
Elohim Chambers (Alufe & Alufe): Expert legal services led by Dr. Dele Alufe Esq. (30+ years exp) with offices in Warri, Benin, Asaba, and Port Harcourt.


What “Compliance” Actually Means for your Nigerian Startup.

Alufe and Alufe

You’ve just incorporated with the Corporate Affairs Commission. Now your phone is ringing; the FIRS wants your Tax Identification Number for certification, your accountant is texting you about PAYE returns, and someone has forwarded you a regulatory update about the NDPC. Your friend in tech has warned you that the CBN can freeze your accounts without notice.

 

You have 10 employees, a shared workspace in Yaba, and a product you’re still trying to get off the shelves.

 

What does compliance require of you right now? The answer matters more than most founders realise. Under-compliance gets you fined, shut down, or quietly blacklisted by banks and investors. Over-compliance burns time and money you don’t have. Start by understanding what “compliance” actually means — because it’s not one thing.

 

Three Types of Compliance — and Why Conflating Them Is Expensive

 

Compliance in Nigeria can be broken into three distinct categories:

 

Statutory compliance covers laws that apply to every company regardless of size — tax registration, pension contributions, and corporate filings. These apply from day one.

 

Regulatory compliance covers industry-specific rules administered by sector regulators; CBN licences for fintech, NAFDAC registration for food or pharmaceuticals, and NCC authorisation for telecoms.

 

Contractual compliance covers what clients, investors, or partners require: security questionnaires from enterprise clients, due diligence from investors, and standards demanded by international procurement.

 

The mistake most founders make is treating all three as equally urgent. They are not. At 10 people, most of your energy belongs in statutory compliance, with a sharp eye on which regulatory obligations your business model triggers from day one. As a startup, what do I really need?

 

The Non-Negotiables: What Every 10-Person Nigerian Startup Actually Needs

 

CAC Annual Returns and Corporate Filings

 

Your CAC obligations don’t end at incorporation. Every registered company must file annual returns within 18 months of incorporation and every year after, accompanied by audited financial statements. As of 2026, the CAC is actively penalising companies and their directors for non-compliance.

 

The cost of getting this wrong: ₦3,000 to ₦5,000 per year of default, plus the risk of being declared inactive, which freezes your ability to open corporate bank accounts or attract investors running due diligence. Late filings surface at the worst possible moments: during a funding round or client onboarding.

 

Tax Registration and Filing With FIRS and State Revenue Services

 

Once incorporated, register with FIRS for a Tax Identification Number (TIN). Your filing obligations are layered:

 

Companies Income Tax (CIT): File within 18 months of incorporation and within six months of each subsequent financial year-end — typically by June 30 annually. If your turnover is below ₦25 million, you are exempt from CIT. Between ₦25 million and ₦100 million, the rate is 20%. Above ₦100 million, 30%.

 

Value Added Tax (VAT): 7.5% on most goods and services, with returns due by the 21st of the following month. The late filing penalty is ₦50,000 for the first month and ₦25,000 for each subsequent month — a number that compounds all too quickly.

 

PAYE: Remit deductions from employee salaries to the relevant State Internal Revenue Service where each employee resides, by the 10th of the following month. If your staff are in Lagos, that means the LIRS, which has become increasingly aggressive in enforcement.

 

PENCOM Pension Contributions

 

The Pension Reform Act requires employer participation in the contributory pension scheme once you reach 15 or more employees. At that threshold, you must contribute at least 10% of each employee’s monthly emolument; the employee contributes 8% — or you can bear the full 20% yourself. Contributions must reach an approved Pension Fund Administrator (PFA) within seven days of salary payment. The penalty for non-compliance is at least 2% of outstanding unpaid contributions.

 

At exactly 10 employees, you sit just below this threshold. Plan for it now rather than discover it when you cross it.

 

NSITF Contributions

 

Every company must contribute 1% of its total monthly payroll to the Nigeria Social Insurance Trust Fund (NSITF), which covers employees against workplace injuries. This is not optional even at very small scale. Make your first NSITF contribution within two years of commencing operations, and monthly thereafter.

 

Payment is to be made by the employer before the 16th day of the succeeding month after salary payment. Employers are liable to a penalty of 10% for the late or un-remitted 1% monthly payroll. Members of the Armed Forces are exempt.

 

ITF Levies

 

The Industrial Training Fund requires a 1% annual contribution of total payroll from companies with five or more employees or an annual turnover above ₦50 million. Below both thresholds, you are exempt. If your startup conducts in-house employee training and holds a valid Startup Label under the Nigeria Startup Act 2022, you are also exempt, a saving most founders don’t know to claim.

 

NDPC Data Protection Compliance

 

If your product collects or processes the personal data of Nigerians, as is the case for most tech startups, the NDPC has requirements that start early.

 

Companies processing the data of more than 1,000 individuals within six months or 2,000 within a year must submit an Annual Compliance Audit Report (CAR) via a licensed Data Protection Compliance Organisation (DPCO). Since February 2024, the NDPC also requires companies processing data of more than 200 Nigerians within six months to register as Data Controllers or Data Processors of Major Importance.

 

The audit deadline is March 31 annually, with a 50% penalty on the filing fee for late submission.

 

If your product is live and collecting user data, the NDPC clock is already ticking.

 

That’s the statutory baseline. Now for what you can skip.

 

What You Don’t Need Yet

 

This is where most founders burn money needlessly.

