Kenya has emerged as a leading hub for data centre investment in Africa, with Nairobi attracting major digital players due to its secure and reliable infrastructure.
By John Syekei, partner and head of IP and technology, and Richard Odongo, senior associate, of Bowmans Kenya
The rapid growth of sectors like fintech, e-commerce, and AI is driving demand for scalable data solutions, supported by evolving legal and regulatory frameworks.
A data centre is a large, centralised group of networked computer servers typically used by organisations for the remote storage, processing, or distribution of large amounts of data. Purpose-built for round-the-clock operations, data centres, unlike ordinary server rooms, incorporate critical IT infrastructure such as servers, storage systems, and networking equipment, alongside industrial-grade cooling systems, backup power supply, and robust physical and cyber security protocols.
In Kenya, leading providers operate tier III-certified facilities in Nairobi and Mombasa. These centres support a range of services, including mobile banking, data sets and internet traffic flowing through various submarine cables, making them a critical enabler of Kenya’s digital ecosystem.
Legal and regulatory landscape
While Kenya is yet to introduce a single, unified legal framework specifically governing data centres, the sector is currently regulated through a layered approach that draws upon the country’s data protection, information and communications technology (ICT), and environmental laws. However, there is an ongoing regulatory review process in Kenya, undertaken by the Communications Authority.
As part of the ongoing review process, the Communications Authority CA”) published a Public Consultation Document in January 2025 relating to the proposed review of the telecommunications market structure in Kenya and the public consultation process is almost complete.
These regulatory changes will likely impact the framework concerning data centres in Kenya.
Layered approach
The Data Protection Act, 2019 (DPA) and its regulations form the cornerstone for data governance in Kenya. The DPA requires that personal data processed or stored in a data centre is handled lawfully, transparently and securely, with strict rules on cross-border transfers and data subject rights. For instance, the Data Protection (General) Regulations, 2021 require that any data centre established for the processing of personal data in connection with a strategic interest of the State must be in Kenya and must store at least one serving copy of the concerned personal data in a Kenyan-based data centre.
Complementing this is the Computer Misuse and Cybercrime Act, 2018 (CMCA), which addresses data security at a data centre by criminalising, among others, unauthorised access, interference, interception, disclosure, misdirection and destruction of data.
ICT sector regulation
The Kenya Information and Communications Act (KICA) and its regulations, overseen by the CA, govern licensing, network infrastructure and cybersecurity. Upcoming legislative changes are expected to reaffirm the CA as the main regulator for data centres.
Under proposed rules from the CA’s recent telecommunications market structure review, data centre operators would need different licences (NFP-T1, T2/ASP) based on their services. International data centre tiering will not be made a requirement under the licences but operators will make their own decisions on whether to subscribe to the practice.
Environmental and land
Data centres require physical space for their establishment and operations, making them subject to the country’s land use and environmental laws, most notably the Physical and Land Use Planning Act, 2019, and the Environmental Management and Coordination Act, 1999. Compliance includes, obtaining all necessary permits and conducting an environmental impact assessment.
Establishment of data centres
Establishing a data centre in Kenya involves multiple licensing and regulatory steps. A prospective operator must first register the business with the Business Registration Services (BRS), then obtain an NFP licence from the CA by submitting the prescribed application and paying the prescribed fees. The business must also register with the Office of the Data Protection Commissioner as a data controller or processor.
Operators are required to secure a single business permit from the relevant county government where the facility is located, along with fulfilling other standard business compliance requirements such as tax registration and employment-related registrations. For data centres established within special economic zones, the Special Economic Zones Authority may facilitate these processes by consolidating approvals and expediting operational timelines.
Technical and operational standards
Kenya lacks a formal regulatory framework for data centres, but the Government Data Centre Standard, 2023, issued by the ICT Authority, serves as a key guideline.
This standard, though designed for government facilities, is widely adopted by private operators and covers site selection, layout, redundancy, environmental controls (cooling, power, fire safety), cabling, operations, physical security, maintenance, and service level agreements (SLAs).
Key requirements include avoiding high-risk locations (for example, near airports, highways, chemical plants), installing 24/7 HVAC, backup generators, UPS, and automatic fire detection/suppression systems. SLAs must ensure at least 99.99% service availability. The standard also mandates compliance with international benchmarks such as the Uptime Institute’s Tier Standard, ISO/IEC 27001, and TIA-942.
Contracting structures and service models
Once operational, data centres offer businesses a variety of commercial models.
Co-location agreements
Customers rent space within a data centre to house their own hardware, while the provider supplies power, cooling, security and the facility. Customers manage their own equipment, and contracts specify terms of use, SLAs, pricing, responsibilities, liability, and termination conditions.
Managed hosting & IaaS agreements
In managed hosting, the provider supplies and operates the hardware and infrastructure, ensuring uptime and data recovery per SLAs. With IaaS, the provider delivers the infrastructure, but customers manage their own operating systems, applications, and data.
Cloud service integration agreements
Data centre providers host and integrate public or hybrid cloud services (e.g., AWS Outposts, Azure Stack) into customers’ IT environments. Agreements focus on seamless cloud integration, bandwidth, and compliance with security standards.
Enterprise agreements and build-to-suit models
These bespoke contracts with large enterprises involve leasing dedicated spaces and custom terms for software, services, space, access controls, audit rights, and exit strategies.
Key considerations in include:
- Data sovereignty and compliance clauses
- Clearly defined SLAS addressing uptime, power, cooling efficiency, and technical support
- Limitation of liability and force majeure provisions
- Disaster recovery and business continuity requirements
- Access control, security, and audit rights.
Emerging trends
- The Kenya Cloud Policy (2024) introduces a cloud-first approach, encouraging organisations to prioritise the adoption of cloud computing technologies over traditional on-premises infrastructure. This is expected to stimulate increased investment in cloud services across the country.
- Data localisation, mandates that certain categories of data, particularly sensitive or restricted data, be stored or processed within the country’s borders. The primary objective is to ensure national data sovereignty over critical data and to enhance domestic data security capabilities. In This approach is expected to drive the development of local data centres and attract increased investment in the country’s data infrastructure ecosystem. The draft Kenya Information and Communications (Infrastructure sharing) Regulations, 2025 aim to reduce ICT infrastructure duplication by setting clear rules for co-location and both passive and active infrastructure sharing, including non-replicable assets. For data centres, this will standardise shared use of fibre, towers, and data hall space, making collaboration the industry norm.
- Global sustainability trends and Kenya’s BETA agenda are driving demand for green cloud computing and energy-efficient data centres. Operators are expected to adopt renewable energy and meet carbon reduction targets.
Kenya’s data centre landscape is experiencing significant evolution, driven by the convergence of digital transformation, increasing demand for infrastructure and growing investor interest. As the country positions itself as a regional hub for digital connectivity, investors and operators must engage with a complex yet maturing legal and commercial environment.
Sustained success in the sector will require not only strategic site selection, but also strict adherence to regulatory requirements, responsiveness to emerging trends, and the adoption of resilient contracting practices that support operational stability and sustainable growth.