Boards of companies that operate at national scale payment platforms, dominant mobile networks, carrier-neutral data centres need to ask a different set of questions than they currently do. The standard governance framework asks about uptime, cyber risk, and compliance. When you become nationally critical, the questions become sharper.
a private system becomes nationally critical when its failure stops being a company incident and starts being a country incident.
You know you are there when an outage affects multiple sectors simultaneously. When regulators convene industry players in emergency mode. When business continuity is no longer an internal SLA conversation, but a public-interest question.
Examples of private-sector operators that often meet this criteria
This is not a claim that any specific firm has been formally designated as critical infrastructure. It is a practical observation: in many African markets, the private operators below often meet the criteria because of scale, substitutability, cross-sector dependency, and the speed at which disruption becomes a public-interest issue.
1. Subsea cable systems, landing operators, and international capacity providers (private)
Why they often qualify: multi-country spillover, limited short-term substitutes, long repair timelines. (internetsociety.org)
2. Real-time payment platforms operated by private, industry-owned operators
Why they often qualify: when real-time bank transfers become mainstream, they become part of the economy’s “always-on” expectation.
Kenya example: PesaLink states it is operated by Integrated Payment Services Limited (IPSL), a subsidiary of the Kenya Bankers Association, providing 24/7 365 real-time payments for the banking industry. (pesalink.co.ke)
3. Dominant mobile network operators and mobile money platforms (private)
Why they often qualify: network effects + everyday commerce dependence; disruptions immediately affect households, merchants, and service delivery (which is why downtime starts to look like utility maintenance). (the-star.co.ke)
4. Large carrier-neutral data centres hosting essential workloads (private)
Why they often qualify: as regulated and public-interest workloads concentrate into a small number of facilities, continuity risk concentrates too—making resilience and disclosure expectations inevitable.
What event turns us from a national champion into a national risk overnight? If regulators asked for proof of our recovery capability tomorrow, could we provide it cleanly with test results, audit trails, and a dependency map? Do our supplier contracts contain the reporting and recovery responsibilities we would need to honour our obligations to the country? Have we tested recovery under realistic conditions, or only documented it?
The operators who are asking these questions proactively building what might be called an assurance pack, a national incident operating mode, and realistic exit readiness before they are forced to are the ones who will shape how regulation lands. The ones who wait will be regulated reactively, in the aftermath of the next incident, with less influence over the design of what follows.
DOWNLOAD THE PLAY BOOK FOR A PROACTIVE BOARD APPROACH INSTEAD OF A REACTIVE APPROACH
Continue reading
