Insight into Kenya’s Cyber Assurance Framework: Government-Led Enhancements Driving Secure Digital Transformation Under BETA

Introduction: Kenya’s Cybersecurity Journey

Kenya’s rapid digitisation has transformed society and the economy. By 2022, mobile money was transacting more than KSh 7 trillion annually, eCitizen had digitised over 5,000 services, and counties were migrating revenue collection online. At the same time, threats multiplied. The Communications Authority reported 860 million attempted attacks between July and September 2022, households lost billions of shillings to fraud, and public trust in digital platforms was eroding. Cybersecurity had become a matter of national security.

The legal and institutional framework at the time was fragmented. The Computer Misuse and Cybercrimes Act (2018) was partially suspended in court, limiting enforcement. The Data Protection Act (2019) had created the Office of the Data Protection Commissioner (ODPC), but capacity was thin. The National Cybersecurity Strategy 2022–2027 had been launched, yet its measures were still in planning. Kenya entered this period with strong ambitions but fragile defences.

The turnaround is anchored in multi-agency leadership. Under the Ministry of Interior and National Administration, cybersecurity has been mainstreamed into the national security framework. Dr. Raymond Omollo, Principal Secretary for Internal Security and National Administration, has steered coordination between law enforcement, county administrators, the Communications Authority, ODPC, and sector regulators. His leadership ensured cybercrime is addressed not only as an ICT issue but as a frontline security challenge, linking citizens’ safety with national sovereignty.

  • 2022 Crisis: Record threat attempts, rising fraud, weak enforcement, and collapsing public trust.
  • 2023 became a year of stabilisation. ODPC initiated mandatory compliance audits, the Communications Authority intensified threat monitoring, and amendments to the Kenya Information and Communications Act (KICA) were prepared to introduce tougher penalties for non-compliance.
  • 2024 marked acceleration. The Central Bank of Kenya updated its cybersecurity guidelines in January, requiring banks and fintechs to report breaches within 72 hours and conduct quarterly audits. In the first quarter, Parliament passed amendments to KICA, granting the Communications Authority enforcement powers, including financial penalties for telcos and ISPs that failed to protect users.
  • 2025 is a year of consolidation. ODPC is auditing more than 2,500 registered organisations, the Communications Authority is imposing fines for breaches, the CBK guidelines are actively protecting household finances, and counties are embedding cybersecurity measures into devolved governance systems.

This three-year scorecard documents how Kenya is responding to unprecedented digital threats by embedding cybersecurity in law, policy, institutions, and citizen practice. It shows the shift from vulnerability in 2022, to stabilisation in 2023, acceleration in 2024, and consolidation in 2025, with visible impact on households, businesses, and the nation’s digital economy.

Part 1 — Magnitude of the 2022 Challenge

Kenya entered September 2022 with its digital economy hailed globally for rapid innovation, yet critically exposed to vulnerabilities. Mobile money had become the financial bloodstream of the nation, transacting KSh 7.2 trillion annually through more than 32 million active users. eCitizen had digitised over 5,000 services, covering everything from driving licences to land title searches, while counties were beginning to adopt digital revenue platforms. Across universities, hospitals, and businesses, digitisation was being embraced as a vehicle for efficiency.

However, this rapid shift outpaced the growth of safeguards. Citizens were facing a daily reality of fraud, businesses were disrupted by ransomware, and institutions were struggling to keep their databases secure. Kenya had passed the Computer Misuse and Cybercrimes Act (2018) and the Data Protection Act (2019), and in mid-2022 had launched the National Cybersecurity Strategy 2022–2027. But implementation was slow, enforcement was weak, and capacity was thin. The result was a digital economy under attack, with ordinary Kenyans bearing the heaviest burden.

  1. Threat Volume at Record Levels

The scale of cyber threats by 2022 placed Kenya among the most attacked digital economies in Africa.

