The Nigerian regulatory landscape continues to evolve rapidly. As the country deepens reforms across corporate governance, taxation, data protection, financial reporting, labour, and sector-specific licensing, businesses now face heightened regulatory scrutiny from regulators and more complex compliance burdens. Our prediction is that the enforcement climate in 2026 is going to be stricter, with regulators such as the Corporate Affairs Commission (CAC), the Nigerian Revenue Service (NRS), the Financial Reporting Council of Nigeria (FRCN), and the Nigeria Data Protection Commission (NDPC) increasingly focusing on compliance failures and transparency gaps.
For business owners, directors and investors, understanding and complying with these obligations is essential not only for legal survival but also for market competitiveness, access to finance, and stakeholder trust. This article provides an analysis of the principal regulatory obligations that Nigerian businesses must meet in 2026.
- COMPANY REGISTRATION AND CORPORATE GOVERNANCE OBLIGATIONS UNDER THE COMPANIES AND ALLIED MATTERS ACT (“CAMA”) 2020
- Requirement for Company Registration
Under CAMA 2020, every company must be registered with the Corporate Affairs Commission (”CAC”) to operate legally in Nigeria. This registration grants a company its legal identity, separates personal assets from business liabilities, and is a prerequisite for entering contracts, suing, being sued, and gaining credibility with stakeholders. Failure to comply can lead to legal actions, fines, and the potential dissolution of the business by the CAC.
It is pertinent to note that an unregistered business is illegal in the eyes of the law as it is operating unlawfully. The business has no legal recognition and the owner of such business concern cannot hold it out as a legal entity.
Further to the above, an unregistered business finds it impossible enforcing contracts as the courts may require proof of legal existence in order to enforce the right of a business owner in a matter for breach of contract.
A business that is not registered with the CAC is not investor-friendly as investors are more drawn to business with verifiable corporate structures before committing their funds.
i. Meeting the Minimum Share Capital Requirement for Local and Fully Foreign-Owned Companies
The Companies and Allied Matters Act 2020 (“CAMA 2020”) replaced the former authorised share capital system with a new minimum issued share capital regime. Under this framework, companies are no longer required to state an authorised share capital; instead, they must issue a minimum amount of share capital upon incorporation.
In addition, companies with foreign participation are now required to have a minimum issued share capital of ₦100,000,000. Consequently, any foreign-owned or foreign-participating company that currently has a share capital below this threshold is required to increase its issued share capital to comply with the statutory requirement.
Further to the above, some sectors require that a minimum share capital threshold is maintained throughout the existence of an organisation. This is very common in the financial service industry under the regulation of the Central Bank of Nigeria and the Securities and Exchange Commission.
Regulated entities such as banks, fintechs, fund/portfolio managers, broker-dealers and other licensed operators must ensure that their paid-up capital does not fall below the threshold provided by the relevant regulator as a decline below the recommended minimum capital may result in sanctions on the defaulting organisation and in some cases restrictions on operations and in extreme cases, suspension or revocation of licence.
Organisations operating with regulated sectors or whose operations require the maintenance of a minimum share capital threshold must continuously monitor and maintain their capital position as a part of their ongoing compliance obligations.
ii. Filing of Annual Returns and Audited Financials
Every registered company must comply with annual disclosure obligations to the CAC. These obligations promote corporate transparency, ensure regulatory oversight, and maintain a company’s good standing on the public register.
Every company must file its annual returns with the CAC within 42 days after the Annual General Meeting (AGM). The filing must include the company’s audited financial statements, shareholding structure, directors’ and shareholders’ details, and any resolutions passed during the financial year, and according to Section 119 (2) of CAMA, a company shall in every annual return filing, disclose the persons with significant control of the company in respect of the year for which the return is being filed.
iii. Statutory Registers and Corporate Records
CAMA 2020 imposes strict obligations on companies to maintain accurate and up-to-date statutory registers and corporate records. These records form the legal foundation of a company’s governance structure and are essential for demonstrating regulatory compliance during audits.