 

You do not need a Chief Compliance Officer — your operations lead or founder could handle it. You do not need ISO 27001 certification unless you are actively selling to international enterprise clients who require it. You do not need formal internal audit committees — that is a CAMA requirement for public companies. You do not need an elaborate policy library. A clear two-page document covering data handling, information security basics, and HR expectations will outperform a 60-page policy collecting dust on Google Drive/OneDrive any day, anytime.

 

But there is one thing most founders skip that they absolutely should not.

 

The Nigeria Startup Act Advantage Most Founders Ignore

 

The Nigeria Startup Act 2022 (NSA) is one of the most underused pieces of legislation in the Nigerian ecosystem. It is a regulatory fast lane for qualifying startups. To access its benefits, obtain a Startup Label from NITDA (the National Information Technology Development Agency).

 

Labelled startups can apply for Pioneer Status Incentive (PSI), which grants an initial three-year tax holiday extendable for a further two years — a significant cash flow advantage for an early-stage company. Labelled fintech startups also access simplified licensing procedures with the CBN and SEC through the Startup Portal.

 

Labelled startups may also request expedited approvals, waivers, or forbearances from regulators where traditional compliance requirements are unduly burdensome or incompatible with digital innovation. For a 10-person team navigating CBN licensing, this is a material business advantage, not a minor convenience.

 

To qualify: register as a limited liability company with the CAC, have been in existence for fewer than 10 years, and have at least 33% of shares held by a Nigerian founder or co-founder. If you qualify and haven’t applied, you are leaving leverage and a lot of money on the table.

 

As your business grows, you should know that your compliance obligations don’t stay static.

 

When Your Compliance Obligations Change

 

Compliance in Nigeria is not static; nothing is. New requirements can be triggered when governments, policies and other material factors change. Instances in which your compliance obligations change include, but are not limited to:

 

When you land your first enterprise client: Large corporations and international organisations will send security questionnaires before signing contracts. This happens once you are no longer a startup struggling to turn a profit and are ready to scale at an enterprise level. At this stage, documented answers to questions about data protection, information security, regulation and business continuity become essential to revenue.

 

When you raise institutional funding: Investors will examine your CAC filings, tax compliance status, PENCOM and NSITF records. Outstanding liabilities and filing gaps become negotiating leverage — against you. Clean compliance records are a valuation matter.

 

When you operate in a regulated industry: If your startup operates around/within financial services, healthcare, insurance, communications, or capital markets, sector-specific compliance is a day-one obligation. The CBN requires payment service providers to hold specific licences before processing transactions. The SEC’s framework covers any fundraising touching investment securities. Operating without the appropriate licence puts you at risk of shutdown.

 

Understanding when obligations kick in is one thing. Knowing what actually matters versus what just looks good is another.

 

Is Compliance Fugazi?

 

Some obligations in Nigeria exist primarily on paper: a 50-page employee handbook no one references, annual training sessions that amount to clicking through a PDF, risk registers built for grant applications and never updated. These exist solely to fulfil all righteousness.

 

Compliance theatre has real costs beyond wasted time. It creates a false sense of security, meaning actual risks (unregistered data processing, lapsed CAC filings, incorrect PAYE remittances, among others) often get overlooked because the shelf looks tidy. The FIRS and the NDPC are not impressed by policy documents. They are impressed by evidence of actual practice; show workings.

 

The better approach is lean but real: fewer policies, but ones your team actually follows. A one-page data handling summary everyone understands beats a GDPR-style document your team can’t navigate. Automated monthly reminders for PAYE and VAT deadlines beat a compliance calendar checked quarterly.

 

Here’s how that translates into action at each stage.

 

A Practical Timeline: What to Do and When

 

Year One (0–10 Employees)

Register with CAC, obtain your TIN from FIRS, register for VAT, set up PAYE remittance with your state revenue service, engage an accountant for quarterly filings, get a basic privacy policy drafted, apply for your Startup Label under the NSA if you qualify, and ensure two-factor authentication and a password manager are standard for all staff.

 

Estimated annual cost: ₦500,000 to ₦1.5 million in professional services.

 

Year Two to Three (10–30 Employees)

Begin PENCOM contributions when you cross 15 employees, formalise HR policies and offer letter templates, obtain sector-specific licences if not already done, engage a DPCO for your annual NDPC audit if data processing thresholds apply, and get your first directors’ liability insurance policy. Begin preparing for CAC annual returns with properly audited accounts.

 

Year Three to Five (30–100 Employees)

A dedicated operations or finance hire who excels at compliance tracking becomes cost-justified here. You will need formal financial audits (internal and external), a compliance software stack, and documented processes that survive institutional due diligence. SOC 2 or ISO 27001 may become commercially necessary at this stage — not because you are required by law to do so, but because the enterprise clients whose contracts grow your business will demand it.

 

Patterns don’t lie; the patterns here are constant.

 

The Right Question

 

The question for a Nigerian startup founder is not “do we need compliance?” It is: which compliance, in what order, and at what cost-to-risk ratio?

 

Pay your taxes, file your returns, protect your users’ data, and obtain the licences your business model actually requires. Everything else can wait until the business justifies the cost.

 

This article covers the most common compliance requirements for Nigerian startups as of 2026. Regulatory requirements in Nigeria change frequently — before making decisions, verify current requirements with a qualified Nigerian lawyer or tax professional.

Written by Ewomazino Ovririe.
