port254

CII Cybersecurity Advisory

Kenya's CII Regulations are in force.

The compliance deadlines have passed. Most designated infrastructure operators haven't met them — we help close the gap.

Cybersecurity advisory for Kenya's designated critical information infrastructure operators — specialising in the operational technology environments (SCADA, EMS, DCS) that IT-focused firms don't cover. Anchored in IEC 62443 and Legal Notice 44 of 2024.

View Services Get in Touch

The 6-month policy deadline (Aug 2024) has passed. The annual risk assessment (Feb 2025) is overdue. 24-hour incident reporting to the Sectoral COC is mandatory now. Most designated CII owners are already behind.

9 Feb Regulations in force (2024)
24 hrs Incident reporting window
Annual Mandatory risk assessment
16 Designated CII sectors
Reg 17 · Reg 31(2)(j)

CII Risk Assessment

Annual mandatory cybersecurity risk assessment with risk register. Overdue for most designated operators. We deliver a structured assessment that satisfies the NC4 compliance requirement and gives your CISO a defensible risk posture.

Learn More →
Reg 31 · Reg 71(3)

IEC 62443 Gap Assessment

Regulation 71(3) permits CII owners to adopt global best practices on their own initiative. IEC 62443 is the only international standard purpose-built for industrial control systems — and we hold all four certificates.

View Credentials →
Reg 32 · Reg 33

CISO Advisory

Every designated CII owner must appoint a CISO. The qualification requirements are specific — and most organisations don't have a person who meets them. We help with CISO function design, policy development, and ongoing advisory support.

Learn More →
Reg 65 · Reg 31(2)(m)

Incident Response Planning

CII owners must report all cybersecurity incidents to the relevant Sectoral COC within 24 hours. Without an IR plan and tested procedures, most organisations cannot meet this obligation. We build and exercise the capability.

Learn More →

Legal Notice 44 of 2024

Kenya's CII Regulations — What They Actually Require

Annual risk assessments. Mandatory CISO. 24-hour incident reporting. Data must stay in Kenya. Annual internal audits. NC4 compliance reports. Understand the full obligation stack before your audit notice arrives.

Read the Regulations →

Sectors We Work With

Designated CII sectors under the Second Schedule of the Regulations.

Energy

Electricity generation, transmission/distribution, petroleum, natural gas

Water

Drinking water storage, distribution, quality assurance, wastewater treatment

Transport

Aviation, rail, road, maritime and port operations

Financial Services

Banking, payment systems, stock exchange