Nigeria has no standalone AI statute as of June 2026. Its AI governance rests on three concurrent instruments: the National Information Technology Development Agency Act 2007 and NITDA's published guidelines, the Nigeria Data Protection Act 2023 administered by the Nigeria Data Protection Commission, and the National AI Strategy 2024. Sector regulators including the Central Bank of Nigeria, the Nigerian Communications Commission, and the National Health Insurance Authority have issued AI-specific guidance for their regulated industries. Nigerian operators whose systems serve EU users remain within scope of the EU AI Act's extraterritorial provisions regardless of where their infrastructure sits. This guide explains each layer, what it requires in practice, and how to navigate them simultaneously.

Key takeaways

  • Nigeria has no standalone AI statute as of June 2026. The primary operative instruments are the Nigeria Data Protection Act 2023 (NDPA), NITDA's guidelines and the National AI Policy 2021, and the National AI Strategy 2024. No single statute establishes comprehensive AI-specific obligations for private sector operators.
  • The Nigeria Data Protection Act 2023, signed 12 June 2023, applies to the processing of personal data of Nigerian residents by automated means. The Nigeria Data Protection Commission (NDPC) administers the Act and has enforcement powers including administrative fines. AI systems that make or substantially inform consequential decisions about data subjects engage NDPA obligations directly.
  • NITDA is the primary government technology body. Its guidelines, including the National AI Policy 2021 and the Guidelines on Artificial Intelligence 2023, represent the de facto compliance baseline for AI operators in Nigeria. They are not backed by the same penalty regime as primary legislation but are enforceable signals of regulatory expectation.
  • Nigeria's sector regulators (CBN for banking, NCC for telecoms, NHIA and Federal Ministry of Health for healthcare, SEC for capital markets) have issued AI governance guidance in their respective sectors. For operators in these industries, sector guidance creates binding compliance obligations that go beyond the NDPA baseline.
  • Nigerian operators offering AI-enabled services to EU residents are within scope of Regulation (EU) 2024/1689 (the EU AI Act) for those deployments. The 2 August 2026 application deadline for Annex III high-risk systems is provisionally deferred to 2 December 2027 under the Digital Omnibus agreement of 7 May 2026, but that deferral is not yet formally adopted. The original deadline binds until adoption.
  • An AI governance programme built to EU AI Act standard will exceed current Nigerian domestic requirements in technical depth. It will not automatically satisfy Nigerian sector-specific guidance, which reflects domestic priorities distinct from the EU framework.

The Nigerian AI regulatory landscape in brief

Nigeria is Africa's most populous country and its largest economy by nominal GDP, with a technology sector concentrated in Lagos that has produced significant fintech, healthtech, and agritech activity over the past decade. The Nigerian government has made AI a strategic priority. The National AI Strategy 2024, issued by the Federal Ministry of Communications, Innovation and Digital Economy, sets a target of Nigeria becoming a leading AI-enabled economy in Africa by 2030. That ambition has not yet translated into a comprehensive statutory framework.

The architecture that exists in 2026 is characteristic of early-stage AI governance in high-growth markets: a data protection statute with clear implications for automated decision-making, a technology regulator producing advisory guidance that carries de facto weight without statutory penalty backing, a national strategy that signals direction without creating binding obligations, and sector regulators who have moved ahead of national legislation to establish domain-specific expectations. This architecture requires disaggregated compliance analysis. The questions an operator must answer are: does your AI system process personal data of Nigerian residents (NDPA applies); do you operate in a sector regulated by CBN, NCC, SEC, or health authorities (sector guidance applies); does your system produce outputs used by EU residents (EU AI Act extraterritorial provisions apply); and are you engaged with Nigerian government procurement (Strategy alignment is a de facto criterion)?

The answers determine which obligations are legally binding and which represent voluntary best practice that signals alignment with the government's regulatory trajectory. The trajectory is clearly toward greater formalisation. Operators who build governance infrastructure consistent with international standards now will face a smaller compliance gap when Nigeria's legislative framework matures.

