Kenya: Directive on use of digital certification services by critical information infrastructure (CII) providers enters into force

On 1 January 2026, a Directive on the use of digital certification services by Critical Information Infrastructure (CII) providers enters into force. It requires designated CII systems in sectors such as telecommunications, banking, and healthcare to use digital certificates and Public Key Infrastructure services exclusively from licensed and accredited Electronic Certification Service Providers. The Directive follows a determination by the National Computer and Cybercrimes Coordination Committee and aims to strengthen cybersecurity by ensuring system and user authentication and by securing data in transit through cryptographic keys.