Why Kenya Is Creating a National Cybersecurity Agency as Digital Risks Grow
As internet use, digital services and connected infrastructure expand, policymakers are moving cybersecurity closer to the center of national economic and security planning.
Parliament approved the creation of a National Cybersecurity Agency, a new state corporation intended to coordinate Kenya’s response to digital threats. The decision arrives as the country’s digital economy continues to expand and as policymakers confront a question that extends beyond cybercrime: how should a modern state protect infrastructure that increasingly exists in software, networks and data systems?
The proposed agency, to be established under the State Corporations Act, will coordinate cybersecurity efforts across government, regulators, security agencies, private companies, academic institutions and international partners. Its responsibilities will include overseeing national cybersecurity strategy, managing the National Cybersecurity Operations Centre, auditing critical information infrastructure and coordinating responses to cyber incidents.
The announcement was accompanied by a familiar statistic. Between January and March 2026, the Kenya Computer Incident Response Team Coordination Centre detected 3.37 billion cyber threat events. The figure is large enough to justify concern, but its composition reveals a more specific challenge than the term “cybercrime” suggests.
Parliament Has Approved a New Cybersecurity Agency as Digital Risks Expand
Kenya’s dependence on digital systems has deepened across government services, banking, telecommunications, commerce and public administration. Each new digital connection creates efficiencies, but it also creates additional points of exposure.
The rationale for a centralized cybersecurity institution becomes clearer when viewed against this backdrop. Government is no longer securing isolated databases or departmental networks. It is securing an interconnected ecosystem that supports economic activity, public services and national infrastructure.
As digital systems become more integrated into daily life, cybersecurity policy increasingly resembles infrastructure policy. The consequences of disruption extend beyond stolen information and into the functioning of essential services.
The Threat Numbers Point to Infrastructure Exposure More Than Conventional Cybercrime
The Communications Authority’s latest sector statistics report provides important context for the 3.37 billion threat events cited in support of the agency.
Of those events, approximately 3.23 billion were classified as system vulnerabilities and system attacks. Malware accounted for 68.7 million incidents, brute-force attacks for 46.4 million, web application attacks for 12.1 million and distributed denial-of-service attacks for 8.2 million.
Those figures indicate that the majority of activity involves automated attempts to probe, exploit or compromise systems connected to the internet. The challenge facing institutions is therefore not limited to criminal investigations after an attack occurs. It includes continuous monitoring, vulnerability management and resilience planning before disruptions take place.
This distinction matters because it changes the nature of the policy response. A country facing large-scale infrastructure targeting requires coordination across sectors that traditionally operate independently.
Kenya Already Has Cybersecurity Institutions, Raising Questions About the Agency’s Role
Kenya is not building its cybersecurity framework from scratch.
The Communications Authority already oversees KE-CIRT/CC, which serves as the country’s national incident response capability. The National Computer and Cybercrimes Coordination Committee exists to support coordination across agencies, while law enforcement and intelligence institutions retain responsibilities related to investigations and national security.
The emergence of a new agency therefore raises a practical question about institutional design. Will the National Cybersecurity Agency absorb existing functions, centralize them under a new structure or act as a coordinating authority sitting above current institutions?
The answer will determine whether the agency changes operational realities or simply adds another layer to an already crowded governance landscape.
The Scale of Monitoring Suggests Coordination Rather Than Detection Is the Missing Piece
The same Communications Authority report shows that KE-CIRT/CC issued 20.58 million cybersecurity advisories during the quarter ending March 2026.
That volume suggests that threat detection and monitoring capabilities already exist at significant scale. Authorities are observing network activity, identifying vulnerabilities and communicating risks across sectors.
What appears less clear is how information moves between institutions responsible for regulation, infrastructure protection, national security and incident response. A dedicated agency could be intended to address that coordination challenge by providing a central authority capable of aligning policy, operations and strategic planning.
Such a role would place the agency closer to a national cyber command structure than a conventional regulator.
Critical Infrastructure Oversight Could Make the Agency One of Government’s Most Influential Digital Bodies
Among the proposed agency’s responsibilities, oversight of critical information infrastructure may prove the most consequential.
Financial systems, telecommunications networks, energy infrastructure, healthcare platforms and government digital services all depend on complex technology environments. Any institution empowered to audit, certify and assess those systems acquires substantial influence over how digital infrastructure is built and maintained.
The significance of that authority will depend on the legal framework that accompanies it. Questions around reporting requirements, enforcement powers, access to technical information and relationships with sector regulators remain unresolved.
Those details will shape the balance between resilience, regulation and operational independence.
The Real Test Will Be How Power and Accountability Are Distributed
The creation of the National Cybersecurity Agency signals a recognition that cybersecurity has become a strategic state function. Kenya’s expanding internet usage, growing broadband penetration and increasing reliance on digital services have widened the surface area that must be protected.
The institution’s long-term impact will depend less on the announcement itself than on the architecture that follows. The central issue is not whether cybersecurity deserves greater attention. It is how authority will be distributed among existing institutions, how oversight will operate and how the agency’s mandate will be defined in relation to the systems it is expected to protect.
Those decisions will determine whether the National Cybersecurity Agency becomes a coordinating body, an operational command centre or a powerful new regulator at the centre of Kenya’s digital economy.
Go to TECHTRENDSKE.co.ke for more tech and business news from the African continent and across the world.
Follow us on WhatsApp, Telegram, Twitter, and Facebook, or subscribe to our weekly newsletter to ensure you don’t miss out on any future updates. Send tips to editorial@techtrendsmedia.co.ke
