
Egypt: Cybersecurity


1. GOVERNING TEXTS

1.1. Legislation

The Law No. 175 of 2018 on Anti-Cyber and Information Technology Crimes (only available in Arabic here) ('the Anti-Cybercrime Law') is the main sectoral legislation in Egypt which covers service providers and users concerning cybercrimes and penalises such crimes. It came into force on 15 August 2018.

Moreover, Resolution No. 151 of 2020 approving the Law on the Protection of Personal Data (only available in Arabic here and here) ('the Data Protection Law') was published, on 15 July 2020, in the Official Gazette and entered into force on 15 October 2020.

1.2. Regulatory authority 

Although not explicitly stated in the Anti-Cybercrime Law, it is inferred that the competent entity supervising the correct application of the Anti-Cybercrime Law is the National Telecommunications Regulatory Authority ('NTRA'). The NTRA is also expected to issue further regulations in connection with the Anti-Cybercrime Law.

The Ministry of Communications and Information Technology ('MCIT') led efforts for the creation of the Egyptian Supreme Cyber Security Council ('ESCC'), which is the supreme council for information and communications technology ('ICT') infrastructure protection. The ESCC is comprised of stakeholders involved in national security and in the management and operation of infrastructure in critical sectors and public utilities, as well as experts from the private sector and research and educational entities. The ESCC was mandated to develop a national strategy for cybersecurity and for confronting cyber attacks. It supervises the implementation and updating of the strategy, in order to keep up with successive technological developments. The ESCC began its preliminary work in January 2015, and in June 2016 the Prime Minister approved the formation of the ESCC Executive Bureau and the Technical Committee, together with the description of their respective roles and responsibilities.

The NTRA established the Egyptian Computer Emergency Readiness Team ('EG-CERT') in April 2009. The EG-CERT consists of four main departments, which are:

  • incident handling;
  • cyber forensics;
  • malware analysis; and
  • penetration testing.

Its mission is to provide an early warning system against the spread of malware and against large-scale attacks on the Egyptian critical information infrastructure.

The EG-CERT has cooperation agreements in place with the United States Computer Emergency Readiness Team ('US-CERT'), the Korea Internet and Security Agency ('KISA') in Seoul, and CyberSecurity Malaysia, and is a member of the Organisation of Islamic Cooperation Computer Emergency Response Team ('OIC-CERT').

Objectives of the EG-CERT include to:

  • develop an appropriate legislative framework for cybersecurity, with the participation of the private sector and civil society, and guided by relevant international expertise, experience, and initiatives;
  • develop an appropriate regulatory framework for cybersecurity, drawing on international experience to establish a national cybersecurity system and computer emergency response teams;
  • impose penalties on the breaching party;
  • establish the infrastructure necessary to ensure confidence in electronic transactions and protect digital identity, such as public key infrastructure and credit bureaus, with the participation of the private sector;
  • develop and implement programs to build the necessary human capacity for activation of an e-services system across all sectors, in cooperation with the private sector, universities, and non-governmental organisations;
  • cooperate with other countries and relevant international organisations in the fields of cybersecurity and e-service provision; and
  • raise public awareness of the benefits of electronic services for individuals, businesses, and institutions and the importance of cybersecurity.

1.3. Regulatory authority guidance

The ESCC - reporting to the Cabinet of Ministers, and chaired by the MCIT - has launched the National Cybersecurity Strategy (2017-2021) ('the Strategy'), aiming to provide a safe and secure environment that would enable various sectors to deliver integrated e-services, in line with the State's efforts to support national security and develop the Egyptian society.

The Strategy entails a number of programmes that support the strategic cybersecurity objectives. It emphasises the distribution of roles among government agencies, private sector, business institutions, and civil society, and the measures to be established by the State to support progress towards achieving these objectives. In addition, the Strategy outlines an action plan for the years 2017 to 2021. The Strategy has been developed in line with these specified objectives, emphasising the significance of the partnership among government agencies, private sector, business institutions, and civil society.

The Chamber of Information Technology and Telecommunications ('CIT') is organising several awareness campaigns and conferences including on cybersecurity, under the theme 'Cybersecurity Challenges in the Age of Digital Transformation.'

