On October 15, 2025, President William Ruto signed the Computer Misuse and Cybercrimes (Amendment) Act, 2024, into law. The Act amends the Computer Misuse and Cybercrimes Act of 2018 to address emerging digital threats, according to a legal analysis published by Manwa Advocates. New provisions cover SIM-swap fraud, phishing, identity theft, and cyber harassment, with penalties raised to KES 10 million (approximately $77,000) or 20 years' imprisonment for severe offenses.
Among the amendments, the Act mandates data localization for critical information infrastructure, requires annual risk assessments, and strengthens the establishment of Cybersecurity Operations Centres. It also broadens the definition of critical information infrastructure to explicitly cover sectors including banking, energy, and telecommunications.
Kenya has not yet enacted legislation requiring migration to quantum-resistant cryptographic standards, though cybersecurity experts have called for proactive measures to protect the country’s National Public Key Infrastructure from future quantum computing threats. The amended Act and its associated 2024 regulations form the legal architecture within which any post-quantum cryptography transition would eventually occur.