Kenya’s digital economy is growing. By 2028, GSMA estimates that Kenya's digital economy will contribute KES 662 billion to the nation's GDP. In the fourth quarter of 2024, connection to mobile networks reached 66.1 million, with a penetration rate of 128.3%. To support digital transformation, the government introduced initiatives such as the Digital Economy Blueprint and the Ajira Digital Program. Additionally, Kenya is collaborating with international partners, including the World Bank, which approved USD 390 million in April 2023 for the Digital Economy Acceleration Project, as well as the African Continental Free Trade Area.

But what do Kenya’s domestic digital policies stand for? Our DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Kenya-specific points of emphasis.

• Data governance: Kenya has implemented the Data Protection Act and established cybersecurity and data localisation rules for critical infrastructure.

• Content moderation: Kenya has set guardrails for illegal content and is deliberating a proposal to restrict access to platforms associated with illegal activities.

• Competition policy: Kenya is deliberating competition rules for digital markets and has conducted sector-specific inquiries.

• Artificial Intelligence: Kenya is developing an AI Strategy and participates in international initiatives on the governance of AI.

• Kenya’s points of emphasis include the taxation of the digital economy and digital payments and assets.

Jump directly to the section that interests you most:

Discover the details of Kenya's regulatory approach on our dedicated country page.

Remain up-to-date on new and upcoming developments with our free notification service. 

Written by Maria Buza and Sherif Taha. Edited by Tommaso Giardini.

In November 2019, Kenya implemented the Data Protection Act. The Act establishes a comprehensive framework for protecting personal data and grants data subjects rights to access, correct, and delete their data. It requires data controllers to process personal data in a lawful, fair, and transparent manner and sets age verification requirements for processing children's data. The Act also established the Office of the Data Protection Commissioner (ODPC), which has the power to issue additional rules.

The Data Protection Act is supplemented by several implementing regulations:

• In July 2022, the Data Protection Regulation entered into force, requiring data controllers and processors to register with the ODPC. 

• In February 2022, the Data Protection (General) Regulations came into force, expanding on data subject rights and the obligations of data controllers and processors, including data minimisation, storage limitation, and security measures.

• Also in February 2022, the Enforcement Procedures Regulations established mechanisms for addressing data protection violations, including enforcement penalty notices. 

• In December 2024, the ODPC issued two draft rules for consultation. The Conduct of Compliance Audit Regulations would establish accreditation criteria and requirements for data controllers and processors to cooperate with audits. The Data Sharing Code would regulate ethical and responsible data-sharing in government and private organisations. 

Kenya's cybersecurity framework is primarily based on the 2018 Computer Misuse and Cybercrimes Act, which established the National Computer and Cybercrimes Coordination Committee (NC4). In February 2024, Kenya implemented regulations, establishing additional requirements for critical infrastructure, comprising systems or data deemed essential for national security and public welfare. The regulations require cyber risk assessment, incident response planning, and breach reporting within 24 hours. NC4 designates critical infrastructure and issued an order designating the telecommunications, banking, and finance sectors as such in January 2022. Currently, the government is deliberating the Draft Critical Infrastructure Protection Bill, which would establish a National Critical Infrastructure Protection Committee and create a database of critical infrastructure.

Kenya maintains several localisation requirements for specific data types. 

• Under the Data Protection Act, the Cabinet Secretary may prescribe, based on strategic interests of the state or protection of revenue, that certain types of processing be carried out only through servers or data centres located in Kenya.

• Since February 2022, the Data Protection General Regulations require data controllers or processors handling personal data for the purpose of strategic interest of the state to process the data through servers and data centres in Kenya or to store a local copy. These strategic interests include civil registration, elections, public finance-protected computer systems, education services, and primary or secondary healthcare. 

• Since February 2024, owners of critical infrastructure must ensure that such infrastructure is located within the country unless they obtain approval from NC4. 

• Since December 2024, the Cloud Policy encourages data localisation when entities adopt cloud solutions, particularly for sensitive government and critical infrastructure data.

The Data Protection Act and the Data Protection General Regulations establish four mechanisms for cross-border transfers of personal data: 

• Proof of appropriate data protection safeguards, based on legal instruments, such as binding corporate rules, and the circumstances in the recipient country. Transfers based on such safeguards must be documented.

• An adequacy decision from the ODPC, confirming sufficient protection levels in the recipient country. In May 2024, Kenya and the European Union launched an adequacy dialogue, the first such dialogue in Africa.

• Necessity, including for the performance of a contract, the protection of vital interests, or the pursuit of legitimate interests that do not override the rights of data subjects. 

• Explicit informed consent from the data subject. Consent is always required for transfers of sensitive personal data.

