
ForesightSO May 2026 AI Cyber security East Africa.
QUARTERLY POLICY BRIEFING
May 2026 | TECHNOLOGY & GOVERNANCE SERIES
Digital Frontiers, Shared Stakes:
The Imperative for East African Cooperation on Artificial Intelligence and Cybersecurity
East Africa is at a crossroads. The region’s digital boom — from mobile money to broadband corridors — has opened doors that were unimaginable a decade ago. But those same doors swing both ways. Without real coordination on AI and cybersecurity, the promise of a connected East Africa could be undone by the very technologies driving its growth.
| ISSUED BY: Foresight for Practical Solutions (FPS) www.foresightso.com | CLASSIFICATION: Public Policy Document May 2026 |
Executive Summary
East Africa is in the middle of one of the most remarkable digital transformations happening anywhere in the developing world right now. Mobile penetration is up, fintech is thriving, and broadband is spreading — laying the groundwork for a regional digital economy that could exceed $180 billion by 2030. But the speed of that growth has left governance, security, and policy badly behind. Critical systems are exposed. The gap in technological capability between East Africa and advanced economies is, if anything, widening.
This briefing from Foresight for Practical Solutions (FPS) makes a straightforward argument: East African states are individually ambitious but collectively under-resourced, and they need shared frameworks, joint investment, and real cooperation agreements on Artificial Intelligence and cybersecurity — now. The cost of waiting is not just economic. It is geopolitical, sovereign, and democratic.
| CORE ARGUMENT: Cooperation on AI and cybersecurity is not a technical luxury — it is a governance imperative. The region’s fragmented digital policy environment creates vulnerabilities that no single country can fix on its own. A coordinated regional architecture is the only credible path to digital sovereignty, economic resilience, and democratic integrity as technology accelerates. |
This briefing works through five areas: the regional digital landscape and where it is vulnerable; the AI governance gap; the cybersecurity threat picture; what a regional cooperation framework should look like; and concrete recommendations for governments, regional bodies, and development partners.
I. The Digital Landscape: Promise and Peril
East Africa’s digital economy has grown faster than most analysts expected. Kenya’s M-Pesa ecosystem is now a global reference point for mobile financial inclusion. Rwanda has bet its national brand on becoming the continent’s technology hub. Ethiopia — with more than 120 million people — is pushing hard on its Digital Ethiopia 2025 strategy. Tanzania and Uganda have expanded mobile coverage steadily. And Somalia, long written off as a failed state, has paradoxically built one of the most open and innovative telecoms markets on the continent.
The numbers tell the story. Internet penetration across the East African Community has climbed from under 5 percent in 2010 to over 35 percent in 2024. Mobile money accounts run into the hundreds of millions. Digital government platforms are going live across the region — handling taxes, land records, healthcare delivery.
| Country | Internet Penetration | Mobile Money Users | Digital Gov. Index |
|---|---|---|---|
| Kenya | ~42% | 32M+ | High |
| Rwanda | ~61% | 11M+ | Very High |
| Ethiopia | ~22% | 38M+ | Medium |
| Tanzania | ~38% | 28M+ | Medium |
| Uganda | ~30% | 20M+ | Medium-Low |
| Somalia | ~18% | 7M+ | Emerging |
But under this progress sit some serious vulnerabilities. Most of the region’s internet traffic flows through a handful of undersea cable landing stations — single points of failure that could cripple connectivity if disrupted. Virtually all data processing happens on servers outside the region, in Europe, the US, or increasingly China. And most EAC member states have no dedicated cybersecurity agency, no AI regulatory body, and no coherent national AI strategy to speak of.
The Sovereignty Dimension
Digital sovereignty sounds like an abstract concept until you realize what it means in practice: who controls the data, the algorithms, and the infrastructure that modern governance depends on. When a government’s financial systems, census database, or electoral infrastructure runs on foreign-owned cloud platforms subject to foreign law, that government’s sovereignty is genuinely compromised — not in theory, but operationally.
