7 key changes from the NCC’s reviewed Internet Code of Practice that you should note

Internet usage is more than swiping on a screen or subscribing to data plans; what makes it enjoyable for users is the assurance of safe online use. 

To this effect, the Nigerian Communications Commission (NCC) revised the Internet Code of Practice (ICP) to accommodate recent changes in internet usage and reflect emerging technologies. 

On February 13, 2026, NCC released ICP 2026, the revised version of the 2009 edition. The document seeks to define the rights and obligations of telecom operators (telcos) in handing the rights of internet users to an open internet. 

This article will highlight seven key additions to the latest review, compared with the ICP 2009, including cybersecurity measures, AI tool moderation, and child online protection.

1. Transactional data management 

In the reviewed regulation, telcos are to prevent third parties from harvesting transactional data from their database with prior approval from the NCC, according to Chapter 3.5.

“An Internet Access Service Provider shall not allow the harvesting of transactional data on its network or access by a third party without the prior written approval of the Commission.”

This means that companies or government agencies that need subscribers’ metadata for analysis or research cannot obtain it from telcos without the NCC’s consent. It’s an attempt to enforce data privacy to protect subscribers’ information from being misused. 

Metadata are activity logs generated by a network provider, which include but are not limited to behavioural and trend data from internet use, users’ interaction with the internet,  customer behaviour, and spending habits.

2. Cybersecurity 

While the 2019 regulation did not provide room for cybersecurity measures, the 2026 framework is bridging that gap amid the influx of advanced technology. 

“All Internet Access Service Providers are to implement the Cyber Security Framework that is issued by the Commission to all its licensees.”

In Chapter 3.1, telcos are to implement the Commission’s cybersecurity framework as mandated. This means operators must adhere to the guidelines stipulated in the recently released Cyber Resilience Framework for the Nigerian Communication Sector (CRF-NCS).

Recall that as part of the key regulation in that framework, operators must now notify NCC within four hours of detecting any cyberattack. They are also expected to provide the NCC with a periodic update every 4 hours after detection and provide a confirmation report after 24 hours (1 day).

3. Takedown notice 

Compared to its existence in the 2019 regulation, the ICP’ 26 makes some adjustments to the Takedown notice section.

While both documents acknowledged the ejection of content found unlawful within 24 hours of such a directive, the reviewed document seeks to balance the books.

The additional part of Chapter 5.3.3 (d) states that any party who is affected by the content removal can appeal the decision in accordance with the set rules. 

“A person who is aggrieved or whose interest is adversely affected by any takedown notice issued by the Commission pursuant to this Paragraph may appeal the decision…”

Also, the (e) part gives telcos the mandate to initiate a takedown action/procedure by sending a formal notice to the NCC. 

Also Read: MTN, Airtel, Glo others must now inform subscribers of data breach within 48 hrs.

4. Regulations on AI tools

With the emergence of AI and emerging technologies, the ICP’ 26 has now accommodated regulations for its usage by telcos. 

Under Section 5.4, telcos are expected to inform the NCC before deploying or using an AI or emerging technologies in their operations. The notification will also contain why the operator is employing such a tool, how it works and what it seeks to achieve with it.

“An Internet Access Service Provider shall notify the Commission prior to deploying Artificial Intelligence tools, applications and solutions that relate to all its network management and customer engagement processes.”

Before deploying such tools, telcos must inform subscribers who will be affected by such adjustments, and the usage must adhere to NCC’s ethics and integrity. 

5. Child online protection 

While both regulations recognise the need for child online protection by network providers, the reviewed version introduced three additions.

One. Telcos must provide simple-to-enable parental control tools. Two. Guidance on usage and safety must be provided in multiple languages. 

Chapter 4.1 (c) says:

“All Internet Access Service Providers and Impacted Entities shall offer consistent and simple-to-enable parental control tools.”

Three. Incorporate a default setting before users opt in to parental control tools. This means that when minors or vulnerable individuals sign up for the internet, they will need to actively agree (opt-in) to certain services. It helps safeguard internet users who might not fully understand what they’re agreeing to.

6. Management of harmful content

The ICP’ 26 introduces a Chapter that focuses on how Online and Digital Platforms operating in Nigeria regulate content on their platforms.

According to Chapter 6, all Online and Digital Communications Platforms are to draft and submit a community rule to NCC within the next six months, from the time the document was released. 

 Chapter 6.2.1 (I) says:

“All Digital Service Providers shall have Community Rules or Guidelines that align with the 2003 provisions of Section 146 of the Nigerian Communications Act 2003 as it relates to protection of National Interest.”

The rules must contain measures to manage harmful content, disinformation, fraudulent activities and unlawful content.

7. Compliance measures 

In its monitoring measures to ensure telcos are complying with the regulation, NCC has directed all operators to provide a compliance report twice a year.  

Chapter 7.3 (II) says:

“All Internet Access Service Providers shall render reports to the Commission on compliance with the Code on a biannual basis.”

With the adjustment and action point made to the Code, NCC has directed telcos to provide blueprints on compliance with those rules.

Also Read: New NCC, CBN rule to suspend airtime and data purchase during network downtime.

The above key rules come at a time when privacy becomes core amid frequent breaches and illegal harvest of data such as biometric, national IDs, financial information, traffic and usage, and others.

You can download the document here.

The post 7 key changes from the NCC’s reviewed Internet Code of Practice that you should note first appeared on Technext.