KENYA
Since August 2020, last amended in April 2021
Pillar Cross-border data policies
Indicator Ban to transfer and local processing requirement
National Information, Communications and Technology (ICT) Policy Guidelines of 2020
The National ICT Policy Guidelines (paragraph 4.4) provide that all arms of government build, deploy, operate and manage locally built back-end and front-end systems. The Guidelines also require that all Kenyan data remains in Kenya and is stored safely and in a manner that protects the privacy of citizens to the utmost.
Coverage Public sector
Sources
- https://web.archive.org/web/20221111104928/https://www.ca.go.ke/wp-content/uploads/2020/10/National-ICT-Policy-Guidelines-2020.pdf
- https://web.archive.org/web/20230322230658/https://www.bowmanslaw.com/insights/technology-media-and-telecommunications/publication-of-the-national-information-communication-and-technology-policy-guide...
KENYA
Since November 2019
Since December 2021, entry into force in February 2022
Since May 2018
Pillar Cross-border data policies
Indicator Local storage requirement
Data Protection Act (No. 24 of 2019)
Data Protection (General) Regulations, 2021
Computer Misuse and Cybercrimes Act, 2018
Section 50 of the Data Protection Act provides that the Cabinet Secretary may prescribe, based on the grounds of strategic interests of the state or protection of revenue, processing of a certain nature that should only be conducted through a server or data centre located in Kenya. Regulation 26.1 of the Data Protection (General) Regulations further clarifies that, pursuant to Section 50 of the Act, a data controller or data processor who processes personal data for the purposes of strategic interests of the state outlined in Regulation 26.2 should process such personal data through a server and data centre located in Kenya; or store at least one serving copy of the concerned personal data in a data centre located in Kenya (whereby no definitions have been provided for the term 'serving copy'). The strategic purposes contemplated in Regulation 26.1 include the processing of personal data for:
- administering the civil registration and legal identity management systems;
- facilitating the conduct of elections for the representation of the people under the constitution;
- overseeing any system for administering public finances by any state organ;
- providing primary or secondary healthcare for a data subject in the country;
- offering any form of early childhood education and basic education under the Basic Education Act No. 14 of 2013; and
- running any system designated as a protected computer system in terms of Section 20 of the Computer Misuse and Cybercrimes Act.
Under the Computer Misuse and Cybercrimes Act, a protected system is defined as a computer system used directly in connection with or necessary for:
- the security, defence, or international relations of Kenya;
- the existence or identification of a confidential source of information relating to the enforcement of a criminal law;
- the provision of services directly related to communications infrastructure, banking and financial services, payment and settlement systems and instruments, public utilities, or public transportation, including government services delivered electronically;
- the protection of public safety, including systems related to essential emergency services, such as police, civil defence, and medical services;
- the provision of national registration systems; or
- such other systems as may be designated relating to the security, defence, or international relations of Kenya, critical information, communications, business, or transport infrastructure, and protection of public safety and public services as may be designated by the Cabinet Secretary responsible for matters relating to information, communication, and technology.
Coverage Horizontal
Sources
- https://web.archive.org/web/20230803182504/https://www.odpc.go.ke/dpa-act/
- https://web.archive.org/web/20230925132228/https://www.odpc.go.ke/download/the-data-protection-general-regulations-2021-2/
- https://web.archive.org/web/20231203115505/https://nc4.go.ke/the-computer-misuse-and-cybercrimes-act/
- https://www.dataguidance.com/notes/kenya-data-transfers
KENYA
Since February 2024
Since May 2018
Pillar Cross-border data policies
Indicator Infrastructure requirement
Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024
Computer Misuse and Cybercrimes Act, 2018
Pursuant to Section 28 of the "Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024", proprietors of critical information infrastructure within Kenya are mandated to ensure that such infrastructure is physically situated within the national territory. Should an owner seek to store critical information outside the country, an application must be submitted to the National Computer and Cybercrimes Co-ordination Committee. The Committee is tasked with evaluating whether the application satisfies prescribed security standards and is required to render a decision within thirty days. In its deliberations, the Committee shall consider factors including, but not limited to, the adequacy of security measures, the necessity of the proposed arrangement, implications for national security, the public interest, data protection requirements, and representations made by the operator. In addition, the Committee is obliged to consult the National Security Council and other relevant agencies during the review process.
Under Section 2 of the "Computer Misuse and Cybercrimes Act, 2018", the term critical infrastructure refers to the processes, systems, facilities, technologies, networks, assets, and services that are essential to the health, safety, security, or economic well-being of Kenyans, as well as to the effective functioning of Government.