  • Explosive Growth: The Communications Authority (CA) reported 860 million attempted cyberattacks between July and September 2022, up from 139 million in the previous quarter. This six-fold spike reflected Kenya’s growing digital footprint, particularly in mobile money and government portals, making the country a prime target for cybercriminals.
  • Sectoral Focus: Banks and telcos bore the brunt of DDoS attacks, which aimed to paralyse payment systems. Phishing campaigns targeted millions of M-Pesa users daily with fake links, while malware intrusions sought access to personal devices. Government registries, including tax and land systems, suffered repeated intrusion attempts.
  • Evolving Tactics: Criminals moved from crude scams to sophisticated social engineering and cloned apps. Fake investment platforms spread widely, draining savings from citizens convinced by polished interfaces. Malware was disguised in downloads, affecting not only individuals but also SMEs.
  • Citizen Exposure: By late 2022, almost every Kenyan with a phone was a potential victim. A farmer waiting for a digital produce payment, a student applying for HELB, or a small trader filing iTax returns faced real risks of fraud or disruption. Threats had become systemic.
  2. Financial Impact on the Economy

The financial toll of cyber incidents in 2022 was unprecedented, cutting across households, businesses, and macroeconomic indicators.

  • Household Devastation: SIM-swap fraud alone accounted for thousands of cases where citizens lost entire savings overnight. Reported average losses were KSh 80,000–120,000 per incident, wiping out school fees, rent, or medical funds. Many families had no path to restitution, deepening mistrust in digital platforms.
  • SME Disruption: A Kenya National Chamber of Commerce survey found that 18% of SMEs faced cyber incidents in 2022. Ransomware locked inventory records and payment systems, forcing downtime of 5–7 days. For small enterprises, even a week’s halt meant missed orders, loss of stock, and erosion of customer confidence.
  • Banking Sector Strain: Banks spent billions upgrading systems and compensating customers. These costs were transferred through higher transaction fees, meaning citizens indirectly bore the burden of systemic insecurity.
  • National Losses: Combined direct and indirect losses from cybercrime were estimated at KSh 20–25 billion in 2022, equivalent to 0.2–0.3% of GDP. This persistent leakage undermined investor confidence and reduced Kenya’s competitiveness as a regional ICT hub.
  3. Institutional Weaknesses Across Sectors

While digitisation spread across government and public institutions, cyber resilience lagged far behind.

  • Outdated Systems: Many ministries and counties relied on unsupported software with minimal firewalls. Databases holding citizen records were easily infiltrated or interrupted, often causing downtime.
  • Universities Breached: Student portals at several universities were compromised, with grades altered and personal information exposed. These incidents undermined confidence in education systems.
  • Hospitals Disrupted: Public hospitals, already under strain, reported service outages linked to ransomware attempts. Patient data was exposed to risk, while outages in systems slowed admissions and treatment.
  • Counties Exposed: Counties rolling out digital revenue systems faced frequent interruptions from intrusion attempts. Market traders complained of disrupted transactions, and the credibility of county digitalisation drives suffered setbacks.
  4. Law Enforcement and Judicial Gaps

Despite existing laws, enforcement was weak and fragmented.

  • Low Convictions: Since the Computer Misuse and Cybercrimes Act (2018) was enacted, fewer than 350 successful prosecutions had been recorded by 2022, despite thousands of complaints filed annually.
  • Forensic Deficit: The DCI’s cybercrime unit lacked modern forensic laboratories, forcing investigators to rely on limited tools. Many cases stalled for lack of credible evidence.
  • Judicial Unpreparedness: Courts struggled with digital evidence, leading to inconsistent rulings and delayed cases. Victims rarely saw justice, reinforcing perceptions of impunity.
  • Criminal Confidence: With low risk of arrest or conviction, cybercriminals acted boldly, creating syndicates that targeted ordinary Kenyans with near-certainty of escape.
  5. Public Trust Deficit in Digital Platforms

Perhaps the most corrosive effect of 2022 was the erosion of citizen trust in digital platforms.

