EGYPT

This content was last reviewed around November 2023.

Cloud Neutral

1. Are financial institutions legally permitted to use cloud services?

Whether financial institutions are allowed to use cloud services must be considered on a case-by-case basis and may also depend on the identity of their regulator. In the case of banking institutions regulated by the Central Bank of Egypt, Egyptian Banking Law is generally silent on the use of cloud services, although provision is made for low-risk banking information other than customer data. On the other hand, the Financial Regulatory Authority which regulates stock brokerage companies, the stock exchange and the Misr for Central Clearing, Depository and Registry, expressly allows the use of cloud network services in relation to data shared between such entities.

While the National Telecom Regulatory Authority authorizes and regulates data centers and cloud service providers under the Personal Data Protection Law No. 151 of 2020 (DPL), this legislation does not generally extend directly to financial institutions.

2. Are there any rules which apply to cloud use by financial institutions (e.g., rules regarding outsourcing or the use of cloud services)?

Subject to exceptions, Egyptian law is silent on the storage of data by financial institutions that use cloud service providers. However, entities regulated by the Central Bank of Egypt (CBE) are subject to strict confidentiality requirements whereby all information related to customers, their accounts, their deposits, and their safety deposit boxes held by the CBE-regulated entities must be kept strictly confidential and may only be shared with the consent of the customer. 

Any outsourcing provider to financial institutions, including those providing services in respect of customer data, must be registered with the CBE and will be bound by the same confidentiality requirements as the outsourcing financial institution, or CBE-regulated entity, in question. As part of its due diligence process prior to registration, the CBE may require the outsourcing provider to supply such documentation as it deems necessary. Generally speaking, the CBE does not register companies located outside of Egypt.

The CBE has issued specific rules that must be observed when a bank or CBE-regulated entity outsources services to third party providers. According to the CBE Supervisory Regulations, internal policies adopted by banks on the solicitation and use of external service providers (ESP) for outsourcing must include the following minimum requirements:

  • A written contract between the ESP and the bank.
  • Confidentiality obligations on the ESP for information related to the bank and its clients.
  • Appropriate criteria to ensure the ESP's ability to perform its duties to the required standard according to its contractual obligations.
  • Observance of corporate governance rules on conflicts of interest.

As for entities regulated by the Financial Regulatory Authority (FRA), Decree No. 1005 of 2013 allows for the use of cloud networks through service providers in relation to data shared between stock brokerage companies, the stock exchange and the Misr for Central Clearing, Depository and Registry (MCDR).

Further requirements imposed by the National Telecom Regulatory Authority on cloud storage outsourcing are discussed at Q&A 3.

3. Are there any specific contractual requirements for cloud outsourcing?

While Egyptian law is silent on the use of cloud by financial institutions and other Central Bank of Egypt (CBE)-regulated entities, the CBE has stipulated specific contractual requirements which must be satisfied in agreements between CBE-regulated entities and outsourcing providers. When entering into a service level agreement (SLA) with an external service provider (ESP) the bank or CBE-regulated entity must ensure that:

  • Service quality is in line with pre-determined criteria and that the ESP has business contingency plans.
  • The ESP is responsible for protecting confidential information in relation to the bank and its clients/customers.
  • The bank, or CBE-regulated entity, can unilaterally terminate the SLA if necessary (e.g., due to a breach by either party of its duties under the SLA), and that no financial commitments are incurred by the bank, or CBE-regulated entity, as a result of the termination, while ensuring continuity of services to the customers.
  • The ESP will not vary the agreed services unless the bank, or CBE-regulated entity, provides its prior approval.
  • The ESP will abide by the procedures set by the bank, or CBE-regulated entity, in relation to the supervision of services, including providing periodic reports on its performance levels to the board of directors of the bank, or CBE-regulated entity.
  • The ESP will disclose to the bank, or CBE-regulated entity, all relevant information in relation to the services in accordance with provisions around disclosure and transparency of information.
  • The ESP will provide any information requested by the monitoring and supervision unit at the CBE in relation to the services provided by them.
  • The Egyptian Data Protection Law no. 151 of 2020 stipulates the inclusion of various provisions in the contract in relation to data (please refer to Q&A 7).

Under the National Telecom Regulatory Authority (NTRA) licensing framework, cloud service providers using data centers in Egypt are required, inter alia, to:

  • Maintain the confidentiality and privacy of customers' data.
  • Disclose how cloud computing services integrate with customer data, as well as customer data storage locations inside and outside the Arab Republic of Egypt.
  • Take steps to prevent and reduce the impact of accidents affecting any equipment and data stored/processed, taking the following into consideration:
    • Security of the systems and facilities of the licensee's data centers.
    • Procedures for dealing with emergencies and accidents.
    • Implementation of monitoring, auditing and testing mechanisms.
  • Align with international standards, such as:
    • ISO/IEC 27017 (information security controls for cloud services).
    • ISO/IEC 27018 (protection of personal data in public clouds).
    • ISO/IEC 27701 (privacy information management).
  • Allow customers to assess cyber security measures through penetration and vulnerability tests.

Service providers using data centers outside Egypt are currently not regulated under the NTRA Regulations, although this may change in the future.

4. When does cloud outsourcing fall within the scope of the rules?

This must be considered on a case-by-case basis and depends on whether the financial institution is regulated by the Central Bank of Egypt or the Financial Regulatory Authority.

