The Kenya Cloud Policy marks a significant step toward aligning public and private sector IT infrastructure with the demands of modern digital economies. Developed under the Ministry of Information, Communications, and the Digital Economy (MICDE), this policy reflects Kenya’s ambitions to become a regional technology hub while prioritising data sovereignty, cybersecurity, and operational efficiency.
Key highlights of the policy
A ‘cloud-first’ strategy
The policy mandates that all public entities adopt cloud-based solutions when making ICT investments, including hardware procurement, software upgrades, and data centre development. The shift from on-premises systems to cloud computing aims to reduce costs, enhance scalability, and bolster cybersecurity.
Data localisation, residency, and sovereignty
Kenya places a strong emphasis on:
- Data localisation (mandating sensitive data storage within its jurisdiction);
- Data residency (geographic location of data storage); and
- Data sovereignty (legal control over stored data).
This aligns with the requirements of the Data Protection Act (2019).
- Top-secret or secret data: Must be hosted within government cloud service providers.
- Non-sensitive data: Can be hosted by private or third-party cloud service providers upon approval, ensuring technical and cybersecurity requirements are met.
Rationale for the policy
The policy addresses challenges faced by on-premises IT infrastructure, including:
- High costs: Maintenance, upgrades, and resource redundancy are financially burdensome.
- Security risks: On-premises systems often lack robust protection against cyber threats.
- Scalability issues: Traditional infrastructure struggles to meet increasing data demands.
- Data silos: Fragmented data reduces collaboration and decision-making efficiency.
By leveraging Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), the government seeks to unlock innovation, agility, and improved public service delivery.
Implementation and governance
The governance framework includes:
- Cloud adoption committee: Oversees migration to cloud systems and accredits service providers.
- National data management office: Ensures compliance with data protection laws.
- Security body: Issues cybersecurity guidelines and monitors adherence.
Global best practices and alignment
The policy draws on international standards, including:
- ISO 27001 for cybersecurity.
- NIST frameworks for cloud service management.
- ITU recommendations for interoperability.
This ensures Kenya’s cloud infrastructure adheres to global benchmarks, balancing national control with international cooperation.
Impact on businesses and cloud providers
Private enterprises operating in Kenya must comply with new cloud policy requirements, particularly regarding:
- Data hosting agreements.
- Regulatory oversight from the Office of the Data Protection Commissioner (ODPC).
- Clear service level agreements (SLAs) with cloud service providers.
For cloud vendors, this policy presents a significant opportunity to collaborate with government and private entities to drive digital innovation in a compliant, secure environment.
How ITLawCo can help
Navigating the complexities of Kenya’s draft cloud policy requires a clear understanding of data protection, regulatory compliance, and cloud infrastructure governance. At ITLawCo, we specialise in helping organisations:
- Assess the regulatory impact of cloud adoption under Kenya’s Data Protection Act and other applicable frameworks.
- Draft and negotiate robust service level agreements (SLAs) with cloud service providers.
- Ensure compliance with data residency, localisation, and sovereignty requirements.
- Develop comprehensive risk assessments, incident response plans, and data governance strategies.
- Align cloud migration strategies with global best practices for cybersecurity and operational efficiency.
With our legal and technical expertise, ITLawCo empowers businesses and public entities to adopt cloud solutions confidently, securely, and in compliance with emerging laws.
Let’s transform your cloud strategy—ethically, innovatively, and securely. Contact us today.
