The Independent Electoral and Boundaries Commission (IEBC) is among the government agencies that will now be obligated to have their servers hosted locally.
This is after the Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime management) Regulations, 2024 came into effect.
The regulations — which sought to have government agencies dealing in critical information ensure that their infrastructures are domiciled in Kenya — came into force through Gazette Notice Number 44 dated February 9, 2024.
Interior Cabinet Secretary Kithure Kindiki says that these regulations will enhance the capacity of both public and private sector institutions, such as the telecommunications, banking, transport, and energy sectors, to safeguard critical digital information from cyberattacks and improve cybersecurity readiness.
The regulations effectively operationalize provisions of the Computer Misuse & Cybercrimes Act of 2018 and reinforce the role of the National Computer and Cybercrime Coordination Committee (NC4) as the leading entity in coordinating efforts to detect and respond to cybersecurity threats.
Owners of critical information infrastructure who insist on having their servers located in a foreign country will have to apply to the NC4, a body that will be headed by a Director-General.
When such an application is made, the committee shall review it, verify whether it meets the security standards provided in the regulations, and provide a verdict within 30 days.
IEBC servers
According to the regulations, critical information infrastructures cover the sectors of the country’s defence, security, banking and finance, judiciary, as well as elections.
IEBC, according to the regulations, deals in critical operations that include voter registration and voting.
The opposition (Azimio La Umoja One Kenya Coalition) contested the 2022 Presidential Election, accusing some IEBC staff and commissioners of colluding with foreigners to access the servers and tamper with election results in favour of President William Ruto.
During the said presidential petition, Azimio Presidential Candidate Raila Odinga and his running mate Martha Karua argued that IEBC had four servers (two in the country and two outside the country), but only one (based in Venezuela) was transmitting “manipulated election results”.
In the event of a cybersecurity incident, the regulations dictate that only authorised individuals will have immediate access to critical information infrastructure.