Kenya has taken another step in tightening its digital security framework with the Computer Misuse and Cybercrimes (Amendment) Act, 2024. The Bill was assented to on 15 October 2025. The law updates the 2018 framework to respond to evolving risks in the digital ecosystem and to strengthen enforcement powers.
We see this as part of Kenya’s ongoing attempt to balance innovation with safety in a digital economy that is rapidly expanding. The update brings useful tools for enforcement and it also raises questions about legislative overlap, institutional authority, and practical enforcement.
Why these changes now?
Cybercrime has become more sophisticated. Fraudulent SIM swap schemes, online radicalization, and digital identity theft are no longer abstract risks. They affect individuals, banks, telcos, and public institutions every week.
These amendments arrive amid rising SIM swap fraud, online extremism, and psychological harm caused by online harassment. They also reflect a wider global trend where countries tighten cybersecurity laws and redefine national powers to act against harmful digital activity.
Stronger grip on harmful online content
The law allows the National Computer and Cybercrimes Coordination Committee to order that a website or application be made inaccessible where it promotes terrorism, child pornography, or extremist and cultic practices. This gives the state a faster path to act on clear harms.
There is a governance question. These takedown powers sit close to the Communications Authority’s remit under the Kenya Information and Communications Act. A cleaner approach could have routed platform control measures through KICA to avoid future mandate overlap and to keep one clear gateway for notices to service providers.
New offence of unauthorized SIM card swap
This is a welcome addition. SIM swap fraud is a leading vector for mobile money loss and identity theft. The new section criminalizes unauthorized alteration or takeover of another person’s SIM card with penalties of up to KSh 200,000 or two years imprisonment. The penalty may look light compared to the losses that syndicates can cause, yet it sends a clear signal that this is now a stand alone criminal offence.
Expanded meaning of access and recognition of digital value
The law clarifies that access to a computer system can occur through a program or a device and not only by a person directly. This covers automated scripts, malware, and bots that intrude without a human typing a command.
New definitions for assets including virtual assets, identity theft, and virtual accounts align Kenya’s approach with how cyber enabled crime occurs in fintech and digital value environments.
Tougher stand on cyber harassment and phishing
The harassment offence now captures conduct likely to cause a victim to commit suicide. The law acknowledges the psychological effects of online abuse and gives prosecutors a clearer path where harm escalates.
The phishing offence now includes fraudulent calls as well as written messages. Real attacks blend calls, SMS, and messaging apps into one social engineering sequence.
Where the law could have gone further
- Coordination and overlap. Powers granted to the national committee may clash with the Communications Authority, the Office of the Data Protection Commissioner, and law enforcement units already handling cybercrime. Clear protocols for notices, appeals, and provider obligations will help businesses comply without conflicting directions.
- Penalty fit for purpose. SIM swap offences can cause losses that run into millions. A fine of KSh 200,000 may not deter organized groups.
- Procedural safeguards. Website takedowns without clear safeguards may raise constitutional concerns about freedom of expression and the right to information.
For individuals the law offers more protection against online harassment and identity theft. Effective enforcement will depend on awareness and cooperation between service providers and investigators.
Our expertise and how we can help
At Cavendrys, we support clients at every stage of the cyber and technology risk cycle. Our team advises on digital investigations, evidence gathering, and forensic coordination where cyber incidents or data breaches occur. We provide prosecution and defence support in cybercrime and technology related litigation, including cases of unauthorized access, fraud, and identity theft.
We act for companies and individuals facing data or system breaches, helping them manage containment, notification, and regulatory engagement with the ODPC and relevant authorities. Our lawyers handle technology contract negotiation, incident preparedness, and policy drafting. We align internal frameworks, vendor agreements, and response procedures with Kenyan and global cybersecurity standards.
Whether you face a live breach, a complex dispute, or you want to strengthen your digital risk posture, Cavendrys provides strategic and hands on legal support grounded in real market experience.
Need investigations, breach response, or litigation support in Kenya?
Speak to our Cybersecurity and Technology Law team for rapid, practical help.
