The government has laid out major
reforms to the country’s cybersecurity framework following the release of key
highlights from the amended Computer Misuse and Cybercrimes Act.
In an exclusive interview published
in MyGov, Cabinet Secretary for Information, Communications and the
Digital Economy William Kabogo explained why the changes were necessary and
what they mean for citizens, businesses, innovators and the broader digital
ecosystem.
Kabogo said the digital environment
had transformed dramatically since the original law was passed in 2018,
creating both opportunities and vulnerabilities that required a modern legal
response.
“Kenya’s digital landscape has
evolved significantly since 2018. We now have broader fibre coverage, expanded
digital services, thriving fintech innovations, and millions more citizens
online,” he said.
“While this growth is welcome, it
has also introduced new threats including SIM-swap fraud, identity theft,
deepfakes, crypto scams, cyberbullying, child exploitation and extremist
content.”
According to him, the 2025 amendment
modernises the law to address these risks, safeguard citizens and ensure Kenya
remains secure, innovative and globally competitive in the digital space.
Some Kenyans have expressed concern that the amendments could curtail freedom of expression or be used to target critics.
Kabogo dismissed these fears.
“Freedom of expression remains fully
protected. The law does not criminalise criticism, satire, political
commentary or legitimate media work,” he said.
“It targets criminal misuse of
technology such as child exploitation, identity theft, online harassment and
the promotion of terrorism.”
He added that the government’s
ongoing investments in digital infrastructure, including 100,000 kilometres of
fibre, 1,450 digital hubs and 25,000 public Wi-Fi hotspots, clearly demonstrate
a commitment to expanding digital access rather than restricting it.
“Our goal is safety, not
censorship,” he said.
Kabogo also clarified that the
government cannot arbitrarily shut down websites under the amended law.
“The law does not permit arbitrary
shutdowns. Any removal of content or deactivation of websites must follow due
process and, in most cases, requires a court order,” he said.
He explained that the amendment only
provides a mechanism to act against websites promoting child sexual abuse,
terrorism, cultism or unlawful activities, and even then such action must be
supported by evidence and judicial oversight.
On privacy concerns, Kabogo said the
amendment provides no new surveillance powers.
“Absolutely not. The amendment does
not introduce new surveillance powers. Any search, seizure, or access to
personal data still requires a court order,” he noted.
“In fact, the law enhances privacy
protections by clarifying procedures and adding safeguards.”
He added that Kenya is working
toward EU Data Adequacy status and observer status under Convention 108, both
of which require strong data protection standards.
The amendment also introduces new
offences and clearer definitions to address modern cyber threats.
These include expanded cyber
harassment provisions covering behaviour likely to cause self-harm or suicide, explicit
recognition of phishing through fraudulent emails and voice calls, and a
clearer definition of identity theft including misuse of SIM cards, bank cards
and digital accounts.
Others include recognition of
virtual assets and digital accounts to support action against crypto-related
fraud, and provisions allowing courts to order the removal of harmful content
or deactivate criminal websites.
“These updates offer stronger
protection against modern forms of online harm,” Kabogo said.
Kenya recently detected more than 842 million cyber threat events.
Kabogo said this figure underscores why robust
cybersecurity systems are essential.
“Kenya’s readiness has improved
significantly. We have a strengthened CERT-Kenya, an active NC4 coordinating
security agencies and regulators, and sector-specific cyber units in finance,
health, defence, energy and telecoms,” he said.
He added that the amendments
reinforce this ecosystem by providing clearer mandates, tougher penalties, and
faster response protocols.
A key part of the reforms is the
proposed National Cyber Security Agency (NCSA), which Kabogo described as a
modern and well-resourced authority.
“The NCSA will coordinate cybersecurity across ministries and critical sectors, host the National Cybersecurity Operations Centre, set standards, accredit training and enforce compliance,” he said.
“It will enhance Kenya’s digital
sovereignty and resilience.”
Kabogo emphasised that the amended law will not hinder startups, innovators, researchers or ethical hackers.
Instead, he said they stand to benefit.
“Ethical hackers, researchers and
innovators are not the target. Identity theft and data breaches
disproportionately affect small enterprises. Stronger laws make Kenya’s cloud,
fintech, and data environments more attractive to investors,” he said.
“Kenya’s ambition to be Africa’s secure
digital hub depends on a safe, enabling environment for innovation.”
On alignment with international
standards, Kabogo noted that Kenya is moving closer to the Budapest Convention
on cybercrime and Convention 108 on data protection.
“Accession to the Budapest
Convention enhances cross-border cooperation in investigating cybercrime. Joining
Convention 108 demonstrates Kenya’s commitment to privacy, responsible data
use, and global trust,” he said.
His message to Kenyans unsure about
the reforms is clear.
“This law is for your safety, not
your silence. It protects you from fraud, extortion, identity theft, child
exploitation, extremism, and digital abuse. It ensures your data is secure,
your rights are respected and your online environment is safer,” he said.
“We are building a trusted, inclusive and globally competitive digital economy that empowers citizens, businesses, innovators and youth.”
