Cybersecurity · Egypt
Cybersecurity regulation in Egypt (2026)
Egypt shaded by its cybersecurity status
Egypt regulates cybersecurity through a patchwork of sector- and topic-specific instruments rather than one NIS2-style comprehensive law. The 2018 cybercrime law imposes data-retention and critical-information-infrastructure duties and underpins EG-CERT, while the 2020 data protection law (operative via 2025 executive regulations) adds breach-notification rules and the central bank governs the financial sector. The Egyptian Supreme Cybersecurity Council's National Cybersecurity Strategy 2023-2027 explicitly aims to build a more comprehensive regulatory framework, indicating one does not yet exist.
Key points
Law No. 175 of 2018 (Anti-Cyber and Information Technology Crimes) criminalizes hacking and obliges telecom providers to retain user data for 180 days; operators of critical information infrastructure must adopt security measures and report incidents, with NTRA and EG-CERT as competent bodies.
Under the Personal Data Protection Law No. 151 of 2020 and its Executive Regulations (issued 1 Nov 2025), controllers must notify the Personal Data Protection Centre within 72 hours of a breach (immediately if national security is involved) and inform affected individuals within three working days.
The NTRA Regulatory Framework for Providing Cybersecurity Services entered into force on 7 August 2025, setting licensing/registration requirements for entities providing or using cybersecurity services and obliging providers and beneficiaries to report cybersecurity incidents to the relevant authorities.
The Central Bank of Egypt issued the country's first Financial Cybersecurity Framework for banks and runs the sector CERT (EG-FinCIRT) for incident response, embedding mandatory controls and reporting into CBE circulars for the banking/financial sector.
The Egyptian Supreme Cybersecurity Council (ESCC), within the Cabinet, leads national coordination and issued the National Cybersecurity Strategy 2023-2027, one of whose programs is to build a comprehensive regulatory framework — signalling that comprehensive legislation is still an aspiration rather than in force.
EG-CERT, operating under the NTRA, provides incident response, defense and analysis against cyberattacks and coordinates with government, financial entities and other critical information infrastructure sectors.
Timeline - major decisions & events
Five years after the PDPL was passed, Egypt issued its Executive Regulations via MCIT Decision No. 81 of 2025 (published in Official Gazette Issue 244), finally operationalizing breach-notification, data-controller registration, cross-border transfer rules and security obligations, with a one-year grace period before full enforcement (~October 2026).
Baker McKenzie ↗The Egyptian Supreme Cybersecurity Council launched the second national strategy, aimed at countering rising cyber threats, building cybersecurity human capital, and developing a domestic cybersecurity industry contributing to GDP.
EG-CERT ↗The CBE published Egypt's first comprehensive cybersecurity regulatory framework (EGY-FIN CSF v1.0) for the banking and financial sector, setting mandatory controls and maturity benchmarks for all CBE-licensed entities.
Central Bank of Egypt ↗Egypt's first comprehensive data-protection statute introduced consent requirements, data-subject rights, 72-hour breach notification, mandatory DPOs, and created the Personal Data Protection Center; it entered into force in October 2020.
Ministry of Communications and Information Technology ↗Egypt's principal cybercrime statute criminalized hacking and unauthorized access, imposed 180-day data-retention duties on telecom operators and obligations on service providers, and empowered authorities to block websites threatening national security.
WIPO Lex ↗The Supreme Cybersecurity Council launched Egypt's inaugural national cybersecurity strategy to secure communications and information infrastructure and provide a trusted environment for digital government services.
ITU ↗Prime Ministerial Decree No. 2259 of 2014 created the ESCC, chaired by the MCIT minister with cross-ministry and security-agency membership, mandated to develop and oversee the national cybersecurity strategy.
Egyptian Supreme Cybersecurity Council ↗The National Telecommunications Regulatory Authority founded the Egyptian Computer Emergency Readiness Team to provide 24/7 incident response, forensics, malware analysis and protection of critical information infrastructure.
EG-CERT ↗Egypt's foundational telecom law established the NTRA and, via Article 64, imposed strict controls requiring written approval to use encryption equipment and obliging networks to enable lawful access by security agencies — an early pillar of the cybersecurity/surveillance framework.
NTRA ↗Egypt - other topics
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →