Quick Abbreviations/Glossary
CMCA - Computer Misuse and Cybercrime Act
NC4 - National Computer and Cybercrimes Co-ordination Committee
For purposes of this blog, at all times, “The Act” means The Computer Misuse and Cybercrime Act Cap 79C.
I. A brief overview of the cybersecurity regulatory landscape in Kenya
Digital transformation in Kenya has been growing exponentially over the years, opening great opportunities in the digital economy that are meant to foster socio-economic development in the country. However, with new opportunities come novel threats, such as cyber related crimes and threats.
This prompted the Kenyan government, through the Legislature, to enact the groundbreaking Computer Misuse and Cybercrime Act Cap 79C in 2018, making it the third African country at that time to enact a piece of legislation on computer cybercrimes. To date (as of August 2025), amendment bills have been introduced in Parliament in 2021 and 2024 respectively, but none of them was passed into law, and the original version remains, with some revisions made in 2022 by the Annual Supplement.
II. Overview of the CMCA Act
The main objective of this Act is to stipulate offences relating to computer systems; to enable timely and effective detection, prohibition, prevention, response, investigation and prosecution of computer and cybercrimes; to facilitate international co-operation in dealing with computer and cybercrime matters.
Key Provisions Include:
1. Establishment of the NC4
The Act establishes the National Computer and Cybercrimes Co-ordination Committee (NC4). It also outlines the composition and organizational structure of the Committee. Its roles include: advising government and security organs on cyber threats; coordinating national and international responses; protecting critical information infrastructure; setting cybersecurity standards; managing public key infrastructure; and building national capacity to prevent, detect, and respond to cybercrime.
2. Critical Information Infrastructure
One of the most important elements of the Act is the protection of critical national information infrastructure such as banking systems, power grids, and telecommunications networks. Critical Information Infrastructure (CII) is defined in the Act as “an information system, program or data that supports or performs a function with respect to a national critical information infrastructure.” The law empowers the NC4 to designate these systems as critical, develop frameworks to ensure their confidentiality, integrity, and availability, and enforce codes of cybersecurity practice. The goal is to ensure that Kenya’s most vital services are shielded from cyberattacks that could disrupt the economy or national security.
3. Offenses and Penalties
The Computer Misuse and Cybercrimes Act sets out a range of offences with corresponding penalties, some of which carry very severe consequences.
Unauthorized access to computer systems, interference with data, or unlawful interception of communications may attract fines of up to five million shillings or imprisonment ranging from three to ten years depending on the seriousness of the offence.
Cyber terrorism attracts imprisonment of ten years, or a fine of up to five million Kenyan shillings, or both.
Cyber espionage is treated as a grave threat to national security, punishable by up to twenty years in prison or fines of up to ten million shillings, and even life imprisonment if the offense results in the death of a person.
The Act also criminalizes the publication of false information likely to endanger national security or public order, prescribing penalties of up to ten years imprisonment or fines of five million shillings. Though important in curbing harmful disinformation, this provision has raised constitutional debates on freedom of expression.
Child protection is another area where the Act imposes particularly strict penalties. The production, distribution, or even possession of child pornography attracts fines of up to twenty million shillings and/or imprisonment of five years.
Computer-related fraud and forgery, including mobile money scams and digital impersonation, carry penalties of up to ten years in prison and fines of twenty million shillings. Identity theft and impersonation are separately penalized, with imprisonment of up to three years or fines of two hundred thousand shillings.
Finally, offences such as cyber harassment, cyberstalking, and the unlawful disclosure of passwords or access codes are also included, with penalties that may extend up to ten years in prison and significant fines, in millions of Kenya Shillings, particularly in aggravated cases.
The most severe penalties in the Act are therefore directed at offences that undermine national security, threaten life, or exploit children, in a bid to prioritize the protection of critical infrastructure and vulnerable groups.
4. Electronic Evidence
The Act makes electronic evidence admissible in court, allowing digital records such as emails, text messages, and mobile money transactions to be used in prosecuting offences.
5. International Cooperation
Recognizing the cross-border nature of cybercrime, the Act sets out Principles relating to International Cooperation, in accordance with the Mutual Legal Assistance Act (Cap. 75A) and the Extradition (Contiguous and Foreign Countries) Act (Cap 76). The Office of Attorney General and Department of Justice in Kenya is empowered by the Act to make requests for mutual legal assistance to other states, and likewise, receive such requests.
