Skip to Content
On 15 October 2025, President William Ruto signed the Computer Misuse and Cybercrimes (Amendment) Act, 2025 into law. It was gazetted on 22 October and will come into force in early November 2025. The amendment updates Kenya’s 2018 cybercrime law, widening its scope and enforcement powers. While it promises stronger digital protection, it also raises constitutional and operational questions about state power, privacy, and online freedom.
Sharpening Definitions, Blurring Boundaries
The amendment introduces new definitions for key terms such as asset, computer misuse, cybercrime, identity theft, and virtual account. These additions bring more clarity for investigators and courts dealing with complex digital offences.
Yet, the language still leaves wide room for interpretation. Words like virtual representation or asset may sound technical, but they could create ambiguity in cross-border or blockchain-related disputes. Without clear guidance, courts will have to fill the gaps, which could produce inconsistent outcomes across different cases.
The New Power to Remove and Deactivate Online Platforms
The amendment gives the National Computer and Cybercrimes Coordination Committee (NC4) direct authority to intervene against harmful online platforms. Under the revised section 6(1), NC4 may issue a directive to render a website or application inaccessible where it is proved that the platform promotes unlawful activities, inappropriate sexual content of a minor, terrorism, religious extremism, or cultism. This is the first time the law explicitly gives an administrative body power to restrict access to digital platforms on such grounds. While the intention is to curb online exploitation and extremist content, the provision leaves key questions unanswered: What level of proof is “sufficient,” and what recourse do affected parties have before enforcement?
Further, the new section 46A introduces judicial oversight in this process. After conviction, courts may order the removal or deactivation of any computer system, website, or device used to promote unlawful activities. More significantly, even before conviction, an authorised person may apply to court for such orders if there is belief that a system is being used unlawfully. This allows early intervention, but also opens space for misuse if applications are granted on weak evidence. The section does not outline notice or appeal procedures, raising due process concerns.
Expanding Communications Offences
The law now explicitly extends cyber harassment and false publication offences to cover emails and calls, not just messages or posts. It also introduces liability for communication “likely to cause another person to commit suicide.”
These provisions recognize the real psychological and emotional harm caused by online abuse and cyberbullying. They also reflect how harassment has evolved across multiple channels.
Still, enforcement will demand caution. Prosecutors must distinguish between genuine harm and speech protected under Article 33 of the Constitution (Freedom of Expression). Courts will have to decide how to measure intent, causation, and foreseeability, especially in private communications where context matters. Without careful judicial guidance, these sections could criminalize emotional expression or heated online exchanges.
Balancing State Power and Civil Rights
Kenya’s cybercrime enforcement record already faces scrutiny for overreach. Several digital rights groups have documented cases where individuals were arrested for social media posts critical of the government. By expanding state powers to remove or block content, the amendment arrives in a politically sensitive environment.
The tension between security and freedom is not new, but it is sharper in the digital age. The amendment gives the state sharper tools to fight crime, yet it leaves the checks and balances vague. Transparency, proportionality, and judicial independence must anchor its implementation, or the law will tilt toward control rather than protection.
Three Safeguards to Prevent Abuse
To strike the right balance, the government and judiciary can act without rewriting the statute.
First, they should set clear evidentiary standards before courts issue any takedown or deactivation order, especially at the pre-conviction stage. “Belief” or “reasonable grounds” alone is too low a threshold for measures that restrict access to digital platforms. The law should require demonstrable proof linking the platform or device to the alleged offence, supported by verifiable digital evidence.
Second, the State should publish transparent rules defining who qualifies as an “authorised person” under section 46A and what procedure governs their applications to court. The amendment uses this term without explanation, leaving uncertainty about whether it refers to NC4 officials, law enforcement officers, or other designated agents. Clarifying this through subsidiary legislation or regulations would create accountability and prevent arbitrary or politically motivated requests.
Third, courts should limit the scope of takedown orders to the specific unlawful content rather than entire websites or applications. Broad deactivations risk shutting down legitimate services or speech unrelated to the offence. Precision ensures that enforcement remains proportionate to the harm and does not undermine public trust in digital governance.
A Modern Law Demanding Modern Discipline
The amendment undeniably brings Kenya’s cybercrime framework closer to today’s digital realities. It targets online radicalisation, financial scams, identity theft, and digital exploitation with more precision. The law’s success, however, will depend not on its text but on its implementation culture.
Courts, regulators, and enforcement agencies must exercise discipline, transparency, and restraint. They must interpret the new powers narrowly and with constant reference to constitutional rights. Otherwise, the law that was meant to secure Kenya’s digital space could end up chilling innovation, silencing dissent, and discouraging civic engagement online.
Looking Ahead
Kenya needed to modernize its cybercrime law. The amendment achieves that goal on paper but leaves serious gaps in procedural fairness and rights protection. For lawyers, developers, and civil society, the next phase will not be about lobbying for more laws; it will be about demanding clarity and accountability in how this one is enforced.
In a country where the internet has become a lifeline for expression, business, and governance, true cyber safety must rest on both strong enforcement and stronger safeguards. The 2025 amendment offers a chance to build that balance, but only if every actor in the justice system insists on fairness, not fear.
About the Author
Valarie Waswa is a tech law expert, an Advocate of the High Court of Kenya and East Africa by extension, and the Founding Partner of Valarie Waswa & Co. Advocates
Contact Us
For more information, contact us on WhatsApp Business at +254 707 059 485 or email us at info@valariewaswa.com