2. SCOPE OF APPLICATION

Article 3 of the Anti-Cybercrime Law states: “Without prejudice to the provisions of Part One of Book One of the Penal Code, the provisions of this law shall apply to any non-Egyptian who committed one of the crimes stipulated in this law outside the Arab Republic of Egypt, when the act was punishable in the country in which it occurred under any legal description, in any of the following cases:

  • if the crime was committed on board any means of air, land or water transportation, and it was registered with the Arab Republic of Egypt or carried its flag;
  • if the victim or one of them is Egyptian;
  • if the crime was prepared, planned, directed, supervised or financed in the Arab Republic of Egypt;
  • if the crime is committed by an organised criminal group that engages in criminal activities in more than one country, including the Arab Republic of Egypt;
  • if the crime would harm any of the citizens or residents of the Arab Republic of Egypt, its security or any of its interests, inside or outside; and
  • if the perpetrator of the crime is found in the Arab Republic of Egypt, after its commission, and he has not been extradited.

With regard to the type of information to be retained, Article 2 of the Anti-Cybercrime Law requires service providers to keep and store the log of the information system, or of any means of information technology, for a period of 180 days. The following data shall be preserved and stored:

  • data that enables the user to be identified;
  • the date related to communications traffic;
  • communication traffic data; and
  • any other data that the NTRA determined in a decree.

Without prejudice to the inviolability of the private life guaranteed by the Constitution, the service providers and their subsidiaries shall, in the event of a request by the national security entities and in accordance with their needs, provide all technical possibilities, which enable them to exercise their powers in accordance with the Anti-Cybercrime Law.

3. DEFINITIONS

Agency: The National Telecommunications Regulatory Authority.

Competent minister: The minister concerned with communications and information technology affairs.

Electronic data and information: Everything that can be created, stored, processed, synthesised, transmitted, shared or copied by information technology, such as numbers, codes, letters, symbols, signs, images, sounds, and the like.

Personal data: Any data relating to a specific or identifiable natural person, directly or indirectly, by linking it with other data.

Governmental data: Data related to the State or one of its authorities, organs or units, public bodies, independent bodies, regulatory bodies, or other public legal persons and the like, available on the information network, on any information system, on a computer, or on anything treated as such.

Electronic processing: Any electronic or technical process carried out in whole or in part to write, compile, record, save, store, merge, display, send, receive, trade, publish, delete, change, modify, retrieve or derive electronic data and information, using any medium, computer, or other electronic, magnetic or optical device, or new technologies or other media.

Information technology: Any means or group of interconnected or unconnected means used to store, retrieve, arrange, organise, process, develop and exchange information or data, including everything related to the means used, whether wired or wireless.

Service provider: Any natural or legal person who provides users with information and communication technology services, including those who process or store information on their own or on their behalf in any of those services or information technology.

User: Every natural or legal person who uses information technology services, or benefits from them in any way.

Information program: A set of commands and instructions expressed in any language, symbol or sign, taking any form, which can be used directly or indirectly in a computer to perform a function or achieve a result, whether these commands and instructions are in their original form or in any other form in which they appear through a computer or information system.

Information system: A set of programs and tools prepared for the purpose of managing and processing data and information, or providing an information service.

Information network: A group of devices or information systems that are linked together and can exchange information and communications among themselves, including private and public networks and international information networks, and the applications used on them.

Site: A virtual field or place with a specific address on an information network, which aims to make data and information available publicly or privately.

Site administrator: Every person responsible for organizing, managing, following up or maintaining one or more websites on the information network, including access rights for various users on that website, its design, generation and organization of its pages or content, or the person responsible for it.

Private account: A set of information relating to a natural or legal person, which authorizes him exclusively the right to access or use the services available through a website or information system.

E-mail: A means of exchanging electronic messages at a specific address, between more than one natural or legal person, via an information network, or other electronic means of interconnection through computers and the like.

Interception: Viewing or obtaining data or information for the purpose of eavesdropping, disabling, storing, copying, recording, changing content, misuse, rerouting or redirecting, for illegal and unlawful reasons.

Penetration: Unauthorized access to or in violation of the provisions of the license, or access by any illegal method to an information system, computer, information network, or the like.

Content: Any data that, by itself or in combination with other data or information, leads to the formation of information or determining a trend, direction, conception, meaning or reference to other data.

Digital evidence: Any electronic information that has strength or evidentiary value that is stored, transmitted, extracted, or taken from computers or information networks and the like, and it can be collected and analysed using special technological devices, software or applications.

Experience: Any work related to providing consultancy, examination, review, evaluation or analysis in the fields of information technology.

Traffic (traffic data): data produced by an information system showing the source and destination of the communication, the destination it was sent to and from, the route taken, its time, date, size, duration and type of service.

