The Communications Authority of Kenya (CA) has issued a directive requiring all telecommunications companies and Critical Information Infrastructure (CII) providers to adopt licensed and accredited digital certification services by January 1, 2026.
In a public notice dated October 7, 2025, the CA stated that the decision follows a determination by the National Computer and Cybercrimes Coordination Committee (NC4) made on August 1, 2024. The directive mandates that all designated CII systems use digital certificates, digital certification, and Public Key Infrastructure (PKI) services exclusively from licensed and accredited Electronic Certification Service Providers (E-CSPs).
“All systems designated as CII must adopt and only use digital certificates and PKI services from E-CSPs licensed and accredited by the Communications Authority of Kenya,” the notice reads.
Starting January 2026, the Authority will inspect licensees in the telecommunications sector to ensure compliance. Non-adherence will be treated as a regulatory breach, attracting penalties as outlined under existing laws.
Strengthening Kenya’s Digital Security
The new measure forms part of Kenya’s ongoing efforts to bolster cybersecurity, enhance data protection, and ensure the integrity of digital transactions across vital ICT infrastructure.
Digital certificates — which verify digital identities and encrypt data — play a crucial role in preventing unauthorized access and forgery. Their adoption will also make it harder to fake documents such as contracts and cheques, while enabling secure remote signing of official papers.
Moreover, the licensing framework will empower the ICT Authority to issue digital signatures for e-government services, promoting efficiency, transparency, and trust in public digital transactions.
The CA has published the list of accredited E-CSPs on its official website under the Telecommunications Services Licensee Register for industry reference.