Coverage Critical infrastructure
Sources
- https://web.archive.org/web/20250820192935/https://nc4.go.ke/storage/2024/06/THE-COMPUTER-MISUSE-AND-CYBERCRIME-CRITICALINFORMATION-INFRASTRUCTURE-AND-CYBERCRIMEMANAGEMENT-REGULATIONS-2024.pdf
- https://web.archive.org/web/20250820194940/https://nc4.go.ke/the-computer-misuse-and-cybercrimes-act-2018/
- https://web.archive.org/web/20250820193116/https://digitalpolicyalert.org/event/28090-computer-misuse-and-cybercrimes-critical-information-infrastructure-and-cybercrime-management-regulations-includin...
KENYA
Since November 2019
Pillar Cross-border data policies
Indicator Conditional flow regime
Data Protection Act (No. 24 of 2019)
Art. 48 of the Data Protection Act No. 24 of 2019 states that a data controller or data processor may transfer personal data to another country only where the data controller or data processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of the personal data. Alternatively, data can be transferred if the transfer is necessary for: the performance of a contract, for any matter of public interest, for the establishment, exercise or defence of a legal claim, in order to protect the vital interests of the data subject or of other persons; or for the purpose of compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.
Art. 49 highlights safeguards prior to transfer of personal data out of Kenya, which include: (1) The processing of sensitive personal data out of Kenya shall only be effected upon obtaining consent of a data subject and on obtaining confirmation of appropriate safeguards; (2) The Data Commissioner may request a person who transfers data to another country to demonstrate the effectiveness of the security safeguards or the existence of compelling legitimate interests; (3) The Data Commissioner may, in order to protect the rights and fundamental freedoms of data subjects, prohibit, suspend or subject the transfer to such conditions as may be determined.
Coverage Horizontal
KENYA
Since June 1994
Pillar Intellectual Property Rights (IPRs)
Indicator Participation in the Patent Cooperation Treaty (PCT)
Patent Cooperation Treaty (PCT)
Kenya is a party to the Patent Cooperation Treaty (PCT).
Coverage Horizontal
KENYA
Since September 2001, last amended in July 2019
Pillar Intellectual Property Rights (IPRs)
Indicator Copyright law with clear exceptions
Copyrights Act No.12 of 2001 (Revision of 2019)
The Copyrights Act provides a regime of copyright exceptions that follows the fair dealing model, which enables the lawful use of copyrighted work by others without obtaining permission. According to Art. 26, the use of copyrighted works is permitted for educational purposes, as are the incidental inclusion of works in a broadcast or film, the not-for-profit use of works in public, the broadcast of works intended to be used for systematic instructional activities, the use of works by the government, public libraries and non-commercial documentation centres, and the use of works for judicial purposes, provided the author and the source are indicated.
Coverage Horizontal
Sources
- https://web.archive.org/web/20231202094022/https://copyright.go.ke/
- https://web.archive.org/web/20221219124727/https://copyright.go.ke/sites/default/files/downloads/COPYRIGHT%20ACT%20REVISED%202019.pdf
- https://web.archive.org/web/20180817001349/https://www.academia.edu/29748509/Copyright_exceptions_and_limitations_in_Kenya_and_Uganda_a_comparative_analysis_of_their_strengths_and_weaknesses
KENYA
Reported in 2018, last reported in 2024
Pillar Intellectual Property Rights (IPRs)
Indicator Enforcement of copyright online
Lack of adequate enforcement of copyright online
Copyright is not adequately enforced online in Kenya. Copyright piracy and the use of unlicensed software are reported to be prevalent in the country. Businesses in the country have also expressed concern about the online distribution of copyright-infringing content.
Coverage Horizontal
Sources
- https://web.archive.org/web/20240703214444/https://ustr.gov/sites/default/files/2024%20NTE%20Report_1.pdf
- https://web.archive.org/web/20240108233838/https://www.state.gov/reports/2023-investment-climate-statements/kenya/
- https://web.archive.org/web/20210928132152/https://www.privacyshield.gov/article?id=Kenya-Protecting-Intellectual-Property
KENYA
N/A
Pillar Intellectual Property Rights (IPRs)
Indicator Adoption of the WIPO Copyright Treaty
Lack of ratification of the WIPO Copyright Treaty
Kenya signed the World Intellectual Property Organization (WIPO) Copyright Treaty in December 1996, but has not ratified it.
Coverage Horizontal
KENYA
N/A
Pillar Intellectual Property Rights (IPRs)
Indicator Adoption of the WIPO Performances and Phonograms Treaty
Lack of ratification of the WIPO Performances and Phonograms Treaty
Kenya signed the World Intellectual Property Organization (WIPO) Copyright Treaty in December 1996, but has not ratified it.