These requests may pertain to investigations, gathering electronic evidence, or the urgent preservation and disclosure of electronic traffic and communication data. When a request is received, the Office of Attorney General and Department of Justice in Kenya assesses it in accordance with applicable domestic laws and may decide to grant or refuse the assistance.
Furthermore, the Act allows the Office of Attorney General and Department of Justice in Kenya to impose conditions that ensure any shared information is kept confidential, used solely for the specified criminal matter, and handled under strict terms to protect its integrity.
III. Progress of the CMCA
Since enactment of the Act, some of the progress that has been made includes the enactment of the Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024. The purpose of this subsidiary legislation is to establish a comprehensive framework for managing cybersecurity, with a focus on protecting critical information infrastructure, monitoring cyber threats, and coordinating response efforts.
The regulation details the roles and responsibilities of the National and Sector Cybersecurity Operations Centers, owners of critical infrastructure, and the Committee tasked with advising the government, promoting public awareness, and formulating standards and capacity-building initiatives. The regulation further emphasizes stakeholder collaboration, risk assessments, incident reporting protocols, and adherence to data protection laws, aiming to enhance Kenya’s cybersecurity resilience across public and private sectors.
Apart from that, the regulation also provides that within twelve months from the day of enactment of the regulation (2024), the Police are required to set up cybercrime desks at every police station and police post with appropriately trained personnel from amongst its members.
There has also been the publication of Guidelines for Developing Security Operation Centers (SOC). The document emphasizes compliance with the Computer Misuse and Cybercrimes Act, 2018 and the 2024 Cybercrime Management Regulations, highlighting the need to protect critical information infrastructure. It provides key steps and guidelines for establishing and managing a Cybersecurity Operations Center (SOC) in line with these regulations, ensuring strong data protection, system resilience, and proactive response to emerging cyber threats.
Further, Section 9 of The Act (on Critical Information Infrastructure) has given rise to a document that outlines the Procedure for Designation of Critical Information Infrastructure and Compliance. The purpose of this document is to ensure that Kenya’s digital assets are safeguarded. As such, the document elaborately outlines the process for designating Critical Information Infrastructure (CII), which involves the Director of the NC4 identifying systems essential to national well-being and publishing this designation in the Kenya Gazette.
Lastly, worth noting is the Cybersecurity Standards for Adoption by Public and Private Entities Gazetted as Critical Information Infrastructure. Section 6(h) of the Computer Misuse and Cybercrime Act (one of the functions of the NC4: to establish codes of cyber security practice and standards of performance for implementation by owners of critical national information infrastructure) operationalizes this document. The document came into force in May 2025. The purpose of this document is to guide public and private entities designated as Critical Information Infrastructure in Kenya to adopt global best practices such as ISO and NIST. The standards aim to secure sensitive systems, manage cyber risks from rapid digitization, and align with Kenya’s Bottom-Up Economic Transformation Agenda by ensuring resilience, compliance, and robust protection of critical digital infrastructure.
IV. Pitfalls
The biggest challenge when it comes to the Computer Misuse and Cybercrime Act first and foremost is poor implementation. The Act has very great provisions, and has even given birth to very good subsidiary legislations, standards, procedures, and guidelines. However, there is little to no information on how many cybercrime cases have been lodged with the NC4 and successfully concluded. It is difficult to know whether perpetrators of cyber related offences are being prosecuted.
Another challenge is the cross-border nature of cyber-related offences, where some of the perpetrators do not reside in Kenya. This makes it costly and time-consuming to bring them to book.
Another challenge is capacity gaps with the personnel in the law enforcement sector, starting with the Police, Prosecution Department to the Judiciary and judicial officers. Cyber related offenses require a considerable amount of knowledge around technology and cybersecurity, and even with the evolving nature of technology, you find that new skills need to be developed and learnt.
Resource constraints are yet another challenge that has limited the effective implementation of the CMCA. It is capital intensive to set up incident response teams, have in place the right technology, invest in reskilling and upskilling of staff, and set up effective incident detection systems and software.
Another challenge that has arisen over the years has been the Act being used as a weapon to limit freedom of expression on the internet. Free speech has been criminalized and quickly labeled an offense listed under the Act, which at times begs the question whether there were genuine intentions in enacting the CMCA. This has in turn made the general public lose trust in the piece of legislation, with many believing that it is a state machinery to limit freedom of expression on the internet, which is a fundamental right under the Constitution of Kenya.
