Nigeria’s experience with eSIM technology began in 2020, when the Nigerian Communications Commission (NCC) granted approval for MTN Nigeria and 9mobile to conduct a one-year trial of eSIM services. The trial, which involved testing 5,000 eSIMs across both networks, aimed to assess the technology’s feasibility, regulatory compliance, and impact on Nigeria’s telecommunications ecosystem. The NCC imposed strict guidelines to ensure consumer protection, network security, and alignment with national policies.
Following the successful trial, MTN and 9mobile became the first operators to launch commercial eSIM services in Nigeria, enabling customers with compatible devices to replace physical SIM cards with digital profiles. This allowed users to switch networks seamlessly, activate services remotely, and enjoy greater flexibility in managing their connectivity. Airtel Nigeria joined the rollout in January 2023, further expanding eSIM availability and driving competition in the market.
The adoption of eSIM technology has been a game-changer for Nigeria’s telecommunications sector, which serves over 220 million mobile subscribers, according to NCC data. eSIMs offer several advantages, including reduced logistical costs for operators, enhanced user experience, and support for IoT applications in sectors like agriculture, healthcare, and smart cities. However, the newly uncovered vulnerability threatens to undermine these benefits, exposing Nigerian users to significant cybersecurity risks.
NITDA’s Response and Recommendations
NITDA has taken a proactive stance in addressing the eSIM vulnerability, issuing a detailed advisory to stakeholders, including device manufacturers, mobile network operators (MNOs), and consumers. The agency has outlined several countermeasures to mitigate the threat:
Kigen OS Patches: Device manufacturers and service providers are urged to roll out Kigen OS patches via over-the-air (OTA) updates to restore the security of affected eUICC chips. These patches address the vulnerabilities in the GSMA TS.48 test profiles, preventing unauthorized access and malicious applet installation.
Adoption of GSMA TS.48 Version 7.0: NITDA has called on stakeholders to adopt the latest GSMA TS.48 version 7.0 standard, which eliminates the outdated test profiles responsible for the vulnerability. This upgrade ensures that eUICC chips are tested and deployed with enhanced security features.
Removal of Vulnerable Profiles: Operators and manufacturers must remove outdated test profiles from devices to prevent exploitation. This includes updating firmware and ensuring compliance with the latest industry standards.
Strengthened Security Protocols: NITDA emphasized the need for robust cybersecurity protocols, including regular audits, encryption enhancements, and monitoring for suspicious activity. These measures are critical to detecting and mitigating potential attacks.
The agency underscored the urgency of these actions, stating, “Rapid intervention is vital to shutting down exploitation pathways, reinforcing security protocols, and protecting users from what could become one of the most significant cybersecurity risks in recent years.” NITDA is collaborating with the NCC, MNOs, and international partners to ensure swift implementation of these countermeasures and minimize the risk to Nigerian users.
The Global and Local Cybersecurity Landscape
The eSIM vulnerability must be understood within the broader context of the global and local cybersecurity landscape. Globally, cyberattacks have surged in frequency and sophistication, with ransomware, phishing, and data breaches costing businesses and governments billions of dollars annually. The World Economic Forum’s 2025 Global Risks Report identifies cybersecurity as one of the top risks facing the digital economy, particularly as reliance on connected devices grows.
The eSIM flaw is particularly concerning due to its scale and potential impact. With over two billion devices affected worldwide, the vulnerability could enable large-scale attacks, including state-sponsored espionage, corporate data theft, and consumer fraud. The ability to create stealth backdoors at the SIM card level poses a unique challenge, as these attacks are difficult to detect and remediate, potentially allowing attackers to maintain long-term control over compromised devices.
In Nigeria, the cybersecurity landscape is equally challenging. The country ranks among the top 10 globally for cybercrime, according to the Nigeria Cybercrime Report 2024, with financial losses estimated at over ₦500 billion annually. The rapid growth of digital services, driven by a 220 million-strong mobile subscriber base and increasing internet penetration (43.7% as of 2024), has made Nigeria a prime target for cybercriminals. The adoption of eSIM technology, while innovative, has introduced new vulnerabilities, as evidenced by the GSMA TS.48 flaw.
Nigeria’s economic context exacerbates these risks. The National Bureau of Statistics (NBS) reported a headline inflation rate of 21.88% in July 2025, driven by a 22.74% food inflation rate, which has strained household budgets. The naira’s 41.4% depreciation in 2024 has increased the cost of imported devices and cybersecurity solutions, while the Central Bank of Nigeria’s (CBN) high interest rate policy (26.75% Monetary Policy Rate) has limited investment in digital infrastructure. The World Bank’s estimate that 38.9% of Nigerians live below the poverty line underscores the socioeconomic challenges that limit access to secure devices and cybersecurity awareness.
Implications for Nigeria’s Telecommunications Sector
The eSIM vulnerability has significant implications for Nigeria’s telecommunications sector, which is a critical driver of economic growth. The sector contributes over 14% to Nigeria’s GDP, according to NCC data, and supports millions of jobs in areas like mobile services, fintech, and e-commerce. The introduction of eSIM technology has enhanced the sector’s competitiveness, enabling operators like MTN, 9mobile, and Airtel to offer innovative services and attract tech-savvy consumers.