Computer: Every device or technical equipment capable of storing and performing logical or arithmetic operations, and used to record, store, transform, create, retrieve, arrange, process, develop, exchange, analyze, or for communications.

Electronic support: Any physical medium for storing and circulating electronic data and information, including compact discs, optical discs, electronic memory or the like.

National security: Everything related to the independence, stability, security, unity, and territorial integrity of the country, and the affairs of the Presidency of the Republic, the National Defence Council, the National Security Council, the Ministry of Defence and Military Production, the Ministry of Interior, General Intelligence, the Administrative Control Authority, and the agencies affiliated with those entities.

National security bodies: the Presidency of the Republic, the Ministry of Defence, the Ministry of Interior, General Intelligence, and the Administrative Control Authority.

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

4.1. Cybersecurity training and awareness

There are no requirements for cybersecurity training and awareness.

4.2. Cybersecurity risk assessments

There are no requirements for cybersecurity risk assessments.

4.3. Vendor management

There are no requirements for vendor management.

4.4. Accountability/record keeping

Article 2 of the Anti-Cybercrime Law requires service providers to keep and store the log of the information system, or of any means of information technology, for a period of 180 days. The following data shall be preserved and stored:

  • data that enables the user to be identified;
  • the date related to communications traffic;
  • communication traffic data; and
  • any other data that the NTRA determined in a decree.

Without prejudice to the inviolability of the private life guaranteed by the Constitution, the service providers and their subsidiaries shall, in the event of a request by the national security entities and in accordance with their needs, provide all technical possibilities, which enable them to exercise their powers in accordance with the Anti-Cybercrime Law.

5. DATA SECURITY

Article 2 of the Anti-Cybercrime Law requires service providers to keep and store the log of the information system, or of any means of information technology, for a period of 180 days. The following data shall be preserved and stored:

  • data that enables the user to be identified;
  • the date related to communications traffic;
  • communication traffic data; and
  • any other data that the NTRA determined in a decree.

Without prejudice to the inviolability of the private life guaranteed by the Constitution, the service providers and their subsidiaries shall, in the event of a request by the national security entities and in accordance with their needs, provide all technical possibilities, which enable them to exercise their powers in accordance with the Anti-Cybercrime Law.

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

There are no requirements to notify cybersecurity incidents under the applicable law. However, the service provider may file a report with the police who will launch an investigation to prove the incident to the MCIT. There is no specific timeline.

7. REGISTRATION WITH AUTHORITY

According to Egypt's Telecommunication Regulation Law No. 10 of 2003 ('the Telecommunication Law') and the Anti-Cybercrime Law, the NTRA governs the registration of new companies. All entities and companies working in the field of communications shall submit to the NTRA any reports, statistics or information related to their activities, except those related to national security.

Additionally, Article 21 of the Telecommunication Law states that 'the establishment or operation of telecommunications networks, or the provision of telecommunications services to third parties, or the passing of international telephone calls or the declaration of any such thing, shall not be permitted without the authorisation of the NTRA, in accordance with the provisions of this Law and the resolutions implementing it. However, obtaining a license from the NTRA to create or operate a private telecommunications network that does not use wireless communication systems. The licensed operator is obliged to notify the NTRA of the private networks originating in its infrastructure.'

By virtue of Article 22 of the Telecommunication Law, the application for any of the licences referred to in Article 21 of the Telecommunication Law shall be submitted on the forms set by the NTRA, together with the data and documents specified by it, in particular those proving the technical and financial capacity of the applicant. A decision on the licence application shall be issued within a period not exceeding 90 days from the date on which the applicant fulfils all the required data and documents; otherwise the application shall be deemed rejected.

8. APPOINTMENT OF A SECURITY OFFICER

There are no requirements to appoint a security officer under the applicable law.

9. SECTOR-SPECIFIC REQUIREMENTS

Financial Services 

The financial services sector includes the networks and websites of banks, banking transactions, e-payment platforms, the stock exchange, securities trading companies, and postal financial services.

Within the framework of joint cooperation between the Central Bank of Egypt ('CBE') and the Financial Regulatory Authority ('FRA'), insurance policy forms have been prepared against cybersecurity threats to meet the needs of the banking sector.

The FRA has reviewed and approved those forms for use by banks that wish to insure their electronic transactions against cybersecurity threats.

A directory for insurance on electronic transactions against cybersecurity threats has also been prepared to be used when a bank or financial institution contracts an insurance company for this purpose.

