Summary of the law

The Computer Misuse and Cybercrimes (Amendment) Act, 2025 (Amendment law) introduces targeted updates to Kenya’s Computer Misuse and Cybercrimes Act, 2018 (Principal Act).

The updates are aimed at addressing evolving digital threats and aligning enforcement mechanisms with current technological realities. The Amendment law expands categories of regulated assets to cover digital assets and introduces a definition for virtual accounts. It also empowers authorities to block unlawful or extremist online content and empowers courts to order takedowns of harmful digital material.

Who is affected

The changes in the law impact a wide spectrum of actors in the digital ecosystem. The actors include:

1. a) Online platforms, website owners and app developers who may be subject to takedown orders where content promotes unlawful activity, terrorism, cultism, religious extremism or inappropriate sexual content involving minors.
2. b) Telecommunications operators and internet service providers who may receive directives to render specified websites or applications inaccessible.
3. c) Financial service providers and virtual asset platforms who are now covered by the principal Act owing to expanded/new definitions of “asset” and “virtual account.”
4. d) Law enforcement officers and regulators who have broader authority to seek court orders for removal of digital content.
5. e) Individuals and organizations, particularly those engaging in online communications since provisions on cyber harassment now include emails and calls.

Required actions 

The new law necessitates the following concrete compliance steps by the various actors:

• Compliance gap assessment: Entities should initiate a compliance gap assessment to identify and prioritize procedures, protocols and mechanisms to be aligned with the new law.
• Policy updates: Update internal cybersecurity and data governance policies and user engagement protocols to account for new definitions such as virtual account, cybercrime and computer misuse as well as the expanded definition of cyber harassment, which now covers conduct including through email and SMS that detrimentally affects a person or is likely to cause another person to commit suicide.
• Content moderation protocols: Implement rapid review and response mechanisms for unlawful, inappropriate, or extremist content on a website or application.
• Incident response enhancement: Put in place or enhance existing takedown and reporting mechanisms to align with potential Court orders for removal of content, closure, or deactivation of website or digital device or National Computer and Cybercrimes Co-ordination Committee’s directive rendering a website or application inaccessible.
• Employee and stakeholder awareness: Undertake policy and other measures to sensitize staff and stakeholders on the expanded scope of liability for online activities, especially relating to unlawful content, phishing, cyber harassment and identity theft.
• Legal readiness: Take appropriate contractual measures and prepare for potential court applications or orders requiring content removal or account deactivation.

Practical impact 

The law represents a change in the legal landscape in that:

• It empowers Courts, upon application, to issue takedown or deactivation orders for content linked to terrorism, religious extremism, cultism, as well as sexual content of a minor.
• It empowers the National Computer and Cybercrimes Co-ordination Committee to make a directive rendering a website or an application inaccessible.
• It elevates compliance obligations, especially for platforms hosting user-generated content, in alignment with best practice on online safety.
• It bridges regulatory gaps in the oversight of virtual accounts and digital platforms.
• It enhances accountability for content by online intermediaries and digital service providers.

Through this law, therefore, Kenya is looking at tightening its regulatory grip on digital spaces with a view to safeguarding users, protecting minors and reinforcing national cyber resilience.

Effective dates and next steps 

i. When the law comes into effect

The Computer Misuse and Cybercrimes (Amendment) Act, 2025 was assented to by the President of Kenya on 15th October 2025 and was set to come into operation on 4th November 2025.

ii. Waiting period
Several petitions challenging constitutionality of the Amendment law have been filed in Court.

Consequently, implementation of specific provisions of the law has been temporarily halted by the High Court. The High Court specifically issued conservatory orders suspending the enforcement, implementation and operation of the provisions relating to:

1. The expanded definition of cyber harassment; and
2. The expanded powers of the National Computer and Cybercrimes Co-ordination Committee to make a directive rendering a website or an application inaccessible.

As at the date of publication of this alert, the suspensions are active. The government has also applied to Court requesting it to lift the suspensions.

iii. Transitional provisions to take note of
The Amendment law does not contain express transitional clauses. Accordingly, all amendments, save for the suspended provisions, take effect immediately upon commencement on 4th November 2025.

iv. Phased compliance requirements, if any
The Amendment law does not provide for phased implementation. Enforcement is expected to apply uniformly from 4th November 2025, except for the provisions which have been suspended