On 8 February 2024, the Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations were adopted. The Director of the National Computer and Cybercrimes Co-ordination Committee oversees the designation of critical information infrastructure (CII), identifying systems and their owners, notifying them of their obligations, and requiring the appointment of a chief information security officer. Designation follows criteria set in the Act, with details published in the Kenya Gazette, except for exempt information under the Access to Information Act. Owners are notified in writing within seven days, including the reasons for designation. Within thirty days, the Director issues directives, which may cover risk assessments, security measures, incident response plans, and staff training. Non-compliance may result in a notice to show cause, potentially leading to sanctions such as reporting to the National Security Council, regulatory enforcement, or law enforcement investigations. Owners can appeal Committee decisions to the High Court. The Committee, in consultation with the owner, submits recommendations for gazettement within seven days, or the owner may apply directly. Owners may also request their systems to be designated as CII, submitting details on sector, operations, security, and risks. The Director assesses applications based on risk and impact, responding within thirty days. Approved systems are designated by Gazette notice, while rejected applications can be appealed. A designated CII register will be maintained, and owners must report changes within twenty-one days. Significant modifications require prior notification and a security assessment. Ownership changes must also be reported in advance. Non-compliance constitutes an offence under the Act.