Across the Horn of Africa, digital spaces have become an integral part of politics, economy, and security. Governments are increasingly faced with rapidly shifting digital threats, from cybercrime and online fraud to disinformation, election interference, and threats to critical infrastructure. Consequently, in most countries across the region, cybersecurity is being incorporated into the national security domain, prompting a wave of new laws, regulations, and institutional frameworks in the past decade, aimed at governing digital activity.
This is not a shift unique or exclusive to the region, nor is it inherently illegitimate. As states integrate digital infrastructure in public services, financial and communication systems, among other areas, there are increased cyberspace threats, ones that can yield heavy national security consequences. As such, protecting data integrity and securing networked communication is now widely viewed as an essential duty of the modern state.
This duty can however extend beyond technical cybersecurity concerns, and legal frameworks designed to counter digital risk may infringe on civil liberties, especially in politically sensitive environments. Across the region, digital and cybersecurity laws and regulations raise concerns about political authority, civic space, and state-society relations. Broad legal mandate, expansive security language, and discretion given to enforcement authorities means that the same frameworks intended to protect national security can also significantly alter how dissent and information flows are governed.
It is therefore imperative to interrogate how securitised language affects digital and cybersecurity laws and regulations across the region, and the implication for political risk and governance. This calls for focus on the legal and regulatory infrastructure that underpins state responses to digital activity. The question is not whether cybersecurity regulation is necessary as it is critical not only for governments but also for other organisations and people as a whole, but how the framing and application of these laws can generate unintended political and institutional risks over time.
Today, governments in the Horn of Africa region increasingly rely on formal legal instruments to regulate digital spaces. Cybersecurity acts, data protection laws, and criminal codes amendments have been introduced or expanded. Many times, decisions to enact these regulations are justified through reference to national security, public order, and economic stability. They insist on the protection of critical infrastructure, the prevention of cybercrime, and the containment of harmful or destabilising content online.
From a state’s perspective, the appeal of digital laws hedged on security is incontestable. Unlike as hoc measures such as internet shutdowns, legal frameworks provide a sense of permanence, legitimacy, and predictability. This paves the way for the control of digital spaces through regulatory institutions, licensing requirements, and enforcement mechanisms that can be presented as rule-based rather than exceptional or emergency decrees. In regions facing political volatility or transnational security threats, legislation of digital control is often considered to be a stabilising measure.
Additionally, national security narratives reinforce this process. In many cases, cyber threats are framed as external, coordinated, and potentially destabilising even when they originate domestically. Disinformation is positioned as a risk to countries’ sovereignty, online mobilisation as a threat to public order, and digital platforms as vectors through which hostile actors can undermine state authority. These kinds of narratives and framing incentivise policy makers to prioritise control, speed, and discretion when designing legal frameworks (African Declaration on Internet Rights and Freedoms, Malabo Convention, AU Digital Transformation and Cybersecurity Guidance).
At the same time, the scope of many digital laws extends well beyond narrowly defined cybersecurity concerns. Provisions on online speech and information dissemination are embedded within broader security legislation. This risks blurring the line between actual threat mitigation and manipulation of legal provisions for political ends. This is coupled with limited oversight mechanisms and enforcement authority that is concentrated within executive or security agencies.
The result is a legal environment where digital governance is securitised by default. Laws meant to protect data and networked services can be inadvertently used to regulate behaviour, shape and control narratives, and affect civic engagement in online spaces. While this convergence does not automatically translate to repression, it does alter the balance between security and governance in ways that carry long-term implications for institutional trust, political legitimacy, and state resilience.
Take Kenya for instance, one of the countries in the region with fairly established cyber legislation. The National Cybersecurity Strategy 2022-2027 lays out an explicit roadmap for ‘strengthening institutional frameworks, protecting critical information infrastructure, fostering cooperation, and enhancing policy and legal capability in cyberspace.’ The argument is that this will safeguard state security, critical infrastructure, and ensure socio-economic stability. This is echoed in the strategy’s key pillars which emphasise a coordinated approach to countering cyber threats, involving government agencies, the private sector, and international partners.