The ODPC oversees data protection and regularly issues guidelines.

• In December 2023, the ODPC issued sector-specific guidance for digital credit providers, health data processing, and the communication sector.

• In November 2023, the ODPC released guidance on registration, data protection impact assessments, consent requirements, and complaint management. 

• In April 2023, the ODPC adopted a Personal Data Protection Handbook 

• In January 2023, the ODPC established an alternative dispute resolution framework.

The ODPC actively enforces data protection regulations: 

• In September 2023, the ODPC suspended Worldcoin for 12 months or until it complies with the Data Protection Act. Worldcoin failed to register as a data controller, conduct a data protection impact assessment, obtain valid consent, and lawfully transfer data out of Kenya. 

• Also in September 2023, the ODPC fined Mulla Pride, a digital lender, KES 2.975 million (approx. USD 22,991) for unlawfully using personal data obtained from third parties to send threatening messages and making harassing calls.

• In April 2023, the ODPC fined Whitepath Company and Regus Kenya KES 5 million (approx. USD 38,610) for unlawfully accessing user data to send unsolicited messages.

• In December 2022, the ODPC fined Oppo Kenya, a technological goods provider, KES 5 million (approx. USD 38,610) for using a complainant's social media photo without consent.

Kenya's content moderation framework is primarily based on the Computer Misuse and Cybercrimes Act. The Act prohibits several types of content including false information, obscene or intimate images, child pornography, and content related to cyber terrorism. Service providers, defined as entities that facilitate communication via computer systems or process data on behalf of users, can be compelled by court order to collect or record content data for investigation purposes. The Act also protects service providers from civil or criminal penalties unless they had actual knowledge or willfully facilitated the distribution of prohibited content.

In November 2024, the National Assembly passed an amendment to the Act to empower the National Computer and Cybercrimes Coordination Committee (NC4) to issue directives to restrict access to websites or applications within Kenya. The amendment applies to platforms associated with prohibited content, including child exploitation material, terrorism, or content linked to extreme religious or cultic practices.

At the international level, Kenya participates in several content governance initiatives:

• In February 2024, Kenya joined other African jurisdictions in adopting the Digital and Social Media Guidelines by the Association of African Election Authorities, which establish standards for the responsible use of digital platforms during electoral processes.

• In June 2023, Kenya was among 71 governments that signed the International Statement to Remove Online Child Sexual Abuse Materials, committing to proactive measures against child exploitation online.

• In May 2024, as a member of the African Union, Kenya adopted the African Union Child Online Safety and Empowerment Policy which provides a framework for protecting children online while promoting digital literacy and skills.

There are currently no public, official sources on enforcement action or guidelines related to Kenya’s content moderation framework.

Since May 2024, Kenya is deliberating an amendment to its competition framework focusing on digital activities. The amendment would cover online services such as marketplaces, search engines, and social networking platforms. It would establish a framework for determining dominant positions in digital markets, replacing the concept of "abuse of buyer power" with "abuse of superior bargaining position," and specify forms of prohibited conduct. In addition, it would empower the Competition Authority of Kenya to develop sectoral codes of practice for and impose penalties of up to 10% of annual turnover for non-compliance.

In the meantime, Kenya relies on the 2010 Competition Act. The Act prohibits the abuse of a dominant position, including excessive pricing, the refusal to deal, and exclusionary practices. In December 2019, the Act was amended to address “buyer power,” defined as a purchaser’s ability to obtain more favourable terms from suppliers, impose disproportionate long-term costs or withhold benefits. The Act also regulates mergers and anti-competitive agreements that may prevent, restrict, or distort competition. 

The Competition Act is supplemented by the General Rules of 2019, which establish merger notification thresholds, specifically a combined turnover of KES 1 billion (approx. USD 7.7 million). The General Rules also expand prohibitions against anti-competitive agreements, set marketing standards, and expand the enforcement powers of the CAK.

On the international level, Kenya collaborates on competition policy with several jurisdictions:

• In February 2022, Kenya joined with Egypt, Mauritius, Nigeria, and South Africa to issue a joint statement on cooperation in regulating digital markets.

• In March 2024, Kenya participated in the International Competition Network Agreement on Strengthening Competition Authority Coordination in Digital Markets, which promotes harmonised approaches to regulating digital competition.

The CAK has the authority to enforce competition rules and issue guidelines.

• In June 2020, the CAK issued guidelines on restrictive trade practices, specifying the interpretation and application of provisions addressing anti-competitive practices. 

• In July 2019, the CAK updated its market definition guidelines to address digital markets, requiring an assessment of product substitutability and competitive constraints from digital and physical platforms.

• In November 2016, the CAK issued a guide for trade associations to assist industry groups in complying with competition laws while engaging in collective activities.

