President William Ruto has signed into law the Computer Misuse and Cybercrimes (Amendment) Act, 2024, a move aimed at strengthening Kenya’s response to rising cases of online fraud, misinformation, and data theft.
The law updates the 2018 Computer Misuse and Cybercrimes Act, expanding its scope to address emerging digital threats while giving authorities more power to regulate online spaces and social media use.
Expanded definitions and new offences
The amendment broadens key definitions in the law to keep pace with technological change. It redefines “access” to include entry through any device or program and introduces new terms such as “asset”, covering both physical and virtual property, and “virtual account.”
It also introduces new offenses such as unauthorized SIM-swap fraud, identity theft, and online impersonation. These crimes, often linked to mobile banking fraud, have been on the rise in recent years, prompting calls for tougher penalties.
The law empowers the government to compel internet service providers and digital platforms to assist in cybercrime investigations, block malicious websites, and report suspicious activity.
Social media under scrutiny
A key focus of the new law is social media regulation. Platforms such as Facebook, X (formerly Twitter), and TikTok will now be required to cooperate with government agencies in cases involving the spread of false information, incitement, or cyberbullying.
They may also be compelled to take down content linked to criminal activity, preserve user data for investigations, and share information with law enforcement upon request.
The government says the move is necessary to protect citizens from harmful content and digital scams, but critics fear it could open the door to censorship and privacy violations.
“The law strengthens Kenya’s ability to fight cybercrime, but it must be implemented with respect for freedom of expression and data protection,” said a researcher from Strathmore University’s Centre for Intellectual Property and Information Technology Law (CIPIT).
Critical infrastructure protection
The amendment also introduces new rules for sectors classified as critical information infrastructure—including banks, telecoms, and energy companies.
These entities are now required to conduct annual cybersecurity audits, report breaches, and comply with national cybersecurity regulations designed to safeguard Kenya’s digital backbone.
Rights concerns and public debate
Human rights groups and digital rights advocates have raised concerns that the law’s broad wording could be used to silence critics online. They argue that terms such as “false publications” and “cyber harassment” need clearer definitions to avoid misuse.
Organizations such as Article 19 have urged the government to ensure judicial oversight before blocking content or accessing user data, warning that unchecked powers could erode online freedoms.
“Cybersecurity must not come at the expense of free speech,” said one digital rights advocate. “Oversight and transparency will determine whether this law protects citizens or controls them.”
Enforcement and the road ahead
With the law now in force, authorities are expected to increase enforcement actions targeting online fraud, digital scams, and hate speech. Businesses and social media platforms operating in Kenya will need to review their compliance policies, data handling procedures, and response systems for government requests.
Experts, however, caution that laws alone are not enough. They emphasize the need for technical capacity, skilled personnel, and public awareness to make the new framework effective.