NITDA: the primary technology regulator

The National Information Technology Development Agency was established by the NITDA Act 2007 as the primary government body for information technology development and regulation in Nigeria. NITDA sits within the Federal Ministry of Communications, Innovation and Digital Economy and is responsible for developing and enforcing IT standards, policies, and guidelines across the public and private sectors.

NITDA's role in AI governance has expanded progressively since 2019. The Agency published the National AI Policy in 2021, which established Nigeria's first formal government position on AI development and governance. The Policy articulates principles that AI systems should respect: human-centric values, transparency, fairness, accountability, safety, and privacy. These principles align closely with the OECD AI Principles adopted in 2019 and updated in 2024, a convergence that reflects Nigeria's engagement with international AI governance discussions.

In 2023, NITDA published the Guidelines on Artificial Intelligence (the AI Guidelines), which provide more operational content than the 2021 Policy. The Guidelines address the lifecycle of AI systems from design through deployment and monitoring. They require that AI systems deployed in Nigeria be designed with explainability appropriate to the context of use, that operators conduct risk assessments before deploying AI in consequential contexts, and that human oversight mechanisms be maintained for AI systems that make or substantially influence decisions about individuals. The Guidelines also address data governance: AI systems must use data that is accurate, representative, and obtained in compliance with applicable data protection law.

NITDA guidelines are not primary legislation. They do not establish an administrative fine regime comparable to the NDPA's penalty framework. However, NITDA has powers under the NITDA Act to investigate non-compliance with its guidelines and to issue directives. For operators engaged in government IT contracts or in sectors where NITDA has formal oversight functions, non-compliance with NITDA guidelines creates regulatory risk that goes beyond reputational consequences. Practically, NITDA guidelines function as the default compliance baseline for AI operators in Nigeria in the absence of a sector-specific regulator or comprehensive statute.

The National AI Strategy 2024

The National AI Strategy 2024 was developed by the Federal Ministry of Communications, Innovation and Digital Economy with NITDA as co-lead, building on the 2021 National AI Policy. It was published with seven strategic pillars: data and digital infrastructure, AI research and innovation, talent and skills, public sector AI adoption, private sector AI adoption, ethical and responsible AI, and international cooperation.

The ethical and responsible AI pillar is the most directly relevant to private operators. It establishes that AI systems deployed in Nigeria should be transparent (their logic and outputs should be explainable to affected parties and regulators), fair (they should not produce discriminatory outcomes across demographic groups), accountable (there should be identifiable human or institutional responsibility for AI decisions), safe (systems should not pose unreasonable risk of harm), privacy-preserving (consistent with the NDPA), and inclusive (AI benefits should be accessible across socioeconomic and geographic lines).

The Strategy is not primary legislation. It does not create a penalty regime. Its significance for private operators lies in three practical consequences. First, it shapes NITDA's subsequent guidance documents: principles articulated in the Strategy are likely to become requirements in future NITDA guidelines. Second, it is the framework within which government AI procurement decisions are made: operators bidding for public sector AI contracts will find that Strategy alignment functions as a qualification criterion. Third, it represents the government's stated direction of regulatory travel: operators who build governance programmes consistent with Strategy principles are building toward the likely shape of future binding requirements.

The Strategy also addresses international cooperation explicitly, and specifically flags alignment with the EU AI Act and the OECD AI Principles as objectives. This is relevant to operators navigating both Nigerian and EU regulatory environments: the Strategy's architects were deliberately converging Nigerian AI governance direction with international frameworks. An operator whose programme satisfies the OECD AI Principles (for which see the OECD AI principles operator guide on this site) will find significant overlap with Strategy requirements.

The Nigeria Data Protection Act 2023 and automated decision-making

The Nigeria Data Protection Act 2023 (NDPA) was signed into law on 12 June 2023, replacing the earlier Nigeria Data Protection Regulation 2019 (NDPR) which had been issued by NITDA. The NDPA is primary legislation with a dedicated regulatory authority, the Nigeria Data Protection Commission (NDPC), established under the Act with investigation and enforcement powers.

