Kenya's digital infrastructure is under unprecedented assault, with cyber threat incidents surging by 146% in the year leading up to June 2025. The Communications Authority of Kenya (CA) reported 8.6 billion detected threats during this period, a significant increase from 3.5 billion in the preceding year. This alarming rise underscores the heightened aggression by cybercriminals amidst the nation's accelerated digitalisation of public and private services.

The first quarter of 2025 alone saw 2.54 billion cyber threat incidents, marking a 201.7% increase from the previous quarter, according to the Communications Authority of Kenya (CA). This surge has profound economic implications, with businesses grappling with increased costs for cybersecurity measures, potential data breaches, and damage to their reputation.

Historical and Political Context

Kenya has been on a rapid digital transformation path, driven by high mobile penetration and government initiatives like the Ajira Digital Program and e-citizen services. This digital boom, while fostering economic opportunities, has also expanded the 'attack surface' for cybercriminals. The country lost an estimated KES 10.7 billion (approximately $83 million USD) to cybercrime in 2023, ranking it second in Africa after Nigeria.

In response to the growing threats, the Kenyan government launched its first Cybersecurity Strategy in 2014, which led to the enactment of the Computer Misuse and Cybercrimes Act (CMCA) in 2018. The CMCA provides a legal framework for tackling cybercrimes, regulating online conduct, and ensuring accountability in cyberspace.

Laws, Policy, and Governance

The Computer Misuse and Cybercrimes Act No. 5 of 2018, assented to on May 16, 2018, and commenced on May 30, 2018, is the overarching law addressing cybersecurity concerns in Kenya. It defines and criminalises various cybercrimes, including unauthorised access to computer systems, cyberespionage, data breaches, cyberbullying, cyberstalking, and malicious communications. Penalties for these offenses range from substantial fines to lengthy prison sentences, depending on the severity.

The Act also established the National Computer and Cybercrimes Coordination Committee (NC4), a multi-agency entity tasked with coordinating national cybersecurity matters. The NC4 advises the National Security Council on cybercrimes, approves the designation of critical information infrastructure, and formulates cybersecurity codes of practice.

Kenya's National Cybersecurity Strategy 2022-2027, launched on August 5, 2022, serves as a roadmap to address emerging threats and challenges in the cyber domain. This strategy is anchored on six main pillars, including establishing governance structures, strengthening legal frameworks, protecting critical information infrastructure, cultivating a skilled cybersecurity workforce, minimising crimes, and fostering cooperation.

A draft second review of the National Cybersecurity Strategy 2025-2029 has also been released, aiming to align with the government's digital transformation agenda and incorporate new critical pillars such as incident response management and the constructive use of artificial intelligence and other emerging technologies.

Stakeholders and Testimonies

National security officials and ministers are urging all organisations, from small businesses to large employers, to develop contingency plans for potential IT infrastructure crippling cyberattacks. This call to action highlights the shared responsibility in bolstering Kenya's cyber resilience. The Communications Authority of Kenya (CA) and the National Computer and Cybercrimes Coordination Committee (NC4) are key government entities at the forefront of detecting, preventing, and responding to cyber threats.

Businesses, particularly Small and Medium-sized Enterprises (SMEs), are increasingly vulnerable. SMEs, which contribute approximately 40% of Kenya's GDP, are often perceived to have weaker security measures, making them attractive targets for cybercriminals. The financial sector is also a prime target, with cybercriminals exploiting vulnerabilities to commit fraud and theft.

Evidence and Data

• Cyber Threat Incidents: Kenya recorded 2.54 billion cyber threat incidents between January and March 2025, a 201.7% increase from the previous quarter (Communications Authority of Kenya, July 2025).
• Annual Increase: Detected cyber threats rose by 146% to 8.6 billion in the year to June 2025, up from 3.5 billion in the preceding year (Communications Authority of Kenya, July 2025).
• Economic Loss: Kenya lost an estimated KES 10.7 billion (approximately $83 million USD) to cybercrime in 2023 (Communications Authority of Kenya, October 2024).
• Most Prevalent Attacks: System attacks were the most prevalent type, accounting for 4.5 billion incidents in the year to June 2025.
• Cybersecurity Skills Gap: Kenya needs approximately 40,000 to 50,000 cybersecurity professionals but has only 1,700 certified experts, representing a 96% shortage (Seceon Inc., September 2025).

Risks and Implications

The escalating cyber threats pose significant risks to Kenya's economic stability and national security. The increased reliance on digital technologies, coupled with inadequate system patching and limited user awareness, creates a fertile ground for malicious actors. The proliferation of inherently insecure Internet of Things (IoT) devices, insecure system configurations, and outdated software further exacerbates vulnerabilities.

The economic impact extends beyond direct financial losses, encompassing business interruptions, recovery expenses, regulatory penalties, and erosion of consumer trust. The severe shortage of cybersecurity professionals in Kenya also means organisations are often forced to pay higher salaries or resort to expensive international consultants, further straining resources.

Unknowns and Controversies

While the statistics highlight a significant increase in detected cyber threats, the full extent of unreported or undiscovered attacks remains unknown. The effectiveness of current reporting mechanisms and the capacity of law enforcement to investigate and prosecute all cybercrimes are ongoing areas of concern. Additionally, the rapid evolution of AI-driven attacks presents new challenges that require continuous adaptation of cybersecurity strategies and policies.

Timeline and Next Steps

• 2014: Kenya's first Cybersecurity Strategy developed.
• 2018: Computer Misuse and Cybercrimes Act (CMCA) enacted.
• August 5, 2022: National Cybersecurity Strategy 2022-2027 launched.
• 2024: Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations enacted.
• Q1 2025: 2.54 billion cyber threat incidents detected.
• Year to June 2025: 8.6 billion cyber threat incidents detected.
• Ongoing: Implementation of the National Cybersecurity Strategy 2022-2027 and development of the 2025-2029 strategy.

What to Watch

Stakeholders will be closely watching the implementation of the National Cybersecurity Strategy 2025-2029, particularly its focus on building resilient cyber incident response mechanisms and addressing the challenges posed by emerging technologies like AI. The government's efforts to consolidate cyber control units across ministries and agencies into a single national entity, as well as amendments to the National ICT Policy, will be crucial in strengthening Kenya's cybersecurity posture. Continued investment in cybersecurity education and training is essential to bridge the significant skills gap and ensure a robust defence against evolving threats.