Introduction

The Micro, small, and medium enterprises (MSMEs) are key drivers of economic growth, job creation, and innovation in Kenya.  According to the Kenya National Bureau of Statistics 2026 Economic Survey, informal sector employment, driven overwhelmingly by MSMEs, stood at 18.1 million workers in 2025, accounting for a significant percentage of total employment. MSMEs contribute an estimated 24 to 32 percent of Kenya’s Gross Domestic Product (GDP) and remain a major source of employment.  With Kenya’s economy growing by 4.6 percent in 2025 and the formal-sector job creation unable to keep pace with labour market demand, MSMEs continued to play a central role in driving economic growth and job creation.

Given the critical role MSMEs play, any regulatory framework that affects how businesses adopt and use emerging technologies warrants careful scrutiny. It is against this backdrop that the Artificial Intelligence Bill, 2026, Senate Bill No. 4 (the Bill), sponsored by Nominated Senator Karen Nyamu and currently before the Senate, should be examined. While the Bill represents Kenya’s first comprehensive attempt to regulate artificial intelligence (AI), some of its provisions may impose significant compliance burden on smalls businesses and MSMEs.

As Kenya marks International MSMEs Day on 27th June this year under the theme, “Human-Centered Entrepreneurship in an AI-Driven Future: Economic Empowerment for the Next Generation”, the question is not whether AI should be regulated. That presents an obvious answer. Rather, the more important issue is whether the Bill currently under debate is designed with Kenya’s 7.4 million MSMEs in mind or whether it will become yet another obstacle to the growth and formalisation of small businesses in an already complex regulatory environment.

What the Bill Proposes

The Bill adopts a definition of AI that closely mirrors that in the European Union’s AI Act. It defines AI as a machine-based system or collection of technologies that leverage machine learning, data processing, algorithmic systems or other methods to operate with varying levels of autonomy and adaptiveness, inferring outputs such as predictions, content, recommendations, or decisions from inputs, and includes systems or technologies that perform tasks typically requiring human intelligence, such as automated decision-making, language processing and computer vision.

The Bill places legal responsibilities on two principal actors in the AI ecosystem: providers and developers. Providers develop AI systems and make them available on the market under their own name or brand, while deployers use or put AI systems into operation under their own authority. Individuals who use AI solely for personal and non-professional purposes are excluded from these obligations.

At the heart of the Bill is the proposed Office of the Artificial Intelligence Commissioner, which would oversee compliance, investigate violations, and enforce the law. The Commissioner would have broad powers to enter premises and inspect AI systems, issue enforcement notices, impose administrative fines and collaborate with international AI bodies while providing technical and policy guidance through an advisory committee.

The Bill adopts a four-tier, risk-based framework comprising unacceptable risk for systems that pose severe threats, high risk for systems used in critical sectors including healthcare, education, agriculture, finance, security, employment or public administration, limited risk for systems with moderate risks, and minimal risk for systems with negligible risks. Businesses operating high-risk and unacceptable-risk systems would face particularly significant regulatory requirements.

The Classification Problem in relation to MSMEs

The Bill largely draws from the European Union’s AI Act, adapting several aspects of its risk-based regulatory framework. While this provides a useful reference point, Kenya’s economic and business environment differs significantly from that of the European Union. Kenya’s economy is dominated by MSMEs, many of which operate with limited financial, technical, and compliance capacity.

A notable concern is that the Bill leaves the detailed criteria for risk classification to future regulations, creating significant uncertainty for businesses seeking to understand where their AI systems fall.  This is not a minor technical gap. This uncertainty is compounded by the Bill’s apparent focus on the sector in which an AI system is used rather than the nature and impact of the specific use case.  As a result, businesses with vastly different risk profiles may be subject to the same regulatory requirements. For instance, a large bank using AI to make lending decisions may be treated similarly to an MSME using AI for bookkeeping, invoice processing, or business analytics, simply because both operate within the financial sector.

Commentators from the African Antitrust and Competition Law network have observed that unclear risk-classification rules can hinder MSME’s ability to understand their legal responsibilities, creating uncertainty that may discourage the uptake of beneficial AI tools.

