Cyber Security Services in Kenya

Kenya Data Protection Act 2019, CBK Cybersecurity Guidelines, Computer Misuse and Cybercrimes Act — ISO 27001 certification, penetration testing, and managed SOC for Kenyan organisations.

Kenya DPA 2019 Compliance

ODPC registration, data mapping, RoPA, DPO advisory, 72-hour breach notification, and cross-border transfer assessments for fintech and enterprise.

CBK Cybersecurity Guidelines

Gap assessment and examination readiness for CBK-regulated banks, microfinance, mortgage finance companies, and payment service providers.

ISO 27001 Certification

ISMS implementation aligned with Kenya DPA security obligations, CBK guidelines, and Kenya ICT Authority national cybersecurity strategy.

Penetration Testing

Web application, network, API, and mobile VAPT. M-Pesa Daraja API security testing. Reports structured for CBK regulatory submission.

Managed SOC

24/7 monitoring with East Africa threat intelligence: SIM swap fraud, mobile money attacks, fintech cybercrime. KE-CIRT/CC-compatible incident reporting.

Mobile Money Security

Security assessments for M-Pesa integrations, digital lending apps, SACCOs, and mobile banking platforms with CBK and DPA compliance alignment.

Kenya has established itself as East Africa’s technology and financial innovation hub, with Nairobi’s Silicon Savannah hosting one of Africa’s densest concentrations of fintech startups, venture capital, and digital financial services infrastructure. This digital maturity has driven both regulatory sophistication and cyber risk concentration. Kenya’s Data Protection Act 2019, enforced by the Office of the Data Protection Commissioner (ODPC), established a comprehensive data privacy framework that applies to any organisation processing the personal data of Kenyan residents. The Central Bank of Kenya (CBK) issued detailed Cybersecurity Guidelines in 2019 imposing structured cybersecurity programme requirements on banks, microfinance banks, mortgage finance companies, and payment service providers. The Computer Misuse and Cybercrimes Act 2018 criminalises cyber offences and creates reporting obligations for critical infrastructure operators. Kenya’s Communications Authority (CA) regulates cybersecurity for telecommunications and internet service providers. For organisations operating in Kenya — whether Kenyan entities, regional businesses with Nairobi operations, or multinationals processing Kenyan personal data — the combined regulatory burden demands documented, proportionate security programmes. eShield IT Services delivers cybersecurity and data protection compliance services for organisations operating across Kenya and East Africa.

Kenya’s Cybersecurity Regulatory Framework

Kenya Data Protection Act 2019 — Office of the Data Protection Commissioner

The Data Protection Act (DPA) 2019 is Kenya’s principal data protection statute, enforced by the Office of the Data Protection Commissioner (ODPC). The DPA applies to any data controller or processor that processes the personal data of Kenyan residents, regardless of where the controller or processor is established. Key compliance obligations include:

  • registration with the ODPC as a data controller and/or processor;
  • appointment of a Data Protection Officer (DPO) for controllers that process personal data at scale, process sensitive data, or undertake systematic monitoring;
  • a documented privacy notice served to data subjects at or before the point of collection;
  • lawful basis documentation for each processing activity;
  • a Record of Processing Activities (RoPA) covering all processing operations;
  • data subject rights procedures (access, correction, deletion, portability, restriction);
  • cross-border transfer controls — transfers outside Kenya require either ODPC-recognised adequate protection or specific transfer mechanisms;
  • data breach notification to the ODPC within 72 hours of becoming aware of a breach that is likely to result in risk to rights and freedoms.

Penalties under the DPA reach KES 5 million (approximately USD 38,000) for organisations and include criminal liability for deliberate violations. The ODPC has demonstrated enforcement intent, investigating significant breaches and issuing improvement notices. Sensitive personal data categories — health, biometric, financial, genetic, racial/ethnic origin, political, religious, trade union membership — carry additional processing restrictions, including explicit consent requirements and enhanced security safeguards.

CBK Cybersecurity Guidelines 2019 — Financial Sector

The Central Bank of Kenya issued Cybersecurity Guidelines (Guideline No. CBK/PG/18) in 2019, applicable to all CBK-regulated institutions: commercial banks, microfinance banks, mortgage finance companies, payment service providers, and foreign exchange bureaus. The Guidelines establish a comprehensive cybersecurity governance framework covering:

  • Board and senior management accountability for cybersecurity risk;
  • a documented cybersecurity policy and framework reviewed annually;
  • risk assessments covering information assets, threats, and vulnerabilities;
  • access control, including privileged access management and MFA for administrative accounts;
  • network security architecture, including segmentation and perimeter controls;
  • application security for banking applications, including secure development and testing;
  • third-party and vendor risk management with contractual security obligations;
  • an incident response plan tested against cyber-specific scenarios, with CBK notification requirements for significant incidents;
  • annual penetration testing of internet-facing systems and periodic network VAPT;
  • business continuity arrangements covering cyber-specific scenarios.

