General Overview

NC4 is a Committee established under the Ministry of Interior and National Administration mandated to coordinate all cybersecurity matters in Kenya. The Committee is made up of nine entities which are: Ministry of Interior & National Administration; Ministry of Information, Communications and the Digital Economy; The office of Attorney General; The Kenya Defence Forces; The National Police Service; The National Intelligence Service; Communications Authority; Office of Director of Public Prosecutions and the Central Bank of Kenya.

If you are affected by a cyber-incident, report it to NC4 immediately by email (info@nc4.go.ke) or by phone on our official number. You can also fill in the incident reporting template, which can be found here: https://nc4.go.ke/templates/report-cybercrime-incident/

Do not worry if you cannot ascertain whether an incident you’ve experienced is an offence or not. Check out the offences under the Computer Misuse and Cybercrimes Act Cap 79C here https://nc4.go.ke/offences/

Contact NC4 by telephone on +254 71614341 or by email at info@nc4.go.ke. You can also visit the NC4 offices, which are located in Nairobi at Lt. Tumbo Lane, Herufi Hse, 2nd Flr.

The Computer Misuse and Cybercrimes Act, 2018 is a Kenyan law that provides a framework to prevent, detect, and respond to cybercrimes. It outlines offenses related to computer misuse, cybersecurity, and the protection of critical information infrastructure.

The Act was enacted to address the rising threats and incidents of cybercrime in Kenya. It aims to protect users, data, and computer systems from unauthorized access, misuse, and cyber-attacks.

The Act applies to individuals, organizations, and government entities that use, access, or provide computer systems, data, or electronic communications services in Kenya.

Cybercrime includes offenses such as unauthorized access to computer systems, unauthorized interception of communications, unauthorized interference with data or systems, cyber espionage, identity theft, and cyberbullying.

Penalties vary depending on the offense. They can range from fines to imprisonment for several years, or both. For example, unauthorized access may result in a fine not exceeding five million shillings or imprisonment for up to three years.

Computer Misuse & Cybercrime Act 2018

The Act is designed to prevent, detect, and address cybercrimes, including unauthorized access to computer systems, data theft, cyberbullying, and other forms of online misconduct. It also establishes legal procedures for investigating and prosecuting cybercrimes.

Unauthorized access refers to the act of gaining entry into a computer system or network without permission from the owner, which is punishable under the Act.

Data theft, including unauthorized copying, transfer, or disclosure of data, is criminalized under the Act. Offenders can face severe penalties, including fines and imprisonment.

Cyberbullying, including harassment, defamation, and threats made through digital platforms, can result in fines and imprisonment. The severity of the penalty depends on the impact of the bullying.

The Act includes provisions for combating cyberterrorism, which involves using computer systems or networks to carry out acts of terrorism. Such acts are considered serious offenses with heavy penalties.

The Act prohibits the creation, distribution, and possession of child pornography. Offenders can face long-term imprisonment and significant fines.

The Act criminalizes electronic fraud, including activities such as phishing, online scams, and identity theft. It also outlines penalties for individuals found guilty of such crimes.

Yes, the Act provides for international cooperation in investigating and prosecuting cybercrimes that cross borders, including the sharing of information and evidence with foreign jurisdictions.

The Act includes provisions for the protection of critical information infrastructure, such as government systems, financial institutions, and other essential services from cyberattacks.

Individuals have the right to privacy and protection of their personal data. However, these rights are balanced with the need to prevent and prosecute cybercrimes.

CII & Cybercrime Management Regulations, 2024

The 2024 Regulations provide a framework for safeguarding critical information infrastructure (CII) and managing cybercrime incidents effectively. They build on the 2018 Act by introducing specific measures and responsibilities for CII owners.

The Regulations place the responsibility on CII owners and operators, who must implement security measures, conduct regular risk assessments, and report any incidents to the relevant authorities.

CII refers to systems, assets, and networks that are essential for the functioning of society, such as those in banking, healthcare, telecommunications, and government services.

CII owners are required to report any cyber incidents or breaches to the National Computer & Cybercrimes Coordination Committee within a specified time-frame. Failure to report can result in penalties.

The Regulations outline procedures for incident response, including containment, eradication, recovery, and post-incident analysis. They also establish the roles of various stakeholders in managing cyber incidents.

Non-compliance with the security measures and reporting obligations can result in fines, imprisonment, or both, depending on the severity of the breach.

The Regulations mandate that CII owners implement strong data protection measures, including encryption, access controls, and regular audits to ensure the confidentiality and integrity of data.

Yes, the Regulations require CII owners to conduct regular risk assessments to identify vulnerabilities and implement appropriate mitigation measures. These assessments must be documented and updated periodically.

The Regulations encourage cooperation with international entities in sharing threat intelligence, best practices, and coordinating responses to cross-border cyber threats.

While the Regulations primarily focus on organizations, individuals are also expected to adhere to cybersecurity best practices, especially if they work with or have access to CII.