Lastly, another challenge has been the evolving nature of technology. With each passing day, we have new emerging technologies, and upgrades of already existing technologies. As such, new cyber related offences emerge, and some of these are not captured in the Act. These include:
a. Artificial Intelligence Misuse
Deepfakes are already being used around the world to spread fake news, defraud people, or damage reputations. Yet, the CMCA doesn’t directly mention them.
b. Cryptocurrency and Digital Asset-related crimes
Cryptocurrencies are another tricky area. Mobile money scams are well covered, but what happens when criminals use Bitcoin or other digital assets to launder money, pay ransoms, or trick investors? Right now, that space is more of a legal grey zone.
c. Ransomware and Malware-as-a-Service
Ransomware is also on the rise. We’ve seen cases where hackers lock up entire systems and demand payment in return for restoring access. While hacking is criminalized, the specific tactics of ransomware, and the business-like “malware-for-hire” industry that feeds it, aren’t clearly addressed in the Act.
d. Data Privacy breaches
Then there’s the reality of how much of our personal data is floating around online. The Act doesn’t go far enough in punishing large-scale breaches or misuse of personal information. Kenya does have a Data Protection Act, but it doesn’t fully sync with the CMCA, leaving gaps in enforcement.
e. Exploitation of Internet of Things
Another area being overlooked is the Internet of Things; the smart devices that surround us, from home gadgets to connected cars. Imagine the chaos if these were hacked on a large scale. The law doesn’t yet reflect the risks of this new connected world.
f. New forms of cyber bullying and Online Gender Based Violence
On a social level, the rise of cyberbullying and online gender-based violence shows just how much harm can be done with a smartphone and an internet connection. While the law does mention cyber harassment, it doesn’t capture the lived reality of revenge pornography, doxing, or coordinated online abuse that is becoming far too common.
Practices such as doxing, where private information like phone numbers or home addresses is exposed online without consent, put victims at risk of harassment and even physical harm.
Digital stalking is another form, involving constant surveillance through hacked accounts, GPS tracking, or obsessive monitoring of social media activity, leaving victims, particularly women, feeling unsafe both online and offline. Similarly, revenge pornography, where intimate images are shared without consent, often devastates careers, reputations, and personal lives.
While the CMCA criminalizes cyber harassment and child pornography, it does not explicitly address these forms of abuse, creating legal grey areas that make prosecutions difficult and leave survivors vulnerable.
Finally, disinformation campaigns, especially during elections, are a growing concern. The Act criminalizes false publications, but it doesn’t fully address organized, foreign-backed, or highly sophisticated digital campaigns designed to sway voters.
V. So, Where Do We Go From Here?
The truth is, the Computer Misuse and Cybercrimes Act is a good law with great intentions; but a law is only as strong as its implementation.
First, Kenya needs to put more focus on transparency. The NC4 should publish regular reports showing how many cases have been reported, prosecuted, and concluded. Without data, it’s impossible to measure success or build public trust.
The second step is to face the global nature of cybercrime head-on. Strengthening cross-border cooperation through regional treaties, joint investigations, and quicker data-sharing agreements would make it harder for perpetrators to hide outside our borders.
Capacity strengthening is another area that can’t be ignored. Law enforcement officers, prosecutors, and even judges need constant training in digital forensics and cyber law. Technology evolves daily, and the people tasked with applying this law need to evolve with it.
Of course, all this requires resources. Kenya should prioritize investments in national cyber infrastructure; from incident response teams to detection systems, not just in Nairobi, but across counties where digital uptake is growing fast. Public–private partnerships can help bridge the financial and technical gaps.
Equally important is striking the right balance between security and rights. The Act must be applied in a way that protects Kenyans from real harm without being used as a tool to silence free speech. A review of the “false publication” clauses could go a long way in restoring confidence in the law.
Finally, the Act must keep pace with technology. Clearer provisions on AI misuse, deepfakes, cryptocurrency fraud, ransomware, IoT exploits, and cyberviolence are overdue. Updating the law regularly, and not once every decade, will ensure it remains relevant in a rapidly changing digital world.
About the Author
Valarie Waswa is a Certified Data Protection Officer, a Tech Policy and Digital Rights Specialist, a lawyer by profession, an Advocate of the High Court of Kenya and East Africa by extension, and the Founding Partner of Valarie Waswa & Co. Advocates