By Ariana Issaias, Partner, and Ibrahim Godofa and Wilson Waithaka Associates, Bowmans Kenya
The recently gazetted Kenya Cloud Policy 2025 (Policy) marks the country’s latest milestone towards establishing itself as the preferred regional and continental digital hub. The Policy, formulated by the Ministry of Information, Communications, and the Digital Economy (the Ministry) aims to spur economic growth by incentivising investment and adoption of cloud-based information and communication structures. Through this Policy, the Government intends to encourage both public and private entities to leverage the benefits of cloud infrastructure and solutions-based services, which provide a more controlled, efficient and secure information-sharing environment.
Key highlights
Scope of application
The Policy generally applies to the National and County Governments and state organs, all public and private enterprises, all individuals and all data controllers and processors. In particular, it applies regardless of whether the end-use is in Government service, citizen use, or for Government data centre needs. This wide scope of application aims to encourage and harmonise the use of cloud service-oriented solutions, in alignment with the Policy’s objectives.
Compliance with the Policy
Public entities will be expected to comply within 12 months from the date of publication of the Policy, which includes prioritising cloud-based solutions when making ICT investments such as the procurement of hardware and software, renewal of existing software licences, ICT infrastructure and emerging technologies. Public entities are also required to implement a phased migration plan guided by the national cloud framework within one year.
While private sector compliance is not mandatory, the Policy is intended to serve as guidance for the private sector and acknowledges the varying levels of cloud adoption. Cloud Service Providers (CSPs), however, are expected to adhere to the Policy, particularly those providing or looking to provide cloud services to the Government. The Ministry is mandated to guide the national cloud framework and the Adoptions Committee to the indicated framework.
Data management and governance
The current state of data handling, access and retention is relatively uncontrolled, with significant issues relating to cybersecurity and data integrity. The Policy expands the protection to all forms of data being utilised and provides the below considerations in relation to cloud computing and data hosting:
Data classification framework
The Policy requires entities utilising data including the Government and all state organs/public enterprises, private entities, and data controllers and processors to implement a data classification framework, with classification levels based on the sensitivity of the data and respective security controls required.
This is a welcome requirement, as it targets the fragmented handling of data without proper cybersecurity considerations. Developing data classification will enable entities to identify low, moderate and high levels of potential harm in relation to compromised data and inform the appropriate technical and security measures necessary.
Robust cybersecurity measures
The risks of existing models of computing and data hosting are significant, including unauthorised access, corruption of data, data theft and similar cyber-attacks. While promoting the migration to cloud solutions, the Policy now mandates CSPs to conform with ISO standards such as information and cybersecurity safeguards, including ISO/IEC 27002:2022 for Information Security, Cybersecurity and Privacy Protection, and its practice codes, ISO 27017 Information Technology Security Techniques — Code of practice for information security controls.
Obligations of CSPs
The Policy has prescribed compliance requirements that apply to CSPs, some of which are considered below:
- Registration/accreditation of CSPs offering services to the Government (with the Cloud Adoption Committee being mandated with accreditation and approval of CSPs).
- Adherence to international compliance standards prescribed by regulatory authorities.
- Potential notification requirements by CSPS.
- Documentation of data hosting locations and real-time tracking of data movement across jurisdictions, as well as compliance with Kenyan laws relating to all hosted data, other jurisdictional frameworks and any related conflicts.
- Disclosure obligations of data storage and documenting an analysis of activities involving Kenyan data in accordance with the Kenyan Data Protection Act.
Obligations of entities/end users deploying cloud-based solutions
Under the Policy public entities are required to procure appropriate cloud solutions based on three categories of data.Top secret data must be hosted within a Government CSP whose model constitutes a private/Government dedicated cloud located in Kenya. Restricted data, on the other hand, must be hosted with Government CSPs in a public cloud infrastructure located in Kenya. Open data must be hosted by a Government CSP in a public cloud infrastructure.
Public entities may also explore suitable third-party CSP services where the Government CSPs do not meet the required standards (subject to approval by the Cloud Adoption Committee).
Both public and private entities will be required to identify risks related to data hosting and address them in the contractual terms. Additionally, end users must ensure that the data is accessible for any legal purposes mandated under Kenyan laws.
Protections for end users of cloud services
To further encourage migration by entities to cloud services and solutions, the Cloud Policy has outlined key considerations that offer protection to entities from vendor lock-ins, allowing migration between platforms based on suitability. For instance, all agreements and terms of service between CSPs and end-users will need to be integrated into the contracts.
The Policy also addresses the issues relating to the management and migration of data hosted by CSPs by recommending exit clauses and terms to be required by end-user entities, the use of open-access formats, and non-acceptance of excess penalties for contract termination.
Green cloud computing
The Policy envisions a sustainable cloud ecosystem and prioritises green energy as a power source. In line with global sustainability goals, this objective is a welcome development that will support efforts to create sustainable data centre operations. It will also encourage both existing and new CSPs to consider green energy alternatives to power their equipment.
Conclusion
The Cloud Policy provides a strategic approach to the procurement and deployment of cloud services, aiming to improve data management and reduce the costs of deploying cloud solutions while ensuring cybersecurity and data integrity, cloud computing and data hosting. With proper implementation, sector players stand to benefit from the outlined objectives on sustainability, data integrity and sovereignty, and cost savings, while leveraging the efficiency of cloud computing.
Also Read: Kenya Unveils Ambitious AI Strategy for 2025-2030
