
On 26 June 2026, President Bola Ahmed Tinubu signed the National Identity Management Commission (NIMC) Act 2026 into law, repealing the National Identity Management Commission Act 2007. The NIMC Act 2026 replaces the legal framework that has governed Nigeria’s identity management system for nearly two decades and introduces significant reforms aimed at strengthening the country’s digital.
What NIMC Act 2026 Changes? Five Key Reforms
1. The NIN Becomes Mandatory for More Services:
First, the National Identification Number (NIN) has become the central identifier for accessing a growing range of public and private services. Obtaining a passport, registering to vote, opening a bank account, purchasing insurance, filing tax returns, and applying for consumer credit now all legally require a NIN. While many of these requirements had already been introduced through policy and administrative practice, the new Act gives them a clear statutory basis.
2. NIMC Becomes Nigeria’s Root Certificate Authority:
Second, the Act designates NIMC as Nigeria’s Root Certificate Authority (Root CA). In practical terms, this places the Commission at the apex of the country’s public key infrastructure (PKI), enabling it to establish the foundation of trust for digital certificates, electronic signatures, and other secure digital transactions. Although the technical implications will become clearer as implementation progresses, this is one of the most significant institutional changes introduced by the Act and has the potential to reshape how digital trust is established across both the public and private sectors.
3. Tougher Penalties for Identity Offences:
Third, the Act significantly strengthens penalties for identity-related offences. Companies may face fines of up to ₦20 million, while offences such as impersonation, multiple registration, unauthorised access to identity information, and related misconduct now attract custodial sentences of not less than five years. The legislation also expands NIMC’s investigative and enforcement powers, including powers relating to searches, seizure of evidence, data decryption, and arrests, subject to applicable legal safeguards, including judicial authorisation where required.
4. A Reconstituted Board With 14 Agencies:
Fourth, the Board of the National Identity Management Commission has been reconstituted to include representatives from fourteen key government institutions. These include the Independent National Electoral Commission (INEC), the Nigeria Police Force (NPF), the Department of State Services (DSS), the Economic and Financial Crimes Commission (EFCC), the Central Bank of Nigeria (CBN), the National Population Commission (NPC), and the Office of the National Security Adviser (ONSA), among others. This represents a significant departure from the composition of the Board under the repealed 2007 Act and reflects a stronger emphasis on inter-agency coordination in the governance of Nigeria’s identity ecosystem.
5. The New General Multipurpose Card:
Finally, the Act introduces a new General Multipurpose Card, intended to serve as a unified identity credential across multiple sectors and, over time, reduce the need for Nigerians to maintain multiple government-issued identity cards.
What the NIMC Act 2026 Means for Privacy and Cybersecurity?
The Act has the potential to significantly improve the efficiency of Nigeria’s digital ecosystem. A unified identity framework could reduce fraud, eliminate duplicate identity records, and enable government agencies to exchange information more effectively rather than operating in institutional silos. If successfully implemented, it could also streamline Know Your Customer (KYC) processes for financial institutions, improve access to e-government services, and increase confidence in digital transactions across the economy.
At the same time, the reforms also concentrate an unprecedented amount of identity and trust infrastructure within a single institution. While centralisation may improve efficiency, it also concentrates operational risk and cyberattacks exposure in one place. A serious failure in NIMC’s systems would not stay contained to identity management. It could ripple into banking, telecommunications, tax administration, property records, and any other sector that leans on digital identity verification.
NIMC has had incidents where personal information, including National Identification Numbers (NINs), was exposed through third-party websites without the affected individuals’ knowledge or consent. Although the new Act imposes substantially stronger penalties for misuse of identity information, stronger sanctions cannot reverse the consequences of a data breach once personal information has been compromised. The more important question is whether NIMC’s technical infrastructure, cybersecurity framework, and institutional oversight are sufficiently robust to prevent similar incidents from occurring in the future. That is a question which legislation alone cannot answer.
There is also the question of consent and access to personal data. Government officials have repeatedly stated that personal information cannot be accessed without an individual’s consent and that any disclosure must occur only through lawful processes. At first glance, that provides an important safeguard. However, the repealed 2007 Act contained similar protections, subject to broad exceptions relating to national security. Whether the new Act meaningfully narrows those exceptions or simply preserves a similarly broad national security exemption remains unclear, particularly as the full text of the legislation has not yet been made publicly available.
Conclusion
For now, the NIMC Act 2026 has the potential to become a defining milestone in Nigeria’s digital transformation. Equally, it carries significant implications for privacy, cybersecurity, and governmental power. Whether it ultimately strengthens public trust or amplifies longstanding concerns will depend not merely on the text of the legislation but on how faithfully it is implemented and whether those entrusted with enforcing it are themselves subject to meaningful oversight.