The government, through the Office of the Principal Secretary for Internal Security and National Administration, has moved to clarify and defend the recently enacted Computer Misuse and Cybercrimes (Amendment) Act 2024, amid a wave of online debate and concern about its provisions.

PS Raymond Omollo stated on October 22, 2025 that many of the narratives circulating on social media regarding the Act are either misleading or outright false, and urged Kenyans to read the actual law rather than relying solely on summaries or commentary. “A lot of what is being shared online … is misleading or outright false,” he said.

On October 15, 2025 President William Ruto signed the Computer Misuse and Cybercrimes (Amendment) Bill, 2024, into law. This legislation aims to bolster Kenya’s defenses against rising cyber threats including online fraud, hate speech, and digital harrassment.

The Amendment strengthens the role of the National Computer and Cybercrime Coordination Committee (NC4), giving it authority to issue legal directives against websites and platforms engaged in child-pornography, human-trafficking, terrorism and extreme religious/cultic practices.

However, the law has sparked significant controversy, with critics arguing that it may infringe upon fundamental rights such as freedom of expression and access to information.

The amended Act introduces several notable changes to Kenya’s cybercrime legislation. One of the key provisions is the expansion to the definaton of “access,” which now includes unauthorized entry through a program or device.

This broadens the scope of cybercrimes to encompass activities involving automated attacks, malware, and hacking tools. Additionally, the definition of “asset” has been expanded to include all forms of property, movable or immovable, physical or virtual, as well as estates, rights, money, and goodwill, whether in Kenya or abroad. This inclusion aims to address the growing significance of digital assets in cybercrime activities.

The Act also introduces new definitions, such as “identity theft,” which encompasses the use of another person’s personal identification information, including names, identification numbers, SIM cards, bank cards, and other subscriber information.

Furthermore, the Act defines “SIM card” in alignment with the Kenya Information and Communications Act, 1998, ensuring consistency in telecommunications laws. However, the definition does not adequately address advancements such as embedded SIMs (e-SIMs) and virtual SIMs, which do not require a physical card and are increasingly used in modern mobile devices and Internet of Things applications.

The lack of clarity on whether these technologies fall within the scope of the Act may create challenges in enforcement.

To combat emerging threats, the Act criminalizes unauthorized SIM card swaps with intent to commit an offense.

Specifically, Section 42A stipulates that a person who willfully causes unauthorized alteration and unlawfully takes ownership of another person’s SIM card with intent to commit an offense is liable to a fine not exceeding Ksh 200,000 or imprisonment for a term not exceeding two years, or both. This provision addresses the growing issue of SIM-swap fraud, enhancing security in mobile transactions.

The Act also empowers the National Computer and Cybercrimes Coordination Committee (NC4) to issue directives to render websites or applications inaccessible if they are found to promote illegal activities. This expansion of NC4’s powers has raised concerns about potential overreach and the lack of judicial oversight in content regulation.

The penalties for cyber offenses has increased up to KSh 20 million fines or 10 years imprisonment for publishing grossly offensive online material, aimed at combating phishing and scams. The severity of fines and prison terms for certain offenses may be seen as excessive and could disproportionately affect ordinary citizens.

Kenyans responded with over 50,000 social media posts under #RejectCyberCrimeLaw, raising concerns about threats to free speech amid national mourning.

The ability of NC4 to act without court approval is viewed by many as a bypass of constitutional safeguards.

Organizations such as Article 19, an international human rights company that focuses on freedom of expression and information, had called for withdrawal of the law when it was first brought into motion.

They argued that the bill contravenes international human rights standards.

While the Computer Misuse and Cybercrimes (Amendment) Act, 2024, seeks to address legitimate concerns regarding cyber threats, its potential implications for fundamental rights cannot be overlooked. A balanced approach is essential to ensure that the law effectively combats cybercrime without compromising the freedoms that underpin democratic society