President William Ruto last week signed into law the Computer Misuse and Cybercrimes (Amendment) Act, 2024, in what has been widely interpreted as a move to give the State broader powers to police online spaces in addition to enhancing penalties for digital offences.
The law, assented to last Wednesday amends the 2018 Computer Misuse and Cybercrimes Act to cover emerging threats such as SIM-swap fraud, phishing, and cyber harassment.
While the signed version was yet to be publicly published by the time of going to press, the changes are largely based on a legislative Bill tabled in the National Assembly in August last year.
Analysts at Nairobi-based legal firm Manwa OH Advocates have described the law as a pivotal shift in Kenya’s digital governance, one which extends the State’s enforcement reach while introducing heavier compliance burdens on businesses.
Under the amendments, the National Computer and Cybercrimes Coordination Committee (NC4) gains powers to direct service providers to block websites or mobile applications deemed to promote illegal activity, terrorism, or extreme religious practices.
“…seeks to give the NC4 an additional function of issuing directives on websites and applications that may be rendered inaccessible within the country where the website or application promotes illegal activities, child pornography, terrorism and extreme religious and cultic practices,” read the draft copy.
The publicly-available Parliamentary version allowed such orders to be issued without prior court approval.
“This grants significant government control over online content and raises the need for companies hosting platforms to align with content moderation standards,” observes Manwa OH Advocates.
The new law also introduces a new offence targeting unauthorised SIM-swap transactions. A person who alters or takes ownership of another person’s SIM card with the intent to commit a crime faces up to 10 years in prison or a Sh5 million fine.
At the time, Wajir East MP who had sponsored the legislative paper noted that the amendments sought to curb rising mobile-based fraud affecting banks, fintech players, and digital payment platforms.
In addition, the enactment raises the penalties imposed for cyber harassment, with offences such as online stalking or conduct that induces self-harm now attracting up to 10 years in prison or a Sh5 million fine.
The Bill had also proposed to prohibit the spread of ‘false’ or ‘misleading information’ that causes public panic or threatens national security.
However, the vague wording of the ‘false information’ clause has drawn criticism from civil rights groups, who are apprehensive that it could be deployed as a tool to silence journalists and whistleblowers.
The High Court has previously suspended similar provisions in the 2018 law for infringing on the freedom of expression.
The current amendment further expands the scope of obligations for operators of critical information infrastructure such as banks, telcos, and utilities, requiring them to localise data storage, conduct annual cybersecurity risk assessments, as well as establish internal operations centres.
All cyber incidents must be reported to NC4 within 24 hours.
According to Manwa OH Advocates, the requirements “align with global data governance standards but impose steep compliance costs, especially for fintech and telecom operators.” Non-compliance could attract fines of up to Sh10 million or prison terms of up to 20 years in severe cases.
Kenya’s tightening of cybercrime laws comes amid a sharp rise in digital fraud and a growing State appetite to regulate online activity.
In recent years, banks, telcos and government agencies have faced escalating breaches that have exposed vulnerabilities in payment systems and public databases.
Data from the Communications Authority shows that detected cyber threats rose to 842.3 million during the quarter ended September 2025, up from 657.8 million recorded during the period between July and September last year, driven by phishing, SIM-swap fraud, and ransomware targeting institutions handling financial data.
Mobile money services, which move more than Sh8 trillion annually, remain a prime target for fraud syndicates exploiting weak verification systems and insider collusion.
The 2018 Computer Misuse and Cybercrimes Act was Kenya’s first attempt to address hacking, identity theft, and online harassment, but enforcement has remained uneven.
The High Court in 2020 suspended several sections of the law over free speech concerns, leaving regulators with limited tools to act against emerging online crimes.