However, the vulnerability threatens to undermine these gains. A successful attack could disrupt mobile networks, compromise user data, and erode consumer trust, potentially slowing eSIM adoption. For operators, the cost of deploying OTA updates and upgrading to GSMA TS.48 version 7.0 could strain finances, particularly in the face of economic pressures like inflation and naira depreciation. Small and medium-sized enterprises (SMEs) relying on IoT devices for agriculture, logistics, and healthcare could also face disruptions, impacting their operations and profitability.
For consumers, the risks are equally significant. The potential for attackers to intercept communications or clone eSIM profiles could lead to identity theft, financial fraud, and privacy violations. Low-income households, which make up a significant portion of Nigeria’s population, are particularly vulnerable, as they may lack the resources to upgrade devices or access cybersecurity solutions.
Stakeholder Reactions
The NITDA warning elicited varied reactions from stakeholders. Cybersecurity expert Dr. Chinedu Okeke described the vulnerability as a “wake-up call” for Nigeria’s telecommunications sector. “This flaw highlights the need for robust cybersecurity measures in a digital-first world,” he said. “Operators and manufacturers must act swiftly to protect users.”
MTN Nigeria, one of the first operators to launch eSIM services, issued a statement reassuring customers. “We are working with NITDA and our partners to deploy patches and ensure the security of our eSIM services,” the statement read. Airtel Nigeria echoed this commitment, emphasizing its collaboration with global vendors to address the flaw. 9mobile, meanwhile, urged customers to update their devices promptly to mitigate risks.
Consumer advocacy groups expressed concern about the vulnerability’s impact on ordinary Nigerians. “Many users don’t have the technical knowledge to protect themselves,” said Grace Ior of the Consumer Rights Advocacy Centre. “NITDA and operators must launch awareness campaigns to educate the public.” The Nigerian Communications Commission (NCC) pledged to work with NITDA to enforce compliance, stating, “We will ensure operators adhere to the highest security standards.”
International partners, including GSMA and Kigen, acknowledged the issue and committed to supporting global mitigation efforts. “We are rolling out updates to address the TS.48 vulnerability and strengthen eSIM security,” said a GSMA spokesperson.
Challenges and Opportunities
The eSIM vulnerability presents several challenges for Nigeria’s telecommunications and cybersecurity sectors:
Technical Complexity: Deploying OTA updates and upgrading to GSMA TS.48 version 7.0 requires coordination between manufacturers, operators, and regulators, a process complicated by Nigeria’s diverse device ecosystem.
Economic Constraints: High inflation (21.88%) and naira depreciation (41.4%) increase the cost of implementing cybersecurity solutions, particularly for smaller operators and consumers.
Awareness Gaps: Limited cybersecurity awareness among Nigerian users, particularly in rural areas, could hinder mitigation efforts, as many may not update their devices promptly.
Regulatory Enforcement: Ensuring compliance with NITDA’s recommendations across Nigeria’s vast telecommunications market requires robust regulatory oversight and enforcement.
Despite these challenges, the situation offers opportunities to strengthen Nigeria’s cybersecurity framework. The rapid response to the vulnerability demonstrates NITDA’s proactive approach to protecting the digital ecosystem. By investing in cybersecurity education, Nigeria can empower users to adopt safer practices, reducing the risk of future attacks. The crisis also highlights the potential for public-private partnerships to drive innovation in cybersecurity, such as developing local solutions for eSIM security.
Policy Recommendations
To address the eSIM vulnerability and strengthen Nigeria’s cybersecurity landscape, the following recommendations are proposed:
Accelerate Patch Deployment: NITDA and NCC should work with operators to ensure rapid deployment of Kigen OS patches and adoption of GSMA TS.48 version 7.0.
Enhance Consumer Awareness: Launch nationwide campaigns to educate users about the vulnerability and the importance of updating devices.
Strengthen Regulatory Oversight: NITDA and NCC should enforce compliance with cybersecurity standards, with penalties for non-compliant operators.
Invest in Local Cybersecurity: Support indigenous cybersecurity firms to develop solutions tailored to Nigeria’s needs, reducing reliance on foreign vendors.
Address Economic Barriers: Provide subsidies or incentives to make secure devices and updates accessible to low-income consumers.
Conclusion
The NITDA’s warning about the eSIM vulnerability underscores the growing importance of cybersecurity in Nigeria’s rapidly evolving digital landscape. The flaw, affecting over two billion devices globally, poses severe risks to communications security, with potential for unauthorized access, data interception, and profile cloning. Nigeria’s proactive response, including calls for Kigen OS patches and adoption of GSMA TS.48 version 7.0, demonstrates its commitment to protecting users and networks. In a country grappling with 21.88% inflation, widespread poverty, and rising cybercrime, addressing this vulnerability is critical to sustaining trust in the telecommunications sector and supporting economic growth. By leveraging partnerships, enhancing awareness, and strengthening regulations, Nigeria can mitigate this threat and build a more secure digital future.
