Key Updates - Computer Misuse and Cybercrimes (Amendment) Act, 2024

On October 15 2025, the Computer Misuse and Cybercrimes (Amendment) Act, 2024 was signed into law. This Amendment Act introduced a raft of changes to the existing Computer Misuse and Cybercrimes (Cap 79C), and the immediate reason, as stated in the memorandum that comes with it, is the urgent need to stop electronic mediums being used to promote terrorism, and interestingly, also extreme religious and cultic practices.

Access

Section 1 of the Amendment Act is aimed at expanding the language of cybercrime, bringing it up to speed with today’s reality. The drafters on this Amendment Act took cognizance of the fact that hackers aren't always manually typing in passwords anymore. The definition of access therefore has to be explicitly broadened. It now means entering, or importantly, obtaining entry through a program or a device.

This may sound a bit technical on the surface, but the real-world impact of broadening the definition of access lies in the fact that previously, prosecutors found it tricky to prove that someone actually got in, or maybe that the breach was fully successful, or if the attack used automated tools, which complicated things. Now, presumably, even running a common hacking tool or a simple Python script, against a system just to see if it's vulnerable; such an automated attempt itself could now meet the legal definition of unauthorized access. It significantly lowers the bar for prosecution. It targets those very early preparatory stages of an attack.

Virtual Assets

The Amendment Act doesn't just stop with technical access but also into the assets, specifically modern virtual assets, which have now been pulled into the legal net. The very definition of asset in the Amendment Act is no longer limited to movable, immovable, tangible, property but now also includes virtual property. It basically ensures that digital forms of wealth, things like NFTs, your crypto holdings, maybe even virtual land in some metaverse, are no longer operating in some kind of legal gray zone anymore. The main goal here, we surmise, is to make sure things like Bitcoin wallets or other virtual stashes can be legally seized, just like a bank account or a car could be in a civil recovery case. It essentially gives the court and the accompanying law enforcement machinery the legal footing they need to go after and freeze illicit funds that are held virtually, both here in Kenya and potentially internationally.

Identity Theft

The Amendment Act has defined identity theft as the illegal use of personal identification info. The common targets criminals go after in fraud have been explicitly listed, namely: Your name, ID number, SIM card details, bank card, bank account, even subscriber information. In this connection, Section 42A introduces a key new offence – unauthorized SIM swap. It makes it a specific crime for any person who willfully and without authorization takes ownership of someone else's SIM card with the intent to commit another offense using it. And the penalty is a fine of up to 200,000 shillings or prison for up to two years or potentially both

Closely connected to identity theft is the crime of cybersquatting which refers to acquiring a domain name in bad faith - one that's identical or confusingly similar to someone else's trademark or name.

Cyber Harassment

Cyber harassment in itself is not a new feature, as the same has previously been addressed by the original Act. The import of the amendment to Section 27, however, is to widen its scope.

Communication is now illegal if it is “likely to cause the recipient to commit suicide.” Under this expanded definition, the penalty if someone is convicted of cyber harassment jumps dramatically to a fine not exceeding 20 million shillings or imprisonment for up to 10 years or both.

That scale of punishment sends an incredibly strong message about how seriously online bullying and abuse are being viewed.

Phishing

Under Section 30, the scope of phishing also gets broadened quite a bit. Previously, the Act focused mainly on sending a message like an email or SMS. Now, the offense explicitly includes making a call. This means that voice calls for the purpose of tricking someone into giving up personal info to gain unauthorized access now falls under the legal definition of phishing. The potential loophole where voice-based social engineering with the intent to defraud might have escaped the full force of the existing law has now been closed, liable to a fine not exceeding 300,000 shillings, or imprisonment up to three years, or both.

Aiding and Abetting

Aside from the main perpetrators, there's a heavy focus on people who help commit the aforementioned crimes. This means being complicit, even in the planning stages, maybe selling malware or even helping a perpetrator access stolen funds, now carries potentially massive financial and legal consequences. Under Section 42, the penalty for aiding, abetting, or even just attempting to commit any offense in the entire Act is Ksh 7 million shillings, or imprisonment up to four years, or both.

The National Computer and Cybercrimes Coordination Committee (NC4)

The Amendment Act focuses on the increased regulatory power and oversight by the NC4. Clause 3 in particular fundamentally boosts its power over online content by granting it the power to issue a directive. Basically, an order to make a website or an application inaccessible.

The grounds for this directive would be where it's proven that the site or app promotes illegal activities, child pornography, terrorism, or, and this is the really critical new addition, extreme religious and cultic practices, with the stated intent of curbing harmful extremism. The lack of a definition as to what counts as extreme of cultic, however, makes the exercise of this power potentially very subjective. The implication is that the committee would need to make that call based on evidence presented to them showing that the content promotes harmful or illegal activity.

Up until now, the role of the NC4 has been limited to advising the government on emerging issues such as blockchain, mobile money, critical infrastructure. They develop security frameworks for that critical infrastructure and coordinate threat analysis, incident response, etc. This new function, the power to issue takedown directives, gives them significant executive power on top of their existing advisory and coordination roles.

Conclusion

In summary, the issues canvassed in this brief, namely, the expansive new definitions, the increased penalties, the new regulatory powers, indicate that our legal system is pushing to adjust rapidly to the realities of a world where so much value, identity, and social influence now exist purely online.

It signals a very aggressive, almost zero-tolerance stance on digital misconduct. Considering the very broad definition of access, entry through a program or device, even if it fails, and the explicit new definitions of asset and virtual account, the Amendment Act has the capacity to drastically change the prosecution, maybe the conviction rates, for those really complex local and even cross-border crimes, involving digital currencies or other non-traditional online wealth. It seems pretty clear the law is watching the blockchain now, and it's definitely learning the language needed to prosecute what it finds there.