CBK examinations assess documentary evidence and operating effectiveness — gap assessments structured around the CBK examination criteria are strongly recommended before the supervisory visit.

Computer Misuse and Cybercrimes Act 2018

Kenya’s Computer Misuse and Cybercrimes Act 2018 (CMCA) criminalises a broad range of cyber offences — unauthorised access, data interference, system interference, identity theft, cybersquatting, and publication of false information. The CMCA creates reporting obligations for critical infrastructure operators and provides the Kenya Police Service and Director of Public Prosecutions with cybercrime investigation powers. Organisations operating critical systems in Kenya benefit from understanding the CMCA’s reporting obligations and ensuring incident response procedures include CMCA notification assessment as a step in the incident classification process.

Kenya ICT Authority and Kenya National Cybersecurity Strategy

The Kenya ICT Authority manages national cybersecurity strategy implementation and cybersecurity capacity building for government entities and critical infrastructure. Kenya’s National Cybersecurity Strategy 2022–2027 establishes five pillars aligned with international frameworks: Governance and Institutional Capacity, Cyber Resilience, Cybercrime Response, Cyber Awareness, and International Cooperation. The Kenya Computer Incident Response Team Coordination Centre (KE-CIRT/CC), operated by the CA, serves as Kenya’s national CERT. Government entities and critical infrastructure operators are expected to register with KE-CIRT/CC and report significant cybersecurity incidents.

Cybersecurity Services for Kenya

Kenya Data Protection Act Compliance Programme

eShield IT’s Kenya DPA compliance programme covers the full implementation lifecycle: ODPC registration; data mapping and RoPA build covering all processing activities; DPO appointment advisory and support; privacy notice drafting and implementation; consent management framework design; cross-border transfer assessment for cloud services, international data sharing, and M-Pesa/fintech integrations; data subject rights procedures; and 72-hour breach notification procedure with ODPC template submissions. For East African multinationals with operations in Kenya, Tanzania, Uganda, and Rwanda, our integrated East Africa programme addresses all applicable data protection frameworks through a shared data mapping foundation with jurisdiction-specific addenda.

CBK Cybersecurity Framework Alignment

CBK-regulated institutions benefit from eShield IT’s gap assessment structured around CBK/PG/18 examination criteria. Our assessment delivers a prioritised gap register covering all CBK Guideline requirements, remediation guidance, and a roadmap to examination readiness. For institutions with imminent CBK examinations, our pre-examination readiness service reviews documentation quality, assesses operating effectiveness of key controls, and identifies the highest-risk gaps before the examiner arrives. Annual penetration testing — mandated by CBK guidelines — is delivered with CBK-structured reporting.

ISO 27001 Certification for Kenya

ISO 27001 certification satisfies the information security management requirements of the Kenya DPA, aligns with CBK Cybersecurity Guidelines, and is increasingly referenced in Kenyan government tender requirements. eShield IT delivers ISO 27001 implementation for Kenyan private sector and public organisations: documentation programme (ISMS scope, risk assessment, SoA, policies and procedures); technical control implementation; staff awareness training (available in Swahili and English); internal audit support; and certification coordination with UKAS-accredited certification bodies.

Penetration Testing for Kenya

CBK-regulated institutions require annual penetration testing under CBK/PG/18. eShield IT delivers web application, network infrastructure, API, and mobile application VAPT for Kenyan clients. M-Pesa and mobile money platform security testing is a specialist capability — covering API security, SIM swap vulnerability assessment, USSD security, and agent network security. Test reports are structured for CBK regulatory submission with CVSS-scored findings and remediation guidance. Free retest within 90 days for critical and high-severity findings.

Managed SOC for Kenya

eShield IT’s Managed SOC for Kenyan clients provides 24/7 monitoring with East Africa threat intelligence: SIM swap fraud groups targeting Kenyan banks and mobile money platforms; financial cybercrime actors targeting M-Pesa integrations and SWIFT messaging; ransomware groups with demonstrated East Africa sector interest. Our SOC delivers KE-CIRT/CC-compatible incident reporting and Kenya DPA 72-hour breach notification management. Monthly reporting satisfies CBK documentary evidence requirements for cybersecurity programme effectiveness.

Key Kenya Industry Sectors: Cybersecurity Requirements

Fintech and Mobile Money (CBK / M-Pesa Ecosystem)

Kenya’s fintech sector — anchored by M-Pesa’s global reach and a thriving startup ecosystem in Nairobi — represents the highest-risk and highest-value cybersecurity market in East Africa. Mobile money platforms, digital lending apps, SACCOs, and microfinance institutions face combined CBK regulatory requirements and DPA data privacy obligations for very large volumes of financial personal data. eShield IT’s fintech practice in Kenya is experienced in mobile money security architecture, CBK regulatory compliance, and the DPA data privacy requirements specific to fintech data processing at scale.