East Africa has not yet suffered a catastrophic digital sovereignty crisis. But the conditions for one are already in place. Foreign technology companies, multilateral development banks, and bilateral donors have invested genuinely in the region’s digital infrastructure — and much of that has been beneficial. But it has also created dependencies that limit strategic autonomy and, in some cases, put African governments at a systematic disadvantage in regulatory and commercial negotiations.
II. The AI Governance Deficit
AI is already being deployed across East Africa at scale — in agriculture, healthcare, education, financial services, and increasingly in public administration and security. Predictive policing tools, automated benefits eligibility systems, and AI-assisted credit scoring are in active use across multiple EAC member states. In most cases, these systems have been adopted with no accompanying regulatory framework, no audit mechanism, and no public accountability structure whatsoever.
That’s not a problem unique to East Africa — governments everywhere are struggling to regulate systems that move faster than legislation. But the stakes are especially high here, for reasons worth spelling out.
Algorithmic Bias and Democratic Integrity
AI systems trained mainly on data from wealthy countries carry built-in assumptions about human behavior, economic life, and social organization that often don’t travel well. When those systems are deployed in criminal justice, social welfare, or voter registration in an East African context, the potential for discriminatory outcomes is real — and without regional standards for transparency and accountability, affected people have no meaningful avenue for redress.
The electoral picture is particularly concerning. AI-powered disinformation tools — deepfakes, synthetic audio, automated social media manipulation — are already appearing in African electoral contexts. Several recent East African elections have featured documented cases of coordinated inauthentic behavior on digital platforms, including AI-generated content designed to suppress turnout among specific communities.
| FPS FINDING: Not a single EAC member state currently has an AI regulatory framework that is enforceable, adequately resourced, and interoperable with its neighbors. This isn’t a temporary gap — it is an accelerating risk. Every month that passes without regional coordination raises the probability of a serious, cross-border AI incident that no individual government is equipped to handle. |
The AI Investment Gap
Global AI investment surpassed $300 billion in 2024. East Africa received a fraction of a percent of that. The consequences go well beyond the numbers. As AI becomes the foundational layer of economic competitiveness — embedded in logistics, agriculture, healthcare, manufacturing — countries without domestic AI capacity will find themselves falling further behind in ways that are very hard to reverse.
Regional cooperation is the most realistic way to close that gap. No single East African state has the market size, talent pool, or capital to compete in AI development on its own. But the region collectively (over 450 million people, valuable agricultural and resource datasets, a growing technical workforce) has the raw ingredients for a meaningful AI ecosystem, if the right investment, data-sharing, and talent mobility frameworks are put in place.
- Joint regional AI research consortia, built on existing pan-African scientific networks, could pool expertise and cut duplication.
- A regional AI development fund — drawing on member state contributions, development bank lending, and diaspora investment bonds — could anchor the infrastructure investment needed.
- Harmonized data-sharing agreements would allow AI models to be trained on data that actually reflects East African populations — a basic requirement for systems that work fairly across the region.
- Regional centers of excellence in AI ethics, safety, and governance would build the institutional capacity to regulate AI responsibly over the long term.
III. The Cybersecurity Threat Environment
The cybersecurity threats facing East Africa are getting more sophisticated, more frequent, and more damaging. The region’s rapid digitization has expanded the attack surface available to malicious actors — state-sponsored and criminal alike — far faster than defensive capacity has grown. Cybercrime losses in Africa run to more than $4 billion a year, with East African countries among the most frequently targeted.
The threat picture breaks down into several distinct categories, each with different implications for how the region needs to respond.
Financial Cybercrime
Concentrating so much financial activity in mobile money platforms creates high-value targets. Attacks on mobile payment infrastructure, SIM-swap fraud at scale, and social engineering campaigns targeting mobile banking customers have caused substantial losses across Kenya, Tanzania, Uganda, and Ethiopia. These attacks are typically orchestrated from outside the region, with proceeds laundered across multiple jurisdictions — which makes them nearly impossible for any single national authority to address on its own.