Coverage Horizontal
KENYA
N/A
Pillar Intellectual Property Rights (IPRs)
Indicator Effective protection covering trade secrets
Lack of effective protection of trade secrets
Kenya does not have a comprehensive framework in place that provides effective protection of trade secrets, but there are limited measures addressing some issues related to them. The protection of trade secrets is mostly by way of common law and equity (and there are a few judicial decisions on this topic). Trade secret protection can be inferred from common law protection of confidentiality. However, regarding whether trade secrets are kept confidential during court proceedings, there is currently no clear judicial precedent on the handling of evidence containing a trade secret while still maintaining its confidentiality. A review of the available case law shows that such matters are determined on a case-by-case basis, and one must demonstrate that the trade secret is indeed useful and applicable in the relevant trade or industry; is not public knowledge or public property; is of economic value to the business seeking to protect it and that the disclosure of such information would be prejudicial to the business.
Moreover, protection is granted locally by virtue of the Constitution (Arts. 2.5 and 2.6). Some forms of protection of trade secrets can also be found in various pieces of legislation, such as those relating to employment and contracts.
Coverage Horizontal
Sources
- https://web.archive.org/web/20230917094509/https://www.wipo.int/edocs/lexdocs/laws/en/ke/ke019en.pdf
- https://web.archive.org/web/20231220053747/https://www.wto.org/english/docs_e/legal_e/27-trips.pdf
- https://web.archive.org/web/20231130104544/https://www.lexology.com/library/detail.aspx?g=874289b3-d36c-4abe-9b0d-63034983973b
- https://web.archive.org/web/20231203132635/https://www.bowmanslaw.com/insights/intellectual-property/how-to-strengthen-protection-and-enforcement-of-trade-secrets-in-east-africa/
- https://web.archive.org/web/20231206215859/https://bowmanslaw.com/insights/intellectual-property/patent-or-trade-secrets-which-offers-better-protection/
KENYA
N/A
Pillar Telecom infrastructure & competition
Indicator Passive infrastructure sharing obligation
Lack of mandatory functional separation for dominant network operators
It is reported that Kenya does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there is an obligation of accounting separation.
Coverage Telecommunications sector
KENYA
Since May 2002
Pillar Intellectual Property Rights (IPRs)
Indicator Practical or legal restrictions related to the application process for patents
Industrial Property Act No. 3 of 2001
According to Art. 34.2 of the Industrial Property Act of 2001, an applicant whose ordinary residence or principal place of business is outside Kenya is obliged to be represented by an agent who shall be a citizen of Kenya admitted to practice before the Kenya Industrial Property Institute.
Coverage Horizontal
KENYA
N/A
Pillar Tariffs and trade defence measures applied on ICT goods
Indicator Participation in the WTO Information Technology Agreement (ITA) and 2015 expansion (ITA II)
Lack of participation in Information Technology Agreement (ITA) and in ITA Expansion Agreement (ITA II)
Kenya is not a signatory of the 1996 World Trade Organization (WTO) Information Technology Agreement (ITA) nor the 2015 expansion (ITA II).
Coverage ICT goods
Sources
- https://www.wto.org/english/news_e/brief_ita_e.htm#:~:text=ITA%20participants%3A%20Australia%3B%20Bahrain%3B,%3B%20Jordan%3B%20Korea%2C%20Rep.
- https://www.wto.org/english/res_e/booksp_e/ita20years_2017_full_e.pdf
- https://web.archive.org/web/20220120054410/https://trade.ec.europa.eu/doclib/docs/2016/april/tradoc_154430.pdf
- https://www.wto.org/english/tratop_e/inftec_e/itscheds_e.htm
KENYA
Since December 2015, entry into force January 2016, last amended in 2022
Pillar Public procurement of ICT goods and online services
Indicator Exclusion from public procurement
Public Procurement and Asset Disposal Act, 2015
According to Section 157.8 of the Public Procurement and Asset Disposal Act, exclusive preferences are given to citizens of Kenya where the funding is 100% from the national government, county government or a Kenyan body, and the amounts are below the prescribed threshold. The prescribed threshold for exclusive preference should be above five hundred million shillings (approx. USD 3,600,000).
Coverage Horizontal
KENYA
Since August 2020, last amended in April 2023
Pillar Public procurement of ICT goods and online services
Indicator Exclusion from public procurement
The National Information Communications and Technology (ICT) Policy Guidelines, 2020
According to the National Information Communication and Technology Policy Guidelines of 2020, Kenyan-built ICT solutions are preferred over any other solution in the award of public tenders. Where there are no local Kenyan businesses that meet tender requirements, the successful tenderer must provide adequate proof that they will implement a skills transfer program to local firms and personnel as part of the tender award process. Foreign companies have until August 2023 to adhere to this requirement.
Coverage ICT services
