Cybersecurity - Egypt

Law No. 175 of 2018 (Anti-Cyber and Information Technology Crimes) criminalizes hacking and obliges telecom providers to retain user data for 180 days; operators of critical information infrastructure must adopt security measures and report incidents, with NTRA and EG-CERT as competent bodies.

Under the Personal Data Protection Law No. 151 of 2020 and its Executive Regulations (issued 1 Nov 2025), controllers must notify the Personal Data Protection Centre within 72 hours of a breach (immediately if national security is involved) and inform affected individuals within three working days.

The NTRA Regulatory Framework for Providing Cybersecurity Services entered into force on 7 August 2025, setting licensing/registration requirements for entities providing or using cybersecurity services and obliging providers and beneficiaries to report cybersecurity incidents to the relevant authorities.

The Central Bank of Egypt issued the country's first Financial Cybersecurity Framework for banks and runs the sector CERT (EG-FinCIRT) for incident response, embedding mandatory controls and reporting into CBE circulars for the banking/financial sector.

The Egyptian Supreme Cybersecurity Council (ESCC), within the Cabinet, leads national coordination and issued the National Cybersecurity Strategy 2023-2027, one of whose programs is to build a comprehensive regulatory framework — signalling that comprehensive legislation is still an aspiration rather than in force.

EG-CERT, operating under the NTRA, provides incident response, defense and analysis against cyberattacks and coordinates with government, financial entities and other critical information infrastructure sectors.