  • Fear of Leaks: Many citizens avoided uploading sensitive data such as land title records to eCitizen, fearing manipulation or leaks.
  • Rural Hesitancy: Families in rural areas limited mobile money use to basic transfers, unwilling to risk larger sums.
  • Professional Scepticism: Professionals avoided online credit products and fintech apps, citing widespread scams.
  • Traders’ Resistance: Market vendors preferred cash over digital systems, undermining Kenya’s push toward cashless commerce.

  6. Impact on National Reputation

Kenya’s global image as Africa’s Silicon Savannah was at risk due to rising insecurity in its digital systems.

  • Investor Caution: International firms flagged Kenya’s weak protections when evaluating data centre investments, demanding higher risk premiums.
  • Regional Competition: Kigali and Lagos marketed themselves as safer ICT hubs, threatening to pull investment away from Nairobi.
  • Sector Growth Limits: Development partners flagged cyber insecurity as a bottleneck to expanding Kenya’s fintech and ICT industries.
  • Eroded Brand: Kenya’s brand as a secure environment for innovation was under pressure, undermining decades of progress in positioning Nairobi as Africa’s tech capital.
  7. Regional and Continental Implications

Kenya’s vulnerabilities did not stop at its borders; they had ripple effects across East Africa.

  • Banking Contagion: Regional banks integrated with Kenya’s networks faced fraud risks spreading from local breaches.
  • Cross-Border Transfers: Mobile money remittances linking Uganda, Rwanda, and Tanzania were disrupted by fraud originating from Kenyan accounts.
  • AfCFTA Participation: Weak cybersecurity reduced Kenya’s ability to lead confidently in digital trade under the African Continental Free Trade Area.
  • Diplomatic Concerns: Neighbouring states increasingly pressed Nairobi to strengthen its systems, as Kenyan weaknesses jeopardised regional stability.
  8. Social Impact on Citizens

Beyond statistics, the burden of cybercrime was acutely personal in 2022.

  • Students’ Losses: University students lost tuition to fraudulent apps and fake scholarships, derailing academic progress.
  • Household Devastation: Families fell into poverty after overnight theft of digital savings, with little recourse for recovery.
  • Trader Disruptions: Market vendors missed deliveries and supplies when mobile payments failed, disrupting livelihoods.
  • Youth Freelancers Compromised: Online workers lost accounts to identity theft, forfeiting income and global contracts.

Summary of 2022

Kenya’s digital expansion in 2022 outpaced its capacity to protect itself. Laws existed, but enforcement was weak; institutions were digitising, but systems were outdated; households and businesses were transacting digitally, but losing billions to fraud. Public trust was collapsing, investor confidence was shaken, and regional partners were demanding action. This was the crisis baseline that demanded urgent reform under the new administration.

Part 2 — 2023: Stabilisation Phase

The year 2023 represented a period of stabilisation after the turbulence of 2022. The government moved from recognising the scale of the cyber crisis to putting structures in place that would anchor resilience. The emphasis was on enforcement of existing laws, preparation of stronger legislation, institutional strengthening, and awareness programmes. For citizens, this year began to offer assurance that digital platforms could become safer, even as challenges persisted.

  1. Legal and Regulatory Anchoring

The backbone of stabilisation in 2023 was the gradual embedding of legal and regulatory mechanisms into active practice.

  • Amendments to KICA in Draft Stage: Parliament processed proposals to amend the Kenya Information and Communications Act (KICA) to empower the Communications Authority (CA) with authority to impose penalties on institutions that failed to protect user data. These proposals were motivated by widespread complaints about fraudulent SIM swaps and unreported data breaches.
  • ODPC in Action: The Office of the Data Protection Commissioner (ODPC) expanded its mandate from registration drives to compliance reviews. By September 2023, more than 1,000 data controllers and processors had been registered, and over 300 entities had been subjected to preliminary audits, including telcos, banks, and ministries.
  • Cybercrime Prosecutions: The Computer Misuse and Cybercrimes Act (2018) was applied more actively. Over 150 new cybercrime cases were in progress by the end of the year, a significant increase from previous years. Courts began working with forensic experts to improve the handling of digital evidence.
  • Citizen Impact: These actions created visibility. Households began to see cases moving through courts, businesses received compliance notices, and the public understood that data protection obligations now carried consequences.
  2. Institutional Strengthening

Cybersecurity stabilisation in 2023 also required strengthening existing institutions and expanding their reach.

