

Step 5: Align With NDPA 2023 and GAID 2025

Ensure your data localisation plan is reviewed against NDPA 2023 obligations. Update your privacy policies, data processing records, and data transfer mechanisms to reflect the new domestic hosting arrangement. If you have not already registered with the NDPC and filed your Compliance Audit Report, the CBN circular makes this even more urgent.

Step 6: Document Everything

The CBN has stated that it will monitor compliance and impose supervisory sanctions where necessary. That monitoring will require evidence. Start building your compliance documentation now: migration logs, infrastructure inventories, security scan results, vendor contracts, and evidence of NDPA alignment. Organisations that can produce a complete compliance evidence pack on demand will be in a significantly stronger position than those that cannot.
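
Steps 1, 2 and 6 above, sketched as an added example (not code from the CBN circular or from 6030 Technologies): it classifies a constructed inventory export by scope and hosting location, then groups asset ids for an evidence pack. The field names, sample assets and status labels are assumptions; `af-south-1-los-1a` is the AWS Lagos Local Zone name, and resources there report the parent region `af-south-1`, so a region-level inventory cannot show residency on its own.

```python
import json
from collections import defaultdict

# AWS resources in the Lagos Local Zone report their parent region
# (af-south-1), so the zone name, not the region, is what shows residency.
AWS_LAGOS_ZONE_PREFIX = "af-south-1-los-"
AWS_LAGOS_PARENT_REGION = "af-south-1"
HYPERSCALERS = {"aws", "azure", "gcp"}

# Constructed sample inventory; field names are assumptions for this example.
# payment_data: True / False / None (None = Step 2 categorisation not done yet).
INVENTORY = [
    {"id": "txn-db-primary", "provider": "aws", "region": "eu-west-1",
     "zone": "eu-west-1a", "payment_data": True, "residency_evidence": None},
    {"id": "switch-gw", "provider": "aws", "region": "af-south-1",
     "zone": "af-south-1-los-1a", "payment_data": True, "residency_evidence": None},
    {"id": "ledger-replica", "provider": "aws", "region": "af-south-1",
     "zone": None, "payment_data": True, "residency_evidence": None},
    {"id": "settlement-db", "provider": "colo", "facility_country": "NG",
     "payment_data": True, "residency_evidence": "contract-ref-PLACEHOLDER"},
    {"id": "analytics-lake", "provider": "gcp", "region": "africa-south1",
     "zone": "africa-south1-a", "payment_data": None, "residency_evidence": None},
    {"id": "marketing-site", "provider": "azure", "region": "southafricanorth",
     "zone": None, "payment_data": False, "residency_evidence": None},
]


def hosting_country(asset):
    """Return 'NG', 'FOREIGN', or None when the record cannot establish location."""
    provider = asset.get("provider")
    if provider in HYPERSCALERS:
        region = asset.get("region")
        zone = asset.get("zone") or ""
        if not region and not zone:
            return None
        if provider == "aws" and zone.startswith(AWS_LAGOS_ZONE_PREFIX):
            return "NG"
        if provider == "aws" and region == AWS_LAGOS_PARENT_REGION and not zone:
            return None  # Cape Town or Lagos: the region alone cannot tell
        return "FOREIGN"
    country = asset.get("facility_country")
    if country is None:
        return None
    return "NG" if country.upper() == "NG" else "FOREIGN"


def classify(asset):
    """Map one inventory row to a compliance status label."""
    scope = asset.get("payment_data")
    if scope is False:
        return "out_of_scope"
    if scope is None:
        return "unclassified"          # Step 2 still to do for this asset
    country = hosting_country(asset)
    if country is None:
        return "location_unknown"      # inventory gap: fix the record first
    if country == "FOREIGN":
        return "must_migrate"
    # In Nigeria: still needs written residency confirmation on file.
    if asset.get("residency_evidence"):
        return "resident_with_evidence"
    return "resident_needs_evidence"


def evidence_summary(inventory):
    """Group asset ids by status, in a stable order for an evidence pack."""
    buckets = defaultdict(list)
    for asset in inventory:
        buckets[classify(asset)].append(asset["id"])
    return {status: sorted(ids) for status, ids in sorted(buckets.items())}


if __name__ == "__main__":
    print(json.dumps(evidence_summary(INVENTORY), indent=2))
```
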

Frequently Asked Questions: CBN Data Localisation Directive 2027

Can we still use AWS, Microsoft Azure, or Google Cloud after January 2027?

Not in their standard form for payment data. AWS has a limited Local Zone in Lagos but it does not offer the full AWS service catalogue or full data residency guarantees. Azure and Google Cloud have no Nigerian infrastructure at all; their closest facilities are in Johannesburg, South Africa. Any payment data currently stored in those providers’ standard regions is outside Nigeria and does not satisfy the CBN directive. Your options are: migrate to a Nigerian domestic provider such as Equinix MDXi, Rack Centre, MTN Dabengwa Data Centre, Kasi Cloud, or local cloud providers; or explore a hybrid architecture running AWS Outposts or Azure Stack on servers colocated within a Nigerian data centre. In either case, obtain written contractual confirmation of Nigerian data residency before relying on the arrangement.

Does the CBN data localisation directive apply to my fintech if we only use payment APIs from a licensed processor?

Yes, if your organisation facilitates payment transactions in Nigeria and holds a relevant CBN licence, the directive applies. Even if you use a third-party processor, you need to review the data flows in your own systems and ensure that any payment transaction data you store or process is held domestically. Review your contracts with your payment processor to understand where they store the data they process on your behalf.

Can we still use AWS, Microsoft Azure, or Google Cloud after January 2027?

Yes, but only if those providers offer Nigerian data residency for your specific workloads. AWS, Azure, and Google Cloud all offer region selection, and some have Nigerian or nearby West African infrastructure. You must ensure your data is stored in a region where Nigerian law governs its management. Check your current cloud configuration carefully and migrate any workloads currently running in foreign regions to an approved domestic or domestically equivalent configuration.

What sanctions will the CBN impose for non-compliance?

The circular states that the CBN will monitor compliance and may impose supervisory sanctions in accordance with applicable laws and regulations. The CBN has broad sanctions powers for licensed institutions, including financial penalties, restrictions on operations, and in serious cases, revocation of licences. The specific sanctions schedule for this directive has not been published separately, but given the CBN’s recent enforcement posture, the risk of meaningful sanction for non-compliance is real.

Does the data localisation requirement overlap with NDPA 2023 obligations?

Yes, and significantly so. The CBN circular explicitly requires compliance with Nigerian data protection laws, which means NDPA 2023 and GAID 2025. Your data localisation strategy must address your NDPA obligations simultaneously. This includes NDPC registration, annual CAR filing, data subject rights procedures, breach notification mechanisms, and DPIA for high-risk processing activities. Treating these as separate compliance exercises is both inefficient and incomplete.

What is the fastest way to know whether we are currently compliant?

The fastest starting point is a data asset audit and an attack surface assessment. The audit tells you where your payment data currently lives. The assessment tells you how secure your current infrastructure is. Together they give you a baseline from which to build your compliance plan. 6030 Technologies can deliver both quickly and independently, giving you the objective picture you need before January 2027.

Is there a grace period or phased compliance approach?

The circular sets a firm deadline of January 1, 2027 for data localisation compliance. The market structure requirements have a separate deadline of December 31, 2026. No phased approach or grace period has been announced by the CBN. Industry executives have noted that the six-month window is achievable with structured planning and early action, but tight for organisations starting from scratch. Do not wait for a grace period announcement that may not come.

Ready to Meet CBN Data Localisation Requirements? 6030 Technologies Can Help.

The CBN data localisation directive is not a future problem. The deadline is January 1, 2027, and the compliance work required, including data audits, infrastructure migration, security assessments, and NDPA 2023 alignment, cannot be left to the final weeks.

6030 Technologies is a Nigerian cybersecurity firm and licensed Data Protection Compliance Organisation (DPCO) under the Nigeria Data Protection Act 2023. Our principals hold CISSP, CRISC, CISM, OSCP, GCIH, GWAPT, and CySA+ certifications. We have helped Nigerian banks, fintechs, and regulated institutions build the compliance infrastructure and security posture that regulators require.

What we provide for CBN data localisation compliance:

CMDB (Configuration Management Database): We give you a continuously maintained inventory of every asset across your domestic and cloud infrastructure, so you always know where your payment data lives. Audit-ready for CBN and NDPC assessments.

SecureProbe: Our AI-powered attack surface scanner assesses your domestic infrastructure for vulnerabilities before and after migration. It confirms which vulnerabilities are actually exploitable, maps the full attack chain, and generates the exact remediation code.

VOC (Vulnerability Operations Centre): We aggregate all findings from SecureProbe and your other security tools, prioritise by actual business risk, track remediation to confirmed closure, and produce the KPI dashboards and audit trail that regulators expect.

Gap Analysis and Compliance Roadmap: We assess your current data infrastructure and security posture against CBN circular PSS/DIR/PUB/CIR/001/004 and NDPA 2023 obligations, and produce a prioritised remediation roadmap with timelines.

NDPA 2023 Compliance and CAR Filing: As a licensed DPCO, we register your organisation with the NDPC, file your Compliance Audit Report on your behalf, and ensure your data protection policies are aligned with your new domestic hosting arrangements.

Penetration Testing and Security Assessment: We conduct formal penetration tests of your domestic infrastructure to produce the independent security evidence your board, auditors, and regulators require.

January 2027 is closer than it looks. Book a consultation with our team and let us help you build a compliance plan that covers both the CBN directive and your broader data protection obligations.

Book a free consultation:

📧  info@6030technologies.com

🌐  6030technologies.com
