The Strategic Context of Kenya’s Cloud-First Mandate

The Kenya Cloud Policy (KCP) 2025 represents a landmark regulatory initiative, transforming the operational landscape of Information and Communications Technology (ICT) across the Kenyan public sector. Rather than merely recommending cloud adoption, the policy establishes a mandatory framework designed to leverage cloud computing to accelerate digital transformation, enhance service delivery, and fundamentally restructure the government’s approach to data management and security.   

Policy Genesis: Vision 2030 and BETA Alignment

The KCP 2025 was formulated under the auspices of the Ministry of Information, Communications, and the Digital Economy (MICDE) as a core component of Kenya’s overarching national development strategy. The policy is explicitly aligned with foundational national agendas, including Kenya Vision 2030, the Bottom-up Economic Transformation Agenda (BETA), and the National ICT Policy. This alignment positions cloud adoption not as an IT upgrade, but as a strategic enabler for macroeconomic objectives, focusing on cost savings, innovation, enhanced cybersecurity, and driving economic growth.

The rationale underpinning the policy addresses several critical challenges faced by traditional on-premises IT infrastructure within Ministries, Counties, and Agencies (MCAs). These challenges include financially burdensome maintenance, high costs associated with hardware upgrades and resource redundancy, inherent security risks due to often-outdated on-premises protections, persistent issues with scalability, and the detrimental operational effects of fragmented data silos, which reduce collaboration and efficiency. By incentivizing the shift to cloud infrastructure and solutions-based services, the government aims to create a more controlled, efficient, and secure information-sharing environment.   

The economic foresight driving the KCP 2025 is substantial. The cloud computing market size in Kenya was estimated at US$959.0 million in 2024, with a projected Compound Annual Growth Rate (CAGR) of 9.08% through 2032. The digital economy, accelerated by this policy, is expected to contribute KSh 662 billion to the Gross Domestic Product (GDP) by 2028, and cloud adoption alone is forecast to contribute as much as KSh 1.4 trillion (approximately $10–12 billion) to the economy by 2033. This projected value underscores the strategic necessity for compliant, high-quality public sector cloud implementation.   

The Defining ‘Cloud-First’ Mandate and Immediate Technical Timelines

The KCP 2025 establishes a definitive ‘cloud-first’ mandate. This requirement compels all public entities to prioritize cloud-based solutions when making any ICT investments. This covers a vast scope of technological acquisition and deployment, including infrastructure, hardware, software, information security, licensing, storage, data provision, and specific services such as security, development, and virtualization. Exemptions from this mandate may only be granted upon approval by the Cloud Adoption Committee (CAC).   

This mandate has immediate, high-pressure implications for engineering teams. The policy, which was officially published and in force as of May 2, 2025, dictates a critical operational timeline. Public entities are required to implement a phased migration plan, guided by the national cloud framework, within twelve months of the policy’s publication. This compressed timeline generates an intense, immediate, and sustained demand for technical professionals capable of executing compliant cloud migration at scale.

This accelerated timeline directly produces a projected critical skill gap. The public sector must now rapidly acquire or upskill personnel capable of managing complex migrations while adhering to strict regulatory frameworks. The high market demand for these specialized skills is driving up compensation, with Cloud Architects commanding annual salaries between Ksh 1.8 million and Ksh 3.5 million. This phenomenon is a direct consequence of the policy’s aggressive implementation deadline, forcing public institutions to compete with the private sector for a scarce talent pool.

Governance and Oversight Mechanisms

Effective policy implementation relies on structured institutional oversight. The policy is governed by several key agencies, which dictate technical standards and compliance requirements:

  1. Ministry of Information, Communications, and the Digital Economy (MICDE): Retains overall authority for policy formulation and guiding the national cloud framework.
  2. The Cloud Adoption Committee (CAC): This committee holds a critical, gatekeeping function. It is responsible for the registration and accreditation of all Cloud Service Providers (CSPs) that intend to offer services to the Government. The CAC’s decisions effectively determine which vendors have market access for government contracts.
  3. ICT Authority (ICTA): The ICT Authority is mandated to set and enforce ICT standards and guidelines across the public service, including the pivotal Government Enterprise Architecture (GEA) Framework. ICTA ensures a coherent and unified approach to ICT acquisition, deployment, management, and operation across all Ministries, Counties, and Agencies (MCAs).
  4. Office of the Data Protection Commissioner (ODPC): Oversees compliance with the Data Protection Act (DPA) 2019, including mandatory registration of data controllers and processors, and providing guidance on Data Protection Impact Assessments (DPIAs).

The policy demands that CSPs adhere to international compliance standards prescribed by regulatory authorities and maintain meticulous documentation of data hosting locations, along with real-time tracking of data movement across jurisdictions. This requires technical collaboration between engineering teams and regulatory bodies from the inception of any cloud project.   

Legal and Regulatory Compliance Blueprint: Data Sovereignty and Segregation

The KCP 2025 is intricately woven with existing statutory frameworks, primarily the Data Protection Act (DPA) 2019 and the Computer Misuse and Cybercrimes Act (CMCA) 2018. For DevOps and Cloud Engineers, these laws are not peripheral legal matters but fundamental technical specifications that must be enforced programmatically within the infrastructure architecture.   

The Mandated Data Classification Framework: A Technical Requirement

The policy’s reliance on data sovereignty necessitates a mandatory data classification framework. Data is categorized into three tiers: Top Secret, Secret, and Non-Sensitive/Open Data. This classification is the primary determinant of the mandatory hosting location and the required security controls.   

This framework mandates a comprehensive pre-procurement exercise. Public entities are required to conduct thorough data classification exercises before initiating any cloud procurement. The exercise ensures that data sensitivity is accurately mapped to appropriate hosting models and vendor capabilities, shifting procurement selection criteria from purely cost-based metrics to mandatory compliance and security alignment.   

Data Residency, Sovereignty, and Localization Rules

The localization rules create a tiered, or bifurcated, cloud architecture that technical professionals must design for:

  1. Top Secret/Secret Data: This highly sensitive data category must be hosted within a Government Cloud Service Provider (CSP) utilizing a private or Government dedicated cloud infrastructure located physically within Kenya.
  2. Restricted Data (often encompassing Open Data): This data must be hosted with Government CSPs in a public cloud infrastructure located in Kenya. Alternatively, Open data may be hosted by a suitable third-party CSP subject to approval by the CAC, provided the Government CSPs do not meet the required standards.

The technical implication of these rules is the establishment of a Sovereign Cloud Imperative. Architects must devise hybrid or multi-cloud strategies that guarantee classified data never leaves the dedicated Kenyan environment while non-sensitive workloads leverage the scale and services of international hyperscalers. This necessity guarantees investment and growth in specialized local sovereign cloud stacks, requiring expertise in complex cross-border data flow management and highly resilient network boundaries between disparate cloud environments.

Compliance with the Data Protection Act (DPA), 2019

The DPA 2019 governs the handling of personal data and is a cornerstone of cloud compliance. Public sector organizations are classified as “Public entities” and are mandated to register as Data Controllers or Data Processors with the ODPC, regardless of their size or annual turnover.   

For Cloud Engineers, the DPA translates into concrete technical requirements, which collectively form the basis of a SecDevOps mandate:

  • Lawful Processing: Data processing must adhere to principles such as lawfulness, fairness, and transparency; data must be adequate, relevant, and limited to what is necessary for its purpose. This requires engineers to implement robust logging, auditing, and fine-grained access controls to demonstrate compliance with legal grounds for processing.
  • Data Protection Impact Assessments (DPIA): Organizations must adhere to strict security standards and conduct DPIAs for sensitive data. The ODPC guidance mandates DPIAs for activities involving high-risk processing, such as automated decision-making. The technical team is responsible for providing the necessary documentation regarding encryption, segregation, and access control mechanisms for the DPIA process.
  • Data Residency and Transfer: The DPA strictly regulates the transfer of personal data outside Kenya, requiring confirmation of appropriate safeguards and often the explicit consent of the data subject. Cloud Architects designing data pipelines involving cross-border transfers must prove adherence to these legal safeguards, reinforcing the localization mandate of the KCP 2025.

Cybersecurity Obligations under the Computer Misuse and Cybercrimes Act (CMCA), 2018

The CMCA 2018 provides the statutory framework for cybersecurity, aimed at protecting the confidentiality, integrity, and availability (CIA triad) of computer systems and data. The Act criminalizes various offenses, including unauthorized access, data breaches, illegal interception, computer fraud, and cyberespionage.   

For cloud deployments, adherence to CMCA demands a security-first approach to infrastructure design:

  • Prevention of Unauthorized Access: This requirement necessitates robust Identity and Access Management (IAM) policies, continuous monitoring, and intrusion detection systems integrated into the cloud environment. Cloud configurations must be hardened to prevent the unauthorized access explicitly prohibited by the Act.
  • Service Provider Accountability: The Act holds Cloud Service Providers (CSPs) accountable for misuse of their platforms, requiring them to cooperate with law enforcement and report suspicious activities. Engineers deploying workloads on CSPs must ensure robust logging, real-time security telemetry, and audit trails are established and maintained to facilitate potential investigations and prosecution of cybercrimes.

The confluence of DPA and CMCA transforms security from a traditional perimeter defense model to an embedded function within the entire development lifecycle. The implementation of security controls must be programmatic and continuous, enabling the “shifting left” of security practices to prevent policy violations before deployment.
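The logging and monitoring obligations above (unauthorized-access prevention, audit trails that support investigations, and tracking of data movement across jurisdictions) are easiest to see as detection logic running over the audit trail. The following is an added example, not code from the policy, ICTA or any cloud provider: it evaluates a constructed set of audit events in a generic JSON-lines shape. The region names, action names and thresholds are assumptions chosen for illustration, not real provider identifiers.

```python
"""Detection over constructed cloud audit events (added example; not from the policy or any CSP)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions: placeholder region and action names, not a real provider's identifiers.
KENYA_REGIONS = {"ke-nairobi-1", "ke-mombasa-1"}
TRANSFER_ACTIONS = {"CopyObject", "ReplicateObject", "ExportSnapshot"}
LOG_TAMPER_ACTIONS = {"StopLogging", "DeleteTrail", "DisableAuditLog"}
DENIED_THRESHOLD = 5                  # AccessDenied events per principal ...
DENIED_WINDOW = timedelta(minutes=10)  # ... within this sliding window raise an alert


def parse_events(jsonl_text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def detect(events):
    """Return a list of alert dicts; events are processed in timestamp order."""
    alerts = []
    denied_times = defaultdict(deque)  # principal -> timestamps of recent AccessDenied events
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        principal, action, result = ev["principal"], ev["action"], ev.get("result")

        # Rule 1: burst of AccessDenied from one principal (unauthorized-access attempts).
        if result == "AccessDenied":
            window = denied_times[principal]
            window.append(t)
            while window and t - window[0] > DENIED_WINDOW:
                window.popleft()
            if len(window) >= DENIED_THRESHOLD:
                alerts.append({"rule": "REPEATED_ACCESS_DENIED", "principal": principal,
                               "source_ip": ev.get("source_ip"), "count": len(window),
                               "time": ev["time"]})
                window.clear()  # one alert per burst

        # Rule 2: successful data movement to a region outside Kenya (cross-border transfer).
        if action in TRANSFER_ACTIONS and result == "Success" \
                and ev.get("dest_region") not in KENYA_REGIONS:
            alerts.append({"rule": "CROSS_BORDER_TRANSFER", "principal": principal,
                           "resource": ev.get("resource"),
                           "dest_region": ev.get("dest_region"), "time": ev["time"]})

        # Rule 3: the audit trail itself being switched off.
        if action in LOG_TAMPER_ACTIONS and result == "Success":
            alerts.append({"rule": "AUDIT_LOG_TAMPER", "principal": principal,
                           "resource": ev.get("resource"), "time": ev["time"]})
    return alerts


# Constructed sample trail (TEST-NET addresses, placeholder principals and resources).
SAMPLE_EVENTS = """
{"time": "2025-06-02T08:00:05+03:00", "principal": "svc-portal", "action": "GetObject", "resource": "land-registry-records/parcel-0041", "result": "AccessDenied", "source_ip": "203.0.113.10"}
{"time": "2025-06-02T08:00:40+03:00", "principal": "svc-portal", "action": "GetObject", "resource": "land-registry-records/parcel-0041", "result": "AccessDenied", "source_ip": "203.0.113.10"}
{"time": "2025-06-02T08:01:15+03:00", "principal": "svc-portal", "action": "GetObject", "resource": "land-registry-records/parcel-0042", "result": "AccessDenied", "source_ip": "203.0.113.10"}
{"time": "2025-06-02T08:01:50+03:00", "principal": "svc-portal", "action": "GetObject", "resource": "land-registry-records/parcel-0043", "result": "AccessDenied", "source_ip": "203.0.113.10"}
{"time": "2025-06-02T08:02:30+03:00", "principal": "svc-portal", "action": "GetObject", "resource": "land-registry-records/parcel-0044", "result": "AccessDenied", "source_ip": "203.0.113.10"}
{"time": "2025-06-02T08:10:00+03:00", "principal": "analyst-01", "action": "GetObject", "resource": "land-registry-records/parcel-0042", "result": "AccessDenied", "source_ip": "10.20.4.7"}
{"time": "2025-06-02T08:11:00+03:00", "principal": "analyst-01", "action": "GetObject", "resource": "land-registry-records/parcel-0042", "result": "Success", "source_ip": "10.20.4.7"}
{"time": "2025-06-02T09:00:00+03:00", "principal": "admin-ke", "action": "ReplicateObject", "resource": "open-data-portal/budget-2025.csv", "dest_region": "ke-mombasa-1", "result": "Success", "source_ip": "10.20.1.3"}
{"time": "2025-06-02T09:05:00+03:00", "principal": "admin-ke", "action": "CopyObject", "resource": "citizen-registry-export.csv", "dest_region": "eu-west-1", "result": "Success", "source_ip": "10.20.1.3"}
{"time": "2025-06-02T09:30:00+03:00", "principal": "ops-bot", "action": "StopLogging", "resource": "audit-trail-main", "result": "Success", "source_ip": "10.20.9.9"}
"""

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

The cross-border rule fires on every transfer whose destination is outside the Kenyan regions, including open data that may legitimately leave the country with CAC approval; the alert is the prompt to check that the approval and DPA safeguards exist, which is the "real-time tracking of data movement" the policy asks CSPs to maintain.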

The Technical Compliance Framework: GEA and ICTA Standards

The ICT Authority (ICTA) translates the government’s digital vision into practical engineering requirements through the Government Enterprise Architecture (GEA) Framework. The GEA and its accompanying standards serve as the core technical blueprint for public sector cloud adoption, dictating how cloud solutions are acquired, deployed, and managed.

Government Enterprise Architecture (GEA) Framework Overview

The GEA Framework defines the minimum components of an ICT Plan and provides standards and guidelines for implementation across all Ministries, Counties, and Agencies (MCAs). The overarching goal of the GEA is to ensure a “coherent and unified approach” to ICT, promoting service integration, adaptability, and cost savings through economies of scale in ICT investments.   

The GEA is not static; it builds a blueprint for improving government programs by aligning business processes, information flows, and technology consistently across the government. Its vision is to provide seamless integration for citizen services empowered through inter-departmental collaboration via ICT standardization.   

The enforcement of these GEA standards is rigorous. The ICT Authority’s Directorate of Programmes and Standards has the oversight role for management and enforcement and conducts quarterly audits in all MCAs to determine compliance. Achieving compliance earns agencies a certificate from ICTA. Conversely, failure to comply with these architecture principles or standards results in substantial operational and regulatory risk, confirming that compliance is a continuous operational priority, not a one-time setup.   

Mandatory Cloud Computing Standards (ICTA-8.002:2019)

The ICTA-8.002:2019 Cloud Computing Standard offers specific mandatory controls regarding the adoption of cloud services. This standard covers deployment models (Private, Public, Hybrid, Community Cloud) and service models (SaaS, PaaS, IaaS).   

A non-negotiable requirement of this standard is the Risk Evaluation Mandate. Specifically, a cloud computing solution shall only be considered after a thorough risk evaluation, performed according to the GoK Information Security Standard, has been completed, reviewed, and formally accepted by the MCA’s Chief Information Security Officer (CISO) or delegate. This formal sign-off step elevates the importance of risk management within the deployment process, requiring DevOps and Cloud Engineers to document and justify security controls against identified threat vectors.   

Information Security Standard and International Alignment

The KCP 2025 mandates that CSPs adhere to internationally recognized compliance standards. This requirement is a direct technical specification for Cloud Security Engineers. CSPs must conform with ISO standards, including:

  • ISO/IEC 27001: For overall Information Security Management Systems (ISMS).
  • ISO/IEC 27002:2022: For Information Security, Cybersecurity, and Privacy Protection.
  • ISO/IEC 27017: Code of practice for information security controls for cloud services.
  • ISO/IEC 27018: Code of practice for protection of Personally Identifiable Information (PII) in public clouds.

Public sector customers utilizing cloud services must also ensure their configurations meet the security in the cloud requirements, adhering to principles established in the Government ICT Standards and the Information Security Standards. Using industry best practices, such as the AWS Well-Architected Framework, assists customers in meeting the design requirements for a secure deployment that aligns with these national standards.   

The technical requirement for encryption and segregation is paramount, driven by the Data Classification Framework. Engineers must implement mandatory encryption-in-transit (e.g., strong TLS/SSL) and encryption-at-rest (using cloud Key Management Services, KMS). Furthermore, logical segregation, typically achieved through Virtual Private Cloud (VPC) segmentation, Virtual Local Area Networks (VLANs), and sophisticated network access control lists, must be enforced to maintain the strict boundary rules required for Top Secret and Secret data.   

The National Public Key Infrastructure (NPKI) and Application Identity

The operationalization of the National Public Key Infrastructure (NPKI) is a core deliverable project managed by the ICT Authority. The NPKI functions as the Government Certification Authority (GCA), issuing digital certificates used to verify the virtual identity of systems, users, and applications. The Communications Authority of Kenya (CAK) manages the Kenyan Government Root Certificate Authority (RCA).   

The NPKI serves a critical function in e-government: ensuring authentication, data integrity, and non-repudiation—the ability to prove that an entity cannot later deny having performed a specific transaction.   

This system transforms key management and digital certificate lifecycle handling from a localized IT task into a high-priority cloud integration problem for DevOps teams. All critical infrastructure components, including API Gateways, load balancers, and service mesh endpoints, must be built to seamlessly integrate with and rely upon GCA-issued digital certificates for encrypted communication and user authentication. Failure to correctly integrate the NPKI renders the system non-compliant and invalidates the government’s guarantee of transactional trust for citizens.   

The Systems and Applications Standard (ICTA-6.002:2019)

The Systems and Applications Standard provides the common framework for the software lifecycle, governing acquisition, supply, development, operation, maintenance, and disposal of software systems and E-Government Applications. This standard dictates the architectural model for e-government, interoperability, integration, and licensing requirements.   

The emphasis on interoperability and integration across MCAs suggests a strong push toward decoupled application architectures. The GEA’s goal of achieving “seamless integration for citizen services” inherently favors modern, cloud-native approaches such as microservices, deployed within containerization platforms (e.g., Kubernetes) and managed via Platform-as-a-Service (PaaS) tools. These architectures allow the necessary scale, resilience, and API-based data exchange mandated by the GEA principles for government-wide coherence.

The DevOps and Cloud Engineering Implementation Blueprint

The strict regulatory requirements established in Section II (Data Sovereignty, DPA, CMCA) and the governance standards set in Section III (GEA, ISO, NPKI) converge to necessitate the adoption of mature DevOps practices. Manual configuration and deployment models are incapable of delivering the consistency, speed, and auditability required by the policy.

The Operational Necessity of Continuous Delivery (CI/CD)

The GEA’s core principles—coherence, standardization, efficiency, and unified approach across state agencies—translate directly into a mandate for automated application delivery pipelines (CI/CD). CI/CD provides the repeatable processes essential for managing the software lifecycle (acquisition, maintenance, and disposal) as defined in the Systems and Applications Standard.

Implementing continuous delivery pipelines ensures that application updates and infrastructure configurations are deployed consistently across the government, reducing the likelihood of human error that could lead to compliance violations or security gaps. Furthermore, CI/CD is fundamental to achieving SecDevOps.

  • Security Shift-Left: Compliance with CMCA demands that security is automated and integrated early in the pipeline. CI/CD must incorporate automated static application security testing (SAST), dynamic testing (DAST), and container vulnerability scanning to guarantee the integrity and policy adherence of code and deployment packages before they reach production. This ensures that security checks are enforced programmatically, providing the auditable evidence required for ICTA’s quarterly compliance assessments.
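A pipeline gate of the kind described above has to do two things: block promotion on serious findings, and leave an auditable record of what was blocked and what was waived under a documented, time-limited risk acceptance. The following is an added example, not code from the policy, ICTA or any scanner vendor. The scan-report shape, the vulnerability identifiers (`VULN-PLACEHOLDER-*`) and the exception register are all constructed placeholders; a real pipeline would feed in the output of its actual SAST or container scanner.

```python
"""Shift-left security gate for a CI/CD stage (added example; report format is constructed)."""
import json
from datetime import date

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


def active_exceptions(exceptions, today):
    """(vuln_id, package) pairs with a documented risk acceptance that has not expired."""
    return {(e["id"], e["package"]) for e in exceptions
            if date.fromisoformat(e["expires"]) >= today}


def evaluate_scan(report, exceptions, today):
    """Decide whether the artefact may be promoted and return the audit record."""
    waivers = active_exceptions(exceptions, today)
    blocking, waived = [], []
    for result in report["results"]:
        for vuln in result.get("vulnerabilities", []):
            if vuln["severity"] not in BLOCKING_SEVERITIES:
                continue  # lower severities are reported elsewhere, not gated here
            entry = {"target": result["target"], "id": vuln["id"],
                     "package": vuln["package"], "severity": vuln["severity"]}
            if (vuln["id"], vuln["package"]) in waivers:
                waived.append(entry)
            else:
                blocking.append(entry)
    return {
        "passed": not blocking,          # the pipeline stage fails if anything is blocking
        "evaluated_on": today.isoformat(),
        "blocking": blocking,
        "waived": waived,                # kept as evidence for quarterly audits
    }


# Constructed scan report for a hypothetical image; identifiers are placeholders.
SAMPLE_REPORT = {
    "results": [{
        "target": "registry.placeholder/citizen-portal:1.4.2",
        "vulnerabilities": [
            {"id": "VULN-PLACEHOLDER-001", "package": "openssl", "severity": "CRITICAL"},
            {"id": "VULN-PLACEHOLDER-002", "package": "libxml2", "severity": "HIGH"},
            {"id": "VULN-PLACEHOLDER-003", "package": "curl", "severity": "MEDIUM"},
        ],
    }]
}

# Constructed exception register: a risk acceptance with an expiry and a tracking reference.
SAMPLE_EXCEPTIONS = [
    {"id": "VULN-PLACEHOLDER-002", "package": "libxml2",
     "expires": "2025-12-31", "ticket": "RISK-PLACEHOLDER-17"},
]

if __name__ == "__main__":
    verdict = evaluate_scan(SAMPLE_REPORT, SAMPLE_EXCEPTIONS, date.today())
    print(json.dumps(verdict, indent=2))
    raise SystemExit(0 if verdict["passed"] else 1)
```

Exceptions are matched on both the vulnerability id and the package, and they expire, so a waiver granted for one component does not silently cover a later image and a stale risk acceptance becomes a blocking finding again on its own.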

Infrastructure as Code (IaC) as a Policy Enforcement Tool

Infrastructure as Code (IaC) is not merely a best practice; it is the most effective technical mechanism for enforcing the policy’s regulatory and governance mandates at scale. IaC defines and manages computing infrastructure using declarative configuration files, allowing engineers to deploy and manage resources consistently and scalably.

The adoption of IaC is dictated by several regulatory requirements:

  1. GEA Consistency and Auditability: The GEA demands standardization across Ministries, Counties, and Agencies (MCAs). IaC ensures that the configuration template, for instance, defining VPC segmentation or security group rules, is version-controlled and deployed identically across all 47 counties, meeting the GEA’s mandate for coherence.
  2. Continuous Compliance Proof: To satisfy continuous compliance audits and adherence to detailed international standards (ISO 27017, 27018), IaC provides the historical record (through version control) and the mechanism to constantly drift-check the deployed state against the desired compliant state. This programmatically demonstrates that ISO 27017 controls—such as specific access controls or logging mechanisms—are correctly applied and maintained.
  3. Data Movement Tracking: The policy requires CSPs to document data hosting locations and track data movement across jurisdictions. IaC configurations explicitly define the geographic region where cloud resources are provisioned, providing the foundational technical documentation necessary to comply with the Data Residency and Sovereignty rules (Section II).

DevOps engineers must master IaC tools like Terraform, CloudFormation, or the AWS CDK. The required expertise extends to advanced techniques such as modularization, testing, and incorporating security-as-code principles directly into infrastructure templates.   
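The residency, sovereign-hosting, encryption and segregation rules set out earlier (classified data only in Government dedicated cloud in Kenya, open data on Government public cloud or a CAC-approved third party, KMS encryption at rest, TLS in transit, strict network boundaries) become enforceable once they are evaluated against the IaC plan before anything is provisioned. The following is an added example, not code from the policy, ICTA or any IaC tool: a policy-as-code check over a constructed plan in a simplified, tool-neutral shape. The region codes (`ke-nairobi-1`, `ke-mombasa-1`), provider labels and rule ids are assumptions for illustration; in practice the plan would come from `terraform show -json` or the equivalent, and the region and provider values would be the real ones.

```python
"""Policy-as-code gate over an IaC plan (added example; plan shape and identifiers are constructed)."""
import json

# Assumptions: placeholder region codes and provider labels, not real provider identifiers.
KENYA_REGIONS = {"ke-nairobi-1", "ke-mombasa-1"}
GOV_DEDICATED_PROVIDERS = {"gov-private-cloud", "gov-dedicated-cloud"}
GOV_PUBLIC_PROVIDERS = {"gov-public-cloud"}
CLASSIFIED = {"Top Secret", "Secret"}
DATA_STORES = {"storage_bucket", "database"}
MIN_TLS = (1, 2)


def _tls_tuple(version):
    """'TLSv1.2' -> (1, 2); anything unparseable is treated as too weak."""
    try:
        major, minor = version.removeprefix("TLSv").split(".")
        return (int(major), int(minor))
    except (AttributeError, ValueError):
        return (0, 0)


def evaluate_resource(res):
    """Return [(rule_id, message), ...] for one planned resource."""
    findings = []
    cls = res.get("tags", {}).get("classification", "Unclassified")
    region, provider = res.get("region"), res.get("provider")

    if cls in CLASSIFIED:
        # Top Secret / Secret: Government dedicated or private cloud, physically in Kenya.
        if region not in KENYA_REGIONS:
            findings.append(("RESIDENCY", f"{cls} data planned in {region}; must be in Kenya"))
        if provider not in GOV_DEDICATED_PROVIDERS:
            findings.append(("SOVEREIGN_HOST", f"{cls} data on {provider}; must be Government dedicated/private cloud"))
        if "0.0.0.0/0" in res.get("ingress_cidrs", []):
            findings.append(("SEGREGATION", "classified resource reachable from 0.0.0.0/0"))
    elif cls == "Open":
        # Open data: Government public cloud in Kenya, or a third party with a CAC approval on record.
        if provider in GOV_PUBLIC_PROVIDERS:
            if region not in KENYA_REGIONS:
                findings.append(("RESIDENCY", f"Open data on Government public cloud must be in Kenya, not {region}"))
        elif not res.get("cac_approval_ref"):
            findings.append(("THIRD_PARTY_APPROVAL", f"Open data on {provider} without a CAC approval reference"))
    else:
        # Classification is a pre-procurement prerequisite; an untagged resource cannot be placed.
        findings.append(("UNCLASSIFIED", "resource carries no classification tag"))

    if res.get("type") in DATA_STORES and not res.get("encryption", {}).get("kms_key"):
        findings.append(("ENCRYPT_AT_REST", "no KMS key configured"))
    for listener in res.get("listeners", []):
        if _tls_tuple(listener.get("tls_min_version")) < MIN_TLS:
            findings.append(("ENCRYPT_IN_TRANSIT",
                             f"listener on port {listener.get('port')} allows {listener.get('tls_min_version')}"))
    return findings


def evaluate_plan(plan):
    """Return {resource_name: findings} for every non-compliant resource; empty dict means the plan may apply."""
    return {res["name"]: f for res in plan["resources"] if (f := evaluate_resource(res))}


# Constructed plan: one compliant classified store, one badly placed one, and a few edge cases.
SAMPLE_PLAN = {"resources": [
    {"name": "land-registry-records", "type": "storage_bucket", "region": "ke-nairobi-1",
     "provider": "gov-private-cloud", "tags": {"classification": "Secret"},
     "encryption": {"kms_key": "gov-kms/key-placeholder"}, "ingress_cidrs": ["10.20.0.0/16"]},
    {"name": "citizen-registry-db", "type": "database", "region": "eu-west-1",
     "provider": "public-hyperscaler", "tags": {"classification": "Top Secret"},
     "encryption": {}, "ingress_cidrs": ["0.0.0.0/0"]},
    {"name": "open-data-portal", "type": "storage_bucket", "region": "eu-west-1",
     "provider": "public-hyperscaler", "tags": {"classification": "Open"},
     "cac_approval_ref": "CAC/approval-placeholder", "encryption": {"kms_key": "kms/key-placeholder"}},
    {"name": "portal-lb", "type": "load_balancer", "region": "ke-nairobi-1",
     "provider": "gov-public-cloud", "tags": {"classification": "Open"},
     "listeners": [{"port": 443, "tls_min_version": "TLSv1.0"}]},
    {"name": "scratch-volume", "type": "storage_bucket", "region": "ke-nairobi-1",
     "provider": "gov-public-cloud", "encryption": {"kms_key": "kms/key-placeholder"}},
]}

if __name__ == "__main__":
    report = evaluate_plan(SAMPLE_PLAN)
    print(json.dumps(report, indent=2))
    raise SystemExit(1 if report else 0)
```

Because the check reads the plan rather than the live environment, the same function serves as the pre-apply gate in the pipeline and, run against a freshly exported plan of the current state, as the drift check that shows the deployed configuration still matches the classification rules between ICTA audits.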

NPKI Integration and Advanced IAM

The integration of the NPKI mandates an advanced approach to Identity and Access Management (IAM) far beyond standard user credentials. IAM architecture must be explicitly designed to trust and integrate with NPKI-based authentication.

The operational complexity for DevOps and Security Engineers includes:

  • Certificate Lifecycle Management: Deploying and maintaining applications requires automated handling of the issuance, renewal, and revocation of GCA-issued digital certificates. This involves deep technical knowledge of cloud Key Management Services (KMS) and integrating them with the ICTA Government Certification Authority (GCA) infrastructure.
  • Cryptographic Enforcement: Applications and infrastructure components must enforce cryptographic non-repudiation and authentication using these digital certificates. This often requires leveraging managed cloud services that support custom Certificate Authorities (CAs) and implementing strong policy enforcement at the network layer.

Ensuring Portability and Avoiding Vendor Lock-in

The KCP 2025 incorporates protective contractual guardrails intended to prevent vendor lock-in, acknowledging the power imbalance between large multinational cloud providers and government entities. These mandatory provisions include:   

  • Mandatory Exit Clauses and Terms: Contracts must specify exit clauses and terms that allow entities to migrate between platforms based on suitability.
  • Use of Open-Access Formats: The policy requires the use of open-access data formats.
  • Non-acceptance of Excess Penalties: Contracts must stipulate the non-acceptance of excess penalties for contract termination.

These legal requirements translate directly into architectural design decisions. The Cloud Architect’s role is elevated to one of strategic technical diligence, where they must assess and approve procurement decisions based on technical feasibility and compliance with these portability mandates.

  • Technical Portability Engineering: Engineers must utilize non-proprietary cloud services and databases (e.g., standard PostgreSQL or MySQL over highly optimized, vendor-specific NoSQL solutions). Furthermore, robust data export mechanisms must be designed and regularly tested to externalize data into standardized, open formats, effectively guaranteeing the technical feasibility of the mandatory exit strategy. The use of IaC further supports this by decoupling the infrastructure definition from the underlying cloud provider through abstraction layers (e.g., using Kubernetes for orchestration).

The Cloud Adoption Committee’s role in public sector procurement has also been formalized via the mandatory use of the Electronic Government Procurement (e-GP) platform. All cloud procurements must flow through e-GP, subjecting them to enhanced transparency requirements and automated compliance checks, integrating them with internal government financial systems like KRA’s iTax and IFMIS. This digital procurement environment further demands that technical specifications are detailed, auditable, and clearly aligned with GEA and KCP 2025 mandates.   

Career Opportunities and the Technical Skills Premium

Kenya’s digital transformation, bolstered by international funding such as the $390 million World Bank-funded Kenya Digital Economy Acceleration Project (KDEAP), ensures a sustained, long-term market opportunity for skilled technical professionals. The confluence of strict regulatory compliance and ambitious migration timelines has created a substantial skill premium for engineers capable of performing compliant cloud deployment.

Market Opportunity and Role Segmentation

The implementation of the KCP 2025 generates specialized roles within both the public sector (MCAs, ICTA, ODPC) and the private sector (accredited CSPs and systems integrators):

  1. Cloud Architects (Regulatory Design Focus): Responsible for ensuring the overall cloud architecture adheres to the Data Classification Framework, DPA, and GEA principles. Their primary deliverable is often regulatory compliance and risk mitigation, designing hybrid/multi-cloud environments capable of handling the Sovereign Cloud bifurcation.
  2. DevOps Engineers (Automation & Consistency): Focused on implementing IaC, CI/CD pipelines, and automated security testing necessary to meet the GEA’s mandate for standardization and the continuous security posture required by ISO and CMCA standards.
  3. Cloud Security Engineers (Compliance Enforcement): Specialists in securing the cloud environment, focusing on advanced IAM, NPKI integration, data encryption, network segregation, and maintaining auditable evidence for adherence to ISO 27001/27017/27018.
  4. GRC Analysts and Auditors: Professionals who translate the technical implementation into compliance reports, manage DPIAs, and prepare the necessary documentation for ICTA’s quarterly audits.

Required Technical Skills and Core Competencies

The demand for technical talent is acute, particularly for professionals who combine platform mastery with regulatory expertise.   

Platform and Automation Expertise

  • Cloud Platforms: Proficiency in leading platforms, notably AWS and Azure, is standard. However, the policy environment necessitates expertise in multi-cloud deployment and integration with local sovereign cloud stacks.
  • Programming Languages: Essential languages for automation and application development include Python, JavaScript, Java, SQL, and R. Python is critical for scripting IaC tooling and serverless functions.
  • Automation Tools: Deep expertise in IaC (Terraform, CloudFormation), configuration management (Ansible), and container orchestration (Kubernetes/Docker) is essential for delivering the GEA’s standardization mandate.

Deep Security and Governance Focus

The policy environment dictates that security skills are the highest value proposition.

  • Security Architecture: Understanding cloud security best practices, the nuances of the shared responsibility model, and how to apply the principles of the Well-Architected Framework to meet Kenyan design requirements is critical.
  • Compliance Literacy: Professionals must possess working knowledge of the DPA 2019, CMCA 2018, and specific ICTA standards. This includes understanding the technical ramifications of data classification and DPIA requirements.
  • Certification Premium: Certifications validate that a professional understands the specific security and architectural principles necessary for compliant public sector deployment. Security-focused certifications like GIAC Public Cloud Security (GPCS), which validates the ability to secure and audit AWS, Azure, and GCP environments, are highly sought after because they directly address the auditing and hardening requirements mandated by the policy.

Addressing the Digital Skills Gap and Compensation

The skill shortage in Kenya is explicitly highlighted as a challenge to digital growth. While 86% of Kenyan organizations reported increasing their cloud spending in 2023, many struggled to find the requisite talent. The rapid evolution of technology, where tech stacks evolve every 2.5–3 years, exacerbates this shortage.   

This environment creates an immense salary premium for certified, policy-aware engineers. The average Cloud Engineer base salary is around KES 1,019,100, but specialized roles like Cloud Architect and those handling AI/ML integration command salaries reaching KES 3.5 million per year. The government, recognizing this challenge, is pursuing strategies to bridge the gap through initiatives such as the DigiTalent program and nationwide digital literacy programs, often in collaboration with global tech giants and academia.   

The public sector’s challenge lies not just in attracting talent, but in retaining them against the strong incentives offered by higher-paying roles both locally and internationally. This underscores the strategic importance of government-backed training and certification programs to ensure a local supply of policy-compliant expertise.   

Actionable Compliance and Strategic Recommendations

Successful engagement with the KCP 2025 mandates a shift in both procurement strategy and technical execution. Compliance must be treated as a primary engineering requirement, integrated into every phase of the cloud adoption lifecycle.

Strategic Phased Cloud Adoption Guidance

Public entities must adhere to the one-year implementation schedule for their phased migration plans. The strategic guidance should prioritize foundational governance and security components:   

  1. Phase 1 (Classification and Governance): Conduct the mandatory Data Classification Exercise (Top Secret, Secret, Open). Register the entity with the ODPC as a Data Controller/Processor. Select and pre-approve CSPs based on accreditation status with the CAC.
  2. Phase 2 (Architectural Design): Design the bifurcated architecture, ensuring secure separation of sensitive data into local, dedicated, or sovereign cloud environments. Design IAM to integrate with NPKI/GCA authentication. Document the thorough risk evaluation as mandated by ICTA-8.002:2019.
  3. Phase 3 (IaC and CI/CD Implementation): Establish compliant IaC templates that enforce data residency rules and ISO 27017 controls. Build automated CI/CD pipelines to ensure consistent deployment and continuous compliance monitoring.
  4. Phase 4 (Migration and Audit Preparation): Begin migration of non-sensitive workloads, followed by classified systems once architectural integrity is confirmed. Prepare comprehensive documentation of controls and processes for the ICTA quarterly compliance audits.

Navigating the Procurement Lifecycle and Accreditation

CSPs seeking to contract with the government must successfully navigate the accreditation regime overseen by the Cloud Adoption Committee (CAC). This regime requires CSP registration, adherence to international compliance standards (e.g., ISO 27001), and the ability to track data hosting locations in real-time. These pre-qualification steps introduce significant lead times that public entities must factor into their project planning.   

The mandatory use of the e-Government Procurement (e-GP) platform for all cloud acquisitions introduces automated compliance verification. Technical teams must be integrated into the procurement definition process to ensure contractual terms regarding mandatory exit clauses, data portability, and open-access formats are technically verifiable against the chosen CSP’s offering.   

Mandatory Technical Compliance Checklist for Cloud Engineers

The following checklist summarizes the critical technical actions required for deployment engineers to ensure adherence to Kenya’s regulatory cloud landscape.

| Action Item | Target Stakeholder | Policy/Standard Reference | Technical Requirement/Mandate |
|---|---|---|---|
| Data Residency Validation | Cloud Architect | KCP 2025, Data Localization | Verify infrastructure deployment region adheres to data classification rules (e.g., Top Secret data physically in Kenya). |
| DPIA Integration Evidence | DevOps Engineer / GRC Analyst | DPA 2019, ODPC Guidelines | Document and manage all automation/processing flows subject to DPIA requirements (e.g., high-risk automated processing). |
| IaC Control Enforcement | DevOps Engineer | GEA Principles, ICTA Standards | Utilize IaC to ensure standardized security configurations (ISO 27017/27018 controls) across all environments. |
| NPKI Certificate Management | Security/DevOps Engineer | ICTA NPKI Operationalization | Implement automated provisioning, renewal, and usage of GCA-issued digital certificates for application identity and transaction non-repudiation. |
| Vendor Portability Check | Cloud Architect | KCP 2025 Exit Clauses | Design data storage and service layers using open-access formats and non-proprietary mechanisms to guarantee portability. |
| Risk Evaluation Approval | Cloud Engineer / CISO | ICTA-8.002:2019, Information Security Std | Ensure a formal, documented risk evaluation is completed and approved before cloud service deployment. |
| Continuous Security Auditing | DevOps Engineer | CMCA 2018, ISO 27001/27017 | Integrate automated security scanning into CI/CD pipelines and ensure real-time logging/monitoring is enabled for immediate threat reporting. |
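The Data Residency Validation, Vendor Portability Check and Continuous Security Auditing rows above, together with the Phase 3 guidance on IaC templates that enforce data residency rules, are the kind of controls a pipeline can check mechanically before anything is deployed. The following Python is an added example, not code from the KCP 2025, ICTA or any CSP: it evaluates a constructed resource manifest against an assumed region-to-country table and an assumed per-tier residency rule. The page states only that Top Secret data must be physically in Kenya; restricting Secret data the same way, the list of open-access storage formats, the region identifiers, the resource names and the manifest schema are all this example's own assumptions.

```python
"""Policy-as-code gate for an IaC resource manifest (added example).

Not code from the KCP 2025, ICTA or any cloud provider. The region
identifiers, the per-tier residency rule beyond Top Secret, the portable
format list and the manifest schema are assumptions made for illustration.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass

# Assumed mapping from deployment region identifier to ISO country code.
# The region names are constructed and do not correspond to any real CSP.
REGION_COUNTRY = {
    "ke-nairobi-1": "KE",
    "ke-mombasa-1": "KE",
    "za-johannesburg-1": "ZA",
    "eu-frankfurt-1": "DE",
}

# Residency rule per classification tier (tiers as named on the page).
# KCP 2025 requires Top Secret data physically in Kenya; treating Secret
# the same way is this example's conservative assumption. None = no limit.
ALLOWED_COUNTRIES: dict[str, set[str] | None] = {
    "TOP_SECRET": {"KE"},
    "SECRET": {"KE"},
    "OPEN": None,
}

# Assumed list of open-access storage formats accepted by the portability rule.
PORTABLE_FORMATS = {"parquet", "csv", "json", "sql-dump", "pdf"}


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    detail: str


def _residency_ok(tier: str, region: str | None) -> bool:
    """True when the region is approved and satisfies the tier's residency rule."""
    country = REGION_COUNTRY.get(region or "")
    if country is None:
        return False  # unknown region: fail closed
    allowed = ALLOWED_COUNTRIES[tier]
    return allowed is None or country in allowed


def check_manifest(manifest: dict) -> list[Finding]:
    """Return every policy violation found in the manifest (empty list = compliant)."""
    findings: list[Finding] = []
    for res in manifest["resources"]:
        name = res["name"]
        tier = res.get("classification")
        if tier not in ALLOWED_COUNTRIES:
            findings.append(Finding(name, "classification", f"unknown or missing tier {tier!r}"))
            continue  # no other rule can be evaluated without a tier
        # Primary region and every replica must satisfy the residency rule.
        for region in [res.get("region"), *res.get("replicas", [])]:
            if not _residency_ok(tier, region):
                findings.append(Finding(name, "residency", f"{tier} data placed in region {region!r}"))
        # Exit-clause requirement: storage must use an open-access format.
        if res.get("kind") == "storage" and res.get("storage_format") not in PORTABLE_FORMATS:
            findings.append(Finding(name, "portability", f"format {res.get('storage_format')!r} is not open-access"))
        # Continuous auditing requirement: logging/monitoring must be enabled.
        if not res.get("logging", False):
            findings.append(Finding(name, "logging", "real-time logging/monitoring is disabled"))
    return findings


def is_compliant(manifest: dict) -> bool:
    """CI gate: True only when the manifest produces no findings."""
    return not check_manifest(manifest)


# Constructed sample manifest used to exercise the rules.
SAMPLE_MANIFEST = {
    "resources": [
        {"name": "citizen-records-db", "kind": "storage", "classification": "TOP_SECRET",
         "region": "ke-nairobi-1", "replicas": ["ke-mombasa-1"], "storage_format": "sql-dump", "logging": True},
        {"name": "analytics-lake", "kind": "storage", "classification": "SECRET",
         "region": "ke-nairobi-1", "replicas": ["eu-frankfurt-1"], "storage_format": "parquet", "logging": True},
        {"name": "public-portal", "kind": "compute", "classification": "OPEN",
         "region": "za-johannesburg-1", "logging": False},
        {"name": "legacy-archive", "kind": "storage", "classification": "SECRET",
         "region": "ke-nairobi-1", "storage_format": "vendor-blob", "logging": True},
    ]
}

if __name__ == "__main__":
    for f in check_manifest(SAMPLE_MANIFEST):
        print(f"{f.resource}: [{f.rule}] {f.detail}")
    sys.exit(0 if is_compliant(SAMPLE_MANIFEST) else 1)
```

Run this as a pipeline step before the IaC apply stage and fail the job on a non-zero exit; the unknown-region branch fails closed on purpose, so a region that has not been reviewed against the accredited CSP's hosting locations cannot pass the gate by accident.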

Appendix: Government Resource Repository

This section provides descriptive references to key government agencies and statutory frameworks critical for compliant cloud adoption in Kenya, enabling technical professionals and organizations to access foundational regulatory information.

| Agency/Resource Title | Function and Mandate | Relevant URL/Reference |
|---|---|---|
| Ministry of Information, Communications, and the Digital Economy (MICDE) | Policy Formulation and Oversight. Responsible for driving the digital economy agenda and formulating the KCP 2025. | Ministry of ICT and Digital Economy Official Portal |
| ICT Authority (ICTA) | Mandated to set and enforce ICT standards, manage the Government Enterprise Architecture (GEA) Framework, and operate the Government Certification Agency (GCA) for the NPKI. Conducts quarterly compliance audits. | ICT Authority (ICTA) Standards and Mandates Page |
| Office of the Data Protection Commissioner (ODPC) | Oversees DPA 2019 compliance, manages the registration of Data Controllers/Processors, and issues guidance on DPIAs. | ODPC Official Portal and Registration Guidelines |
| Communications Authority of Kenya (CAK) | Regulatory authority for the ICT sector, responsible for managing the Root Certificate Authority (RCA) for the NPKI and issuing industry guidelines. | CAK Sector Guidelines and Regulations |
| National KE-CIRT/CC | The National Kenya Computer Incident Response Team – Coordination Centre, responsible for national coordination and response to cyber threats. | National KE-CIRT/CC Cybersecurity Portal |
| Kenya Cloud Policy 2025 | The core policy mandating the ‘cloud-first’ approach, defining data classification, residency requirements, and procurement standards for public entities. | Official Kenya Cloud Policy Document (MICDE) |
| Data Protection Act (DPA), 2019 | Legislation governing the processing, protection, and transfer of personal data in Kenya, requiring consent and appropriate safeguards. | Full Text of the Data Protection Act, 2019 |
| Computer Misuse and Cybercrimes Act (CMCA), 2018 | Legislation defining and criminalizing cyber offenses, protecting the integrity, confidentiality, and availability of computer systems. | Full Text of the Computer Misuse and Cybercrimes Act, 2018 |
| ICTA-8.002:2019 Cloud Computing Standard | Specific technical standard providing guidance on cloud deployment models, service models, governance, and mandatory risk assessments before cloud adoption. | ICTA Cloud Computing Standard (8.002:2019) |
| Government Enterprise Architecture (GEA) Standards | The foundational blueprint for system unification, defining architectural principles for alignment, integration, and coherence across government ICT. | ICTA Government Enterprise Architecture (GEA) Framework |