Telecommunications (Communications Authority)

Kenyan telecommunications operators — Safaricom, Airtel Kenya, and Telkom Kenya — are regulated by the Communications Authority with network security and lawful interception requirements, while simultaneously processing very large volumes of consumer personal data under the DPA. Telcos integrated with M-Pesa and other mobile financial services face combined CA, CBK, and DPA compliance obligations. eShield IT delivers integrated ISMS and DPA compliance programmes for telecommunications sector clients in Kenya.

Frequently Asked Questions: Cybersecurity & Compliance in Kenya

Who must register with the ODPC?

Any data controller or processor that processes personal data of Kenyan residents must register with the ODPC. This includes foreign entities processing Kenyan personal data through websites, mobile applications, or service delivery — regardless of whether they have a physical presence in Kenya. ODPC registration requires completion of the online registration form, payment of registration fees (scaled by organisation size), and designation of a data controller/processor representative. Unregistered processing is a violation of the DPA subject to penalty.

What penetration testing does CBK require?

CBK Guideline CBK/PG/18 requires CBK-regulated institutions to conduct annual penetration testing of internet-facing systems and periodic network VAPT. The frequency and scope of testing should be risk-based — institutions with complex digital banking environments (internet banking, mobile banking, API banking) require more comprehensive and frequent testing than institutions with limited digital channels. Test reports must be reviewed by senior management and used to drive remediation programmes. Significant penetration testing findings affecting customer data security should be reported to CBK.

Can eShield IT deliver services to Kenyan clients remotely?

Yes. eShield IT delivers all Kenya DPA compliance, CBK framework alignment, ISO 27001 implementation, penetration testing, and Managed SOC services to Kenyan clients remotely. For on-site requirements — physical security reviews, in-person training, data centre assessments — we coordinate local delivery through our East Africa certified partner network.

Common Cybersecurity Gaps Found in Kenyan Organisations

  • ODPC registration outstanding: Many Kenyan organisations — including large enterprises — have not completed ODPC registration despite the obligation being in effect since 2020. This is the most common immediate compliance gap and the easiest to remedy.
  • No cross-border transfer assessment for cloud services: Kenyan organisations extensively use AWS (eu-west-1, us-east-1), Azure, and Google Cloud, all hosted in regions outside Kenya. The DPA requires either an adequacy assessment or a specific transfer mechanism for data flowing to these regions. Most organisations have no documented transfer assessment.
  • M-Pesa API security weaknesses: Organisations integrating M-Pesa’s Daraja API frequently misconfigure OAuth token handling, expose API keys in client-side code, and lack transaction anomaly detection. These are consistently found in Kenyan fintech and e-commerce penetration tests.
  • CBK documentation gaps: CBK-regulated institutions often have cybersecurity policies but lack the operating procedures, evidence of effectiveness, and Board governance documentation that CBK examinations look for — creating examination findings despite reasonable technical security posture.
  • Mobile banking application vulnerabilities: Insecure data storage, insufficient transport layer protection, and weak authentication in mobile banking applications are the most frequently exploited vulnerabilities affecting Kenyan bank customers.

Why Partner with eShield IT for Kenya Cybersecurity

eShield IT brings Africa and GCC regulatory depth, with certified specialists holding CISM, CISSP, CIPP/A, CIPP/E, ISO 27001 Lead Auditor, and OSCP qualifications and direct Kenya DPA, CBK framework, and East Africa regulatory engagement experience. Our pan-Africa programme delivers shared compliance infrastructure across Kenya, Nigeria, South Africa, and other African markets at significantly lower cost than independent national programmes. Contact our team for a no-obligation initial consultation.

Kenya Cybersecurity Programme Costs: What to Budget

Indicative programme costs for Kenyan organisations: SMEs (10–100 employees): Kenya DPA compliance programme KES 1.2M–2.8M; ISO 27001 gap assessment KES 900K–1.8M; full ISO 27001 implementation KES 3M–7M; penetration testing from KES 650K (web application) to KES 2.2M (comprehensive VAPT). Mid-market (100–500 employees): DPA programme KES 2.5M–5.5M; ISO 27001 implementation KES 6M–14M; managed SOC from KES 650K/month. All costs are indicative; contact eShield IT for a scoped proposal.

Next Steps: Starting Your Kenya Cybersecurity Programme

A structured readiness assessment is the most effective starting point — identifying your Kenya DPA, CBK, and ISO 27001 gaps and producing a proportionate remediation roadmap. eShield IT’s Kenya readiness assessments are delivered in 2–3 weeks. Contact our team to arrange a no-obligation initial consultation.

Secure Your Kenya Operations Before the Next CBK Examination

Kenya DPA, CBK Cybersecurity Guidelines, and ISO 27001 — our certified team delivers proportionate programmes on time and within budget.
