President Bola Tinubu has signed away Nigeria’s old identity law. Few people outside Abuja’s policy circles have noticed what that actually means.
On the surface, the National Identity Management Commission (NIMC) Act 2026 reads like routine legislative housekeeping. It replaces the 2007 law that originally created NIMC, and it arrived through a statement from the commission’s Head of Corporate Communications, Kayode Adegoke, on a quiet Friday. But buried inside that statement is a structural shift with consequences far beyond identity cards. NIMC is now the Root Certification Authority for Nigeria’s National Public Key Infrastructure and its Digital Public Infrastructure. That single designation puts one government commission at the centre of every digital trust transaction the country will run for the next decade.
This is not a paperwork update. It is the legal foundation for a market that does not fully exist yet — and the companies that understand this fastest stand to capture the most value.
Why NIMC’s New Powers Are a Bigger Deal Than the Headline Suggests
Public Key Infrastructure sounds like a backend concern for engineers, but it is the layer that decides whether a digital signature, an online banking login, or a government e-service can be trusted at all. By naming NIMC the Root Certification Authority, the new Act gives the commission the power to issue and validate the digital certificates that authenticate identity across banking, healthcare, taxation, pensions, insurance, elections, and property records. One verified identity becomes the master key that unlocks dozens of separate digital systems.
That is a genuine leap from NIMC’s original 2007 mandate, which was largely about issuing National Identification Numbers and managing a population register. The commission has spent the past two years wrestling with basic execution problems even within that narrower scope. NIMC’s abrupt migration to a new identity verification platform in mid-2025 forced telecom operators to suspend SIM registration and related services nationwide, an episode that exposed how fragile the existing verification rails already were. Now the same commission is being handed the legal authority to certify digital trust for the entire economy. The ambition has scaled up considerably faster than the demonstrated operational capacity.
Still, ambition is not automatically a flaw. Every functioning digital economy needs a root of trust somewhere, and Nigeria has now decided where that root will sit. The interesting question is not whether NIMC should exist as Root CA — someone has to — but what gets built on top of it, and who gets to build it.
The Multi-Billion-Naira Stack Nobody Has Fully Priced In
Strip away the legal language and the opportunity becomes concrete. A national PKI and DPI mandate creates demand across data centres, cloud hosting, biometric authentication, identity verification APIs, fraud detection, digital signature platforms, and disaster recovery infrastructure. None of that exists for free, and none of it can be imported wholesale — sovereignty requirements around national identity data mean much of this stack needs to be built or hosted domestically.
That is precisely the opening that infrastructure players have started circling. Companies with existing national cloud footprints, secure data centre capacity, and established government connectivity — the kind of profile that firms like Galaxy Backbone occupy — are positioned to become foundational vendors in this build-out rather than incidental ones. The commercial logic is straightforward: government cannot run a Root Certification Authority on infrastructure it does not control, and very few private entities currently have the security clearances and uptime guarantees to host that workload.
Identity verification companies have been here before, just at smaller scale. Smile ID’s 2025 Digital Identity Fraud Report, drawn from more than 110 million identity checks across the continent, found that fraud attempts during authentication ran four times higher than at registration — a finding that should worry anyone assuming a single national identity layer automatically means a safer one. Ope Kufoniyi, the company’s identity and compliance lead, has argued that Africa’s KYC fragmentation needs deeper regulator-industry collaboration before fraud detection can scale with the systems it is meant to protect. The NIMC Act gives Nigeria a unified legal framework. It does not, on its own, give Nigeria a unified fraud-detection capability to match it.
The Case for Treating This as Genuine Progress
It would be unfair to read the Act only through a risk lens. Nigeria’s identity ecosystem has been a documented mess for years, and a chunk of that mess stems directly from regulatory ambiguity rather than malicious actors. When NameCheap suspended a Nigerian platform called XpressVerify in 2024 over the unauthorised commercial resale of NIN-linked personal data, NIMC’s own statement clarified that the company had never been an officially licensed verification partner in the first place. The breach was not really a breach of the national database — it was a breach of an unclear authorisation perimeter that let unlicensed intermediaries resell sensitive data with the appearance of legitimacy.