  • KE-CIRT/CC Upgrade: The National Computer Incident Response Team at the CA expanded its monitoring capacity, building real-time dashboards that tracked billions of attempted attacks. Reports were shared with ministries and parastatals, helping them close weaknesses more quickly.
  • County Linkages: Five counties (Nairobi, Mombasa, Kisumu, Nakuru, and Uasin Gishu) were connected directly to KE-CIRT/CC as part of pilot programs. These counties were chosen because of their high volumes of digital revenue collection.
  • Training of Public Officers: More than 2,000 government officers across sectors such as health, education, and county administration received training on cyber hygiene. Simple steps like identifying phishing emails, restricting use of external flash drives, and enforcing access control policies were rolled out.
  • Citizen Impact: The visible difference was fewer prolonged outages. eCitizen, NTSA, and iTax platforms became more reliable, with downtime measured in hours instead of days, giving citizens more confidence to transact online.
  3. Compliance and Enforcement

By 2023, institutions began to feel the pressure of compliance obligations.

  • ODPC Compliance Drive: More than 500 compliance notices were issued to entities that had failed to register as data controllers or processors. Some institutions faced public naming, creating reputational pressure to comply.
  • SIM Registration Exercise: The CA enforced stricter Know Your Customer (KYC) standards for SIM registration. Thousands of suspicious or fraudulent SIM cards were deactivated, directly disrupting criminal networks that had relied on them for SIM-swap scams.
  • Voluntary Breach Reporting: Banks and fintechs began voluntary reporting of cyber incidents under CBK guidance, creating a culture of openness ahead of the mandatory 2024 framework.
  • Citizen Impact: Citizens reported fewer sudden SIM-swap incidents. The deactivation of fraudulent SIMs meant households were safer when using mobile money, and some banks compensated victims of breaches, restoring a measure of trust.
  4. Financial Sector Stabilisation

The financial sector, which had carried the heaviest burden in 2022, became the testing ground for reform.

  • Heavy Bank Investments: Commercial banks allocated billions of shillings to cybersecurity, including forensic labs, fraud detection systems, and penetration testing.
  • Cyber Insurance Growth: Insurance products designed for cyber incidents began entering the Kenyan market. SMEs were offered policies covering losses from fraud and data breaches, giving them financial buffers.
  • Customer Compensation: Leading banks, while not legally bound, began refunding affected customers in select cases. This demonstrated that financial institutions were beginning to prioritise consumer protection.
  • Citizen Impact: Families and businesses gained confidence that stolen money could sometimes be recovered and that banks were investing to safeguard deposits.
  5. Public Awareness and Education

Education and sensitisation became essential to stabilisation in 2023.

  • National Awareness Campaigns: The Ministry of ICT ran national campaigns on TV, radio, and social media to teach citizens how to recognise fraudulent links, update passwords, and report suspicious activity.
  • University and TVET Involvement: Over 40 universities and technical institutions established cyber clubs, encouraging innovation and training future professionals in defensive strategies.
  • Grassroots Outreach: Chiefs’ barazas and county meetings incorporated short sessions on safe digital practices, bringing the conversation to villages and markets.
  • Citizen Impact: Families became more vigilant. More cases of fraud were reported early, reducing losses. Students and young professionals began adopting stronger security practices in their daily use of digital platforms.
  6. Regional and International Cooperation

Kenya used 2023 to build cooperative frameworks beyond its borders.

  • East African Community (EAC): Kenya spearheaded discussions within the EAC to harmonise cybercrime reporting and threat intelligence sharing.
  • African Union (AU): Kenya aligned the National Cybersecurity Strategy 2022–2027 with the AU Digital Transformation Strategy, ensuring continental consistency.
  • Cross-Border Policing: Kenyan, Ugandan, and Tanzanian investigators carried out joint operations, disrupting at least two syndicates that had been exploiting cross-border money transfers.
  • Citizen Impact: Kenyans sending or receiving mobile money from neighbouring countries faced fewer fraudulent disruptions, enhancing trust in regional systems.
  7. Social and Economic Outcomes

The stabilisation measures of 2023 yielded measurable outcomes across households, businesses, and national systems.

