Introduction
In 2024, the Ministry of Information, Communications and the Digital Economy released the Kenya Cloud Policy.1 The Kenya Cloud Policy is intended to guide the migration and adoption of Cloud technologies. The adoption is intended to be an upgrade of on-premises technologies and to align with long-term development Agendas such as Kenya Vision 2030 and the African Union Agenda 2063.
Before this blog delves deeper into the Kenya Cloud Policy, it is important to define what the cloud is.
What is Cloud Computing?
Cloud computing is “on-demand access to computing resources – physical or virtual servers, data storage, networking capabilities, application development tools, software, AI-powered analytics platforms and more provided over the internet with pay-per-use pricing.”2 Cloud services provide access to remote servers and powerful mainframe computers in large centers, through the Internet.3 In contrast to traditional on-premise IT, cloud computing offers the benefits of cost effectiveness, increased speed, agility and enhanced strategic value.4
Cloud Computing Services
Cloud computing services can be categorised into three main types. Infrastructure as a service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Infrastructure as a Service provides on-demand access to fundamental computing resources, including physical and virtual servers, networking and storage, over the internet.5 Platform as a Service provides software developers with on-demand platforms comprising hardware, a complete software stack, infrastructure and development tools for running, developing and managing applications without the cost of maintaining the platform on premises.6 Software as a service, by contrast, is a cloud-based software solution that provides all the resources for maintenance and support.7 Users can access the software through a subscription.
Besides the different types of cloud computing services, there are different ways to deploy them. These are: public cloud, private cloud and hybrid cloud.8 Public cloud is a type of cloud computing in which a cloud service provider makes computing resources available over the internet.9 The public cloud provider owns and assumes responsibility for the data centres, hardware and infrastructure on which its customers’ workloads run.10 In a private cloud, computing resources are made available to one customer only.11 A private cloud is hosted on-premises in the customer’s data centre and also on rented infrastructure or an independent cloud provider’s infrastructure.12 A hybrid cloud is a combination of public cloud, private cloud and on-premises environments.13
Despite the convenience of cloud computing, security and privacy risks persist. One significant concern is the lack of control over data. When personal data is transferred to a cloud service provider, the client may lose exclusive control and be unable to enforce the necessary technical and organisational measures for data security, such as ensuring availability, integrity, confidentiality, and portability.14 Another risk is insufficient information about data processing. Data controllers and data subjects may remain unaware of the cloud provider’s processing procedures, which poses a threat, as they cannot fully assess potential risks or take appropriate precautions.15
The Kenya Cloud Policy
The Kenya Cloud Policy applies to ‘all entities operating in Kenya and any entity utilising data residing or emanating from Kenya’.16 As previously stated, it mandates all entities to prioritise cloud-based solutions when making ICT investments. Specifically for government investments in cloud computing for the public sector, all investments must be evaluated on a case-by-case basis in three areas: cybersecurity, technical and commercial.17 First, any cloud-based solution must comply with national cybersecurity regulations to safeguard data integrity.18 Each solution will undergo technical evaluation to confirm its suitability, considering factors like latency, required features, and overall system performance.19 Additionally, the commercial viability will be assessed through a Total Cost of Ownership analysis, evaluating economic benefits, customisation needs and comparative costs on a case-by-case basis.20
Key Contractual Terms
The Kenya Cloud Policy outlines key contractual terms that must be incorporated into agreements between entities and Cloud Service Providers (CSPs).21 In line with industry best practices, these provisions ensure accountability, data protection, and compliance with national and international standards.22 Contracts must clearly specify the selected CSP and deployment model, integrate all applicable terms of service, and include comprehensive Service Level Agreements (SLAs) that define performance metrics, monitoring mechanisms, and enforcement measures.23 They must also delineate the respective roles and responsibilities of the entity and CSP, adopt recognised standards such as ISO 22123 for cloud computing, and set out robust security controls in accordance with ISO 27017.24 Further, contracts are required to address privacy obligations under the Data Protection Act, 2019 and ISO 27018, ensure accessibility of data for legal discovery, and mandate CSP cooperation in meeting obligations under the Access to Information Act, 2016 and its subsidiary regulations.25
Governance
The Kenya Cloud Policy establishes a structured governance framework to ensure coordinated implementation and effective oversight of cloud adoption across government and public entities.26 Six key roles are defined within this framework. The Ministry of Information, Communications and the Digital Economy serves as the primary policy body, responsible for defining the objectives and scope of the Policy, setting implementation guidelines, delineating institutional responsibilities, and reviewing or updating the Policy as necessary.27 The Cloud Adoption Committee, a multi-agency body constituted by the Principal Secretary responsible for ICT, oversees the adoption of cloud services across entities, manages pilot projects, provides technical and commercial guidance during migration, and ensures compliance with cybersecurity, technical, and interoperability standards.28 This committee is also tasked with accrediting cloud services and administering the marketplace that links cloud suppliers with public sector buyers.29 The Security Body, acting as the national cybersecurity authority, develops and enforces cloud cybersecurity controls and guidelines in line with existing regulations.