The NDPA applies to the processing of personal data of natural persons in Nigeria, including processing outside Nigeria where the purpose relates to offering goods or services to persons in Nigeria or monitoring the behaviour of persons in Nigeria. This extraterritorial scope means that an operator processing data of Nigerian residents from infrastructure located outside Nigeria is subject to the Act for that processing.

For AI operators, the NDPA's core obligations engage in the following scenarios. Where an AI system processes personal data to make or substantially inform a consequential decision about a data subject (a credit decision, insurance pricing, employment screening, access to healthcare, or government service eligibility), the operator is a data controller under the Act. The data controller must have a lawful basis for processing the personal data that the AI system uses. In most commercial contexts, this will be consent (which must be freely given, specific, informed, and unambiguous) or legitimate interest (which requires a balancing test and must not override the data subject's fundamental rights). Processing without a lawful basis exposes the controller to enforcement action by the NDPC.

The Act's purpose limitation principle requires that personal data be collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes. An AI system trained on data collected for one purpose that is then repurposed to make decisions for a different purpose without a fresh lawful basis is likely to be in breach of purpose limitation. This has direct implications for operators who retrain models on customer data or who repurpose data collected in one product context for AI applications in another.

Data accuracy obligations under the NDPA require controllers to take reasonable steps to ensure that personal data used in processing is accurate and, where necessary, kept up to date. For AI systems that rely on historical data to make predictions about current behaviour (credit scoring, fraud detection, recidivism prediction), accuracy obligations require ongoing data quality monitoring and mechanisms to correct inaccurate inputs that have influenced AI outputs.

The NDPA does not contain a provision directly equivalent to Article 22 of the EU General Data Protection Regulation, which gives data subjects the right not to be subject to fully automated decisions that significantly affect them without human review. However, the Act's general provisions on data subjects' rights to access information about their data and to object to processing that violates their rights engage the transparency and human oversight requirements of automated decision-making systems. The NDPC has indicated in published guidance that it expects operators to be able to explain the basis of automated decisions to affected data subjects and to provide human review mechanisms for consequential automated outcomes.

Administrative penalties under the NDPA are calibrated by severity of breach. The maximum fine for serious violations is the greater of 2 percent of annual gross revenue or 10 million naira. The NDPC became operational in 2023 and has begun enforcement activity. Operators should monitor NDPC enforcement notices for indicators of priority areas and the penalty levels being applied in practice.

Sector regulators and AI-specific obligations

Central Bank of Nigeria

The Central Bank of Nigeria is the primary regulator for banks, microfinance institutions, payment service providers, and other financial institutions in Nigeria. The CBN has issued risk management guidelines for financial institutions that address the use of algorithmic and AI-driven decision-making in credit, fraud detection, customer onboarding, and customer service. The core requirements that emerge from CBN guidance are model risk management, explainability for credit decisions, audit trail maintenance, and bias monitoring.

Model risk management requirements mean that AI models used for credit underwriting and risk assessment must be subject to the same validation, back-testing, and ongoing monitoring procedures that apply to statistical models. A bank using a machine learning system for credit scoring must be able to demonstrate to CBN examiners that the model has been independently validated, that its performance is monitored against defined metrics, and that there is a documented process for managing model failure or unexpected behaviour. These requirements align with the Basel Committee on Banking Supervision's guidance on the use of machine learning in financial risk management, which CBN has referenced in its own publications.

Explainability requirements mean that AI-driven credit decisions must be capable of being explained to affected customers in terms they can understand. A fully opaque model that produces a credit refusal without a human-interpretable basis is inconsistent with CBN guidance on fair treatment of customers. Operators running AI credit systems in Nigeria must implement interpretation layers that translate model outputs into communicable reasons.

The CBN's guidelines on Open Banking also have implications for AI operators: financial data shared under Open Banking arrangements is subject to data protection requirements that layer on top of the NDPA, and AI systems that consume Open Banking data feeds for financial analysis or credit decisions must manage data governance across both regulatory frameworks.

