Kenya has ushered in a new era of digital regulation following the presidential assent to the Computer Misuse and Cybercrimes (Amendment) Act, 2024, a sweeping reform aimed at tightening control over cyber offences, fintech fraud, and online content regulation. The law marks the most significant update to the country’s cyber framework since 2018, aligning Kenya’s legal regime with the rapidly evolving digital and fintech landscape.
Expanded Definitions and Digital Scope
One of the major changes lies in the amendment of Section 2, which broadens key definitions within the law. Previously, “access” was narrowly defined as entry into a computer system or program, excluding modern digital interfaces. The new law introduces definitions for asset, identity theft, SIM-card, virtual account, and terrorist act, while also expanding the meaning of access to include entry through a program or device.
The reform widens the scope of cyber offences to cover virtual property, digital identity, and fintech-related crimes. This means that offences involving digital wallets, online accounts, and virtual assets now fall squarely within the ambit of Kenyan law. It also allows authorities to prosecute device-based intrusions and virtual asset manipulation — a move seen as critical in a digital economy where cyber theft and data misuse are increasingly sophisticated.
New Enforcement Powers for the Cyber Coordination Committee
Under Section 6(1)(ja), the National Computer and Cybercrimes Coordination Committee (NCCCC) has been granted expanded powers. Previously, the Committee’s role was largely advisory, focusing on coordination, policy development, and issuing cybersecurity frameworks. The new provision empowers it to issue directives blocking access to websites or applications that promote illegal activities, terrorism, pornography, or extremist religious content.
While this bolsters Kenya’s capacity to curb illicit and extremist online material, it also raises constitutional concerns. The provision does not require a court order, notice, or appeal mechanism, prompting debate over potential conflicts with Articles 33 and 47 of the Constitution, which safeguard freedom of expression and fair administrative action.
Stronger Protection Against Cyber Harassment
The amendment to Section 27 expands the definition of cyber harassment to include conduct likely to cause a person to commit suicide. Previously, the law only addressed communications that caused fear, violence, damage, or distress.
This revision acknowledges the serious psychological impact of online abuse and strengthens legal protection for victims, especially minors and frequent social media users. However, the expanded definition is expected to pose evidentiary challenges for prosecutors, particularly in proving the causal link between online conduct and self-harm.
Phishing Now Includes Voice Calls
In a bid to keep pace with emerging fraud tactics, Section 30 has been expanded to include phishing conducted through phone calls. Originally, the law criminalised phishing through electronic or digital messages only. By adding “or makes a call,” the amendment captures voice-based scams that trick victims into revealing sensitive personal information.
This change modernises legal tools available to investigators tackling mobile-money and telecommunication fraud, which remain widespread in Kenya’s fintech-driven economy.
New Offence for SIM-Card Fraud
A new Section 42A introduces a specific offence for unauthorised SIM-card swaps — a form of fraud that has plagued mobile-money users for years. Previously, such offences were prosecuted under general fraud provisions.
The new section criminalises the unlawful taking of another person’s SIM card with intent to commit an offence. Convicted offenders face a fine of up to KSh 200,000, imprisonment for up to two years, or both. This move is expected to deter fraudulent SIM replacements and enhance accountability within the telecommunications sector, particularly around identity verification procedures.
Compliance Implications for Businesses
With the new law in force, businesses and digital platforms are required to update their compliance frameworks. Organisations must:
- Revise internal cybercrime and data-protection policies
- Strengthen SIM-swap and user verification systems
- Maintain audit logs for NCCCC takedown directives
- Implement lawful notice-and-takedown mechanisms
- Align operations with the Data Protection Act, 2019, to avoid dual liability
A Modern Framework for a Digital Economy
The Computer Misuse and Cybercrimes (Amendment) Act, 2024 represents a decisive step in modernising Kenya’s cybersecurity regime. By addressing loopholes in fintech fraud, identity theft, and online abuse, the law enhances state capability to respond to digital threats.
However, as experts have noted, the balance between digital security and constitutional freedoms will be crucial. Businesses and regulators alike will need to ensure that enforcement mechanisms strengthen, rather than erode, the trust and rights that underpin Kenya’s growing digital economy.
