Cybersecurity regulation in Kenya (2026)
Kenya has a comprehensive cybersecurity and cybercrime regime anchored in the Computer Misuse and Cybercrimes Act 2018, which criminalises a broad range of computer offences and established the multi-agency NC4 to coordinate national cybersecurity. In 2024 Kenya gazetted detailed Critical Information Infrastructure and Cybercrime Management Regulations that impose risk assessments, Cybersecurity Operations Centres and incident-reporting duties on designated critical sectors. Separately, the Data Protection Act 2019 and its 2021 General Regulations require controllers to notify the data-protection regulator of personal-data breaches.
Key points
The Computer Misuse and Cybercrimes Act No. 5 of 2018 (assented 16 May 2018) is Kenya's primary cybersecurity law, criminalising unauthorised access, interference, interception, cyber-espionage, fraud, cyber-harassment and related offences, and protecting the confidentiality, integrity and availability of computer systems and data.
The Act established the National Computer and Cybercrimes Co-ordination Committee (NC4), a multi-agency body that coordinates national cybersecurity, advises the National Security Council, designates critical information infrastructure and issues protective directives.
The Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations 2024 (Gazette Notice No. 44, 9 Feb 2024; approved by the National Assembly April 2024) mandate annual cyber-risk assessments and business-impact analyses and require Cybersecurity Operations Centres (CSOCs) at national, sectoral and organisational levels.
Under the 2024 Regulations, owners and external service providers of critical information infrastructure must report cybersecurity incidents; external service providers must report to the CII owner at least quarterly on their obligations and on any cybersecurity incident.
Under the Data Protection Act 2019 and the Data Protection (General) Regulations 2021, a data controller must notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of a notifiable personal-data breach; the Data Commissioner can impose administrative fines up to KES 5,000,000.
The National KE-CIRT/CC, hosted by the Communications Authority of Kenya, is the multi-agency national computer incident response team that detects, responds to and coordinates handling of cybersecurity incidents and publishes periodic national cybersecurity reports.
Timeline - major decisions & events
The Office of the Director of Public Prosecutions filed a Supreme Court appeal seeking to reinstate Sections 22 and 23 of the Computer Misuse and Cybercrimes Act, keeping the scope of criminalised online 'false information' legally unsettled. (Source: Capital FM)
In BAKE v Attorney General [2026] KECA 430, the Court of Appeal declared the provisions criminalising 'false' and 'misleading' publication unconstitutional for vagueness, narrowing the Act's reach over online speech. (Source: allAfrica)
NC4 published Kenya's second national cybersecurity strategy in draft, adding pillars on incident-response management, AI and emerging technologies, and a target to train 10,000 cybersecurity professionals. (Source: NC4 (draft))
The Communications Authority's quarterly report recorded roughly 2.5 billion threat events (a ~200% jump), with critical information infrastructure and government systems the leading targets, underscoring the scale driving policy responses. (Source: Communications Authority of Kenya)
The Office of the Data Protection Commissioner imposed precedent-setting fines (including against Whitepath, Regus and Mulla Pride) for unlawful processing and unsolicited messaging, signalling active enforcement of the 2019 Act. (Source: ODPC)
A coordinated DDoS campaign disrupted the eCitizen portal (5,000+ government services), M-Pesa, power and transport systems; the government acknowledged the attack, exposing the fragility of Kenya's digitised public services. (Source: Tech Monitor)
Kenya adopted a five-year strategy through NC4 and the Interior Ministry, setting governance, critical-infrastructure protection and capacity-building priorities and advising on AI, 5G and IoT security. (Source: Ministry of Interior)
The appointment of the inaugural Data Commissioner stood up the Office of the Data Protection Commissioner, giving Kenya a functioning independent authority to register controllers/processors and enforce data-protection (and breach-notification) duties. (Source: ODPC)
Justice Makau dismissed the Bloggers Association of Kenya's challenge to 26 sections, lifting the suspension on key provisions and bringing the Act's cybercrime offences fully into force. (Source: Techweez)
Giving effect to the constitutional right to privacy, the Act (commenced 25 Nov 2019) introduced data-controller/processor obligations, breach notification and security safeguards central to Kenya's cybersecurity compliance regime. (Source: Kenya Law)
Kenya's flagship cybercrime statute created offences for unauthorised access, system interference and cyber-enabled crimes and established the National Computer and Cybercrimes Coordination Committee (NC4). (Source: Kenya Law)
KICA created the sector regulator (now the Communications Authority) and underpins the mandate to run the National KE-CIRT/CC, Kenya's 24/7 cyber-incident coordination centre and national point of contact. (Source: Kenya Law)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.