The foundation for this strategy is the Computer Misuse and Cybercrimes Act (2018), which criminalises a spectrum of computer and network offences, and establishes the National Computer and Cybercrimes Coordination Committee. In 2025, there were a raft of amendments to the Act, with the legislative intent of keeping pace with evolving digital threats. However, the amendments which come amidst increased political contestation like recurrent youth-led protests online, raises questions about the expansive reach of enforcement authorities and the potential implications on digital rights.
This creates a dilemma, as states argue such legal frameworks are necessary and are a result of legitimate national security concerns. As cyber threats morph, attacks on critical information systems linked to finance, governance, and essential utilities intensify. Moreover, cross-border digital attacks often necessitate a robust and pre-emptive legal posture, rather than a reactive one. In this environment, these legislations offer a perceived advantage as they enable authorities to coordinate responses across sectors and borders.
There is however a risk, when these laws carry provisions with broad language, expansive enforcement authority, and limited oversight. A recurrent example is the reference to ‘harmful digital content’ or ‘unauthorised communication’. This can be interpreted and applied beyond technical threats to encompass political speech or civic engagement. Tied with weak judicial or parliamentary enforcement mechanisms, especially in a region where the executive arms of government have overreaching powers, creates conditions ripe for discretionary enforcement and imposition on civic freedoms.
This tension is not just unique to Kenya, as seen with the amendments made to the Cybercrime and Computer Misuse Act, but can be seen in other countries in the region, especially in times of heightened political activity. For instance, Uganda’s Computer Misuse (Amendment) Act, 2022, and Tanzania’s 2015 Cybercrimes Act, along with the 2018/2020 Electronic and Postal Communications (Online Content) Regulations include broad language on threats such as ‘false,’ ‘offensive,’ or ‘misleading,’ online content. The conflation of cybercrime, disinformation and misinformation, and threats to public order reinforce the view that the stability and control of digital ecosystems is inseparable from state security. In practice, this risks privileging state interpretations of threats, and may normalise enforcement that encroaches on digital civic freedoms without equivalent safeguards for privacy, expression, or due process.
Kenya’s Cybersecurity Bill sets out a comprehensive national framework built on nine strategic pillars, strengthening governance, critical infrastructure protection, cyber risk management, and incident response. It also addresses the growing challenges posed by Al-driven threats while promoting public-private partnerships and international cooperation to safeguard national security and economic stability.
While there are similarities in legal approaches across the Horn of Africa, institutional capacity and governance context in individual countries dictates how digital and cybersecurity frameworks are operationalised, and the political and governance consequences. Many countries across the region have taken a national security approach in design and adoption of digital governance legal and policy frameworks, but the outcomes vary considerably depending on oversight mechanisms, regulatory independence, and enforcement norms.
In Somalia for example, data protection has been at the forefront of legal framing, with emphasis on individual privacy alongside cybersecurity objectives. The country’s Data Protection Act of 2023 for instance establishes a legal framework governing the collection, storage, processing, and disclosure of personal data, including provisions for enforcement and the creation of an independent supervisory authority (Somali Data Protection Authority). While still nascent, this approach reflects a deliberate effort to embed privacy protections amid expanding digital governance regimes, evidence that securitisation is not the sole trajectory available to states in the region.
At the sub-regional level, there is a growing consensus that harmonised policy frameworks and institutional capacity building can strengthen both security and governance, as seen in efforts such as the Horn of Africa Digital Governance and Cybersecurity Initiative (Djibouti, Kenya, and Somalia). Such initiatives recognise that digital risks transcend national boundaries and promote cooperation and shared principles. However, the adoption of such norms differs, as countries with stringer regulatory institutions and clearer separation of powers are more likely adopt rules-based enforcement, while others lean towards executive-led interpretations that prioritise control.
Continental frameworks such as the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) adds another layer of complexity due to legal interpretations. The treaty encourages member states to adopt national cybersecurity policies, criminalise cyber offences, and harmonise legal frameworks across borders. In states where ratification and domestic incorporation is robust, there is greater potential for alignment of security objectives with data protection and rights safeguards. However, where such elements are underdeveloped, the same frameworks can conversely amplify political and governance risk instead of mitigating it.
