Licentium

AI Regulation Hub

Kenya

Kenya has no comprehensive AI Act. Its framework rests on the National AI Strategy 2025–2030, the Data Protection Act and sectoral rules. The strategy sets direction; binding compliance comes mainly from existing law.

Key provisions

Kenya National AI Strategy 2025–2030

In force

Core pillars: AI digital infrastructure, data and AI governance, research, innovation and commercialisation. Policy instrument, not a licensing law.

Data Protection Act applies to AI

In force

Where AI processes personal data. ODPC has addressed AI-related privacy issues including rights, safeguards and DPIAs where necessary.

Sectoral overlays

In force

Financial services, healthcare, education, employment, public services, telecoms, advertising and consumer services may trigger sector-specific obligations.

Detailed overview

Kenya does not currently have a comprehensive AI Act. Its AI framework is based on national AI strategy, data-protection law, sectoral rules and digital-government policy.

Kenya National AI Strategy 2025–2030

Kenya has published the Kenya National Artificial Intelligence Strategy 2025–2030. The strategy is built around core pillars including AI digital infrastructure, data and AI governance, research, innovation and commercialisation. It is intended to support responsible AI adoption and position Kenya for AI-driven economic and public-sector development.

The strategy is a policy instrument, not a general AI licensing law. It sets direction for AI capability, governance, skills, infrastructure, data use and innovation, but it does not create a full EU-style high-risk AI compliance code.

Data Protection Act

Where AI processes personal data, Kenya's Data Protection Act applies. The Office of the Data Protection Commissioner has addressed AI-related privacy issues, including data-subject rights, technical and organisational safeguards and data-protection impact assessments where necessary.

Sectoral overlays

AI systems used in financial services, healthcare, education, employment, public services, telecommunications, advertising or consumer services may also trigger sector-specific obligations.

Penalties

Kenya does not currently have one AI-specific penalty table. Penalties depend on the breached law, such as data protection, consumer protection, financial regulation, healthcare regulation, employment law, public-sector rules or criminal law.

Practical requirements & details

Sourced from the Kenya National AI Strategy 2025–2030, the Data Protection Act 2019 + Regulations 2021, ODPC guidance, and sectoral rules (CBK, IRA).

National AI Strategy 2025–2030 — pillars

  • AI digital infrastructure.
  • Data and AI governance.
  • Research, innovation and commercialisation.

Data Protection Act 2019 — 8 principles

  • Lawful, fair, transparent processing; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability; data subject rights respected.

ODPC guidance + DPIAs

  • DPIA mandatory for high-risk processing (large-scale profiling, biometrics, sensitive-data processing, AI-driven decisions affecting rights).
  • DPIA template published by ODPC.

Penalties

  • ODPC administrative fines: up to KES 5M or 1% of preceding year's annual turnover (lower of the two).
  • Criminal sanctions for serious breaches.
  • Sectoral fines under CBK, IRA as applicable.

Sector overlays

  • CBK AI in digital credit and banking.
  • IRA AI in insurance underwriting.
  • Consumer protection (CCPA) for AI-driven marketing and pricing.

Ready to launch without the regulatory guesswork?

Book a 30-minute consultation. We'll map your AI or licensing path and tell you exactly what's required, in plain language.

Get Started