A Root Certification Authority model, properly enforced, closes exactly that kind of gap. If NIMC controls the certificate chain for every legitimate identity verification request, an entity like XpressVerify would be cryptographically incapable of impersonating an authorised partner, instead of merely violating a licensing rule whose enforcement depended on after-the-fact detection. That is a meaningful security upgrade, not a cosmetic one.
The Act also formalises a direction the rest of government has already been moving in. The Corporate Affairs Commission’s AI-powered business registration portal now leans on real-time NIN verification to compress incorporation timelines toward a 30-minute target, and NIBSS has been building out AfriGo as a national card scheme tied to the same identity backbone. A coherent PKI law gives these efforts a single legal spine instead of a patchwork of inter-agency memoranda. Financial inclusion arguments tend to get thrown around loosely in Nigerian tech policy, but a working national digital identity does map fairly directly onto faster KYC, cheaper onboarding, and lower fraud costs for banks serving previously undocumented customers.
Where the Optimism Runs Into Nigeria’s Execution Problem
None of that infrastructure logic survives contact with NIMC’s actual track record without serious qualification. The same commission now responsible for anchoring digital trust across the entire economy has, within the past 24 months, triggered a nationwide SIM registration shutdown through a poorly sequenced platform migration and publicly identified five separate websites illegally harvesting and reselling Nigerians’ NIN data. Centralising authority does not automatically centralise competence. It can just as easily centralise risk, concentrating a single point of failure where dozens of smaller ones used to exist.
There is also a harder structural tension the Act does not resolve: Nigeria’s fintech sector is simultaneously consolidating its own identity and KYC layers at the corporate level. Flutterwave’s acquisition of Mono explicitly targeted core identity and data layers, including KYC and bank account verification, as among the prized assets changing hands in the current wave of fintech super-mergers. If private fintech giants are racing to own proprietary identity infrastructure at the same moment government is asserting a sovereign monopoly over the root of digital trust, the two ambitions will eventually collide. Either NIMC’s PKI becomes the mandatory substrate every private identity layer must plug into, which raises real questions about vendor lock-in and pricing power, or large fintechs route around it where they can, which undermines the entire premise of a single national root of trust.
Enforcement as Another Layer of Worry
Enforcement capacity is the other unanswered question. NIMC’s statement promises strengthened cybersecurity and improved data protection, but the commission’s Friday-afternoon press release model — explaining major operational disruptions after the fact through a single communications officer — does not inspire confidence that a Root Certification Authority handling billions of authentication requests will have the real-time monitoring and incident response infrastructure that role demands. Standing up a legal mandate is the easy part. Standing up the security operations centre to back it is the part nobody has announced yet.
Trust, ultimately, will determine whether the initiative succeeds. Banks, fintechs, telecom operators, government agencies, and citizens will all rely on the Root Certification Authority to authenticate identities and secure digital transactions. That trust cannot be built through regulation alone. It requires transparent governance, independent security audits, clear service-level commitments, and a proven track record of resilience under pressure. Without those safeguards, the RCA risks becoming not just a single point of trust, but a single point of failure for Nigeria’s expanding digital economy.
What to Watch as the Act Moves From Law to Infrastructure
The next twelve months will tell observers more than the legislation itself. Watch for the implementing regulations that define exactly which private entities can become licensed Certificate Authorities under NIMC’s root, since that licensing framework will determine whether this becomes an open ecosystem or a tightly gated one. Watch for whether Galaxy Backbone or any comparable infrastructure player actually signs a formal hosting or PKI-operations agreement with NIMC, rather than simply being positioned as a likely candidate. And watch whether the major fintech conglomerates emerging from 2026’s consolidation wave treat the national PKI as a foundation to build on or an obstacle to negotiate around.
Nigeria has approved the operating system for a digital nation, as the framing around the Act puts it. Operating systems are only as good as the applications built on top of them, and the team responsible for shipping this one has a recent history of pushing updates that broke things for millions of users overnight. The law is signed. The infrastructure build-out, and the accountability that should come with it, has not even started.