Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations, Legal Notice 44 of 2024. In force since 9 February 2024.
Kenya's CII Regulations establish mandatory cybersecurity obligations for operators of Critical Information Infrastructure — infrastructure whose disruption would have a significant impact on public health, safety, the economy, or national security.
Governing Act: Computer Misuse and Cybercrimes Act 2018 (Cap. 79C)
Operative Regulations: Legal Notice 44 of 2024, commenced 9 February 2024
Enforcement Authority: Director, National Computer and Cybercrimes Co-ordination Committee (NC4)
CII Designation: 16 sectors formally designated, including Energy, Water, Transport, Financial Services, ICT
Key deadlines from the date of commencement — 9 February 2024. Most obligations are already due.
All mandatory obligations under Legal Notice 44 of 2024 take effect. Designated CII owners are immediately bound by the access control, data localisation, outsourcing notification, and incident reporting requirements.
CII owners were required to formulate, review and update organisational policies, procedures and codes of practice to ensure the protection, preservation and management of their CII. This deadline has passed; operators that have not yet done so are already in breach.
The first annual mandatory cyber-risk assessment was due within 12 months of commencement. The Director may issue directives requiring designated CII owners to conduct this assessment. The obligation now recurs annually.
24-hour incident reporting to the Sectoral Cybersecurity Operations Centre, CISO designation, security logging and monitoring, penetration testing, annual internal audits, risk register maintenance, and disaster recovery planning are all continuous, ongoing obligations.
What the Regulations require of designated CII owners, organised by category.
Every designated CII owner must appoint a Chief Information Security Officer. The CISO must be a Kenyan citizen, hold a master's degree in information security or a related field, and have at least five years of demonstrable professional experience in CII protection. Multiple CII owners may jointly appoint a single CISO.
Annual cybersecurity risk assessment to identify existing vulnerabilities is mandatory. Results must be maintained in a live cybersecurity risk register that catalogues and profiles the information and cyber risks to the CII.
CII owners must conduct annual internal cybersecurity audits to check compliance with the directives issued under Regulation 20. These complement the external NC4 audit regime and feed into the compliance report.
All cybersecurity incidents must be reported to the relevant Sectoral Cybersecurity Operations Centre within 24 hours of the owner becoming aware of them. Reports are made on Form CMCA 7, which requires the incident classification, impact details, response steps taken, and third parties informed.
CII and the critical information it contains must be domiciled and located in Kenya. Any intention to store critical information outside Kenya requires a formal application to and approval from the Committee, in consultation with the National Security Council.
Organisational policies, procedures and codes of practice must be formulated and reviewed annually. They must specify storage and archiving procedures, modalities for sharing CII within the organisation and with third parties, and data lifecycle management procedures.
Regulation 39(d) requires CII owners to adopt procedures for conducting regular security audits and penetration testing to identify vulnerabilities and system weaknesses. This is an explicitly named mandatory measure for virtual access to CII — not a recommendation.
CII owners must establish a disaster recovery and backup site that is geographically distinct from the primary CII location. The backup site must support full data retrieval and system restoration. Routine periodic backup procedures are required.
Identification, classification and cataloguing of all CII assets is a baseline security requirement. Background checks on all personnel handling CII information or data are also mandatory — covering employees, contractors, and service providers.
A cybersecurity awareness programme covering incident response, insider threats, risk assessment, and emerging technologies must be implemented. CII owners must also participate in cybersecurity exercises and drills in collaboration with the Committee and other CII sectors.
Owners of critical information infrastructure may on their own initiative identify, evaluate and adopt global best practices and operational standards on cybersecurity. IEC 62443 is the recognised international best practice for OT/ICS security — the appropriate standard for energy, water, and transport CII.
Where any capability relating to the management or operation of CII is outsourced, the owner must notify the Committee and enter written agreements with the service provider. The service provider must comply with the same security standards as the CII owner.
NC4 auditors follow Form CMCA 6 — the prescribed audit report template under Regulation 49. Compliance and risk-based approaches are both used (Regulation 48). Auditors may enter premises with 30-day notice and require the production of any documents.
The audit template does not explicitly list IEC 62443. For OT-heavy CII — energy, water, transport — this is the appropriate standard. We map your OT environment to IEC 62443 and prepare you for audit on the domains that matter most to your infrastructure.
The Second Schedule to the Regulations lists the critical sectors. Formal designation of specific infrastructure was published in the Kenya Gazette on 31 January 2022.
Not sure which obligations apply to your organisation, or how far behind you are? We start with a structured compliance gap mapping — identifying what the regulations require, what you have, and what needs to be done.