&format=webp)
)
On October 8, 2025, the Kenyan Parliament passed the Computer Misuse and Cybercrimes (Amendment) Bill, 2024, ushering in a new set of rules for the country's digital space.
The amendment introduces significant changes to the original 2018 Act, with new offences and stiffer penalties that will directly impact every Kenyan who uses the internet.
Here is a breakdown of the key changes and what they mean for you.
Expanded definition of cyber harassment
&format=webp)
&format=webp)
&format=webp)
The original 2018 Act already criminalised cyber harassment.
The law now makes it an offence to send a message that you know or ought to know is 'likely to cause' a person to commit suicide
However, the amendment broadens its scope.
The law now makes it an offence to send a message that you know or ought to know is 'likely to cause' a person to commit suicide.
This is an addition to the existing provision that criminalises communication that is detrimental to a person.
The amendment does not change the existing penalty.
Under Section 27 of the Act, a person convicted of cyber harassment is liable to a fine not exceeding Sh20 million or to imprisonment for a term not exceeding ten years, or to both.
Phishing now includes phone calls
Phishing, the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising oneself as a trustworthy entity, is a common cybercrime.
The amendment expands the definition of phishing to include making a fraudulent phone call ('vishing').
The original law primarily focused on electronic messages.
According to Section 30 of the Act, a person who commits the offence of phishing is liable on conviction to a fine not exceeding Sh300,000 or to imprisonment for a term not exceeding three years, or to both.
New offence: Unauthorised SIM-swap
SIM-swap fraud, where a criminal obtains a replacement SIM card for a victim's mobile number to gain access to their online accounts, has been a growing problem in Kenya.
The amendment introduces a new section, 42A, which makes it a specific offence to wilfully cause the unauthorised alteration and unlawful takeover of another person's SIM card with the intent to commit a crime.
In short, criminals who steal your phone number through a SIM swap can now be prosecuted for it.
A person convicted of this offence is liable to a fine not exceeding Sh200,000 or to imprisonment for a term not exceeding two years, or both.
This provides a direct legal remedy for victims of SIM-swap fraud and is intended to deter criminals who engage in this practice.
It also places a greater responsibility on mobile network operators to secure the SIM-swap process.
Website and application blocking by the NC4
Perhaps the most contentious part of the amendment is the new power granted to the National Computer and Cybercrimes Coordination Committee (NC4).
Wajir East Member of Parliament Mohamed Aden Daudi sponsored the Computer Misuse and Cybercrimes (Amendment) Bill, 2024
The NC4 is now empowered to issue a directive to render a website or application inaccessible within Kenya if it is proved 'that a website or application promotes illegal activities, child pornography, terrorism, extreme religious and cultic practices'.
While the stated aim is to curb harmful content, critics have raised concerns about the lack of judicial oversight in this process.
This provision could potentially be used to block access to websites and applications without a court order, which could have implications for freedom of expression and access to information.
It remains to be seen how 'proof' will be established and what recourse will be available to a website or application owner who is affected by such a directive.
What hasn't changed
It is important to remember that all offences under the 2018 Computer Misuse and Cybercrimes Act remain in force.
These include:
False Publications: Spreading false information, commonly referred to as 'fake news,' is an offence punishable by a fine not exceeding Sh5 million or imprisonment for a term not exceeding two years, or both.
Cyber Espionage: Accessing data for espionage purposes can lead to imprisonment for a term not exceeding 20 years or a fine not exceeding Sh10 million, or both. This can be elevated to life imprisonment if the act results in a person's death.
Unauthorised Access to a Computer System (Hacking): This carries a penalty of a fine not exceeding Sh5 million or imprisonment for a term not exceeding three years, or both.
Identity Theft and Impersonation: Using another person's identity online without their consent can result in a fine not exceeding Sh200,000 or imprisonment for a term not exceeding two years, or both.
The amendments to the Computer Misuse and Cybercrimes Act represent a significant development in Kenya's legal framework for the digital age, and the bill now awaits presidential assent to become law.
While some of the changes are aimed at addressing real and present dangers online, others have raised legitimate concerns about their potential impact on fundamental rights.