Key Statutory Registers Required under CAMA 2020
Every company must maintain the following registers at its registered office or principal place of business:
- Register of Members:Contains the names, addresses, shareholdings, and membership dates of all shareholders. It reflects the legal owners of the company at any given time.
- Register of Directors:Provides the particulars of all directors, including appointments, resignations, and changes in personal information.
- Register of Persons with Significant Control (PSC):Records individuals or entities that ultimately exercise significant influence or hold substantial control over the company, typically through share ownership or voting power of 5% or more.
- Register of Charges:Lists all registered charges over the company’s assets, including details of the lender, the nature of security, and the date of creation.
- Register of Allotments:Documents all share allotments made by the company, including the number of shares issued, the consideration received, and the allottee’s details.
- Register of Persons with Significant Control: Documents persons who control or benefit from the business indirectly especially through the use of corporate shareholder or a nominee structure.
- Notification of Changes
CAMA 2020 requires companies to promptly notify the CAC of key changes affecting their corporate structure, governance, or shareholding. Timely notification ensures regulatory compliance and prevents penalties for late filing.
Key Notifications and Filing Obligations Deadlines
| Appointment/resignation/removal of directors | Within 14 days | Section 292 CAMA |
| Changes in shareholding or share transfers | Within 30 days | Section 154 CAMA |
| Change of registered office or principal place of business | Within 14 days | Section 82 CAMA |
| Alteration of share capital (increase, reduction) | Within 15 days | Section 127 CAMA |
| Appointment of Person with significant control | With 1 month after receiving the notification from the PSC and the PSC must inform the company within 7 days from becoming a PSC. | Section 119 (1) and (2) CAMA |
It is pertinent to state that notification of changes does not end at the CAC. Companies that operate in regulated sectors such as the CBN or SEC must also file a notification of changes with their relevant regulator. For companies regulated by the CBN, it is important that the CBN is informed of the changes even before effecting any changes.
- Persons with Significant Control and Beneficial Ownership Reporting with the Regulators
Another significant aspect that requires strict compliance is the reporting requirement of Persons with Significant Control (“PSC”) and Ultimate Beneficial Ownership (“UBO”) of a company.
PSC and UBO refers to persons who ultimately own, control or benefit from a company even if their ownership or benefit is indirect. It is a vehicle used by the regulators to identify the natural persons who control and benefit from a company’s assets and income especially when done through a corporate vehicle or nominee structure.
The Purpose of the PSC and UBO reporting is to ensure corporate transparency, prevent money laundering and ensure that tainted funds are not brought into the country through corporate channels.
Further to the above, companies are required by the CAC to do the following:
- File beneficial ownership information with the CAC especially for corporate shareholders.
- Maintain a PSC register that is regularly updated.
- Ensure that the details of the PSC contained in the register and filed with the CAC are accurate.
- Promptly file and update records of the PSC in the event of any change.
Section 12 of the Persons with Significant Control Regulations, 2022 provides for sanctions that are applicable to organizations that are not in compliance with the reporting requirement and reporting standards for PSC. Depending on the level of default, sanctions could be by way of administrative fines on the company and the officers of the company who have participated or allowed the default to occur. In extreme cases, the status of the company on the CAC portal could be reflected as “inactive” in the PSC register of the Registrar of Companies in Nigeria and on the online portal of the CAC. This could lead to loss of business for such companies especially in light of the recent discussions between the CAC and some banks in Nigeria where the CAC has encouraged banks to disregard applications for loan from companies whose status on the CAC online portal is reflected as “inactive”.
- Corporate Governance Requirements
In Nigeria, the Nigerian Code of Corporate Governance (NCCG 2018) continues to serve as the primary framework for corporate governance, particularly for Public Interest Entities (“PIEs”) such as listed companies, banks, insurance firms, and other financial institutions. The Code is designed to strengthen transparency, accountability, and ethical business conduct.
Some key governance issues to put into consideration are as follows:
- Board Effectiveness: Boards are expected to provide strategic leadership, oversee management, and ensure the company meets its objectives and carries out its operations in compliance with the relevant laws. In order to achieve this, it is recommended that companies set up a structure to that regularly evaluates board performance and competencies.
