Nigeria’s National Digital Economy and E-Governance Bill 2025 has cleared both chambers of the National Assembly. Presidential assent is expected before the end of March. When it arrives, it will become the most consequential piece of AI regulation on the African continent — and it will cost Nigerian tech companies between ₦13 million and ₦35 million per year to comply.
That figure comes from a compliance cost model developed by Lagos-based digital governance advisory Datum Africa, which has been mapping implementation requirements against the bill’s risk-tier framework since late 2025. “The question our clients keep asking is: how much will this actually cost?” says Anda Usman, Datum Africa’s director of regulatory strategy. “The honest answer is: it depends on how high-risk your AI is, and whether you built compliance thinking into your product from the start or are retrofitting it now.”
For most Nigerian fintechs, the answer will be retrofitting. That is where the real cost lives.
What the Bill Actually Does
The National Digital Economy and E-Governance Bill 2025 is an omnibus digital governance law — it covers everything from e-transactions to data infrastructure. But embedded within it is Africa’s first binding AI governance framework, enforceable through NITDA, the National Information Technology Development Agency.
The framework is risk-based. It creates three tiers of AI application, with the highest tier — covering AI systems that make or support decisions affecting individual rights, economic access, or safety — subject to mandatory licensing, pre-deployment impact assessments, explainability requirements, continuous audit trails, and NITDA inspection powers.
The high-risk category is not narrow. It explicitly includes: credit scoring and automated lending decisions; AI-driven fraud detection systems that can freeze or block user accounts; biometric identity verification used in financial services; clinical diagnosis or treatment recommendation systems; and AI systems used in employment screening or benefits determination. For a fintech ecosystem that has built its entire growth infrastructure on algorithmic credit models and AI-native KYC, this captures a significant slice of production systems currently in operation.
Penalties are designed to be meaningful at scale. The bill sets maximum fines at ₦10 million (approximately $7,000 at current rates) or two percent of annual Nigeria-attributed revenue, whichever is higher. For a startup with ₦2 billion in annual revenue — a modest number for a Series A fintech — two percent means ₦40 million. NITDA also retains powers to revoke licences, mandate product shutdowns, and require mandatory third-party audits.
“The penalty structure was clearly designed with large organisations in mind,” says Kashifu Inuwa Abdullahi, NITDA’s Director General, who has been the bill’s primary executive champion. “We want to make non-compliance expensive for multinationals operating in Nigeria. The percentage-based structure ensures the fine scales with the business.”
The Compliance Price Tag — and Who It Breaks
Datum Africa’s compliance cost model assumes a mid-sized Nigerian fintech with three high-risk AI systems in production — a credit scoring model, an identity verification layer, and a fraud detection classifier. Annual compliance costs under the bill’s licensing and audit regime run between ₦13 million and ₦35 million, depending on the complexity of audit requirements and whether the company has existing documentation infrastructure.
Those numbers are tolerable, if uncomfortable, for a company doing ₦5 billion or more in annual revenue. For an early-stage startup with ₦200 million in revenue, they are potentially existential — representing six to seventeen percent of turnover in compliance spend alone, before any product development investment.
This is the asymmetry the Nigerian AI startup ecosystem will spend the next two years managing. Companies like Moniepoint, Paystack, or PiggyVest have the engineering teams, legal budgets, and CBN relationships to navigate a new compliance regime. A Techstars-backed seed-stage AI startup with eight engineers does not.
The bill contains no regulatory sandbox provisions. There is no innovation-friendly tier for companies below a revenue threshold. No startup support mechanism. No phased implementation schedule that would give early-stage companies time to build compliant systems before enforcement begins. The gap between Nigeria’s bill and comparable frameworks in Singapore or the United Kingdom — both of which include explicit carve-outs or lighter-touch regimes for startups — is significant, and it has not gone unnoticed in Lagos tech circles.
The Engineering Burden: Building Compliance Into the Stack
For companies that have already shipped AI systems into production, the compliance challenge is not just legal — it is architectural. The bill’s explainability requirements mean that decisions made by high-risk AI systems must be documentable in human-readable form. Its audit trail provisions mean that model inputs, outputs, and decision logic must be logged and retained. Its transparency requirements mean that users affected by automated decisions must be informed, and in some cases given the right to request human review.
None of these requirements are exotic. They exist in Europe’s GDPR, the EU AI Act, and sector-specific guidelines from Nigeria’s own Central Bank. What is new is that they will now be enforceable at the infrastructure layer — not just in policy documents. NITDA inspection teams will be empowered to audit model documentation directly.
For companies that chose LLM-based AI systems with limited interpretability, the challenge is harder still. The bill does not ban black-box models, but it imposes documentation obligations that many transformer-based systems cannot satisfy without significant engineering work. A credit model running on a fine-tuned LLM without a separate interpretability layer will require rearchitecting to comply. An AI fraud detection system that flags transactions without producing auditable feature weights will need a parallel logging and explanation system built alongside it.
The engineering cost of this rework — distinct from the compliance and legal costs — is what most published analyses have so far underestimated.
Regional Context: What Nigeria Is Getting Right, and What It Is Missing
Nigeria is not alone in this work. South Africa’s Information Regulator has published AI processing guidelines under POPIA. Kenya’s Data Commissioner has issued AI advisory notes under the Data Protection Act. Egypt is developing an AI strategy that includes regulatory provisions. But none of these are yet at the level of binding legislation with active enforcement mechanisms. Nigeria is moving first at meaningful regulatory depth.
The bill’s risk-based framework reflects genuine technical sophistication — the decision to tier AI systems by risk rather than by technology type is the right architecture, and it is consistent with global best practice. The penalty structure is sensible. The NITDA enforcement mandate is clear.
What is missing is proportionality for the startup ecosystem, and a recognition that Nigeria’s AI talent base is thin relative to the compliance infrastructure now being demanded. There are no more than a handful of firms in Lagos with the technical expertise to conduct independent AI audits of the kind the bill contemplates. That bottleneck will create its own market — and delay compliance timelines regardless of what the law says.
What Founders Need to Do Now
Presidential assent could come any day between now and the end of March 2026. The practical implication for Nigerian AI startups is that the window for orderly preparation is short. Companies with high-risk AI systems in production should be conducting internal audits now: mapping which systems fall into the bill’s high-risk categories, assessing documentation gaps, and beginning the process of building or acquiring interpretability tooling.
Companies that are not yet deploying AI — or are deploying only in lower-risk categories — have more time. But any startup planning to enter credit scoring, identity verification, or automated lending in the next eighteen months should build compliance into the product architecture from day one. Retrofitting is far more expensive than building for compliance at the outset.
Minister Bosun Tijani has framed the bill as a foundation for trust that will, in the medium term, make Nigeria a more attractive market for enterprise AI deployment. That framing may be correct. But the short-term costs are real, and they will fall most heavily on the startups least equipped to absorb them.
The bill is coming. The question is whether the ecosystem is ready.
— Technology Desk, BETAR.africa
UphivaBETAR
Joseph Busari
