The National Cybersecurity Agency Order 2026: what your SME needs to know
On 6 May 2026, President Ruto signed Legal Notice No. 89 — the National Cybersecurity Agency Order. It creates a new regulatory body with the power to audit, certify, and enforce cybersecurity standards across the private sector. Here's what it means for your business.
What is the NCSA?
The National Cybersecurity Agency is an autonomous body established under the State Corporations Act (Cap. 446). It was gazetted on 15 May 2026 as Kenya Gazette Supplement No. 121. The Agency is headquartered in Nairobi and operates under the direction of the Cabinet Secretary for Internal Security.
This is not a policy paper. It is law. The NCSA has legal standing to sue and be sued, acquire property, receive funding from Parliament, and — critically — levy fees for services rendered.
Why does it matter for SMEs?
Section 6 of the Order gives the NCSA functions that directly affect private-sector businesses:
- Cybersecurity strategies for the private sector (§6a) — the NCSA will formulate rules that apply to you, not just government.
- Audit and certify cybersecurity resilience (§6b) — the Agency can assess your readiness and issue (or withhold) certification.
- Periodic technical assessments (§6e) — vulnerability scans and compliance checks on private-sector networks.
- Enforce technical guidelines (§6i) — rules against malware, unauthorized access, and digital disruptions, with enforcement powers.
- Professional certification programs (§6g) — the NCSA will define what cybersecurity training looks like in Kenya.
Who runs it?
The Board of Directors (§7) includes the Principal Secretaries for Internal Security, Treasury, and ICT; the Attorney-General; the Chief of the Kenya Defence Forces; the Inspector-General of Police; the Director-General of National Intelligence; the Director of Public Prosecutions; one academia representative; and one private-sector representative. The Director-General is competitively recruited and must have at least 10 years of senior management experience in cybersecurity or related fields.
This is a heavyweight board. When they ask for compliance evidence, they will expect real documentation.
What can the NCSA do that affects your business?
- Conduct assessments. The Agency can scan your digital infrastructure and flag vulnerabilities.
- Enforce guidelines. Non-compliance with technical administrative guidelines may carry consequences.
- Charge fees. The Board can levy fees for any services rendered (§9f).
- Collaborate internationally. The Agency will share threat data with global peers (§6j), meaning Kenyan businesses operate in a globally visible compliance environment.
5 things to do right now
- Take the free readiness check. Codec8's 21-question assessment now includes NCSA-aligned regulatory compliance questions. Know where you stand before anyone asks.
- Know your current posture. Can you answer basic questions about your email security, payment verification, backup status, and access control? If not, your first task is documentation.
- Designate a cybersecurity lead. It does not need to be a full-time hire. One person in your business should own the topic and be the point of contact if the NCSA or an insurer asks.
- Document what you already do. Many SMEs already have decent practices — password policies, regular backups, M-Pesa verification. Write it down. Evidence is what regulators want.
- Start staff training. The NCSA will define professional certification programs. Get ahead by training your team now on phishing awareness, payment verification, and incident reporting.
How Codec8 helps
Codec8 does not certify NCSA compliance — only the Agency can do that. What we do is help you prepare:
- Readiness check — free, 21 questions, now including NCSA regulatory compliance.
- Readiness certificate — evidence of your posture for insurers, partners, and regulators.
- Protect — continuous posture monitoring with actionable remediation steps.
- Training — staff security awareness modules with completion tracking.
- Compliance dashboard — track your alignment with DPA 2019, NCSA Order 2026, and KE-CIRT/CC guidance in one place.
The NCSA is coming. Know where you stand.
Get Your Free Readiness Score: 21 questions. 3 minutes. Now includes NCSA alignment.
Source: Legal Notice No. 89, The National Cybersecurity Agency Order 2026. Kenya Gazette Supplement No. 121, 15 May 2026. Published under the State Corporations Act (Cap. 446).