NAIROBI, Kenya – The Communications Authority of Kenya (CA) has directed all providers of Critical Information Infrastructure (CII) in the telecommunications sector to fully adopt approved digital certification services by January 1, 2026, as part of efforts to strengthen cybersecurity and data protection.
The directive, issued in line with cybersecurity measures from the National Computer and Cybercrimes Coordination Committee (NC4), requires all CII systems listed in Gazette Notice No. 1043 to use digital certificates, digital certification, and Public Key Infrastructure (PKI) services exclusively from Electronic Certification Service Providers licensed and accredited by the CA.
The determination was made by NC4 on August 1, 2024, and formally communicated to all affected operators this week.
CA said inspections will begin early in 2026 to verify compliance and warned that any failure to meet the requirements will amount to a regulatory breach, attracting enforcement measures provided for under existing laws.
“This directive is intended to strengthen the security of Kenya’s critical digital systems and ensure that all players in the telecommunications sector rely on trusted and verified certification mechanisms,” the Authority said in a statement.
The regulator has urged operators to start implementation early to avoid disruptions or penalties once the compliance checks commence.
Entities can access the current list of licensed and accredited Electronic Certification Service Providers via the Telecommunications Services Licensee Register on the CA website.
The Authority has also invited stakeholders seeking clarification on the compliance process to reach out through its official communication channels.
The move underscores Kenya’s push to safeguard sensitive communication networks and infrastructure amid rising cyber threats targeting both public and private systems.