Importantly, the normative environment in different countries is an important element in digital governance. Legal instruments such as the African Declaration of Internet Rights and Freedoms clearly outlines principles meant to ensure there is fair internet governance. This includes protecting rights and freedoms such as the freedom of expression and the right to privacy, and ensuring any restrictions are proportionate to legitimate aims such as national security.
In practice, some states in the region have pursued expansive application of cybersecurity law against a wide range of digital actors framing enforcement as essential to public order and stability. Others have been more grounded in recognising the legitimate role of digital civic space within national risk management strategies. This difference in approaches illustrates that even with similar legal frameworks, political and governance outcomes can be ultimately different. Outcomes do not only depend on the text of the law itself, but also on the institutional environment and security narratives through which it is applied.
The 2024 protests against Kenya’s Finance Bill, largely mobilised through TikTok, X, WhatsApp and Facebook, reveal the growing power of digital platforms in shaping political participation. Driven mainly by Gen Z and Millennials, the demonstrations highlight how online spaces have become central to civic mobilisation—raising critical questions about digital security, governance, and the fine line between protection and control in the Horn of Africa.
Securitising digital and cybersecurity laws carries implications that extend beyond neutralising immediate cyber threats. While security-framed legal frameworks can enhance state capacity in countering digital risks, their broader design and implementation can influence a country’s political risk environment.
First, is the erosion of state-society trust due to expansive security mandates. Where citizens perceive laws to blur the line between cybersecurity enforcement and curtailing of freedoms of expression or association, public confidence in digital governance institutions may erode. The danger being that over time, this can significantly undermine the legitimacy and consequently efficiency of regulatory bodies tasked with protecting digital ecosystems, especially where enforcement is seen as selective or politically motivated. Rather than bringing stability, this risks intensifying grievances and more adversarial contestation.
Second, is governance and institutional risk. Concentrating enforcement authority within executive agencies or having overbearing executive power on independent institutions without commensurate oversight mechanisms in place can weaken accountability and judicial confidence. If courts or parliamentary bodies lack the capacity or autonomy to scrutinise enforcement decisions, cybersecurity laws can be used as a tool of administrative convenience rather than rules-based governance. Such trends can entrench a securitised practices that are hard to alter once embedded in legal and institutional practices.
Thirdly, political risk implications go beyond domestic concerns. Broad or opaque security regimes increase the likelihood of external scrutiny, especially where enforcement affects media freedom, electoral processes, or cross-border governance. For states seeking to position themselves as digital hubs or stable investment destinations, perceptions of regulatory unpredictability or politicised enforcement affect reputation and commercial interest. Conversely, cybersecurity laws meant to safeguard national interests may inadvertently heighten long-term exposure to diplomatic and investor caution.
The governance and political risks is therefore not about the existence of cybersecurity laws, as they are actually vital in safeguarding both government and private sector interests. It is rather about whether these laws are securitised, how enforcement is carried out, and the constraints on digital civic spaces.
The 2024 protests against Kenya’s Finance Bill, largely mobilised through TikTok, X, WhatsApp and Facebook, reveal the growing power of digital platforms in shaping political participation. Driven mainly by Gen Z and Millennials, the demonstrations highlight how online spaces have become central to civic mobilisation—raising critical questions about digital security, governance, and the fine line between protection and control in the Horn of Africa.
With increasing securitisation of digital governance across the Horn of Africa, governments and regulators now have to contend with a strategic choice: whether cybersecurity laws are used as a tool to build resilience and enhance security, or turn into sources of governance risk. National security objectives can be achieved and strengthened while limiting long-term political and institutional exposure through the following measures:
Cybersecurity is an essential pillar of national security in the Horn of Africa, and the expansion of digital legal frameworks reflects a legitimate response to evolving threats. But with these laws shaping how information, association, and dissent are governed online, their political and governance implications cannot be treated as secondary concerns. Where digital laws lack clarity, oversight, or institutional balance, there is a risk of generating the very instability they are intended to prevent. Managing digital risk in the region will therefore depend not only on stronger technical capacity, but on legal and regulatory approaches that ensure there is trust, accountability, and durable state–society relations in an ever increasingly contested digital space.
Horn Report’s mission is to shape regional narratives and deliver strategic insight that empowers decision-makers to navigate the Horn of Africa’s complexities within an evolving global landscape.
