Kenya’s Path to the Malabo Convention: Data Protection and Cybersecurity at a Crossroads
Stakeholder consultations announced by the Office of the Data Protection Commissioner in September 2025 mark Kenya’s first step toward accession to the African Union Malabo Convention, with important implications for compliance, digital trade, and the future of regional data governance.
Kenya’s Office of the Data Protection Commissioner has begun consultations on the country’s accession to the Malabo Convention. The step signals a move toward alignment with a continental framework for data protection and cybersecurity. If accession follows, the framework may reshape compliance expectations, cross-border transfers, and investor confidence while raising the bar for governance and security across sectors in Kenya and East Africa.
Setting the context
The African Union Convention on Cyber Security and Personal Data Protection, known as the Malabo Convention, is designed to harmonize rules on electronic transactions, personal data protection, and cybersecurity cooperation among member states. Although the Convention entered into force in 2023, the present consultations show that Kenya has not yet ratified or joined. The discussion arrives at a time when Kenya’s data protection regime under the Data Protection Act of 2019 continues to mature with active enforcement and growing jurisprudence.
Why stakeholder consultations matter
The consultations indicate that Kenya is weighing domestic, regional, and international implications before taking a formal step. Accession would call for alignment of national rules on privacy, security, and electronic commerce with standards recognized across Africa while maintaining support for innovation, digital trade, and cross-border data flows. For organisations, this is the moment to shape outcomes by sharing practical perspectives on transfer tools, incident response, and accountability models.
Potential benefits of accession
Accession may reduce fragmentation for companies operating in multiple African markets by encouraging more consistent obligations for data protection and cybersecurity. It may also strengthen cooperation among regulators and law enforcement for incident response and cybercrime investigations. Clear alignment with continental standards can support investor confidence, smoother cross-border operations, and a stronger trust environment for digital services.
The challenges ahead
Alignment will require careful review of the Data Protection Act, the Computer Misuse and Cybercrimes Act, and sector-specific frameworks in finance, telecoms, and health. There are questions about the interaction with international commitments for trade and privacy and about practical enforcement across jurisdictions with different capacities. Commentators also point to emerging realities such as artificial intelligence and complex platform ecosystems, which require continuous policy evolution.
What this means for the market
For Kenyan companies and multinationals in East Africa, this is the time to engage. Financial institutions, fintechs, telecommunications providers, and digital platforms should evaluate how accession may influence transfer mechanisms, cybersecurity controls, incident readiness, and contractual liability. Larger and already compliant organisations may adapt more quickly, while smaller players may need structured programs for governance and audit readiness.
More about the Malabo Convention
The Malabo Convention is the African Union instrument that addresses electronic transactions, personal data protection, and cybersecurity cooperation. Its goals include common principles for privacy and security safeguards, incident reporting and response, and mutual assistance among member states. Wider accession and effective domestication can reduce legal fragmentation and improve certainty for organisations that operate across borders. The framework supports digital trust and seeks to enable secure online services and cross-border commerce.
Looking ahead
Kenya’s consultations signal leadership in shaping regional digital governance. Whether accession proceeds immediately or in stages, organisations should expect compliance to be influenced by regional instruments. Early planning for governance, privacy by design, security by design, transfer impact assessments, and audit readiness will position businesses to adapt smoothly when the framework advances.
Partner with Cavendrys on data protection, privacy, and cybersecurity
Cavendrys supports audits, DPIAs, cross-border data transfers, incident readiness, regulator engagement, and implementation under Kenyan law and regional frameworks. Speak with our team to map obligations and design a practical compliance roadmap for operations in Kenya and across East Africa.