New law case of digital overreach

What you need to know:

  • Kenya has already seen cases where laws meant to ensure safety are used to intimidate whistle-blowers or muzzle uncomfortable opinions.
  • What we are witnessing is a broader trend, where cybersecurity becomes the justification for greater state surveillance and control.

When Kenya first passed the Computer Misuse and Cybercrimes Act in 2018, it was a necessary response to a fast-growing digital space that lacked legal safeguards. At the time, the main aim was to protect computer systems from hacking, fraud, and unauthorised interference. It was a straightforward attempt to bring order to the online frontier.

Seven years later, the law has gone through a major transformation, culminating in the 2025 Amendment Act, and what we now have is a framework that is far more powerful, complex, and concerning. The story of this evolution is not just about technological progress; it is also about power, control, and the delicate balance between security and freedom.

The 2018 Act focused largely on offences such as unauthorised access, computer forgery, and cyber harassment. It laid the foundation for prosecuting digital crimes, but its scope reflected the realities of that time, when cybercrime mostly meant phishing scams, data theft, and online impersonation.

Over the years, Kenya’s digital ecosystem has expanded at an astonishing rate. Mobile money became mainstream, fintechs multiplied, and social media turned into both a marketplace and a political battleground. Naturally, cyber threats evolved with equal speed. The 2025 Amendment was introduced to modernise the framework and catch up with this new digital reality. On paper, that sounds reasonable. In practice, however, it raises several red flags about how far the state can reach into cyberspace.

Powers to block websites or apps

The most noticeable changes in the 2025 version lie in its definitions and scope. “Asset” now includes both physical and virtual property, even if it’s located outside Kenya, meaning digital tokens, cryptocurrency, and online accounts could all fall under state scrutiny. The definition of “access” has also been stretched to include indirect and automated forms of entry into systems, broadening the net for what could be considered a criminal act.

There is a new offence for SIM-swap fraud, which targets people who illegally take over someone else’s SIM card to commit financial crimes. On the surface, these changes make sense. Cybercriminals have become more sophisticated, and the law must evolve to deal with them. But when every definition is widened, every loophole closed, and every new form of access criminalised, we start to enter dangerous territory, one where enforcement can easily slip into overreach.

It also raises a larger question that sits at the heart of this new framework: can the government legislate morals? When the law begins to decide what speech is acceptable or not, the line between protecting citizens and controlling them becomes worryingly thin. What worries me most is how much discretion the state now holds under this updated framework.

The National Computer and Cybercrimes Coordination Committee (NC4) has been given extraordinary powers to block websites or apps that are deemed to promote “terrorism,” “extreme religious practices,” or “illegal activities.” While the intention may be to protect public order, the lack of clear checks and balances invites abuse. What counts as “extreme” or “illegal” can easily be stretched to silence critical journalism, online activism, or dissenting voices. 

Muzzle uncomfortable opinions

Kenya has already seen cases where laws meant to ensure safety are used to intimidate whistle-blowers or muzzle uncomfortable opinions. This new authority to take down online platforms without prior court oversight risks turning cyberspace into a controlled environment where speech survives only at the pleasure of those in power.

The 2025 law also amplifies the responsibilities of internet service providers and digital platforms. They are now expected to preserve, hand over, or even block user data when instructed to do so. That might sound like cooperation with investigations, but in practice, it gives law enforcement sweeping access to private information with limited accountability. Kenya’s constitution guarantees privacy, yet these new powers make that right conditional. What happens when personal data is requested for political reasons? Or when the identity of an online critic is exposed under the pretext of a “cybercrime investigation”? The line between protection and surveillance has never been thinner.

Another issue that cannot be ignored is the vagueness of some new provisions. The cyber-harassment section now includes communications “likely to cause someone to commit suicide”. While the intention is clearly to prevent online bullying and emotional harm, the language is subjective. How do you measure likelihood? Laws that rely on emotional outcomes rather than concrete acts are dangerous as they depend on interpretation, not evidence. Where political and social sensitivities run high, that ambiguity becomes a weapon, not a shield.

What we are witnessing is a broader trend, where cybersecurity becomes the justification for greater state surveillance and control. The narrative is simple: the digital world is dangerous, therefore the government must have more tools to keep us safe. The problem is that safety without accountability easily becomes suppression. Kenya’s digital economy thrives on innovation, free expression, and openness. The more we regulate through fear, the less room we leave for creativity, criticism, and civic engagement online.

Mr Omondi is a Cybersecurity and Data Analytics Consultant. Washington, D.C., USA