Kenya’s e-Citizen platform is impressive by regional standards. Over 22,000 government services, 14 million registered users, and somewhere between KES 750 million and KES 1 billion flowing through it every single day.
The platform handles everything from passport applications to land searches, and Kenya’s Online Services Index score of 0.7770 is the highest in East Africa. That is not nothing.
But this month, the National Treasury published draft regulations to govern this platform, and a civil society organization called KICTANet responded with a 56-page memorandum arguing that the government has fundamentally misunderstood what e-Citizen actually is, and therefore has reached for the wrong legal tool to fix it.
The Treasury’s approach was to create the Public Finance Management (e-Citizen System Management) Regulations, 2026, using the Public Finance Management Act as the legal foundation.
The argument from KICTANet is that the PFM Act only allows Treasury to regulate how money moves, gets counted, and gets reported.
It cannot legally reach service delivery standards, data protection, algorithmic accountability, accessibility requirements, or the institutional permanence of a platform that now underpins the country’s entire digital government operation.
Several provisions in the draft regulations already try to do exactly those things, which means they are vulnerable to being struck down in court for exceeding the powers of the law they were made under.
Kenya has seen this happen before, including with the Digital Health Act 2023 regulations, which were nullified partly on similar grounds.
KICTANet’s core argument is that e-Citizen is not a payment gateway. It is Digital Public Infrastructure, meaning it is the shared foundational layer of identity verification, payments, data exchange, and messaging that the entire government now depends on.
Treating it as a revenue collection tool with some digital features attached is like treating a national road network as a toll booth management problem.
The Auditor-General’s special audit of e-Citizen, published in 2025, did not help Treasury’s case for business as usual. The audit found governance failures exceeding KES 10.8 billion.
The most striking item was KES 127.85 million that was diverted from the e-Citizen Paybill in four transactions on a single day in January 2024, through a manual administrative configuration change. Not a hack, not a technical failure.
Someone changed a setting and KES 127.85 million went somewhere it should not have gone, and nobody noticed until a special audit was commissioned after the fact.
The audit also found approximately KES 6.3 billion channeled through an account called “Pesaflow” that was not actually a party to the main consortium contract, and KES 549.69 million paid in maintenance fees to a company called Electronic Citizen Solutions Ltd, which was also not a contracting party.
On top of all this, the platform had never been registered with the Office of the Data Protection Commissioner and had no Data Protection Impact Assessment on file, despite holding the personal data of 14 million people.
The platform is operated by a private consortium of three companies under a contract signed in May 2023. The contract contains an exit clause that allows the consortium to switch the platform off if the government terminates the agreement.
A platform processing nearly a billion shillings a day in public revenue can legally be shut down by a private party. The draft regulations say nothing about this.
KICTANet’s proposed solution is a two-tier legal architecture. The PFM regulations would continue to exist, but narrowly, governing only the financial layer of e-Citizen: how fees are collected, how revenue settles to the Consolidated Fund, and what the fee schedule looks like.
Sitting above that would be a new primary law, a Digital Government and Digital Public Infrastructure Act, that would apply across every government digital platform, not just e-Citizen.
That means iTax, the Social Health Authority (SHA) platform, Ardhisasa, the National Education Management Information System, the 47 county revenue platforms, and IFMIS would all fall under the same framework.
Citizens would experience one consistent standard of service regardless of which government department they were dealing with.
This is not an abstract policy preference. The government itself has already reached essentially the same conclusion. In September 2025, the Ministry of ICT and Digital Economy convened an Inter-Ministerial Steering Committee on Digital Public Infrastructure.
At that meeting, the Principal Secretary for ICT stated that the national DPI Roadmap would not be designed by the Ministry of ICT alone, that it would be cooperated across ministries and agencies because DPI cuts across all sectors.
The draft regulations, made under the PFM Act and scoped entirely to “the e-Citizen System,” cannot give legal effect to a cross-government undertaking the Ministry of ICT has already publicly committed to.
The memorandum points out that Kenya now risks operating two parallel steering committees with overlapping mandates answering to different legal instruments, with no coordination mechanism between them.
The memorandum also raises the question of the convenience fee, which appears throughout the draft regulations and which KICTANet argues should be removed from the legal framework entirely.
