Regulation 5 of the Registration of SIM-Cards Regulations requires every telecom operator to register its users, including the provision of personal data such as names and national identity cards.

Section 13 of Act No. 12 creates the offence, and outlaws hate speech, and Section 62 makes an offence for any media enterprise to publish words intended to incite feelings of contempt, hatred, hostility, violence or discrimination against any person, group or community on the basis of ethnicity or race. A media enterprise can be fined up to one million shillings (USD 8,800) for publishing hate speech.
In addition, under the "Guidelines for the Prevention of Dissemination of Undesirable Bulk Political SMS and social media content via Electronic Communications Networks", intermediaries (bulk messaging and social media service providers) can be held liable for spreading falsehoods, hate speech and insults. Art. 13.6 of the Guidelines establishes that it shall be the responsibility of the Administrator of a social media platform to moderate and control undesirable content and discussions that have been brought to their attention on their platform. In this respect, Art. 13.7 provides that social media service providers shall be required to pull down accounts used in disseminating undesirable political content on their platform that have been brought to their attention within 24 hours.

The Communications Authority of Kenya (CA) is mandated to license all telecommunications systems and services in the country, including content service providers. The Content Service Provider licence allows a licensee to provide content-related services to end users who are customers of the application service providers. Content service providers use the infrastructure of network facilities providers and the application service providers' systems to reach their customers. The services offered by content service providers are of information, entertainment, education, health, social, etc. nature, which can either be text, voice, or video clips delivered to a customer’s mobile device on request or as subscribed to by the customer.
CA is guided by the provisions of the relevant statutes, including the Kenya Information and Communications Act, 1998 (Section 25) and the Kenya Communications Regulations 2001 (Part V). The CA has a Unified Licensing Framework (ULF) in place, which is technology- and service-neutral. The ULF market is structured into three main licenses: Network Facilities Provider, Application Service Provider, and Content Service Provider.

The Environmental Management and Coordination (Extended Producer Responsibility) Regulations impose obligations for importers of used electronic goods such as licences, registration for compliance schemes and reporting to ensure that the products comply with the Extended Producer Responsibility (EPR), amongst other requirements.

It is reported that there is a requirement to obtain a Certificate of Conformity from a Kenya Bureau of Standards appointed pre-export verification of conformity (PVoC) partner. To import any commodity into Kenya, an importer has to enlist the services of a clearing agent who will process the import documentation through Kenya Customs electronically on the Simba 2005 system and clear the goods on the company's behalf. It is the seller’s responsibility to ensure that shipments to Kenya happen only after issuance of a Certificate of Conformity. In addition, products containing the QMark do not have to go through inspection for compliance upon entry into another Partner State of the East African Community.

Companies have expressed concerns regarding the prolonged duration for Kenyan Customs to release shipments, along with the excessive formalities involved. The one-stop customs clearance system in Kenya reportedly does not function as expected, and the pre-arrival processing of electronic documents is ineffective. Additionally, there are reports of inconsistent application of classification and valuation decisions within the system, as well as unnecessary transit inspections.

According to the Communications Authority of Kenya, an application for Type Approval must be made using the Application Form for Type Approval/Type Acceptance of ICT Equipment. It is reported that the homologation procedure in Kenya is more complicated than in most African countries. Depending on regulations and type of equipment, the authority may require product samples for further examination or simply issue an exemption letter. The validity period of conformity documents can be unlimited (exemption letters) or limited to 6 months (certificates of conformity) after which the authority automatically issues an unlimited certificate.

Pursuant to Section 42 (1) and (2) of the National Intelligence Service Act 2012, the Director General of Intelligence may obtain warrants from the High Court of Kenya to obtain any information and monitor communication in order to preserve national security.
Despite the law requiring a warrant, an investigation by Privacy International in March 2017 revealed that the National Intelligence Agency (NIS) has direct access to Kenya’s telecommunications networks, which allows for the interception of both communications data and content. Direct access describes situations where state agencies have a direct connection to telecommunications networks, which allows them to obtain digital communications content and data (mobile and/or internet) without prior notice or judicial authorisation and without the involvement of the telecommunications provider or internet service provider that owns or runs the network.

Section 6 of the Official Secrets Act requires “any person who owns or controls any telecommunications apparatus used for the sending or receipt of any data to or from any place outside Kenya” to provide such data to the government. Such requests may be authorised by the president’s cabinet security rather than through the courts. Those who refuse risk a one-year prison term, a fine of 1 million shillings (USD 8,800), or both.

The Kenyan government has stakes in several telecom companies. It ows 35% of Safaricom Limited, 35% of Vodacom, 5% of Vodafone and 30% of Telekom Kenya.

It is reported that Kenya does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there is an obligation of accounting separation.

Kenya has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that the Communication Authority of Kenya, the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

The National ICT Policy Guidelines (paragraph 4.4) provide that all arms of government build, deploy, operate and manage locally built back-end and front-end systems. The Guidelines also require that all Kenyan data remains in Kenya and is stored safely and in a manner that protects the privacy of citizens to the utmost.

Section 50 of the Data Protection Act provides that the Cabinet Secretary may prescribe, based on the grounds of strategic interests of the state or protection of revenue, processing of a certain nature that should only be conducted through a server or data centre located in Kenya. Regulation 26.1 of the Data Protection (General) Regulations further clarifies that, pursuant to Section 50 of the Act, a data controller or data processor who processes personal data for the purposes of strategic interests of the state outlined in Regulation 26.2 should process such personal data through a server and data centre located in Kenya; or store at least one serving copy of the concerned personal data in a data centre located in Kenya (whereby no definitions have been provided for the term 'serving copy'). The strategic purposes contemplated in Regulation 26.1 include the processing of personal data for:
- administering the civil registration and legal identity management systems;
- facilitating the conduct of elections for the representation of the people under the constitution;
- overseeing any system for administering public finances by any state organ;
- providing primary or secondary healthcare for a data subject in the country;
- offering any form of early childhood education and basic education under the Basic Education Act No. 14 of 2013; and
- running any system designated as a protected computer system in terms of Section 20 of the Computer Misuse and Cybercrimes Act.
Under the Computer Misuse and Cybercrimes Act, a protected system is defined as a computer system used directly in connection with or necessary for:
- the security, defence, or international relations of Kenya;
- the existence or identification of a confidential source of information relating to the enforcement of a criminal law;
- the provision of services directly related to communications infrastructure, banking and financial services, payment and settlement systems and instruments, public utilities, or public transportation, including government services delivered electronically;
- the protection of public safety, including systems related to essential emergency services, such as police, civil defence, and medical services;
- the provision of national registration systems; or
- such other systems as may be designated relating to the security, defence, or international relations of Kenya, critical information, communications, business, or transport infrastructure, and protection of public safety and public services as may be designated by the Cabinet Secretary responsible for matters relating to information, communication, and technology.