Technology Regulation in Kenya: From the ICT Authority to Data Protection, Cybercrimes Law, and Digital Economy Governance

Kenya, known as Africa's Silicon Savannah, has built one of the continent's most vibrant technology ecosystems, anchored by innovations like M-Pesa, a thriving startup scene, and rapid digital infrastructure expansion. Governing this dynamic sector requires a complex regulatory framework spanning telecommunications, data protection, cybersecurity, digital commerce, and emerging technologies. Key regulatory bodies include the Communications Authority of Kenya (CA), the ICT Authority, the Office of the Data Protection Commissioner (ODPC), and the National Computer and Cybercrime Co-ordination Committee (NC4), each playing distinct roles in shaping Kenya's digital governance landscape.

The Communications Authority of Kenya

The Communications Authority of Kenya, established under the Kenya Information and Communications Act (1998, revised 2009), is the principal regulator of the telecommunications, broadcasting, and postal sectors. The CA licenses telecommunications operators including Safaricom, Airtel Kenya, and Telkom Kenya, manages radio frequency spectrum allocation, enforces quality of service standards, oversees consumer protection in telecommunications, and regulates broadcasting content. The authority also manages the universal service fund aimed at expanding connectivity to underserved areas.

Recent CA initiatives include the rollout of 5G spectrum licensing to support next-generation mobile networks, the Digital Literacy Programme aimed at equipping public schools with digital devices and internet connectivity, and enforcement of SIM card registration requirements to combat fraud and enhance security. The CA also oversees Kenya's country code top-level domain (.ke) through the Kenya Network Information Centre (KeNIC) and coordinates with international bodies including the International Telecommunication Union (ITU).

Data Protection Act and the ODPC

The Data Protection Act, 2019 established Kenya as a leader in privacy protection on the African continent, creating a comprehensive framework for the collection, processing, storage, and use of personal data. The Act established the ODPC as an independent regulatory office headed by the Data Protection Commissioner, with powers to register data controllers and processors, investigate complaints, conduct compliance audits, and impose penalties for violations. Since its introduction, the ODPC has built a growing registry of data controllers and processors across both public and private sectors.

The proposed Data Protection (Amendment) Bill, 2025 aims to strengthen the framework further by expanding the definition of sensitive personal data to include political opinions and trade union memberships, enabling legal entities—not just individuals—to lodge complaints with the ODPC, and establishing a Data Protection Appeals Tribunal to handle appeals against the Commissioner's decisions, helping decongest courts. In December 2024, the ODPC issued draft Compliance Audit Regulations and a Data Sharing Code to regulate ethical and responsible data sharing in government and private organisations. These developments align Kenya's data protection regime more closely with international standards such as the European Union's General Data Protection Regulation (GDPR).

Computer Misuse and Cybercrimes Act

The Computer Misuse and Cybercrimes Act, 2018 provides Kenya's primary legal framework for addressing cybercrime, establishing offences including unauthorised access to computer systems, cyber fraud, identity theft, cyber harassment, child exploitation material, and interference with critical information infrastructure. The Act also established the National Computer and Cybercrime Co-ordination Committee (NC4) to coordinate national cybersecurity efforts, assist in investigations, and advise the government on cybersecurity policy.

The Computer Misuse and Cybercrimes (Amendment) Act, 2025, signed by President William Ruto and effective from November 2025, introduced stricter penalties for serious offences, with fines ranging from KES 300,000 to KES 20 million and imprisonment of 6 months to 10 years. The amendment expanded NC4's authority to make websites or applications promoting unlawful activities inaccessible. However, the law has generated significant controversy. Human Rights Watch, the Kenya Human Rights Commission, and digital rights organisations argue that certain provisions are overbroad and threaten online expression. In October 2025, the High Court suspended specific provisions pending constitutional review following a legal challenge.

ICT Authority and Digital Government

The ICT Authority, established as a state corporation under the State Corporations Act, is responsible for rationalising and streamlining the management of all government ICT functions, including e-government services, shared ICT infrastructure, and digital skills development. The Authority oversees the National Optic Fibre Backbone (NOFBI) infrastructure that provides high-speed connectivity to government offices across all 47 counties, the Government Common Core Network (GCCN), and the government cloud computing platform.

Key digital government initiatives include the e-Citizen portal that provides over 5,000 government services online—from business registration and passport applications to driving licence renewals—and the Huduma Kenya programme that established one-stop service centres across the country. The ICT Authority also drives the Digital Economy Blueprint, which outlines Kenya's strategy for leveraging technology to achieve economic growth through five pillars: digital government, digital business, infrastructure, innovation-driven entrepreneurship, and digital skills and values.

Fintech and Mobile Money Regulation

Kenya's mobile money ecosystem, led by Safaricom's M-Pesa with over 30 million active users, operates under regulations issued by the Central Bank of Kenya (CBK). The National Payment System Act (2011) and National Payment System Regulations (2014) provide the framework for licensing and supervising payment service providers, mobile money operators, and digital lenders. The CBK Digital Credit Providers Regulations, 2022 brought previously unregulated digital lenders under CBK supervision, requiring licensing, transparency in pricing, and compliance with data protection standards.

Emerging regulatory challenges include the oversight of cryptocurrency and digital assets—Kenya currently lacks specific legislation for virtual currencies despite being among Africa's largest cryptocurrency markets—the regulation of artificial intelligence applications, algorithmic accountability in automated lending decisions, and the governance of cross-border data flows in an increasingly interconnected digital economy. The Kenya Institute for Public Policy Research and Analysis (KIPPRA) continues to advise the government on balancing innovation-friendly policies with adequate consumer and citizen protection in the rapidly evolving technology landscape.