READ: The Treasury Wants Public Input on eCitizen Fees It Has Already Been Collecting
In commercial usage, a convenience fee is what you pay for choosing an optional alternative to a free default, like paying by card when cash is available at no cost. That is not what this fee is.
Where government services have been migrated to e-Citizen as the primary or sole channel, the fee is the cost of accessing a constitutionally guaranteed service. Under Articles 43 and 46 of the Constitution, citizens have rights to government services.
Calling the charge for exercising those rights a “convenience fee” while a private consortium collects KES 1.45 billion of it annually is, at minimum, a characterization problem.
The Regulatory Impact Statement itself acknowledged the fee had previously been ungazetted and irregularly charged, which is partly a consequence of nobody being forced to legally define what it actually was.
KICTANet recommends renaming it a “digital service fee” and directing the revenue to a ring-fenced Digital Government Innovation and Implementation Fund with three defined purposes: building in-house government technical capacity, funding last-mile access infrastructure including Huduma Centers, and covering continuous platform security and innovation costs.
The in-house capacity issue is also a problem. For over a decade, the government has outsourced the building, operation, and maintenance of e-Citizen to a private consortium. The consortium bills technical personnel at daily rates of KES 27,000 to 53,000.
The government has built no independent capacity to build, test, deploy, or meaningfully audit comparable systems. As volumes grow, the cost paid to external operators grows with them, with no corresponding transfer of knowledge or capability back to the state.
The memorandum draws an analogy with how comparable countries have approached this. The UK’s Government Digital Service, Singapore’s GovTech, and Estonia’s RIA technical directorate all operate as in-house government engineering functions that give the state real technical fluency in its own systems.
Kenya has nothing equivalent.
The memorandum also raises what it calls the refund gap. Regulation 18 of the draft regulations allows citizens to apply for refunds where a service was not delivered, where they paid twice, or where they paid the wrong provider.
The refund is then processed by the relevant MDA (Ministry, Department, or Agency) “in accordance with the entity’s finance and accounting policy.”
There are 547 MDAs and 47 county entities. There is no statutory timeline for when a refund must be processed, no escalation pathway if an entity fails to act, no interest for delays, and no central ledger against which anyone can verify that a refund was actually paid.
The citizen who does not know how to navigate this across hundreds of different entities’ internal policies simply loses the money.
The proposed solution is a Universal Citizen Digital Wallet, reconciled in real time against the Treasury Single Account and IFMIS, where every payment is recorded and failed or duplicate transactions are automatically reversed without the citizen having to do anything.
The memorandum also addresses digital exclusion. The draft regulations describe a system that allows users to access services from various devices and interfaces, which implicitly assumes citizens have devices and interfaces.
Approximately 28 to 30 million Kenyans remain offline. Internet penetration in West Pokot is 9%, and in Turkana it is 12.7%.
Huduma Centers are the most significant physical access channel for people who cannot use e-Citizen unaided, and they have operated since 2014 without a single Act of Parliament giving them a statutory mandate, enforceable service standards, or a guaranteed budget line.
The draft regulations do not mention them at all.
Kenya ranks 109th globally in the UN E-Government Survey 2024 with an overall EGDI score of 0.6314. The interesting detail inside that number is what it breaks down into.
The Online Services Index, which measures service supply, is 0.7770, the highest in East Africa. The Human Capital Index, which measures literacy and digital skills, is 0.5271. The Telecommunications Infrastructure Index is 0.5901.
The binding constraint on digital government in Kenya is not that the government has failed to put services online. It has done that well.
The constraint is that a large portion of the population lacks the skills, devices, or connectivity to use those services, and the proposed regulations do essentially nothing about that.
The memorandum closes by noting that Kenya’s 5-year trajectory, if the right structural reforms are made, could plausibly bring the country’s EGDI score to 0.75 or above, placing it in the global top 50.
READ: Government Plans to Sell eCitizen and State Data to Generate Revenue in New Proposal
That is achievable, but it requires treating e-Citizen as the national infrastructure it already functions as, rather than as a payment collection mechanism that happens to host a lot of services.
The regulations as currently drafted do not do that, and a regulation made under the Public Finance Management Act probably cannot.
