On February 16, 2024, Kenya published the Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024, as Legal Notice No. 44 of 2024 in the Kenya Gazette. The regulations operationalize the Computer Misuse and Cybercrimes Act of 2018 and establish frameworks for monitoring, detecting, and responding to cybersecurity threats across Kenya’s digital infrastructure.
Among the key provisions, the regulations require annual cyber-risk assessments for owners of critical information infrastructure, mandate data localization for critical systems, and establish a National Cybersecurity Operations Centre as the focal point for threat monitoring and incident response. Owners of critical information infrastructure must appoint a Chief Information Security Officer and maintain backup systems for information retrieval.
While the regulations do not specifically address quantum computing threats or post-quantum cryptography migration, they create the legal and institutional framework within which future quantum-readiness measures would be implemented. Kenya’s National Public Key Infrastructure, managed by the Communications Authority of Kenya, relies on encryption standards that experts have flagged as potentially vulnerable to future quantum computing capabilities.