- Risk Management Systems: Companies must implement robust risk management frameworks to identify, assess, and mitigate financial, operational, and compliance risks.
- Internal Audit Function: An independent internal audit function should evaluate internal controls, governance processes, and compliance with statutory and regulatory obligations.
- Ethical Conduct and Corporate Responsibility: Companies are expected to operate with integrity, fairness, and transparency, promoting stakeholder confidence and sustainable business practices.
While the Nigerian Code of Corporate Governance, 2018 is formally recommended for PIEs, adherence by other companies is encouraged to strengthen governance standards. Compliance with the Code can enhance investor confidence, reduce operational risks, and facilitate regulatory approvals.
PERSONAL DATA PROTECTION COMPLIANCE OBLIGATIONS
Data protection has become one of the most enforced aspects of regulatory compliance. Regulators have intensified scrutiny of companies whose operations require them to collect, use, store or transfer personal data of Nigerians. Such organizations are now expected to demonstrate practical compliance with applicable laws and regulations.
Article 7 of the Nigeria Data Protection Act, 2023, General Application and Implementation Directives 2025 list out some of the compliance measures expected of an organization that processes and controls the personal data of Nigerians under the Nigeria Data Protection Act (“NDP Act”. Some of them as it relates to compliance are as follows:
- Registration with the NDPC as a data controller or data processor of major importance.
- Conduct NDP Act compliance audit within 15 months of commencement of business and thereafter on annual basis.
- In the case of data controllers and processors of major importance, they are required to file Compliance Audit Returns with the NDPC on or before the 31st of March of each year.
- Develop and implement an organizational privacy policy which shall be in compliance with the NDP Act. The organization must publish the privacy policy on its platform.
- Designate a Data Protection Officer whose primary duty would be to ensure that the company’s operations are compliant with the NDP Act.
- For companies that operate a website, they are required to provide privacy and cookie notices at the homepage of its website
- Develop and circulate an internal data protection strategy or policy and basic privacy checks to help members of staff and other relevant persons understand the organisation’s direction in connection with the processing of personal data and outline the steps to be taken by all to ensure that the organisation’s standards as it relates to the protection of personal data are upheld.
Further to the above, additional measures that should be applied by data processors/controllers are as follows:
- Implementation of data security measures.
- Clear lawful basis for processing data.
- Regular staff trainings on data protection regulations and guidelines.
- Data breach reporting. Under current regulatory frameworks for protection of personal data, organisations are required to report data breaches promptly once identified. In addition to the reporting requirements, regulators are interested in seeing steps taken to ensure the immediate containment of breach.
- Implementation of basic cybersecurity controls.
Tax Compliance Obligations
On 26 June 2025, the President signed the Nigeria Tax Act, 2025 (NTA), alongside the Nigeria Tax Administration Act, 2025 (NTAA), the Nigeria Revenue Service (Establishment) Act, 2025 and the Joint Revenue Board (Establishment) Act, 2025 into law. The new laws have since taken effect since 1st January 2026. The new tax regime poses stricter measures to ensure that there are no loopholes in the tax system. This also places a lot of responsibilities on businesses in Nigeria.
The following are the areas that require strict compliance:
(a) Companies Income Tax (“CIT”): Company Income Tax, also known as Corporate Tax, is a tax levied on the profits accruing in, derived from, brought into or received in Nigeria. It is paid by incorporated businesses on the income earned from carrying out business activities.
Small companies with an annual turnover less than N100,000,000 (One Hundred Million) and a fixed asset less than N250,000,000 (Two Hundred and Fifty Million) are exempted from remitting CIT while companies with an annual turnover that exceeds N100,000,000 (One Hundred Million) are required to make a remittance of 30% of their profit for the year.
The due date for filing CIT is within 6 months of the company’s accounting year end and for new companies, it must be done within 18 months from the date of incorporation or 6 months after its first accounting period. Whichever is earlier.
