(Nairobi, Kenya) – Confusion has arisen over the formation of a powerful National Cybersecurity Agency (NCSA) by President William Ruto, amid questions over whether regulations anchoring the unit have secured parliamentary approval and concerns about its wide-ranging mandate.
While the Ministry of Interior on Monday announced that it had secured Parliament’s approval to establish the agency, set to bring together senior security chiefs, some MPs disputed the claim, saying the National Assembly Committee on Delegated Legislation had not approved the regulations.
In a statement, the ministry said it welcomed the parliamentary approval of the National Cybersecurity Agency Order, 2026, describing it as a key step in the establishment of a national agency to regulate and coordinate cybersecurity and strengthen the protection of Kenya’s digital infrastructure.
The announcement, however, appears to contradict proceedings before the National Assembly’s Committee on Delegated Legislation, which last week halted consideration of the regulations. Instead, committee members directed the ministry to align the proposed order with existing laws, including legislation establishing a committee with a membership structure similar to that of the proposed agency, before resubmitting it for review.
During the session last Thursday, ICT Principal Secretary John Tanui, who represented Interior Cabinet Secretary Kipchumba Murkomen, was questioned on the regulations. MPs raised concerns over the agency’s precise mandate. Lawmakers told the Principal Secretary that it was unclear what the regulations were intended to achieve, pointing to the Computer Misuse and Cybercrimes Act, which already provides for similar provisions and establishes a committee with membership that closely mirrors that of the proposed agency.
They noted that the agency is overseen by a board whose composition also largely mirrors that of the National Computer and Cybercrimes Coordination Committee, an organ established under the Act. The legislators said it was therefore unclear whether the proposed regulations on the formation of the new agency were meant to amend existing provisions under the Cybercrimes Act or to address a specific policy gap.
The committee also raised concerns over the proposed powers of the new agency. In its final resolutions, the committee directed the ICT Principal Secretary to revisit the proposal, address the concerns raised by members and resubmit it for consideration.
Committee chairman Samuel Chepkonga cautioned against approving regulations whose legal effect had not been sufficiently clarified. “This committee does not want to do something that will later be challenged in court. We need to be clear on what we want to achieve with the regulations,” Mr Chepkonga said.
Amnons Business Report confirmed that no meeting was held on Friday or over the weekend to approve the regulations that would have paved the way for the establishment of the agency. “We did not have any meeting on Friday or a retreat over the weekend to confirm the regulations,” said a source in the committee.
However, an MP who sits on the committee, but requested anonymity to speak freely, said the chairperson held consultations with the ministry over the weekend. “The chairperson was consulting with the ministry over the weekend. I do not know the final agreement. You can reach out to him because he represents us. I do not want two centres of power,” the MP said.
Kigumo MP Joseph Munyoro, also a committee member, said he was not aware of any proceedings after last Thursday’s meeting. “I am not aware of any new development, though I am in Ol Kalou campaigning. I will find out,” Mr Munyoro said.
However, on Monday, committee chair Mr Chepkonga confirmed that the regulations had been approved after the ministry submitted a revised set addressing all the committee’s concerns. “That is correct. They have sent a corrigendum in respect of all the issues we had concerns with,” Mr Chepkonga said when asked whether the committee had approved the regulations establishing the agency.
It was, however, still unclear when the committee met to approve the regulations. The contradictory accounts have raised questions over whether the government is attempting to fast track the creation of the agency before fully addressing concerns raised by MPs.
Kenya Human Rights Commission deputy executive director Cornelius Oduor termed the announcement an example of executive overreach, arguing that Parliament can only communicate its decisions through official channels such as the Hansard, Gazette notices or committee reports. He questioned how the National Cybersecurity Agency could be deemed established before Parliament had approved it, warning that the move could be open to legal challenge.
Mr Oduor also raised concerns over Parliament’s ability to appropriate funds to an agency that has not yet been formally sanctioned. He cautioned that, amid existing concerns about privacy and surveillance under current cybersecurity laws, Kenyans had valid grounds to worry about the powers the proposed body could exercise.
Amnesty International Kenya also expressed concern over the development and said it would issue further comments on the matter later this week.
At the centre of the controversy is the proposed National Cybersecurity Agency, a new State corporation the government says is needed to coordinate national responses to growing cyber threats targeting both public and private institutions. The apparent contradiction has triggered debate among legal experts and governance observers, who are questioning whether the agency has already been established through a presidential order or still requires parliamentary approval before becoming fully operational.