Critical Infrastructure Threats
East Africa’s power grids, water systems, communications networks, and transport hubs are increasingly networked — and increasingly vulnerable. The 2021 attack on Kenya’s Integrated Population Registration Service, and multiple documented intrusions into Ethiopian government systems, are not isolated incidents; they are a preview of what happens when digital government expands without parallel investment in security. As more services go online, the consequences of successful infrastructure attacks grow proportionally.
State-Sponsored Espionage and Influence Operations
East Africa sits at the intersection of significant geopolitical competition. Multiple external powers — major Western states, China, Russia, Gulf states — maintain active intelligence and influence presences in the region, and the digital domain has become their preferred arena. Spyware targeting journalists, civil society leaders, opposition politicians, and government officials has been documented across the region. AI-powered influence operations designed to shape political discourse and election results represent an especially dangerous emerging threat.
| Threat Vector | Primary Targets | Regional Cooperation Gap |
|---|---|---|
| Financial Cybercrime | Mobile money, banking systems | No joint incident response |
| Ransomware | Government agencies, hospitals | No regional threat intelligence sharing |
| State-sponsored espionage | Officials, civil society, media | No coordinated attribution framework |
| AI disinformation | Electoral processes, public opinion | No shared content moderation standards |
| Infrastructure attacks | Power, water, telecoms | No regional CERT coordination |
The Cooperation Deficit
Despite sharing borders, economies, and increasingly digital infrastructure, East African states have no binding regional cybersecurity cooperation framework. Some bilateral information-sharing arrangements exist, but they are inconsistent, non-standardized, and narrow in scope. There is no regional CERT, no shared threat intelligence platform, and no agreed protocol for responding to a major cross-border cyber incident.
This fragmentation is not just a missed opportunity — it is itself a vulnerability. Cybercriminal networks and state-sponsored actors exploit jurisdictional gaps as a matter of routine. When threat actors know that intelligence won’t be shared across borders and joint prosecution is nearly impossible, they operate with a degree of confidence that undermines the entire regional digital ecosystem.
IV. The Case for a Regional Cooperation Architecture
The case for regional cooperation on AI and cybersecurity is built on three overlapping arguments. Economically, shared infrastructure and pooled expertise reduce duplication and lower costs. From a security standpoint, collective defense and joint threat response are simply more effective than fragmented national efforts. And from a sovereignty perspective, building regional capacity is the only way to reduce structural dependence on external actors whose interests do not always align with those of East African states and their people.
Existing Frameworks and Their Limitations
Some regional groundwork already exists. The EAC has adopted a regional cybersecurity framework. The African Union’s Convention on Cyber Security and Personal Data Protection — the Malabo Convention — provides a continental baseline. IGAD has engaged on digital governance in the Horn of Africa context. These are useful starting points.
But they all share three problems. Ratification is incomplete: the Malabo Convention has been adopted by only a small fraction of AU member states. Implementation capacity is thin: frameworks exist on paper without the institutions, budgets, or technical expertise to make them real. And none of these instruments adequately address AI — which is less a criticism of their drafters than a reflection of how quickly the technology has moved.