  • Decline in Household Losses: Reported losses dropped by an estimated 15–20 percent compared to 2022, largely due to stricter SIM registration and early compensation practices.
  • Improved Service Continuity: Outages on eCitizen, NTSA, and iTax declined in frequency and severity, allowing citizens to access services more predictably.
  • SME Resilience: SMEs that had withdrawn from digital systems in 2022 returned cautiously, reassured by insurance options and greater banking protections.
  • Investor Reassurance: Global partners noted Kenya’s stabilisation efforts, maintaining Nairobi’s position as a regional hub for fintech and digital services.

Summary of 2023

The year 2023 provided the stabilising foundation that Kenya needed after the disruptions of 2022. Laws began to move from text to practice, institutions grew stronger, enforcement gained momentum, and awareness reached citizens. Fraud had not disappeared, but its impact was less destructive. The confidence of households and businesses was gradually restored, creating the conditions for accelerated reforms in 2024.

Part 3 — 2024: Acceleration

The year 2024 stands out as a watershed in Kenya’s cybersecurity journey. After years of operating with partial enforcement, the full legal and institutional framework finally came into force. The revival of the Computer Misuse and Cybercrimes Act (2018) in 2024, following the Court of Appeal decision to lift earlier suspensions, created an enforceable backbone for combating cybercrime. Combined with new Central Bank of Kenya (CBK) cybersecurity guidelines, amendments to the Kenya Information and Communications Act (KICA), and the operationalisation of the National Cybersecurity Committee, Kenya accelerated reforms from stabilisation to decisive action.

For citizens, 2024 was the year they began to experience digital safety as a present reality.

  1. Full Enforcement of the Computer Misuse and Cybercrimes Act

The revival of the CMCA 2018 in 2024 transformed the fight against cybercrime.

  • Legal Clarity: Provisions that had been contested in court, including those on cyber fraud, identity theft, publication of false information, and interference with computer systems, became fully enforceable.
  • Law Enforcement Empowered: The Directorate of Criminal Investigations (DCI) established a specialised cybercrime command centre with enhanced powers to seize digital evidence, trace IP addresses, and disrupt networks.
  • Judicial Effect: Courts now had a clear legal basis to admit evidence and deliver rulings. By the end of 2024, more than 500 cybercrime cases were in various stages of prosecution.
  • Citizen Impact: Victims of fraud who had previously faced dead ends now saw cases investigated and prosecuted. For households and SMEs, the sense that cybercriminals could finally face justice restored confidence in reporting crimes.
  2. Central Bank Cybersecurity Guidelines

In January 2024, the CBK issued guidelines that redefined accountability in the financial sector.

  • Mandatory Breach Reporting: Banks and mobile money operators were required to report all cyber incidents within 72 hours. By September 2024, more than 450 breaches had been disclosed, ranging from phishing to denial-of-service attempts.
  • Customer Protection: Banks became responsible for compensating customers in cases where negligence was established. Over KES 1.3 billion was refunded to households by year-end.
  • Board Oversight: Banks were required to assign cybersecurity responsibilities to board committees, elevating accountability to the highest level of corporate governance.
  • Audit Standards: Institutions were compelled to conduct quarterly system audits and submit compliance reports to CBK.
  • Citizen Impact: For the first time, families saw banks accept liability for fraud cases. Refunds and strengthened authentication protocols built confidence in mobile and online banking.
  3. Amendments to the Kenya Information and Communications Act

Parliament passed amendments to KICA in 2024, enhancing the regulatory powers of the Communications Authority (CA).