Nigerian Communications Commission

The Nigerian Communications Commission regulates telecommunications services and has issued consumer protection guidance that addresses AI-driven customer interactions. The NCC's Consumer Code of Practice for Licensed Operators includes provisions on automated customer service systems: consumers must be informed when they are interacting with an automated system rather than a human agent, and operators must provide accessible human escalation paths for consumers who request them.

This disclosure requirement is directly relevant to operators deploying AI chatbots, virtual assistants, or automated call centre systems in the Nigerian telecommunications market. The NCC's position mirrors the EU AI Act's transparency obligation for AI systems intended to interact with natural persons (Article 50 of Regulation 2024/1689), under which such systems must disclose their AI nature at the start of interaction. For operators already complying with Article 50 for their EU deployments, extending the disclosure mechanism to Nigerian deployments addresses NCC requirements at minimal incremental cost.

Securities and Exchange Commission

Nigeria's Securities and Exchange Commission has addressed AI in the context of algorithmic trading and AI-assisted investment advice. SEC guidance requires that algorithmic trading strategies be registered with the Commission and subject to pre-deployment testing. For investment advisers and fund managers using AI to generate or screen investment recommendations, SEC expects that AI-generated outputs be reviewed by qualified human professionals before being communicated to clients.

The SEC's AI guidance reflects a recognition that AI systems operating at scale in capital markets can amplify systemic risk if governance is inadequate. Operators in Nigeria's growing capital markets technology segment should treat SEC guidance as establishing binding operational requirements for their AI deployments in this sector, including registration, testing, and human oversight obligations that are not captured by the NDPA alone.

Health regulators

The National Health Insurance Authority and the Federal Ministry of Health have issued guidance on the use of AI in healthcare diagnosis, treatment recommendation, and insurance claims processing. The guidance requires that AI diagnostic tools deployed in clinical settings be registered as medical devices where they meet the definition of a medical device under Nigerian law, and that clinical AI systems be subject to clinical validation studies before deployment. Operators should consult current NAFDAC guidance on AI medical devices to confirm applicable registration requirements.

For AI operators in the healthtech segment, this creates a compliance pathway distinct from the NDPA: registration, clinical validation, and ongoing performance monitoring as conditions for deployment in clinical contexts. Operators entering the Nigerian health AI market should engage with NAFDAC (the National Agency for Food and Drug Administration and Control) on device classification before deployment.

EU AI Act extraterritorial exposure for Nigerian operators

Regulation (EU) 2024/1689, which entered into application in phases from August 2024, extends the EU AI Act's reach beyond EU-established entities. Article 2(1) of the Act applies it to providers that place AI systems on the EU market or put them into service in the EU, regardless of establishment, and to operators whose AI systems produce outputs used in the EU. A Nigerian company operating a recruitment AI platform that is used by European employers to screen candidates, a Nigerian fintech operating a credit scoring system that assesses EU-resident borrowers, or a Nigerian content moderation platform processing the posts of EU users: each is within scope of the Act for those deployments.

The practical consequence is that Nigerian operators with EU-facing AI products face two distinct regulatory environments simultaneously. For the EU-directed deployments, they must comply with the EU AI Act's provider and deployer obligations, including technical documentation (Article 11), risk management system (Article 9), data and data governance (Article 10), transparency and provision of information (Article 13), human oversight (Article 14), accuracy and robustness (Article 15), and conformity assessment procedures for Annex III high-risk systems. For the Nigeria-directed components of the same product, they must comply with the NDPA, NITDA guidelines, and applicable sector guidance.

The 2 August 2026 application deadline for Annex III high-risk systems is the date by which providers were required to complete conformity assessments and register their systems in the EU database. The European Parliament and Council reached a provisional agreement on 7 May 2026 under the Digital Omnibus package to defer this deadline to 2 December 2027. This agreement has not been formally adopted as of the date of this publication. The original 2 August 2026 deadline remains binding until formal adoption. Nigerian operators with EU-facing high-risk AI systems should not treat the provisional deferral as a confirmed extension. They should either proceed on the original timeline or seek legal confirmation of the deferral's adoption status before adjusting their compliance schedule.

