port254

CII Cybersecurity Advisory

Kenya's Critical Information Infrastructure (CII) Regulations are in force.

The compliance deadlines have passed. Most designated infrastructure operators haven't met them — we help close the gap.

Advisory for Kenya's designated CII operators, covering the operational technology layer — SCADA (Supervisory Control and Data Acquisition) systems, energy management systems, and industrial control systems — that IT security firms don't reach. Every engagement maps to Kenya's mandatory compliance obligations: annual risk assessment, CISO designation, and readiness for formal compliance audits by Kenya's CII enforcement authority.

View Services Get in Touch

Policy deadline (Aug 2024) passed. Annual risk assessment (Feb 2025) overdue. Most designated CII owners are already behind.

9 Feb Regulations in force (2024)
24 hrs Incident reporting window
Annual Mandatory risk assessment
16 Designated CII sectors
Reg 17 · Reg 31(2)(j)

CII Risk Assessment

Annual mandatory cybersecurity risk assessment with risk register. Overdue for most designated operators. We deliver a structured assessment that satisfies the Regulation 17 compliance requirement and gives your Chief Information Security Officer (CISO) a defensible risk posture.

Learn More →
Reg 31 · Reg 71(3)

IEC 62443 Gap Assessment

Regulation 71(3) permits CII owners to adopt global best practices on their own initiative. IEC 62443 is the only international standard purpose-built for industrial control systems — and we hold all four certificates.

View Credentials →
Reg 32 · Reg 33

CISO Advisory

Every designated CII owner must appoint a CISO. The qualification requirements are specific — and most organisations don't have a person who meets them. We help with CISO function design, policy development, and ongoing advisory support.

Learn More →
Reg 65 · Reg 31(2)(m)

Incident Response Planning

CII owners must report all cybersecurity incidents to the relevant Sectoral Cybersecurity Operations Centre within 24 hours. Without an IR plan and tested procedures, most organisations cannot meet this obligation. We build and exercise the capability.

Learn More →

Legal Notice 44 of 2024

Kenya's CII Regulations — What They Actually Require

Annual risk assessments. Mandatory CISO. 24-hour incident reporting. Data must stay in Kenya. Annual internal audits. Formal compliance audits by the enforcement authority. Understand the full obligation stack before a directive lands.

Read the Regulations →

Sectors We Work With

Designated CII sectors under the Second Schedule of the Regulations.

Energy

Electricity generation, transmission/distribution, petroleum, natural gas

Water

Drinking water storage, distribution, quality assurance, wastewater treatment

Transport

Aviation, rail, road, maritime and port operations

Financial Services

Banking, payment systems, stock exchange

16 sectors are formally designated under the Second Schedule — see the full list →