Cybersecurity - Kenya

The Computer Misuse and Cybercrimes Act No. 5 of 2018 (assented 16 May 2018) is Kenya's primary cybersecurity law, criminalising unauthorised access, interference, interception, cyber-espionage, fraud, cyber-harassment and related offences, and protecting the confidentiality, integrity and availability of computer systems and data.

The Act established the National Computer and Cybercrimes Co-ordination Committee (NC4), a multi-agency body that coordinates national cybersecurity, advises the National Security Council, designates critical information infrastructure and issues protective directives.

The Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations 2024 (Gazette Notice No. 44, 9 Feb 2024; approved by the National Assembly April 2024) mandate annual cyber-risk assessments and business-impact analyses and require Cybersecurity Operations Centres (CSOCs) at national, sectoral and organisational levels.

Under the 2024 Regulations, owners and external service providers of critical information infrastructure must report cybersecurity incidents; external service providers must report to the CII owner at least quarterly on their obligations and on any cybersecurity incident.

Under the Data Protection Act 2019 and the Data Protection (General) Regulations 2021, a data controller must notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of a notifiable personal-data breach; the Data Commissioner can impose administrative fines up to KES 5,000,000.

The National KE-CIRT/CC, hosted by the Communications Authority of Kenya, is the multi-agency national computer incident response team that detects, responds to and coordinates handling of cybersecurity incidents and publishes periodic national cybersecurity reports.