High-risk AI system categories under Annex III of the EU AI Act that are frequently relevant to Nigerian operators serving EU markets include: AI systems used in employment and workers management (including recruitment screening and CV sorting); AI systems used in access to essential private services (including credit scoring and insurance risk assessment); AI systems used in education and vocational training; and AI systems intended to be used by or on behalf of public authorities for law enforcement or border control. An operator in Nigeria operating in any of these categories for EU-facing deployments should treat EU AI Act compliance as a binding obligation, not a voluntary framework.

For a detailed analysis of how the EU AI Act applies to operators outside the EU, see the EU AI Act extraterritorial reach guide on this site.

Insurance and liability coverage for AI operators in Nigeria

The market for AI-specific liability insurance in Nigeria is at an early stage. Nigerian insurers do not currently offer dedicated AI liability products comparable to those available in EU or US markets. Operators deploying AI systems that carry material liability exposure (automated credit decisions, clinical AI, AI-driven fraud detection with false-positive risk) are likely to rely on professional indemnity, technology errors and omissions, and general commercial liability policies that have not been specifically designed for AI risk profiles.

For Nigerian operators with EU-facing AI deployments, EU-market insurance solutions are available and may be the more appropriate instrument. Munich Re's aiSure product, Armilla's AI performance guarantees, and Lloyd's of London market facilities for AI errors and omissions are designed for operators whose AI systems carry performance and liability risk in regulated markets. These products assess the governance quality of the AI system as part of underwriting, meaning that operators who have invested in NITDA-aligned governance documentation, NDPA compliance, and EU AI Act conformity assessment are better positioned to obtain coverage at acceptable cost.

The connection between insurance underwriting and AI governance quality is the same in the Nigerian context as in more mature markets: a well-documented, well-governed AI system with clear human oversight mechanisms, audit trails, and bias monitoring is a better insurance risk than one that lacks these features. Building governance infrastructure that satisfies NITDA guidelines, NDPA requirements, and EU AI Act obligations simultaneously reduces both regulatory exposure and insurance cost.

How Nigeria compares to other African and global jurisdictions

Among African jurisdictions, Nigeria's AI governance position is advanced relative to most peers. South Africa has published an AI policy discussion paper and is developing the Protection of Personal Information Act (POPIA) framework for AI contexts, but has not yet produced dedicated AI guidelines at the operational level of Nigeria's NITDA publications. Kenya has issued data protection regulations and is developing an AI policy framework. Egypt has published a national AI strategy. Nigeria's combination of a data protection statute, a national AI strategy, NITDA guidelines with operational content, and sector-level regulatory engagement represents one of the more developed AI governance architectures on the continent as of 2026.

Relative to the major global frameworks, Nigeria's approach resembles the United States federal position: advisory at the national level, sector-based at the regulatory level, without a comprehensive statute. The difference is that the US has a deeper ecosystem of sector AI guidance (particularly from the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, and the Equal Employment Opportunity Commission) and a more developed voluntary framework ecosystem (NIST AI Risk Management Framework 1.0, NIST AI RMF 2.0 drafts). For a comparison across the US, EU, and UK approaches, see the three-jurisdiction liability comparison on this site.

The EU AI Act is the most structurally demanding framework with which Nigerian operators must engage, both because of its extraterritorial reach and because of the technical specificity of its requirements. Nigeria's domestic framework, in its current form, does not approximate the EU's product-safety model for AI systems. There is no Nigerian equivalent of Annex III high-risk classification, no mandatory conformity assessment procedure, and no centralised AI system registry. An operator who has completed EU AI Act conformity assessment for a high-risk system will have produced documentation and implemented governance mechanisms that substantially exceed current Nigerian domestic requirements for the same system.

What operators should do now

The absence of a comprehensive Nigerian AI statute does not mean Nigeria is a low-governance market for AI deployment. The NDPA, NITDA guidelines, sector regulatory guidance, and EU AI Act extraterritorial obligations together create a substantive and multi-layered compliance environment. The following steps represent the practical compliance priorities for operators deploying AI in Nigeria in 2026.