Cloud Service Providers (CSPs), both local and international, are responsible for delivering various forms of cloud computing services, including public, private, and government (GovCloud) clouds.30 The National Data Management Office, incorporating the Office of the Data Protection Commissioner (ODPC) and other relevant data governance bodies, oversees the management, governance, and digitisation of national data assets, while formulating and enforcing strategies, policies, and controls to safeguard personal and sensitive data.31 Meanwhile, the implementing entities, comprising government ministries, departments, and agencies, are responsible for adopting and operationalising cloud services in line with the Kenya Cloud Policy’s provisions, ensuring compliance with established standards and contributing to the broader objectives of digital transformation.32
Conclusion
In conclusion, the Kenya Cloud Policy represents a strategic move towards modernising ICT infrastructure, aligning with national and continental development agendas. While it emphasises the adoption of cloud-based solutions across government and public entities, it also addresses critical concerns such as data security, privacy, and compliance. By establishing clear contractual terms, governance structures, and stringent cybersecurity measures, the policy aims to ensure the safe, efficient, and sustainable use of cloud technologies, fostering digital transformation while safeguarding national data assets.
Image was generated by ChatGPT.
1 Ministry of Information, Communications and the Digital Economy ‘Kenya Cloud Policy’ <Kenya Cloud Policy> accessed 27 October 2025. Kenya joins Egypt and South Africa as African countries with a cloud policy see <Publications_2282024000_Cloud_First_Policy_Egypt_2024.pdf> accessed 28 October 2025 and <South-Africas-National-Cloud-and-Data-Policy-20240531.pdf> accessed 28 October 2025.
2 Stephanie Susnura and Iana Smalley, ‘What is Cloud Computing?’ <What Is Cloud Computing? | IBM> accessed on 27 October 2025.
3 ibid.
4 ibid.
5 S K Sowmya, P Deepika and J Naren, ‘Layers of Cloud – IaaS, PaaS and SaaS: A Survey’ (2014) 5(3) International Journal of Computer Science and Information Technologies 4477. Examples of Infrastructure as a service is Amazon Web Services.
6 ibid. examples are Google App Engine.
7 ibid. examples are Microsoft Office 365
8 Stephanie Susnjara and Ian Smalley n(3).
9 ibid.
10 ibid.
11 IBM, What Is Private Cloud? (IBM Think, 2025) https://www.ibm.com/think/topics/private-cloud
accessed 2 February 2026.
12 ibid.
13 ibid.
14 Maksim Teslić, Svetlana Crnogorac, and Dražan Erkić, ‘Challenges and Risks Related to Data Security in the Cloud’ (2025) International Journal of Economics and Law.
15 ibid.
16 Kenya Cloud Policy.
17 ibid 13.
18 ibid 16.
19 ibid.
20 ibid.
21 ibid 17
22 ibid.
23 ibid.
24 ibid.
25 ibid.
26 ibid 19.
27ibid.
28 ibid.
29 ibid.
30 ibid 20.
31 ibid.
32 ibid.