In April 2024, the CAK concluded an inquiry into online food and delivery platforms. The report noted that platforms collect consumer data for personalised services, often with mandatory consent for data terms. The CAK noted that it will continue monitoring the market, address consumer protection concerns, and promote self-regulation through industry codes of practice.

Kenya has not yet enacted primary or secondary legislation on artificial intelligence (AI). In January 2025, the Ministry of Information, Communications, and Technology concluded its consultation on the draft National AI Strategy. The strategy establishes an AI governance framework and promotes AI implementation in the manufacturing and financial sectors, among others. 

In November 2023, the Kenya Robotics and AI Society Bill was introduced to Parliament. The Bill would create the Kenya Robotics and AI Society (RSK) to regulate and promote the robotics and AI sector. The RSK would establish industry standards, enforce codes of practice, and conduct inspections to ensure compliance. Individuals or entities involved in robotics or AI would need to register with the RSK and obtain a license to operate, with penalties of up to KES 1 million or imprisonment for up to two years for non-compliance.

In April 2024, the Kenya Bureau of Standards published the Draft Information Technology AI Code of Practice. The draft sets out guidance for organisations to develop, provide, and use AI responsibly, with a focus on safeguarding citizens' rights.

Kenya has engaged in several bilateral and international initiatives on AI governance.

• In April 2024, Kenya and the United States announced a cooperation agreement on AI and digital upskilling, focusing on technical assistance, and knowledge sharing. This was followed by a statement in May 2024 emphasising further cooperation on AI innovation.

• In February 2025, Kenya joined nine other countries in adopting the Paris Charter on AI in the public interest. In addition, the Statement on Inclusive and Sustainable Artificial Intelligence for People and the Planet was adopted by members of the African Union, the European Union, the G20, the G7, and the United Nations. At previous AI Action Summits, Kenya participated in the Seoul Declaration on Commitments to Address Severe AI Risks and the Bletchley Declaration on AI Safety.

• The African Union, of which Kenya is a member, adopted the Continental AI Strategy, the AI Governance Framework, the AI for Sustainable Youth Development framework, and the cooperation on AI research and development with China. 

• In December 2024, Kenya joined the EU-Smart Africa cooperation on digital transformation, which includes AI capacity building and measures on regulatory alignment. 

There are currently no public, official sources on enforcement action or guidelines related to Kenya's artificial intelligence framework.

Kenya imposes both direct and indirect taxes on the digital economy.

In terms of direct taxes, in December 2024, Kenya amended its Tax Laws, replacing the existing 1.5% Digital Service Tax (DST) with a Significant Economic Presence (SEP) tax. The SEP tax applies to non-resident entities providing services to users in Kenya and earning over KES 5 million from digital marketplaces. Previously, the DST applied to companies conducting business over the Internet or through digital marketplaces. The amendments also introduced a 15% minimum top-up tax (MTT), aligned with the OECD’s Global Anti-Base Erosion Rules, applicable to multinational groups with annual turnovers exceeding KES 104 billion. 

The December 2024 Tax Law amendments also established a withholding tax on income from digital marketplaces, comprising 20% for non-residents and 5% for residents. In July 2023, the Finance Act introduced a 15% withholding tax on digital content creators earning income from website and social media advertising, paid sponsorships, affiliate marketing, and subscriptions. 

Concerning indirect taxation, in March 2023, Kenya implemented the Value Added Tax (VAT) regulations for digital services. The regulations replace the 2020 digital market supply rules and expand the scope of taxable services to include downloadable content, media subscriptions, software, data management, and online education. VAT is applied at a rate of 16% on services supplied in Kenya, and foreign suppliers are required to either register or appoint a tax representative. Additionally, the December 2024 Tax Law amendments Laws established an excise duty on non-residents providing services via digital platforms.

Kenya's framework for digital payments and assets comprises several legislative and regulatory measures.

• Regarding digital assets, in January 2025, the government introduced the Virtual Assets Service Providers Bill. The Bill aims to establish a licensing framework for virtual asset service providers and defines regulatory standards, compliance requirements, and consumer protection measures.

• Regarding digital payments, in December 2024, the amendment to the Business Laws expanded the  Central Bank’s power to regulate such providers. The amendment builds on the reforms from 2020, which updated laws to support digital transactions. Earlier, in December 2021, the Central Bank (Amendment) Act introduced licensing requirements for digital credit providers. This was followed in September 2022 by the digital credit providers regulations, which set operational requirements for digital lenders, including customer protection and disclosure obligations.

• Regarding mobile money services, in January 2023, the Central Bank issued rules on resumption of charges for transfers between mobile wallets and bank accounts. It established a framework for transaction fees and consumer protections.