  • Penalties Introduced: The CA was authorised to impose fines on telecoms and ISPs for data breaches or failure to disclose incidents. At least two ISPs were fined during 2024.
  • Fraudulent SIM Prevention: Telcos were compelled to deploy biometric registration for new SIM cards, leading to a 35 percent reduction in SIM-swap fraud.
  • Content Oversight: The CA gained authority to block fraudulent apps and websites, resulting in more than 200 platforms being shut down in 2024.
  • Citizen Impact: Consumers noticed a marked drop in scam messages and fraudulent calls, and penalties against telcos reassured the public that companies were being held accountable.
  4. National Cybersecurity Committee

The National Cybersecurity Committee was operationalised in 2024 as the central coordination body.

  • Membership: Chaired by the Cabinet Secretary for ICT and Digital Economy, it included representatives from Defence, Interior, Treasury, CA, ODPC, and the private sector.
  • Mandate: The committee coordinated policy, escalated major incidents, and oversaw the protection of critical information infrastructure.
  • Integration: Sectoral cyber units were established in ministries such as Health, Education, Energy, and Finance, reporting to the Committee.
  • Citizen Impact: The existence of a single coordinating authority reduced duplication and confusion. Citizens saw fewer service outages in critical areas such as tax systems, health records, and electricity billing.
  5. Institutional Strengthening

With laws and committees in place, institutions deepened their technical capabilities.

  • KE-CIRT/CC Expansion: The national incident response team adopted AI-driven monitoring tools, cutting detection-to-response times to hours instead of days.
  • ODPC Enforcement: The Office of the Data Protection Commissioner imposed its first fines, up to KES 20 million, on firms mishandling personal data.
  • Judiciary Training: The Judiciary Training Institute introduced mandatory courses for judges on digital evidence, raising admissibility rates to 70 percent.
  • Citizen Impact: Citizens saw real penalties reported in the media and began trusting that breaches would no longer vanish without consequences.
  6. Digital Government Services

Government services that were prone to attacks in 2022 saw significant upgrades.

  • eCitizen Security: Multi-factor authentication was introduced for sensitive services. Over 1 million users registered for the new secure login within six months.
  • County Systems: More than 20 counties established cybersecurity units to monitor revenue portals and service delivery systems.
  • Sectoral Upgrades: Health records and education systems were prioritised, securing hospital data and exam portals.
  • Citizen Impact: Citizens experienced smoother, more reliable services, with fewer fears of manipulation or data loss.
  7. Awareness and Skills Development

Awareness and capacity building accelerated nationwide.

  • Grassroots Outreach: Chiefs’ barazas, churches, and schools hosted awareness sessions in local languages on safe digital practices.
  • Youth Training: Over 5,000 students participated in cybersecurity hackathons and competitions, creating a new pipeline of skilled professionals.
  • Professional Certification: Government ICT staff were supported to pursue international certifications such as CISSP, raising the technical standard of public defenders.
  • Citizen Impact: Surveys showed that 70 percent of Kenyans could identify common scams in 2024, up from 45 percent in 2022.
  8. Regional and Global Integration

Kenya advanced its role as a continental leader in digital security.

  • EAC Cooperation: Kenya spearheaded an East African Cybersecurity Framework, harmonising standards for reporting and response.
  • AU Engagement: Nairobi hosted the African Union Digital Security Forum 2024, attended by 30+ member states.
  • Global Partnerships: Partnerships with the EU and US provided forensic tools and advanced training for investigators.
  • Citizen Impact: These moves boosted investor confidence, attracting data centre investments and fintech partnerships that created jobs for young Kenyans.
  9. Social and Economic Outcomes

The acceleration phase yielded measurable results.

  • Reduced Household Losses: Reported household fraud losses dropped by 30–35 percent compared to 2023.
  • SME Protection: SMEs embraced cyber insurance and faced fewer business-crippling ransomware attacks.
  • Public Confidence: A national survey indicated that 68 percent of Kenyans trusted digital services in 2024, compared to 52 percent in 2023.
  • Economic Gains: Nairobi consolidated its role as Africa’s fintech capital, with stronger global investment flows into ICT and innovation sectors.