Health 

There are no specific requirements or information, although the authorities are trying to combat cyber attacks and provide a high level of safety in this area.

The health and emergency aid services sector includes relief and emergency networks, blood banks, hospital systems and networks, healthcare networks, and websites.

New types of extremely serious cyber attacks have recently emerged, aimed at disrupting critical services and deploying malware and viruses to destroy or disrupt the ICT infrastructure and critical industrial control systems, especially in key facilities such as healthcare and emergency aid services, among others. Such cyber attacks use several channels, including wireless networks and portable storage media, as well as other common channels such as email, websites, social media, and telecommunications networks, and may have a significant impact on the operation of the critical infrastructure and the associated services and businesses. In practice, critical facilities may be vulnerable to advanced cyber attacks even if they are not directly connected to the internet.

Telecommunications

There are no specific requirements or information in relation to cybersecurity practices in the telecommunications sector, although the authorities are trying to combat cyber attacks and provide a high level of safety.

Employment

There are no specific requirements or information in relation to cybersecurity practices in the employment sector, although the authorities are trying to combat cyber attacks and provide a high level of safety.

Employees are obliged by law to maintain the company's information and should not disclose it to third parties.

Education

There are no specific requirements or information relating to cybersecurity in the educational sector, although the authorities are trying to combat cyber attacks and provide a high level of safety.

Confronting cybercrime requires sincere, coherent, and sustained efforts, as well as extensive community partnerships, involving government agencies, private sector, research and educational institutions, business organisations, and CSOs, in order to maximise the benefits of the unique opportunities offered by advanced ICTs in various economic, social, and cultural domains, while protecting our society from the risk that cyber criminals pose.

The MCIT has led efforts for the creation of a supreme council for ICT infrastructure protection, that is, the ESCC, reporting to the Cabinet and chaired by the Minister of Communications and Information Technology. The ESCC is comprised of stakeholders involved in national security and in the management and operation of infrastructure in critical sectors and public utilities, and experts from the private sector and research and educational entities. The ESCC was mandated with developing a national strategy for cybersecurity and for confronting cyber attacks. It supervises the implementation and updating of the strategy, in order to keep up with successive technological developments. The Council began its preliminary work in January 2015, and in June 2016 the Prime Minister approved the formation of the ESCC Executive Bureau and Technical Committee, together with the description of their respective roles and responsibilities.

Insurance

There are no specific requirements or information in relation to cybersecurity practices in the insurance sector, although the authorities are trying to combat cyber attacks and provide a high level of safety.

10. PENALTIES

Articles 12-41 of the Anti-Cybercrime Law cover monetary and non-monetary penalties as well as criminal punishment for non-compliance.

The following provisions apply specifically for service providers:

  • Article 30 of the Anti-Cybercrime Law stipulates that 'each service provider who fails to implement the decision issued by the competent penal court to block any of the websites, links or content referred to in Paragraph One of Article 7 of this Law shall be punished by imprisonment for a period of not less than one year and a fine of not less than LE 500,000 (approx. €26,533) and not exceeding LE 1 million (approx. €53,066), or by either of those two penalties. If the failure to enforce the court decision results in the death of one or more persons or harm to national security, the penalty shall be aggravated imprisonment and a fine of not less than LE 3 million and not exceeding LE 20 million (approx. €1,061,325). In addition, the court shall revoke the licence to practise the activity';
  • Article 33 of the Anti-Cybercrime Law stipulates that 'each service provider who violates any of his obligations under Article 2 of this Law shall be punished by a fine of not less than LE 5 million (approx. €265,331) and not exceeding LE 10 million (approx. €530,662). The fine shall be doubled in the case of repetition, and the court may revoke the licence'; and
  • Article 35 of the Anti-Cybercrime Law stipulates that 'anyone responsible for the actual management of any legal person shall be punished by imprisonment for a period of not less than three months and a fine of not less than LE 30,000 (approx. €1,591) and not exceeding LE 100,000 (approx. €5,306), if the website, private account, email or information system pertaining to the entity he manages is subject to any of the crimes stated in this Law and he has not notified the competent official authorities at the time of his knowledge of the crime.'

11. OTHER AREAS OF INTEREST

Network and Information Systems

As per the Anti-Cybercrime Law, electronic data and information means everything that can be created, stored, processed, synthesised, transmitted, shared, or copied by information technologies ('IT'), such as numbers, codes, cyphers, letters, symbols, signs, images, sounds, etc.

