Kenya’s Cybersecurity Future Cannot Be Built on Institutional Ambiguity

  • 26 Jun 2026
  • By Brian Otieno

Kenya’s digital economy has outgrown its cybersecurity architecture. The question now is whether the Government’s solution, a new National Cybersecurity Agency (NCSA), will resolve longstanding institutional fragmentation or create another layer of uncertainty.  

On 6 May 2026, the President established the National Cybersecurity Agency through Executive Order, which was subsequently gazetted under the State Corporations Act on 15 May. The Agency’s mandate is expansive: coordinating national cybersecurity policy, protecting critical information infrastructure, managing cyber incident response, building technical capacity, promoting research and implementing cybersecurity strategy across both the public and private sectors.  

At first glance, the decision appears logical. Cyber threats are becoming more sophisticated and more costly. Critical infrastructure is increasingly digital and interconnected. Artificial intelligence is lowering the barriers to cyberattacks and enabling new forms of disinformation and digital disruption. Governments around the world are strengthening their cybersecurity institutions in response.  

The establishment of the NCSA, though, raises a more fundamental question that Kenya has not adequately answered: who exactly governs cybersecurity in Kenya?  

Existing Cybersecurity Ecosystem  

Kenya already has a complex cybersecurity ecosystem. The Computer Misuse and Cybercrimes Act, 2018, established the National Computer and Cybercrimes Coordination Committee (NC4) to coordinate national cybersecurity policy and cybercrime response. The Communications Authority of Kenya, through the National Kenya Computer Incident Response Team and Coordination Centre (KE-CIRT/CC), has for years served as the country’s principal operational cybersecurity institution, coordinating incident response, threat intelligence and technical cooperation.  

Alongside these institutions, sector regulators, including the Central Bank of Kenya, Capital Markets Authority, Insurance Regulatory Authority, Energy and Petroleum Regulatory Authority, and the Office of the Data Protection Commissioner, have developed cybersecurity and operational resilience frameworks tailored to their respective sectors.  

The challenge, therefore, has never been the absence of institutions. It has been the absence of clarity about how those institutions are expected to work together.  

This was the central diagnosis of the Draft National Cybersecurity Strategy (2025–2029), which identified fragmented governance as one of Kenya’s greatest cybersecurity weaknesses. Its proposed remedy was equally clear: amend the Computer Misuse and Cybercrimes Act to establish a National Cybersecurity Agency and define, in law, how it would relate to existing institutions.  

Instead, Kenya has proceeded in reverse. The Agency now exists with a Board, a Director-General, an independent budget and a broad national mandate, while the legal architecture intended to define its relationship with existing bodies remains unresolved.  

The Way Forward Amid Institutional Ambiguity  

At the outset, the NCSA’s Board composition substantially mirrors that of NC4, while many of its responsibilities overlap with functions already assigned to the Committee under law. Unlike NC4, however, the NCSA possesses what the Committee never had: a permanent institutional structure, dedicated staffing, budgetary autonomy and operational capability.  

It is increasingly difficult to avoid the conclusion that the NCSA is intended to become the successor to NC4, even if legislation formalising that transition has not yet emerged. Put differently, Kenya may be witnessing the gradual replacement of a statutory committee by a state corporation before Parliament has formally approved the transition.  

Further, for nearly two decades, KE-CIRT/CC has served as Kenya’s principal technical cybersecurity institution, coordinating cyber incident response and acting as the country’s operational interface with international cybersecurity networks. The NCSA Order, however, assigns the new Agency responsibility for operating the National Cybersecurity Operations Centre and coordinating national cyber incident response.  

These responsibilities overlap significantly with KE-CIRT/CC’s existing mandate. Whether KE-CIRT/CC will remain an independent operational capability within the Communications Authority or evolve into a technical arm operating under the strategic direction of the NCSA remains unclear. The answer matters because it determines where operational authority sits during major cyber incidents and who ultimately speaks for the government during a national cyber emergency.  

More importantly, the establishment of the NCSA does not remove the statutory authority of regulators such as the Communications Authority, the Central Bank of Kenya, or the Office of the Data Protection Commissioner. Telecommunications operators, banks, payment service providers and digital platforms will continue to be supervised by their respective regulators.  

At the same time, the NCSA’s mandate to coordinate cybersecurity policy, assess critical infrastructure resilience and oversee national cyber preparedness creates the possibility of overlapping oversight, duplicated reporting obligations and competing regulatory expectations.  

For businesses operating critical digital infrastructure, the practical question is straightforward: if a major cyber incident occurs, to whom should they report first? At present, there is no clear answer.  

A Shift Towards Security-Led Cybersecurity Governance  

Beneath these institutional questions lies a broader policy shift that has received relatively little public attention. Historically, Kenya’s cybersecurity governance framework has been anchored within the ICT and regulatory ecosystem. The establishment of the NCSA under the Ministry of Interior and National Administration, combined with the Agency’s strong representation from security, intelligence and law enforcement institutions, signals a movement towards a more security-led model of cybersecurity governance.  

This shift is understandable. Cyberattacks increasingly target critical infrastructure, and artificial intelligence is changing the nature of digital threats. Cybersecurity is no longer simply an ICT issue; it is increasingly a matter of economic resilience and national security.  

The question is not whether cybersecurity should have a stronger national security dimension. The question is how that transition should occur and where the balance should be struck between security, regulation, innovation and accountability.  

Getting the Architecture Right  

None of this is an argument against the National Cybersecurity Agency itself. Kenya requires stronger national cybersecurity coordination, and a dedicated institution capable of coordinating critical infrastructure protection and national cyber preparedness is a legitimate policy objective. The problem lies in creating the institution before defining the system within which it is intended to operate.  

The most likely outcome is that the NCSA will emerge as Kenya’s apex cybersecurity coordinator, NC4 will eventually be phased out through legislative amendment, KE-CIRT/CC will remain the country’s principal technical incident response capability, and sector regulators will continue exercising supervisory authority within their respective sectors. This may ultimately prove to be the right model. The difficulty is that this architecture currently exists more as an assumption than a matter of law.  

Kenya’s cybersecurity future cannot be built on institutional ambiguity. The Government should move quickly to introduce legislative amendments that formally establish the NCSA, clarify the status of NC4, define the relationship between the Agency and KE-CIRT/CC, and establish clear boundaries between national cybersecurity coordination and sector-specific regulation.  

Cybersecurity governance depends not only on institutional capacity, but also on institutional clarity. Until Kenya resolves who governs cybersecurity, it risks creating precisely the fragmentation that the National Cybersecurity Agency was established to solve.