Summary of 2024

The year 2024 accelerated Kenya’s cybersecurity transformation. The full enforcement of the Computer Misuse and Cybercrimes Act (2018), coupled with CBK guidelines, KICA amendments, and the National Cybersecurity Committee, provided a complete legislative and institutional framework. For citizens, this translated into refunds for fraud, fewer SIM-swap scams, stronger data protection, and more reliable government services. For the nation, it marked the emergence of Kenya as a serious player in regional and global digital resilience.

Part 4 — 2025: Consolidation

By September 2025, Kenya is consolidating the gains made over the past three years in cybersecurity. The legal frameworks are operational, institutions are coordinating more effectively, and enforcement is visible across financial services, telecoms, government platforms, and county systems. This year is characterised by integration of laws into practice, of national and county systems into coordinated monitoring, and of cybersecurity into national security and economic transformation agendas.

  1. Enforcement and Legal Application
  • Operational Use of the CMCA: The Computer Misuse and Cybercrimes Act (2018), fully enforceable since 2024, is being applied consistently in 2025. More than 500 cases are active in courts, ranging from SIM-swap syndicates to online fraud and ransomware. Conviction rates are improving as prosecutors and judges apply clearer precedent.
  • KICA Amendments in Practice: The Communications Authority (CA) is enforcing penalties aggressively. By September 2025, more than KES 150 million in fines has been imposed on telcos and ISPs for negligence, breaches, or delays in disclosure.
  • ODPC Audits: The Office of the Data Protection Commissioner is carrying out compliance audits of over 2,500 registered organisations, with dozens of penalties issued for mishandling personal data. Sensitive sectors such as health and education are being prioritised for oversight.
  • Citizen Impact: Families and businesses are experiencing fewer disruptions, and when they occur, affected companies face visible financial penalties, strengthening accountability.
  2. Financial Sector Safeguards
  • Quarterly Reporting Regime: All banks and fintechs are currently filing quarterly cybersecurity audit reports to CBK, enabling sector-wide monitoring.
  • 72-Hour Rule: Breaches are being disclosed within 72 hours, creating transparency. By September 2025, over 500 reports have been submitted since the rules came into force.
  • Refunds and Compensation: Banks have refunded more than KES 2.5 billion to customers since early 2024, with more than half of those refunds processed in 2025.
  • Advanced Authentication: Biometric verification for high-value transactions is being introduced, reducing fraud attempts that previously succeeded through social engineering.
  • Citizen Impact: Customers are carrying out digital transactions with confidence, knowing that their money is protected not only by systems but also by regulation and legal obligation.
  3. Telecoms and Digital Infrastructure
  • Biometric SIM Migration: Telcos are rolling out biometric registration nationwide, with millions of existing subscribers migrating to the system in 2025. This is reducing the risk of SIM-swap fraud, which has fallen by 45 percent compared to 2022.
  • ISP Oversight: ISPs are being audited continuously. Those failing to comply with standards are facing escalating fines or the threat of suspension.
  • Fraudulent Content Control: The CA is blocking hundreds of scam websites and fake apps monthly. Platforms posing as micro-lenders or investment firms are being taken down within days of detection.
  • Citizen Impact: Consumers are receiving fewer scam SMS and calls. There is a visible decline in the harassment of households through fake loan demands or bogus promotions.
  4. Government and County Systems
  • eCitizen Expansion: By 2025, more than 8,000 government services are accessible through eCitizen. All sensitive transactions now require multi-factor authentication. Daily traffic averages 200,000 users, with fewer outages than in previous years.
  • County Integration: At least 30 counties have established cybersecurity desks. These units monitor county revenue portals, automate licence issuance, and respond to intrusion attempts. Counties like Nakuru and Kisumu have reported measurable reductions in fraud related to trader permits and revenue collection.
  • Sectoral Systems: The Ministry of Education is monitoring exam portals in real time during the 2025 national examinations. The Ministry of Health is embedding digital safeguards in referral hospitals, protecting patient data for millions of Kenyans.
  • Citizen Impact: Traders are paying county fees without fear of system collapse, students are accessing results without manipulation risks, and patients are assured their records are secure.
  1. Institutional and Security Integration
  • National Cybersecurity Committee: Meeting quarterly, this body is coordinating major responses and reviewing national risks. It brings together ICT, Defence, Interior, CA, ODPC, Treasury, and county representatives.
  • KE-CIRT/CC Monitoring: The national response centre is currently analysing billions of traffic points daily, using AI-driven systems to predict and flag suspicious activity.
  • Interior Ministry Leadership: Under the Ministry of Interior, cybersecurity is firmly embedded in the national security framework. Dr. Raymond Omollo, as Principal Secretary for Internal Security and National Administration, is steering coordination between DCI cyber units, county commissioners, and national agencies. His leadership is ensuring that cybercrime is addressed in the same way as other national security threats, with police stations, investigators, and administrators aligned to protect citizens digitally.
  • Citizen Impact: Cybersecurity is being mainstreamed into everyday policing and governance. Citizens can report cases at local police stations and see them escalated to national response teams.
  1. Social and Economic Indicators
  • Declining Household Losses: Reported household losses from cyber incidents are down by 50 percent compared to 2022, reflecting both stricter regulation and improved awareness.
  • SME Resilience: SMEs are resuming investment in digital platforms, supported by the growth of cyber insurance and clearer frameworks for reporting fraud.
  • Public Confidence Rising: A 2025 survey by the CA shows 75 percent of Kenyans trust digital services, up from less than 50 percent in 2022.
  • Investor Confidence: Nairobi is attracting new investment commitments in fintech, ICT outsourcing, and data centres, with cybersecurity reforms cited as a key factor.

