Nigeria has taken a major step toward modernising its identity management system with the enactment of the National Identity Management Commission (NIMC) Act, 2026.
It is a landmark legislation that replaces the 2007 Act and introduces a far-reaching overhaul of the country’s identity framework.
Until now, the National Identity Number (NIN) largely served as a tool for identity verification when opening bank accounts, registering SIM cards, applying for passports and accessing various government programmes.
The newly enacted law, however, repositions the NIN as the backbone of Nigeria’s expanding digital economy.
President Bola Tinubu signed the legislation into law on June 26, 2026, following its approval by the National Assembly.
The Act grants the National Identity Management Commission (NIMC) wider legal authority over digital identity administration, cybersecurity, data protection and digital transactions.
According to NIMC, the legislation brings Nigeria’s identity ecosystem in line with global best practices while laying the groundwork for a future driven by digital innovation.
Key highlights of the new NIMC Act
The legislation introduces wide-ranging reforms expected to impact citizens, businesses and government institutions alike.
Among its key provisions are:
• The 2007 NIMC Act has been repealed and replaced with a comprehensive digital identity law.
• Digital identity becomes the foundation of Nigeria’s Digital Public Infrastructure (DPI).
• Physical identity cards are no longer the primary means of identification.
• Nigerians can verify their identity using smartphone applications, QR codes, biometric authentication, digital wallets and other digital credentials.
• NIMC becomes Nigeria’s Root Certification Authority, responsible for managing the country’s Public Key Infrastructure (PKI).
• Digital signatures and secure online authentication will receive stronger legal backing.
• Identity fraud attracts tougher penalties, including prison terms and multi-million naira fines.
• The National Identity Database is now protected under stricter privacy and cybersecurity provisions.
• Citizens’ consent becomes central to how identity data is shared with third parties.
• The law requires NIMC to create special enrolment systems for vulnerable and underserved populations.
Moving beyond plastic identity cards
A notable feature of the new Act is its transition away from relying primarily on physical identity cards.
For several years, many Nigerians encountered prolonged delays in obtaining the General Multi-Purpose Card (GMPC) after completing NIN registration, largely because of production costs and supply chain constraints.
Instead of depending on a plastic identity card, the legislation embraces a technology-neutral framework that supports identity verification across multiple digital platforms.
Going forward, Nigerians will increasingly be able to authenticate their identity through mobile devices, biometric verification, QR codes and other secure digital technologies.
The model reflects digital identity systems already in use in countries such as India, Estonia, Singapore, Brazil, Kenya and Togo.
NIMC becomes Nigeria’s digital trust authority
One of the most significant changes introduced by the legislation is a reform that many Nigerians may never directly notice.
Under the Act, NIMC is officially designated as Nigeria’s Root Certification Authority, placing it in charge of the country’s Public Key Infrastructure (PKI).
This responsibility gives the commission oversight of the digital certificates, authentication mechanisms and encryption technologies that secure online banking, government services, electronic signatures and digital communications.
In practical terms, the legislation enhances the protection of digital transactions by strengthening identity verification systems and reducing the risk of fraud.
Tougher penalties for identity fraud
The 2026 Act considerably strengthens NIMC’s enforcement authority.
Unlike the previous legislation, the commission is now empowered to investigate identity-related offences and, with court approval, carry out searches, seize evidence and prosecute illegal enrolment centres, identity fraud syndicates and data traffickers.
Punishments for violations have also become significantly more severe. Anyone found guilty of unauthorised access to the National Identity Database faces a minimum prison sentence of five years or a fine of at least ₦10 million.
Corporate bodies convicted under the law may be fined no less than ₦20 million, while company executives implicated in such offences may also face personal criminal liability.
The legislation further prescribes stiff penalties for individuals who attempt multiple registrations or impersonate another person’s identity.
Stronger data privacy and inclusion
The NIMC Act, 2026, also reinforces the protection of personal data by fully bringing the commission under the Nigeria Data Protection Act (NDPA).
It establishes a consent-first framework, meaning third parties will generally require an individual’s approval before accessing information stored in the National Identity Database. Limited exceptions apply in circumstances such as court orders, criminal investigations and matters of public interest.
The legislation also mandates NIMC to clearly explain to citizens how their personal information will be collected, stored, processed and shared throughout the enrolment process.
Beyond strengthening privacy protections, the Act aims to tackle identity exclusion by directing the commission to develop specialised registration systems for vulnerable groups, including individuals without permanent addresses.
It enables them to access healthcare, financial services and government social intervention programmes.
Although the legislation provides the legal framework for a more secure, inclusive and technology-driven identity system, its long-term effectiveness will depend largely on successful implementation, adequate infrastructure and sustained public confidence.