There is a particular kind of timing that makes a policy decision feel inevitable rather than procedural. Kenya's parliament approving the National Cybersecurity Agency Order, 2026, on June 22 is that kind of decision.
It comes one week after the United States government pulled Anthropic's most powerful AI models offline after they reportedly breached almost all NSA classified systems during authorized testing — in hours, not weeks. It comes as the world's most powerful governments are, for the first time in history, treating AI software itself as an export-controlled national security item. It comes as Kenya's own digital economy — built on M-Pesa, e-government platforms, mobile banking, and a startup ecosystem attracting over a billion dollars in annual investment — faces cyber threats at a scale the country's existing institutional architecture was not designed to handle.
The approval of the NCSA Order isn't just a bureaucratic milestone. It's Kenya's answer to a question that every digital economy eventually has to answer: who is actually responsible for keeping this country's digital infrastructure safe?
What Was Just Approved — and What It Actually Means
The National Cybersecurity Agency Order, 2026, was originally issued by President William Ruto on May 6, 2026, under the State Corporations Act. Parliamentary approval, received today, gives the order legal force and clears the path for the President to formally establish the agency.
The NCSA will be an autonomous regulatory and technical body — meaning it sits outside the direct operational control of any single ministry and has independent mandate to act. Its headquarters will be in Nairobi, with the power to establish specialised satellite units across the country.
On paper, its responsibilities are sweeping. The agency will formulate and oversee national cybersecurity strategies for both the public and private sectors. It will audit and certify the cybersecurity resilience of designated critical information infrastructure — government networks, financial systems, telecoms, hospitals, energy grids. It will manage Kenya's National Cybersecurity Operations Centre and coordinate responses to cyber incidents as they happen. It will conduct technical vulnerability assessments of digital networks and issue advisories to stakeholders when threats are identified.
Perhaps most practically significant for the long term, the NCSA will establish a Cybersecurity Centre of Excellence focused on research, innovation, and professional certification — specifically designed to address Kenya's growing cybersecurity skills gap.
The Numbers Behind the Urgency
If there's any doubt about why this agency was needed, the threat data makes the case plainly.
Between April and June 2025 alone, Kenya recorded more than 4.5 billion cyber threat events — a 463% rise from the previous quarter. Financial institutions, government platforms, and mobile money infrastructure were among the most targeted systems. The country's financial inclusion rate has grown from 26% in 2006 to 84.8% today, almost entirely on the back of digital financial services. That success story has a shadow side: tens of millions of Kenyans who now depend on digital platforms for their basic financial lives are also exposed to digital threats at a scale that didn't exist a decade ago.
The government's own figures suggest the digital exposure is accelerating in both directions simultaneously. M-Pesa alone now processes over 100 million transactions daily across 40 million active customers. The Daraja 3.0 API platform connects over 100,000 developers. Government services from tax filing to land registration to identity verification are increasingly delivered digitally. Each layer of digital infrastructure added is also a layer of potential vulnerability — and until today, Kenya had no single institution whose primary mandate was to protect all of it.
The Governance Structure: Who Runs It
The NCSA will be governed by a board of directors with a non-executive chairperson appointed by the President. The board composition is deliberately broad — representatives from the Ministry of Interior, the National Treasury, the ICT and Digital Economy Ministry, the Office of the Attorney-General, the Kenya Defence Forces, the National Police Service, the National Intelligence Service, and the Office of the Director of Public Prosecutions, alongside members from academia and the private sector.
That cross-institutional design is one of the more significant aspects of the order. One of the persistent weaknesses in Kenya's existing cybersecurity response has been fragmentation — different agencies responding to incidents independently, with limited information sharing and no clear coordination authority. An agency whose board literally includes representatives from every institution that touches national security, legal authority, and digital infrastructure is designed to solve exactly that problem.
To lead the agency, the Director-General must be a Kenyan citizen holding at least a master's degree and ten years of senior management experience in fields including cybersecurity, law, or economics. The government has requested KSh 4 billion to establish the agency — a signal of how seriously it is treating the mandate.
The Global Context Kenya Is Operating In
It would be easy to read the NCSA as a purely domestic policy story. It's not.
The same week Kenya was finalising parliamentary approval of its cybersecurity agency, the world's most powerful governments were sitting down with the CEOs of OpenAI, Anthropic, and Google DeepMind at the G7 summit in Évian-les-Bains, France, to negotiate the first-ever international framework for governing frontier AI — precisely because AI has started demonstrating offensive cyber capabilities that no existing institution was designed to handle.
The United States applied export controls to an AI model for the first time in history last week. The European Union used the moment to accelerate a €420 billion technology sovereignty package. The question of who controls frontier AI capability, and who gets to set the rules around it, is being decided right now in rooms that Kenya is not in.
What Kenya can do — and what the NCSA Order represents — is build the domestic institutional infrastructure to engage seriously with those global developments rather than simply absorbing their consequences. A country with a functioning national cybersecurity agency, a cybersecurity law framework, and a credible AI regulatory agenda is in a fundamentally different position from one without them when bilateral and multilateral digital governance conversations happen.
What Changes for Kenyans Now
The honest answer is: not immediately, and not overnight.
The order has been approved. The President now formally establishes the agency. A board must be appointed, a Director-General recruited, offices opened, staff hired, and the Cybersecurity Operations Centre stood up. That process will take months, possibly the better part of a year before the NCSA is fully operational in any meaningful sense.
What changes today is the mandate. Kenya now has a legal and institutional architecture for national cybersecurity. The question of "who is responsible" has an answer it didn't have before.
For private sector organisations — banks, telcos, fintechs, hospitals, logistics companies — the NCSA's audit and certification authority is the detail worth watching most closely. The agency will have the power to assess and certify the cybersecurity resilience of designated critical information infrastructure. What ends up on that "critical" list, and what the certification process looks like, will determine how significant the compliance burden is for businesses operating in Kenya's digital economy.
For ordinary Kenyans, the most visible near-term sign of the agency's existence will likely be the Cybersecurity Centre of Excellence and the professional certification programmes it's mandated to establish. Kenya has a severe shortage of trained cybersecurity professionals — a gap that constrains both the private sector's ability to protect itself and the government's ability to recruit and retain the talent it needs. An institution specifically designed to close that gap, if properly funded and effectively run, addresses a problem that has been identified and deferred for years.
The Bigger Picture
Kenya has, in the space of a few weeks in June 2026, tabled its first AI Bill, approved a National Cybersecurity Agency, and watched the global debate over who controls digital infrastructure move from think tanks to G7 summit tables.
These things are connected. The country that builds the regulatory institutions, the technical workforce, and the governance frameworks for AI and cybersecurity in this decade is the country that attracts the investment, the partnerships, and the talent that defines its digital economy in the next one.
Today's parliamentary approval is one piece of that picture. It's a significant piece — the kind that gets forgotten in the daily news cycle but remembered in the policy histories. Kenya just decided, formally and legally, that cybersecurity is a strategic national priority. The work of making that decision real starts now.
Need help building software?
Talk to the AjiNova team about web applications, mobile platforms, AI integrations, and cloud solutions.