Summary of 2025

Kenya in 2025 is consolidating the progress achieved since 2022. The laws are being enforced, institutions are fully operational, penalties are real, and counties are embedding protections. Families are transacting more safely, SMEs are operating with confidence, and investors are returning. Cybersecurity is now treated as a pillar of both national security and economic transformation, coordinated under the leadership of the Interior Ministry and the multi-agency National Cybersecurity Committee.

Conclusion — Kenya’s Cybersecurity Scorecard 2022→2025

Kenya’s cybersecurity journey from September 2022 to September 2025 demonstrates how a nation can transform vulnerability into resilience. The period opened with unprecedented threats and household devastation, and it is closing with enforced laws, empowered institutions, and citizen confidence steadily rising.

  • Legal Anchoring: The Computer Misuse and Cybercrimes Act (2018), fully enforceable since 2024, provides the framework for prosecution. The KICA amendments (2024) gave the CA enforcement power, while the Data Protection Act (2019) is actively used by ODPC to audit and fine non-compliant institutions. The CBK cybersecurity guidelines (2024) compelled financial institutions to refund victims and disclose breaches.
  • Institutional Strengthening: KE-CIRT/CC now monitors billions of threats daily, ODPC is auditing thousands of organisations, sectoral cyber units are operating across ministries, and the National Cybersecurity Committee coordinates national responses.
  • Interior Ministry Leadership: The Ministry of Interior, through Dr. Raymond Omollo, has embedded cybersecurity in Kenya’s security framework. His office has ensured cybercrime is escalated alongside physical security threats, police stations can handle citizen complaints, and counties are integrated into the national monitoring system. This coordination has been decisive in moving reforms from policy to practice.
  • Citizen Outcomes: Families are receiving compensation for fraud, SIM-swap scams have fallen by nearly half since 2022, county portals are more reliable, and survey data shows 75 percent of Kenyans trust digital services in 2025, compared to under half in 2022.
  • Global Standing: Kenya is now hosting AU forums, driving EAC harmonisation, and attracting ICT and fintech investments with stronger resilience guarantees. Nairobi’s reputation as Africa’s Silicon Savannah is anchored in security as well as innovation.

The journey is not complete, but the trajectory is promising. Kenya is consolidating cybersecurity as both a national security imperative and an economic enabler. Under Interior’s coordination, and with the leadership of Dr. Raymond Omollo, the state has signalled that digital protection is inseparable from household safety, institutional integrity, and national sovereignty.


Bottom-Up Monitor © 2025. All Rights Reserved
