The New Standard: Dr Olatunji Mandates .ng Domains for All Compliance Organisations

The Nigeria Data Protection Commission (NDPC), under the leadership of National Commissioner/CEO Dr. Vincent Olatunji, has mandated that all Data Protection Compliance Organisations (DPCOs) must operate with a .ng domain name. This directive, announced at the Tech Convergence 3.0 event, underscores Nigeria's commitment to strengthening its digital independence, enhancing local content, and bolstering the security and credibility of its data protection ecosystem. The move is a critical step in operationalizing the Nigeria Data Protection Act (NDPA) 2023, ensuring that entities responsible for guiding data controllers and processors in compliance also contribute to the nation's digital sovereignty and economic growth. It signifies a strategic alignment between data protection regulations and national digital identity initiatives.

In a significant move aimed at fortifying Nigeria's digital landscape and ensuring robust data protection, the National Commissioner/CEO of the Nigeria Data Protection Commission (NDPC), Dr. Vincent Olatunji, recently announced a mandatory requirement for all Data Protection Compliance Organisations (DPCOs) to adopt and operate with a .ng domain name. This directive, unveiled at the Tech Convergence 3.0 event organized by the Nigeria Internet Registration Association (NiRA) on June 2, 2026, marks a pivotal moment in the nation's journey towards digital independence and enhanced data privacy.

The mandate is not merely an administrative formality but a strategic imperative designed to embed national digital identity within the core of Nigeria's data protection framework. By requiring DPCOs—the frontline entities responsible for guiding data controllers and processors on compliance—to use the country's official top-level domain, the NDPC aims to foster greater trust, security, and local economic growth within the digital sphere. This article delves into the implications of this new standard, examining its legal underpinnings, practical consequences for legal professionals and compliance entities, and its broader significance for Nigeria's digital future.

The foundation for this directive lies in Nigeria's evolving data protection legal framework. Initially, data protection in Nigeria was primarily governed by the Nigeria Data Protection Regulation (NDPR) of 2019, issued by the National Information Technology Development Agency (NITDA). However, recognizing the need for more comprehensive and enforceable legislation in a rapidly advancing digital age, President Bola Ahmed Tinubu signed the Nigeria Data Protection Act (NDPA) 2023 into law on June 14, 2023. The NDPA 2023 established the Nigeria Data Protection Commission (NDPC) as the apex regulatory body, replacing the erstwhile Nigeria Data Protection Bureau (NDPB), with a mandate to safeguard fundamental rights and freedoms of data subjects as guaranteed under the 1999 Constitution of Nigeria.

A crucial component of the NDPA 2023 is the provision for Data Protection Compliance Organisations (DPCOs). Section 33 of the NDPA 2023 defines a DPCO as an entity duly licensed by the NDPC for the purpose of training, auditing, consulting, and rendering services aimed at ensuring compliance with the Act or any foreign data protection law having effect in Nigeria. These organisations, which can include law firms, professional service consultants, IT service providers, and audit firms, play a vital role in assisting data controllers and processors in meeting their statutory obligations, including conducting data protection audits and submitting compliance reports to the NDPC. The NDPC's mandate for .ng domains integrates directly into the existing licensing requirements for these critical compliance partners.

The mandate by Dr. Olatunji for DPCOs to utilize .ng domains is firmly rooted in the NDPC's regulatory powers under the NDPA 2023 and its broader strategic objectives. The NDPC's 'DPCO Registration & Requirements' explicitly lists "Website registration on .ng domain" as one of the documents required for licensing. This pre-existing requirement has now been unequivocally enforced as a standard for all compliance organisations. The directive aligns with the NDPC's commitment to supporting NiRA and strengthening Nigeria's digital independence.

The rationale behind promoting the .ng domain is multi-faceted. Firstly, it enhances national digital identity and sovereignty. The .ng domain is Nigeria's official country code top-level domain (ccTLD), managed by NiRA, and its adoption signifies a commitment to the local digital ecosystem. Secondly, it fosters credibility and trust among Nigerian data subjects and businesses, signaling a local presence and adherence to national standards. Thirdly, using local domains can improve search engine visibility within Nigeria, making it easier for local users to find compliant service providers. Lastly, it contributes to the local economy and supports Nigerian IT professionals, aligning with broader national digital economy policies.

For legal practitioners and DPCOs, this mandate necessitates immediate action. Existing DPCOs operating with generic top-level domains (gTLDs) or other ccTLDs must transition to a .ng domain to maintain their licensed status. New applicants for DPCO licenses must ensure this requirement is met from the outset. This also implies that data controllers and processors seeking compliance services should verify that their chosen DPCO operates under a .ng domain, as this will become a benchmark for regulatory adherence. The NDPC's emphasis on this requirement underscores a broader push for a localized, secure, and trustworthy digital environment, where data protection is not just a regulatory obligation but a component of national digital infrastructure. The collaboration between NDPC and NiRA, as highlighted by Dr. Olatunji, further solidifies the institutional support for this initiative.

The NDPC's mandate for all Data Protection Compliance Organisations to adopt .ng domains represents a significant step towards integrating data protection with Nigeria's national digital identity and sovereignty. For legal practitioners and compliance professionals, the immediate implication is the need to ensure strict adherence to this new standard, either by transitioning existing domains or by incorporating it into future licensing applications. Failure to comply could impact a DPCO's licensed status and, by extension, their ability to provide essential data protection services.

This directive signals a clear direction from the NDPC: a future where Nigeria's digital economy is not only robust and secure but also distinctly Nigerian. Practitioners should closely monitor further guidance from the NDPC regarding the implementation timeline and any associated compliance frameworks. This move is expected to foster greater trust in Nigeria's digital space, enhance the credibility of compliance services, and ultimately strengthen the overall data protection landscape in the country, aligning with the core objectives of the Nigeria Data Protection Act 2023.