CA Sets January 2026 Deadline for ICT Firms to Adopt Licensed Digital Certificates


Telecom companies and managers of key digital systems have been put on alert after the Communications Authority of Kenya (CA) issued a public notice requiring compliance with new cybersecurity regulations by the end of the year. 

In a notice on Tuesday, October 7, the CA announced that by January 1, 2026, all companies that manage Critical Information Infrastructure (CII) must start using digital certificates and Public Key Infrastructure (PKI) services from providers that are officially approved by the Authority.

 "Pursuant to the determination made by the National Computer and Cybercrimes Coordination Committee (NC4) on August 1st, 2024 which directed that all systems that are designated as Critical Information Infrastructure (CII) as stipulated in Gazette Notice No. 1043, MUST adopt and only use digital certificates, digital certification and Public Key Infrastructure (PKI) services from Electronic Certification Service Providers (E-CSPs) who have been both licensed and accredited by the Communications Authority of Kenya," a statement from the CA read. 

Digital certificates essentially act like electronic ID cards for websites and systems, while PKI is the technology that protects sensitive data. PKI uses cryptographic keys and digital certificates to authenticate systems and users and to secure data in transit.


These digital certificates help confirm that a website is safe to use, and they ensure that data shared between users and the system is encrypted and protected from unauthorised access.

The directive was first introduced by the National Computer and Cybercrimes Coordination Committee (NC4) in August 2024 and requires all CII systems designated under Gazette Notice No. 1043 to exclusively use digital certificates and Public Key Infrastructure (PKI) services from licensed and accredited E-CSPs.

In the notice, the CA also announced that from January 2026, there will be a concerted effort to crack down on licensed operators to ensure compliance with the cybersecurity requirements. 

Failure to adhere to the directive will be treated as a regulatory breach, and the companies will be subjected to punishment as per available laws and frameworks. 

Notably, the new regulations also apply to functioning and legitimate companies that manage Critical Information Infrastructure (CII), such as telecoms, banks, ISPs, e-commerce platforms, and health or government systems.

All these entities, going forward, must use certificates from licensed E-CSPs as part of the CA's plan to strengthen cybersecurity across the country.

If, for example, a telecoms company is found to be using self-signed digital certificates instead of those issued by a licensed and accredited Electronic Certification Service Provider (E-CSP), it will be classified as non-compliant and can be subjected to fines and penalties. 

In the worst-case scenario, the CA can revoke the company's licenses, or a public notice of the company's non-compliance can be published, thereby damaging its reputation. 

Elsewhere, the CA also recently invited the public to share their views on the new licenses before they are approved. The authority said it was seeking public comments and objections regarding several applications for broadcasting, postal and telecommunications licenses.