The Compliance Burden on MSMEs

For high-risk AI systems, the Bill places significant compliance obligations on those who develop or use them. Before such systems are deployed, providers and users must carry out human rights impact assessments and general risk assessments. They must also conduct data protection impact assessments, as required under the Data Protection Act, Cap. (411C). Where the AI system is likely to affect jobs, a workforce impact assessment must be undertaken, and reskilling programmes should be introduced where necessary.  In addition, the way the AI system makes decisions must be clear, traceable, and capable of being explained. Providers must also submit annual compliance reports to the AI Commissioner.

Beyond high-risk AI systems, the Bill imposes transparency obligations on all providers and deployers of AI systems, irrespective of the level of risk involved. They must disclose to users the nature, purpose, and limitations of the AI system, the extent to which decision-making is automated, and the measures taken to mitigate bias. While transparency is an important objective, applying these requirements uniformly to all businesses, regardless of their size, resources, or the sophistication of the AI tools they use, may be disproportionate. Such an approach could impose unnecessary compliance costs on MSMEs that rely only on low-risk applications, such as a mobile accounting software or automated WhatsApp chatbots to support their day-to-day operations.

The disproportionate risk presented by penalties

The Bill proposes criminal penalties of up to Kshs. 1 million or Kshs. 5 million, and imprisonment of up to six months or two years, depending on the nature of the offence. Individuals or entities that misuse AI, particularly to create false, harmful, or deceptive content such as deepfakes, may be subject to more severe sanctions.

Although the criminalisation of deepfakes represents a legitimate policy response to a genuine problem, its potential application to MSMEs raises important practical considerations. For instance, an MSME that relies on an AI image-generation tool developed by a third-party provider could potentially face liability, if the resulting content is later found to be misleading. The Bill does not clearly provide a defence for businesses that acted honestly and took reasonable steps to comply with the law, nor does it contain explicit good-faith safeguards to protect businesses from liability where they exercised due diligence and had no intention to deceive.

The Broader Regulatory Landscape

The proposed AI Bill operates alongside existing laws regulating digital businesses, including the Data Protection Act, which imposes obligations on entities that process personal data, and the Computer Misuse and Cybercrimes Act (Cap. 79C), which regulates various aspects of digital operations. For MSMEs operating in sectors such as fintech, agritech, and health technology, the introduction of a dedicated AI regulator may create additional compliance challenges. In particular, such businesses could find themselves subject to overlapping regulatory oversight from multiple agencies, including the Office of the Data Protection Commissioner (ODPC), the Communications Authority of Kenya, the Central Bank of Kenya, and the Competition Authority of Kenya. As a result, there are concerns that regulation could become fragmented, repetitive, and more costly for businesses to navigate.

To address these concerns, the Bill should provide clear guidance on the relationship between the proposed AI Commissioner and existing sectoral regulators. Establishing mechanisms for regulatory coordination would help prevent conflicting or duplicative requirements and ensure that MSMEs are not subjected to unnecessary compliance burden from overlapping regulatory mandates.

Recommendations for Parliament

As the AI Bill progresses through the legislative process, Parliament has an opportunity to ensure that it promotes responsible AI adoption without imposing disproportionate burdens on MSMEs.

First, the Bill should set out a clear, objective, and proportionate risk classification criterion in the primary legislation, rather than leaving these matters to subsidiary regulations. Businesses should be able to determine with reasonable certainty whether their AI systems fall within the high-risk category, before the Commissioner publishes regulations.

Second, compliance obligations should be proportionate to the size, resources, and role of a business. MSMEs that use off-the-shelf AI tools, should not be subject to the same regulatory requirements, as large companies that develop or deploy sophisticated AI systems at scale. The Bill should adopt a risk-based and proportionate approach, similar to that reflected in the EU AI Act.

Third, the Bill should introduce safe-harbour protections for businesses that make genuine efforts to comply with the law. Such safeguards would encourage responsible adoption of AI, while preventing well-intentioned businesses from being penalised for inadvertent non-compliance.

Conclusion

Many MSMEs in Kenya already rely on AI-powered tools, including mobile banking platforms, digital lending services, customer-support chatbots and logistics software. The Artificial Intelligence Bill, 2026 has the potential to provide a clear regulatory framework that promotes trust, protects consumers, and addresses harmful uses of AI.

However, the regulation must be proportionate and practical. Rules designed for large-scale companies using advanced AI may impose unnecessary burdens on small businesses that use basic AI applications.  As Kenya marks International MSMEs Day, lawmakers should ensure that the AI Bill fosters innovation and growth among MSMEs, rather than creating additional barriers for the businesses that form the backbone of the economy.

Download the Alert here.