'IT' shall mean any means or combination of connected or unconnected means used to store, retrieve, arrange, organise, process, develop and exchange information or data, including anything related to the means used by wire or wireless manner.

'Information program' means a set of commands and instructions expressed in any language, code, or signal, and in any form, which may be used, directly or indirectly, in a computer to perform a function or achieve a result, whether those commands and instructions are in their original form or any other form in which they are shown through a computer or an information system.

'Information system' shall mean a set of programmes and tools designed for the management and processing of data and information, or the provision of information services.

'Information network' shall mean a set of connected devices or information systems that can exchange information and communications, including private and public networks, international information networks, and applications used thereon.

Critical information infrastructure operators

Critical information infrastructure operators have not been identified separately under Egyptian law, but the NTRA is responsible for setting up the rules and conditions for granting special licenses for the establishment of telecommunication networks infrastructure without prejudice to the provisions of the laws governing construction, urban planning, environmental and local administration, as well as the licences for the operation and management of such networks, and the licences for providing telecommunication services. In addition, the NTRA is responsible for issuing such licenses and monitoring their execution in accordance with the provisions of the Anti-Cybercrime Law in a manner that guarantees the rights of the users, especially their privacy rights and without disturbing the national security, the State's top interests, urban planning and health and environmental standards that are specified by the relevant Ministries and Heads of concerned entities.

Operator of essential services

'Operator' is defined under the Anti-Cybercrime Law as any natural or legal person providing users with information and communication technology services, including those who process or store information personally or through a representative providing any such service or information technology on their behalf.

According to Article 2 of the Anti-Cybercrime Law the operators or service providers are obliged to provide the following:

  • keep and store the information system log or any IT means for a period of 180 consecutive days; the data to be kept and stored shall include:
    • data that helps identify the service user;
    • data relating to the content of the information system used whenever it is under the control of the service provider;
    • communication traffic data;
    • data on communication terminal equipment; and
    • any other data specified by a decision issued by the NTRA Board of Directors;
  • maintain the confidentiality of the data kept and stored, and not disclose it without a reasoned warrant issued by a competent judicial authority; said data includes personal data of any users of its service, or any data or information relating to the websites and private accounts to which such users log in, or the persons and bodies with which they communicate; and
  • secure data and information in a manner that maintains its confidentiality and prevents it from being hacked or damaged.

Without prejudice to the provisions of the Consumer Protection Law, 181/2018 (only available in Arabic here) ('the Consumer Protection Law') the service provider shall provide the users of its services and any competent governmental entity in the form and manner in which it is accessible, directly and continuously, with the following data and information:

  • name and address of the service provider;
  • contact information for the service provider, including the email address;
  • license data to identify the service provider and identify the competent authority supervising the service provider; and
  • any other information deemed by the NTRA as important to protect the service users, which shall be determined by a decision issued by the relevant Minister.

Without prejudice to the inviolability of the private life guaranteed by the Constitution of the Arab Republic of Egypt 2014 ('the Constitution'), the service providers and their subsidiaries shall, in the event of a request by the national security entities and in accordance with their needs, provide all technical possibilities, which enable them to exercise their powers in accordance with the Anti-Cybercrime Law.

IT service providers, and the agents and distributors assigned to market their services, are obliged to obtain user data; other parties are prohibited from obtaining it.

Article 2 of the Anti-Cybercrime Law creates two main categories: (i) service providers and (ii) users. One of the main purposes of the Anti-Cybercrime Law is to regulate the relationship between the service providers and users, imposing obligations on service providers.

Moreover, under the Consumer Protection Law, service providers shall provide the users of their services and any competent governmental entity, in a form and manner that is accessible, directly and continuously, with certain categories of data.

Cloud computing services

Digital evidence under the Anti-Cybercrime Law means any electronic information that has the strength or value of evidential data stored, transferred, extracted, or taken from computers or information networks and the like, and that can be compiled and analysed using special hardware or software or technological applications.

Digital service providers

Service provider, under the Anti-Cybercrime Law, means any natural or legal person who provides users with ICT services, including those who process or store information personally or through a representative providing any such service or information technology on his behalf.

It is worth noting that only service providers and their affiliated marketing agents and distributors may obtain users' data.

Mira Adly, Junior Associate
Zaynab Ismail, Junior Associate
Esraa Hesham, Junior Associate
Youssry Saleh Law Firm, Cairo