A Proposed Regional Architecture
FPS recommends the development of a dedicated East African Digital Cooperation Framework (EADCF), negotiated under EAC auspices and open to non-EAC states including Somalia, Djibouti, and Eritrea. The framework should rest on four institutional pillars:
| PILLAR ONE: East African Cyber Defense Alliance (EACDA). A binding mutual defense and intelligence-sharing arrangement, modeled on established international CERT networks. The EACDA would set up joint incident response protocols, a shared threat intelligence platform, and agreed procedures for attribution and coordinated response when significant cyber incidents occur. A permanent secretariat staffed by technical experts from member states would provide continuity. |
| PILLAR TWO: Regional AI Governance Council (RAGC). An intergovernmental body charged with developing harmonized AI regulatory standards, running joint algorithmic audits of high-impact AI systems in public use, and publishing annual regional AI accountability reports. The RAGC would work alongside national AI regulatory bodies where they exist, and offer technical assistance to states that are still building their own frameworks. |
| PILLAR THREE: East African AI Development Fund (EAADF). A dedicated investment vehicle, targeting $500 million over five years, to finance regional AI research, shared computing infrastructure, AI talent programs, and early-stage domestic AI ventures. Governed by a board drawn from member states, development finance institutions, and private sector partners. |
| PILLAR FOUR: Digital Sovereignty Standards Board (DSSB). A technical standards body responsible for developing and enforcing regional norms on data localization, cross-border data flows, cloud procurement, and algorithmic transparency. The DSSB would give East African states a unified voice in international standards processes — at ITU, ISO, the Global Partnership on AI — where the region is currently barely represented. |
V. Policy Recommendations
FPS offers the following recommendations to East African governments, the EAC Secretariat, IGAD, and the development partners working in the region’s digital economy.
For Heads of State and Government
- Make a firm, high-level commitment to negotiating the East African Digital Cooperation Framework within 18 months. The EAC Extraordinary Summit on Digital Governance is the natural venue for that commitment.
- Direct finance ministries to carve out dedicated domestic budget lines for cybersecurity and AI governance — treating them as national security investments, not discretionary technology spending.
- Establish or reinforce national AI advisory councils with clear mandates to align domestic AI strategy with emerging regional frameworks.
- Issue a joint regional statement on digital sovereignty: East African states have the right to regulate AI systems deployed within their borders, regardless of where those systems were built or who owns them.
For the EAC Secretariat and IGAD
- Convene a technical working group on East African cybersecurity cooperation this quarter, with a 12-month mandate to produce draft EACDA articles.
- Commission an independent regional AI readiness assessment — a clear-eyed baseline of where member states actually stand on governance capacity, infrastructure, and talent, and where the gaps are deepest.
- Set up a joint EAC-IGAD Digital Governance Task Force to make sure the broader Horn of Africa — Somalia, Ethiopia, Djibouti, Eritrea — is inside the tent from the start, not retrofitted in later.
- Develop a regional curriculum standard for cybersecurity and AI education, integrated into member state university systems, with a goal of 100,000 certified digital security professionals across the region by 2030.
For Development Partners and the International Community
- Shift digital development financing away from fragmented, country-by-country projects and toward regional architecture — starting with capitalizing the East African AI Development Fund.
- Back the development of East African AI datasets and computing infrastructure that are owned and governed regionally, not by foreign technology providers.
- Respect East African digital sovereignty in technology partnership negotiations: data processing agreements, cloud contracts, and AI deployments should comply with emerging regional standards, not circumvent them.
- Fund independent civil society capacity to monitor AI and cybersecurity governance across the region — investigative journalism, academic research, community-based digital rights work.
Conclusion
East Africa’s digital moment is genuine. The region’s young, growing, increasingly connected population represents one of the most significant concentrations of human capital and economic potential on the planet. AI and cybersecurity are not peripheral to that future — they are foundational to it.
The question is not whether East African governments will engage with these technologies. They already are, and that will only accelerate. The question is on what terms. Will the region engage with shared governance, coordinated defense, and sovereign control over the digital infrastructure that daily life increasingly depends on? Or will it engage in ways that deepen dependency, widen vulnerability, and erode the democratic accountability that citizens deserve?
The case for urgent, ambitious, and binding regional cooperation is clear. The institutions, frameworks, and investments proposed here are achievable. What they require, above all, is the political will to act on a simple truth: in the digital age, shared stakes demand shared solutions.
| FORESIGHT FOR PRACTICAL SOLUTIONS (FPS) www.foresightso.com This briefing is published for public policy purposes. Reproduction is permitted with attribution. |