
LAWS OF KENYA
COMPUTER MISUSE AND CYBERCRIMES ACT
COMPUTER MISUSE AND CYBERCRIME (THE CRITICAL INFORMATION INFRASTRUCTURE AND CYBERCRIME MANAGEMENT) REGULATIONS
LEGAL NOTICE 44 OF 2024
- Published in Kenya Gazette Vol. CXXVI—No. 18 on 16 February 2024
- Commenced on 9 February 2024
1. Citation.
These Regulations may be cited as the Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024.
2. Interpretation.
In these Regulations, unless the context otherwise requires-
"Act" means the Computer Misuse and Cybercrimes Act (Cap. 79C);
"accreditation certificate" means an accreditation certificate issued by the Information and Communication Technology Authority established under the Information and Communications Technology Order (L.N. 182 of 2013);
"attribution" includes the process of tracking and identifying the perpetrators of a cyber-attack;
"auditor" means a person designated or appointed by the Director to conduct a cybersecurity audit of a critical information infrastructure as provided under regulation 33;
"certificate practice statement" means the rules and operating practices guiding the Certification Authority in providing digital certificate services which may include a description of service offered, detailed procedures for certificate lifecycle management, operational information, legal obligations or financial liabilities;
"certificate policy" means a set of rules that indicate the applicability of the certificate practice statement to a particular community or class of applications with common security requirements;
"Chief Information Security Officer" means the person designated or appointed as a Chief Information Security Officer pursuant to regulation 32;
"critical information infrastructure" means a system designated pursuant to section 9 of the Act and includes critical information infrastructure system or data and national critical information infrastructure;
"cybersecurity" means tools, policies, security safeguards, guidelines, risk management approaches, actions, trainings, best practices, assurance and technologies utilized to protect the cyber environment;
"cryptography" includes the use of system to secure information or data;
"cybersecurity incident" means an occurrence that-
3. Objects of the Regulations.
The object of these Regulations is to—
4. Guiding principles.
The guiding principles under these Regulations shall be to promote—
5. Scope of Regulations.
These Regulations shall apply to cyber security matters in the public sector and private sector, particularly—
Part II – ADMINISTRATION AND MANAGEMENT OF THE COMMITTEE
6. Responsibilities of the Committee.
7. Conduct of business of the Committee.
The conduct of business of the Committee shall be in the manner provided under the First Schedule of these Regulations.
8. Role of the Secretariat.
In performing the functions of the Secretariat provided under section 7(3) of the Act, the Secretariat shall—
Part III – CYBERSECURITY OPERATIONS CENTRES
9. Cybersecurity Operations Centres.
10. National Cybersecurity Operations Centre.
11. Sector Cybersecurity Operations Centres.
12. Critical Information Infrastructure Cybersecurity Operations Centre.
13. Outsourced capabilities.
14. Monthly briefs and compliance reports.
15. Monitoring and inspection of the Cybersecurity Operations Centres.
Subject to section 13(3) of the Act, the Director shall in collaboration with the relevant sector Regulator, and on an annual basis, monitor and inspect any Cybersecurity Operations Centres to ensure compliance with the Act and these Regulations.
16. Technical support to Cybersecurity Operations Centres.
Where there is an imminent threat in the nature of a cyber-attack that may result to a computer and cybercrime to any Cybersecurity Operations Centre, the Director may upon request, inquire or provide the requisite technical or non-technical support to the Cybersecurity Operations Centre.
17. Risk assessment and evaluation of Cybersecurity Operations Centres.
Part IV – CRITICAL INFORMATION INFRASTRUCTURE
18. Designation of critical infrastructure.
19. Notice to owner on designation.
20. Directives upon designation.
21. Failure to implement directives.
22. Gazettement of critical information infrastructure.
23. Application by owner of critical information infrastructure.
24. Consideration of application for declaration of critical information infrastructure.
Upon receiving an application for declaration of a system as critical information infrastructure under section 9 of the Act, the Director shall-
(a) be guided by the criteria specified under section 9(2) of the Act in order to determine whether the system qualifies for designation as a critical information infrastructure;
(b) evaluate the potential risk of the system, taking into account-
(i) the probability of failure, disruption or destruction of the system in question or threat thereof;
(ii) the impact and consequence of failure, disruption or destruction of infrastructure or threat thereof; and
(iii) the extent to which the designation as critical.
25. Register of critical information infrastructure.
26. Changes to critical information infrastructure.
27. Change of ownership.
28. Localisation of critical information
29. Obligations of owners.
30. Capacity building by owners of critical information infrastructure.
31. Baseline security for critical information infrastructure.
32. Designation of the Chief Information Security Officer.
33. Qualifications of the Chief Information Security Officer.
A person shall be qualified as a Chief Information Security Officer if the person-
34. Mandatory requirements.
35. Mandatory requirements for licenced operators of international or national internet gateways.
36. Integration of critical information infrastructure.
37. Protection and preservation of premises and surrounding areas.
38. Access to information infrastructure.
39. Virtual access to critical information infrastructure.
40. Register of persons accessing critical information infrastructure.
An owner of a critical information infrastructure shall keep and maintain an up-to-date register of persons having access to a critical information infrastructure.
41. Storage and archiving of critical data of information.
42. Disaster recovery of critical information infrastructure.
43. Transfer of critical information infrastructure.
44. Requirements for an auditor.
45. Powers of auditor.
An auditor shall have all powers necessary for the effective discharge of his mandate, including powers to –
46. Compliance report by owner of critical information infrastructure.
47. Requirement for audit.
48. Audit approach.
49. Content of audit report.
50. Procedure for submission of audit report.
51. National Public Key Infrastructure components.
52. Root Certification Authority.
53. Certification Authority.
54. Registration Authority.
55. Subscribers.
A subscriber shall obtain a digital certificate from a Certification Authority.
56. Responsibilities of the Committee on the National Public Key Infrastructure.
The Committee shall for purposes of managing the National Public Key Infrastructure—
Part V – CYBERSECURITY CAPABILITY AND CAPACITY
57. Cybersecurity capabilities.
58. Training Guide.
59. Framework for Information sharing arrangements.
The Committee shall for purposes of establishing effective practices to protect against cyber-threats develop a framework for information sharing for purposes of —
60. National Cybersecurity Certification Standards.
The Committee shall, in consultation with the relevant agencies, formulate National Cybersecurity Certification Standards or recommend adoption of International Cybersecurity Certifications, for purposes of —
61. Security automation and checklists for Government Systems.
62. Collaboration by Committee.
63. Database of certified cybersecurity institutions and professionals.
The Committee shall maintain an up-to-date database of certified cybersecurity institutions and professionals in Kenya.
Part VI – CYBER THREATS REPORTING
64. Objectives of reporting of cyber threats.
The basis for reporting cyber threat as contemplated under section 40 of the Act shall be to–
65. Incident reporting for critical information infrastructure.
In the event of a cybersecurity incident, the owner of a critical information infrastructure shall-
66. Reporting of cyber threats to the Committee.
67. Establishment of cybercrimes desk.
68. Cybercrimes desk personnel training and qualifications.
69. Public awareness and reporting.
70. Anonymous reporting of cyber threats.
Part VII – MISCELLANEOUS PROVISIONS
71. Adoption of best practice standards.
72. Partnerships and linkages.
Pursuant to section 12 of the Act, the Committee may enter into public-private partnerships and intergovernmental agreements, partnerships, linkages or collaborations as provided for under the relevant laws to—
73. Dispute resolution mechanisms.
74. Data Protection Act.
The Data Protection Act (Cap. 411C) shall apply to processing of personal data pursuant to the Act and these Regulations.