Complicating the matter is the fact that President Ruto had already gazetted the National Cybersecurity Agency Order, 2026, through Legal Notice No. 89 on May 15, effectively creating the agency as a State corporation under the State Corporations Act. A gazette notice has established the National Cybersecurity Agency as an autonomous regulatory and technical body mandated to coordinate national cybersecurity matters under the direction of the Cabinet Secretary for Interior.
According to the legal notice, the agency will be a body corporate with perpetual succession and a common seal, capable of suing and being sued, acquiring and disposing of property, entering into contracts, and performing all functions necessary to discharge its mandate.
It will be granted wide ranging powers to formulate and oversee the implementation of national cybersecurity strategies across both the public and private sectors, audit and certify critical information infrastructure, manage the National Cybersecurity Operations Centre, conduct vulnerability assessments and coordinate responses to cyber incidents. The agency will also be tasked with establishing a Cybersecurity Centre of Excellence, developing professional certification programmes, undertaking technical research and collaborating with international cybersecurity agencies.
Its board is expected to bring together some of the country’s most senior security and government officials. Membership will include a non executive chairperson appointed by the President, Principal Secretaries for Interior, Treasury and ICT, the Attorney General, the Chief of the Defence Forces, the Inspector General of Police, the Director General of the National Intelligence Service and the Director of Public Prosecutions. Representatives from academia and the private sector will also serve on the board.
The agency will be overseen by a board of directors whose membership closely mirrors that of the National Computer and Cybercrimes Coordination Committee, established under the Computer Misuse and Cybercrimes Act. The only members of the committee not represented in the agency are the Governor of the Central Bank of Kenya and the Director General of the Communications Authority of Kenya.
The agency will be headed by a Director General appointed by the board through a competitive recruitment process, subject to approval by the Cabinet Secretary. The board will be chaired by a non executive chairperson appointed by the President, in contrast to the committee, whose chairperson is the Principal Secretary responsible for internal security matters.
The Ministry of Interior has defended the formation of the agency, arguing that despite existing cybersecurity laws, significant institutional and governance gaps remain. Interior Cabinet Secretary Kipchumba Murkomen told MPs that the proposed body would enhance the protection of critical information infrastructure, strengthen responses to cyber incidents and improve public awareness of cyber security threats.
Documents presented to Parliament state that the agency is intended to address coordination challenges among multiple government entities currently involved in cyber security and to create a central authority capable of responding swiftly to emerging threats. The ministry has also cited a rise in cyber attacks targeting government institutions and private entities as justification for the agency’s creation.
Kenya has in recent years experienced increased incidents of cybercrime, including ransomware attacks, online fraud, identity theft, malicious software attacks and data breaches affecting both public and private institutions. In its latest statement, the ministry said the country faces growing risks from cyber threats that could undermine national security, economic stability and public confidence in digital services.
The government says the agency will serve as Kenya’s central technical and regulatory institution on cyber security matters and will work closely with security agencies, regulators, businesses, academic institutions and international partners.
However, questions remain over whether the agency’s proposed functions duplicate responsibilities already assigned to existing institutions, including agencies operating under the Computer Misuse and Cybercrimes Act. Those concerns have been amplified by last year’s passage by Parliament of amendments to the Computer Misuse and Cybercrimes Act, following President William Ruto’s assent to the Computer Misuse and Cybercrimes (Amendment) Act, 2024.
The amended law substantially broadened the powers of investigators and courts in tackling cybercrime, including the authority to order the removal of harmful online content, shut down websites hosting illegal material and intervene to prevent content from going viral. Critics have therefore questioned the need for a new agency costing billions of shillings, arguing that the country already has a robust legal framework for addressing cybercrime.
The financial implications are also significant. According to documents tabled in Parliament, taxpayers will be required to spend about Sh4 billion (approximately $30.6 million) to establish the agency. The funds will go towards setting up a National Cybersecurity Operations Centre, acquiring specialised technology and software, developing policies, recruiting staff and building technical capacity. The ministry says the annual operational costs will reduce significantly after the initial establishment phase.
Interior Cabinet Secretary Kipchumba Murkomen has defended the proposal, saying the investment is necessary to position Kenya as a secure and trusted digital economy, while strengthening the country’s regional and global cybersecurity standing.