Kenya: National Treasury closes consultation on Virtual Asset Service Providers Regulations 2026 including cybersecurity regulation

On 10 April 2026, the Cabinet Secretary for the National Treasury closes the consultation on the draft Virtual Asset Service Providers Regulations 2026. The Regulations are issued pursuant to section 49 of the Virtual Asset Service Providers Act 2025 (Act No. 20 of 2025). Regulation 93 would require licensees to maintain a cybersecurity strategy, including organisational, human and technological resources to prevent or rectify system and process failures, continuity of operations arrangements, and monitoring mechanisms to detect and prevent cyber incidents. Licensees would be required to ensure senior officer oversight of cybersecurity systems with clearly defined roles and responsibilities, maintain documentation of internal processes, and provide periodic cybersecurity training to all staff. The cybersecurity strategy would be required to be reviewed at least annually and following any cybersecurity incident, with results submitted to the board of directors within one month of the review. Regulation 94 would require that systems and controls be adequate and suitable for the performance of virtual asset business, encompassing confidentiality, accessibility, integrity, maintenance of systems and infrastructure, and procedures to address updates including forks. Licensees would be required to conduct vulnerability assessments, risk assessments and penetration testing on a bi-annual basis in the first year of licensing and at least annually thereafter, and maintain audit trail systems capable of complete and accurate reconstruction of all financial transactions. Under regulation 96, licensees would be required to notify the relevant regulatory authority within 24 hours of any cybersecurity attempt, successful or unsuccessful, and submit a full report within 5 working days where the attempt was successful. Regulation 97 would require preparation of a cybersecurity audit report covering system integrity, identified cybersecurity risks and the cybersecurity programme implemented. Nationwide public participation forums were held between 30 March and 10 April 2026.