First, assess NDPA applicability to your AI deployment. If your AI systems process personal data of Nigerian residents, the Act applies regardless of where you process that data. Confirm that you have a lawful basis for each processing activity and that your data governance practices satisfy purpose limitation, accuracy, and security requirements. If your AI system is used to make consequential automated decisions about Nigerian data subjects, review the NDPC's published guidance on data subjects' rights in automated processing contexts and implement appropriate explanation and review mechanisms.

Second, review NITDA guidelines for your deployment context. The NITDA Guidelines on Artificial Intelligence 2023 provide the most operationally specific government guidance currently available for private sector AI operators in Nigeria. Confirm that your risk assessment, explainability, and human oversight practices are consistent with those guidelines. Document your compliance posture in a form that can be presented to NITDA or to a sector regulator on request.

Third, identify which sector regulator governs your activities. If you operate in financial services, your primary AI compliance obligations beyond the NDPA derive from CBN guidance. For telecommunications, NCC applies. For capital markets, SEC applies. For healthcare, NAFDAC and the Federal Ministry of Health guidance applies. Review the AI-specific guidance published by your sector regulator and confirm that your model risk management, explainability, audit trail, and bias monitoring practices satisfy that guidance.

Fourth, assess your EU AI Act exposure. If any component of your AI deployment produces outputs used by EU residents, map those components against the EU AI Act's risk classification. For Annex III high-risk systems, initiate or continue conformity assessment procedures. Do not assume that the Digital Omnibus provisional deferral of the 2 August 2026 deadline removes your obligation: the deferral is not yet formally adopted and the original date binds until it is.

Fifth, document your AI governance programme in a form that is legible across both Nigerian and EU regulatory expectations. A governance documentation set that includes system purpose and scope, training data description and governance, risk assessment findings, testing and validation records, human oversight mechanisms, incident response procedures, and monitoring arrangements will satisfy the audit requirements of NITDA guidelines, NDPC data protection obligations, and EU AI Act technical documentation requirements simultaneously. Building one documentation set that satisfies both environments is more efficient than maintaining separate governance artefacts for each jurisdiction.

Frequently asked questions

Does Nigeria have a standalone AI law in 2026?

Nigeria does not have a standalone AI statute as of June 2026. The primary instruments governing AI-related activities are the Nigeria Data Protection Act 2023 (NDPA), NITDA's guidelines including the National AI Policy 2021 and the Guidelines on Artificial Intelligence 2023, and the National AI Strategy 2024. NITDA has also issued sector guidance. The overall approach is advisory at the national level and sector-based in regulated industries.

What is NITDA's role in AI governance?

The National Information Technology Development Agency (NITDA), established by the NITDA Act 2007, is the primary government body for information technology policy and regulation in Nigeria. NITDA published the National AI Policy 2021 and co-led the National AI Strategy 2024. NITDA issues guidelines and frameworks that represent the government's compliance expectations for technology operators. For AI operators, NITDA guidelines are the de facto compliance baseline in the absence of a comprehensive statute or sector-specific regulator.

What does the Nigeria Data Protection Act 2023 require for AI systems?

The NDPA, signed into law on 12 June 2023, applies to the processing of personal data of Nigerian residents by automated means. Where an AI system processes personal data to make or substantially inform a consequential decision about a data subject, the operator is a data controller under the Act and must have a lawful basis for processing, respect purpose limitation, ensure data accuracy, and implement appropriate technical and organisational safeguards. The NDPC has enforcement powers including administrative fines.

How does the National AI Strategy 2024 affect private operators?

The National AI Strategy 2024 sets Nigeria's ambition to become a leading AI-enabled economy in Africa by 2030. Its ethical and responsible AI pillar establishes principles (transparency, fairness, accountability, safety, privacy, inclusivity) that operators working with government or in regulated sectors are expected to observe. The Strategy is not primary legislation and does not create binding obligations on private sector operators directly. It signals regulatory direction and informs NITDA's subsequent guidance documents, which carry greater de facto compliance weight.

