Kenya: Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations including data localisation requirement entered into force

On 9 February 2024, the Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations entered into force. Owners of critical information infrastructure in Kenya must ensure that such infrastructure is located within the country. If they wish to store critical information abroad, they must apply to the National Computer and Cybercrimes Co-ordination Committee. The Committee will assess whether the application meets security standards and decide within 30 days. Factors considered include security measures, necessity, national security, public interest, data security, and operator submissions. The Committee will consult the National Security Council and relevant agencies when reviewing such applications.