(b). Value Added Tax (“VAT”): Value Added Tax is a consumption tax that is chargeable on goods and services. According to the NRS, e-invoicing is now a compulsory digital tool for issuing sales invoices and collecting VAT. This is to ensure real-time reporting of transactions in order to strengthen compliance and minimize tax evasion.
The VAT rate is still 7.5%. VAT must be filed by the 21st of the month following the date of transaction.
- Withholding Tax (“WHT”): WHT is an advance payment of income tax deductible at source on specific transactions. It can be applied as a tax credit against income tax liability. Companies with an annual turnover of N50 Million or less are exempt from having to deduct WHT on transactions up to N2 Million in a month, provided that the supplier has a valid Tax Identification Number (“TIN”).
The WHT rates are as follows:
- 10% on dividends
- 10% on interest
- 10%. On royalties
- 10% on rent
- 5% on Commission, Consultancy, technical services, management and professional fee
- 5% on brokerage fee
- 2% for supply of goods and materials
- 2% for rendering services
- 2% for Co-location and telecommunication towers
- 2% for construction of road, bridge and building and power plant
- Personal Income Tax (“PIT”): PIT is a tax imposed on the income of individuals and unincorporated entities in Nigeria. It represents the contribution individuals make to government revenue based on the earnings or income level.
The new tax laws exempt annual income below tax N800,000 from pay. Minimum wage earners are also exempted from paying Personal Income Tax. The due date for filing PIT is dependent on the category and they are as follows:
- Self-employed individuals: It must be filed on or before 31st March of every year.
- Employees: The monthly Pay as You Earn deductions must be done before the 10th day of the following month.
- The annual return of employees must be filed by 31st January every year.
LICENCE PROCUREMENT AND TIMELY RENEWALS
For organisations operating in regulated sectors, procuring of operational licence and renewal of licence remain a mandatory compliance requirement. For such organisations, they must obtain and maintain the appropriate operational licences from their respective regulators before commencing operation.
Also, throughout the duration of their business activities, they must not only renew their licence where necessary, they must equally ensure that the standards they presented to the regulators that earned them the licence in the first place, is adequately maintained throughout the existence of the company.
Failure to comply with the above will expose an organisation to regulatory sanctions including fines and suspension or of operations.
ANTI-MONEY LAUNDERING (“AML”) COMPLIANCE
Compliance with Anti-Money Laundering (“AML”) laws has become a central aspect of regulatory compliance and corporate governance. This requirement is even stricter for companies in the finance sector whose operations involve reporting requirements to their respective regulators and the security agencies such as the Nigeria Financial Intelligence Units and the Economic and Financial Crimes Commission. Such organisations are expected to have in place controls and measures that helps them monitor transactions and identify suspicious transactions.
While the regulators and the law are stricter on businesses in the financial sector, designated non-financial businesses also fall within the purview of companies that have AML reporting requirements. Such business involves businesses in the real estate sector, jewellery business, consultancy etc. For such businesses, they are required to register with the Special Control Unit against Money Laundering.
Generally, such organisations are required to do the following:
- Conduct customer due diligence. The level of due diligence required is usually dependent on the risk level of the customer and the transaction.
- Verify the identity of clients, beneficial owners and any other related party
- Apply the use of technology to easily identify suspicious transactions
- Report suspicious transactions to regulators and the relevant security agency.
- Train staff regularly on how to identify suspicious transactions
- Implement internal AML policies and procedures and ensure that the policies are regularly updated.
Failure to adhere to AML obligations could result in both regulatory and commercial consequences such as:
- Financial penalties and sanctions
- Investigations and freezing of account which could cause reputational damage to an organization.
- Criminal liability for directors and officers of the company.
It is an unending list, but from the above it is clear that in 2026, what is expected of companies in Nigeria is a proactive-based approach to compliance as opposed to a reactive approach.
Companies must ensure that they not only meet initial regulatory requirements but most also sustain them throughout the existence of the business through timely filings, implementation of internal controls and continuous monitoring of regulatory developments in the country and all over the world. Nigeria’s regulatory landscape is ever evolving and companies that embed compliance as part of their business strategy will be best equipped to survive the regulatory terrain in 2026 and beyond.
