The Communications Authority of Kenya (CA) has mandated that telecommunication companies and managers of critical digital systems comply with new cybersecurity regulations by year-end or face sanctions. Effective January 1, 2026, all companies managing Critical Information Infrastructure (CII) must exclusively use digital certificates and Public Key Infrastructure (PKI) services from CA-approved providers.

• All designated CII systems must adopt digital certificates and PKI from licensed and accredited Electronic Certification Service Providers (E-CSPs) by January 1, 2026.
• The directive, stemming from the National Computer and Cybercrimes Coordination Committee (NC4) on August 1, 2024, applies to telecoms, banks, ISPs, e-commerce platforms, and health/government systems.
• Non-compliance could result in fines, penalties, license revocation, or public notices damaging a company's reputation.