Are Nigerian operators subject to the EU AI Act?

Yes, if they place AI systems on the EU market or their AI systems produce outputs used in the EU. Regulation (EU) 2024/1689 applies extraterritorially: a Nigerian company operating an AI system whose outputs are used by EU residents is within scope for those deployments. High-risk system obligations under Annex III (including technical documentation, conformity assessment, and registration) apply. The 2 August 2026 deadline for Annex III high-risk systems is provisionally deferred to 2 December 2027 under the Digital Omnibus agreement of 7 May 2026, but this deferral is not yet formally adopted and the original date binds until adoption.

What sector regulators govern AI in Nigeria?

The Central Bank of Nigeria (CBN) governs AI in banking and financial services, with guidance on model risk management, explainability, and bias monitoring for credit and fraud AI. The Nigerian Communications Commission (NCC) requires disclosure when consumers interact with automated systems. The Securities and Exchange Commission (SEC) governs algorithmic trading and AI investment advice. The National Health Insurance Authority and NAFDAC govern AI in healthcare and medical device contexts. For operators in these sectors, the relevant regulator's guidance creates the binding AI compliance floor beyond the NDPA baseline.

References

  1. Nigeria Data Protection Act 2023, signed into law 12 June 2023. National Assembly of the Federal Republic of Nigeria.
  2. Nigeria Data Protection Commission (NDPC), operational from 2023. Published enforcement guidance on automated decision-making.
  3. NITDA, Guidelines on Artificial Intelligence, 2023. National Information Technology Development Agency, Federal Republic of Nigeria.
  4. NITDA, National AI Policy, 2021. National Information Technology Development Agency, Federal Republic of Nigeria.
  5. Federal Ministry of Communications, Innovation and Digital Economy, National AI Strategy 2024, Federal Republic of Nigeria.
  6. NITDA Act 2007, National Information Technology Development Agency Act, Federal Republic of Nigeria.
  7. Central Bank of Nigeria, Risk Management Guidelines for Banks and Other Financial Institutions (AI and machine learning provisions).
  8. Nigerian Communications Commission, Consumer Code of Practice, provisions on automated customer interactions.
  9. NAFDAC, Guidance on AI Medical Device Classification.
  10. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (EU AI Act). Official Journal of the European Union, 12 July 2024.
  11. EU AI Act, Annex III (high-risk AI system categories), Article 2(1) (scope including extraterritorial application), Article 9 (risk management), Article 10 (data and data governance), Article 11 (technical documentation), Article 13 (transparency), Article 14 (human oversight), Article 50 (transparency obligations for AI systems interacting with natural persons).
  12. EU Digital Omnibus provisional agreement, 7 May 2026. Provisional deferral of EU AI Act Annex III high-risk deadline from 2 August 2026 to 2 December 2027. Not yet formally adopted as of date of publication.
  13. Directive (EU) 2024/2853 on liability for defective products (Product Liability Directive), entered into force 9 December 2024. Relevant to AI system defect liability for operators placing systems on the EU market.
  14. OECD AI Principles, 2019, updated 2024. Organisation for Economic Co-operation and Development.
  15. NIST AI Risk Management Framework 1.0, National Institute of Standards and Technology, January 2023.
  16. Munich Re, aiSure AI performance insurance product. Munich Reinsurance Company.
  17. Armilla AI, AI performance guarantees and underwriting. Armilla AI Inc.
  18. Lloyd's of London, market facilities for AI errors and omissions coverage. Lloyd's of London.
  19. Moffatt v. Air Canada, 2024 BCCRT 149 (British Columbia Civil Resolution Tribunal). AI chatbot liability case: Air Canada held liable for its AI agent's misrepresentation. Frequently cited in AI liability analysis.
  20. Mata v. Avianca, Inc., 22-cv-1461 (S.D.N.Y. 2023). Sanctions imposed on attorneys who submitted AI-generated hallucinated case citations without verification.
  21. Basel Committee on Banking Supervision, Principles for sound model risk management. Guidance on AI and machine learning in financial risk management.