Understanding the Computer Misuse and Cybercrimes (Amendment) Act, 2025

  • 24 Oct 2025
  • by Kieran Marisa

Despite Kenya’s efforts to bolster the cybersecurity space, the Communications Authority of Kenya (CA) reported 2.54 billion cyber threat incidents in the first quarter of 2025. This represents a 201.7% increase from the previous quarter in 2024. In 2023, the Communications Authority reported an $83 million loss to cybercrime. This placed Kenya second in Africa, following Nigeria’s $1.8 billion loss. The National KE-CIRT/CC also detected 1.1 billion cyber threat events between April and June 2024.

Looking at the sector’s regulatory ecosystem, the most recent amendment to the cybercrimes regulatory framework is the Computer Misuse and Cybercrimes Act of 2025. However, the enactment of this law has been surrounded by controversy. There are concerns that the amendment is a knee-jerk reaction to unfavourable social media comments about the government.

In recent years, the trust deficit in the government has notably decreased. Kenyans are critical of the government, citing poor handling of economic issues such as debt, high taxes, and wanton corruption. The government has also been accused of using the law as a weapon to silence dissent. This is especially so in the aftermath of the Finance Bill protests last year. It has also led lawmakers in the country to face an onslaught of digital activism that they claim borders on harassment.

This Wednesday, the High Court of Kenya temporarily halted key sections of the Computer Misuse and Cybercrimes Amendment Act. This followed an urgent application lodged by gospel musician Dr. Reuben Kigame Lichete, the Law Society of Kenya and the Kenya Human Rights Commission (KHRC).

Former Chief Justice David Maraga has also criticised the amended Act, calling it a betrayal of Kenyans and a setback for digital freedoms. In a press briefing, Maraga stated that the new provisions risk abuse, censorship, and political manipulation. He emphasised that granting the Executive unchecked power is not about protecting Kenyans but about silencing dissent and controlling information. 

President Ruto has since defended the Act, explaining that the new amendments aim to protect Kenyans from cyberbullying and other online criminal activities. The law was signed on the same day that Hon. Raila Amolo Odinga passed away, leading to accusations that it was hurriedly enacted to bypass proper public scrutiny. Widespread misinformation about the Act has circulated online, prompting the National Assembly to issue official clarifications and dismiss several false versions of the law that were circulating. 

A Factual Overview of The Cybercrimes Act, 2025

The legislation is officially titled the Computer Misuse and Cybercrimes (Amendment) Act, 2025. It is important to recognise that it introduces several amendments to the original Computer Misuse and Cybercrimes Act (Cap 79C), enacted in 2018.

  1. Amendment to Section 2 – Interpretation

The Act expands and clarifies key definitions to better reflect modern digital realities. The term “access” is widened to include entry into a computer system “through a programme or a device,” acknowledging the diverse ways of technological intrusion.

Several new definitions are also introduced. The term “asset” now includes all forms of property, whether movable, immovable, physical, or virtual, as well as legal and equitable rights, money, and goodwill, whether within or outside Kenya. 

“Computer misuse” is defined as the unauthorised use, modification, or access to a computer system, programme, or data. The term “cybercrime” refers to offences committed through information and communication technology that target or exploit networks, systems, data, websites, or digital platforms.

The amendment also defines “identity theft” as the unauthorised use of another person’s personal identification information, including details such as names, ID numbers, SIM cards, bank information, or passwords. The term “terrorist act” has the same meaning as in the Prevention of Terrorism Act. Additionally, the term “virtual account” is introduced to describe a digital account obtained through virtual representation.

  2. Amendment to Section 6 – Functions of the National Computer and Cybercrimes Coordination Committee

The Committee’s mandate is broadened to include the authority to issue directives that make websites or applications inaccessible if they promote unlawful activities. This encompasses sites hosting inappropriate sexual content involving minors, or content advocating terrorism, religious extremism, or cultism. However, this power has been moderated by the requirement of proof prior to issuing the directive.

  3. Amendment to Section 27 – Cyber Harassment

Section 27, which concerns cyber harassment, is amended to cover situations where such harassment results in or is likely to cause a person to commit suicide. This has been the bone of contention for public interest litigants and civil society voices, who argue that ‘harassment likely to cause a person to commit suicide’ is too broad an offence, whose interpretation would be subjective and would likely be used to muzzle dissent.

  4. Amendment to Section 30 – Phishing

Section 30 of the principal Act, which criminalises phishing, has been broadened to cover additional forms of communication beyond written messages. Previously, the offence applied to persons who created or operated a website or sent a message through a computer system with the intent to deceive users into disclosing personal information for unlawful purposes or to gain unauthorised access.

The amendment now clearly includes cases where a person sends an email or makes a call with the same deceptive intent. It also expands the definition of the “recipient of the message” to encompass the “recipient of the email or call.” This revision broadens the scope of phishing offences to cover a wider range of digital and electronic communications used to fraudulently obtain personal information.

  5. Insertion of New Section 46A – Further Court Orders

A new section, 46A, is introduced and grants courts the authority to issue additional orders in cases involving offences such as promoting unlawful activities, terrorism, religious extremism, or inappropriate sexual content of minors. When a person is convicted, the court may order the removal of offending materials, the closure or deactivation of the relevant computer system, website, or device, or the implementation of any other suitable measure.

Furthermore, the section permits authorised persons, such as law enforcement officers, to apply to court for similar orders even before a conviction if there is a reasonable belief that a digital platform or device is being used for such unlawful activities.

Conclusion 

The Computer Misuse and Cybercrimes (Amendment) Act, 2025, marks a significant milestone in Kenya’s evolving digital governance framework. Despite the controversy surrounding its enactment, it is important to stay informed. Given the emotive nature of this debate and the wave of misinformation, it is essential to ensure you have a proper grasp of the facts as they stand.