Following the December 31 deadline, the Communications Authority of Kenya (CA) is now enforcing a strict new order mandating all firms that manage critical information infrastructure to use licensed digital certificates.
The measure, which formally took effect on January 1, 2026, is aimed to improve national cyber security and secure highly sensitive digital systems for Kenya’s digital economy.
"All critical information infrastructure systems must adopt digital certificates, digital certification, and public key infrastructure services exclusively from licensed and accredited Electronic Certification Service Providers by January 1, 2026," CA said in its notice.
“Critical Information Infrastructure” includes any network, system, or asset essential to national security, public health, or economic stability, spanning sectors such as energy, finance, water, transportation, telecommunications, and government services.
The directive follows a decision taken by Kenya's National Computer and Cybercrime Coordination Committee in late 2024.
It requires any organisation listed as a critical information infrastructure provider under Gazette Notice No. 1043 to use only digital certificates and public key infrastructure services from Electronic Certification Service Providers recognised and approved by the CA.
Previously, many businesses relied on self-signed certificates or those issued by unaccredited foreign suppliers. Under the new guidelines, these are no longer adequate to ensure compliance.
The directive casts a wide net, focusing on sectors where CA says a digital failure would have a devastating impact on national security or the economy. This includes telecommunications giants like Safaricom and Airtel, commercial banks, mobile money platforms, and utility providers such as Kenya Power.
By mandating CA-licensed certificates, the Kenyan government ensures that all critical information infrastructure is part of a unified security framework managed under the national public key infrastructure.
This reduces the risk of Man-in-the-Middle attacks, where hackers intercept communication between two parties, identity spoofing, where malicious actors impersonate a bank or government server and data tampering, ensuring that sensitive financial or health records are not altered in transit.
The CA has warned that inspections will begin as early as January 14, 2026. Firms found to be non-compliant will face severe consequences, including hefty fines, license revocation and public censure.
Share