5. Does the outsourcing need to be notified to the regulator?

No notification is required provided the outsourcing provider is registered with the Central Bank of Egypt. However, a cloud service provider using data centers in Egypt may need to disclose this to the National Telecom Regulatory Authority.

6. What are the potential consequences for breaching financial services rules on cloud outsourcing?

Generally, in accordance with Article 231 of the Banking Law No. 194 of 2020, a breach of banking information secrecy is punishable by a term of imprisonment for a period of not less than one year and a fine of not less than EGP 200,000 and not exceeding EGP 500,000. The fine is multiplied by the number of relevant parties affected. These sanctions apply to Central Bank of Egypt regulated entities and outsourcing service providers in cases of breach of confidentiality. Criminal sanctions apply both to employees and corporate entities. Additional civil and/or regulatory sanctions may also apply. 

7. Are there any data privacy and/or data security laws that would apply?

The Personal Data Protection Law No. 151 of 2020 (the DPL) sets out obligations on the data controller and the data processor (i.e., the cloud service provider) that will need to be reflected in the Cloud Services contract. The DPL however is not yet in force pending the making of implementing regulations. Please also note, that the DPL does not apply to entities supervised and regulated by the Central Bank of Egypt (CBE) provided the CBE's own rules are followed. Data privacy and data security regulations applicable to CBE-regulated entities are provided under Banking Law No. 194 of 2020 and relevant CBE regulations issued to date. 

Under the DPL, the contract with the cloud service provider should include provisions reflecting the following:

  • An undertaking from the cloud service provider to maintain the secrecy and confidentiality of all personal data and information received in relation to customers or data subjects in the context of the services provided to the financial institution.
  • An undertaking from the cloud service provider to appoint a representative in Egypt (if based outside the jurisdiction).
  • Confirmation from the cloud service provider of its ability to comply with the provisions of the DPL and to allow the Data Commissioner to inspect to ensure compliance.
  • An undertaking from the cloud service provider to correct any errors in data when notified.
  • An undertaking by the cloud service provider to prepare a special data register which records the different types of "processing" carried out on behalf of the data controller, the controller's contact details and those of the person in charge of protecting the data, the timeframe needed for processing, the process for deleting the data it holds and an explanation of the technical procedures available for maintaining the secrecy of the data.

8. Are there any restrictions under local data protection laws which would impact the overseas hosting of data?

Generally speaking, under the Data Protection Law No. 151 of 2020 (the DPL), which does not apply to Central Bank of Egypt (CBE)-regulated entities, both the data controller and data processor can transfer personal data to another controller/processor in safe harbor countries affording the same level of protections (i.e., cross border transfer of personal data), provided a permit is obtained from the Data Commissioner, and (i) both controllers/processors agree on the nature of the services and the purpose of the personal data, or (ii) both controllers/processors have a legitimate interest in the personal data.

The cross-border transfer of personal data may be made to a country that does not afford the same level of protection if (i) the express consent of the data subject is obtained, and (ii) the transfer is only for limited purposes, including seeking medical assistance, conducting legal proceedings, performing an agreement, fulfilling legal obligations or transferring funds.

With respect to CBE-regulated entities, any outsourcing company hosting the data of customers of such entities must be registered with the CBE. To the best of our knowledge, the CBE does not accept the registration of outsourcing companies located outside of Egypt. 

9. Does a cloud service provider need a financial services authorization or license to provide cloud services?

Where the outsourcing provider provides services to a Central Bank of Egypt (CBE)-regulated entity, it must be registered with the CBE.

For non-CBE-regulated entities, if the cloud service provider provides services using (licensed) data centers located in Egypt, it will need to register with the National Telecom Regulatory Authority (NTRA). In order to host low-risk banking information other than customer data, the cloud service provider must obtain an accreditation certificate from the NTRA, based on the type of customers using the service (e.g., Tier 2 accreditation for regulated private sector customers and Tier 3 accreditation for public sector customers). In addition, the cloud service provider may require a permit/license from the Personal Data Protection Center (which is yet to be established), to control, hold or process personal data.

10. Are express consents from customers or other data subjects required before moving data to the cloud?

Yes. If existing agreements do not already include such consent or permit the disclosure of customer data to cloud service providers, the express written consent of each customer and data subject should be obtained. Customers may withdraw consent at any time; such a withdrawal of consent will not affect activities carried out while the consent was in place, but will prevent financial institutions from using cloud service providers for subsequent processing activities in relation to that customer.

11. Are there any local laws which require a cloud service provider to be able to access the data it hosts?

No. However, in practice such obligations may be imposed contractually.

Under the Cybercrime Law No. 175 of 2018, cloud service providers are required to save and store a data register for 180 consecutive days, which should include the content of the IT system if it is under the control of the service provider. Telecom service providers are also required to provide technical support to national security agencies so that they can exercise their powers in accordance with the law.

12. Are there any local laws which would require a cloud service provider to disclose the data it hosts to any third parties in any circumstances (including regulatory or law enforcement authorities)?

Generally, in judicial proceedings the Public Prosecutor and/or a court may order a person to share data that is relevant/required in any proceedings whether civil or criminal. The Egyptian Criminal Procedures Law allows an investigating judge to issue a warrant to access electronic mail and to monitor/intercept phone calls where this will assist an investigation.

Under Article 6 of the Cybercrime Law No. 175 of 2018, cloud service providers are required, at the request of national security agencies, to provide all technical support to permit these agencies to exercise their legal powers. A failure to comply with these requests is punishable by a term of imprisonment of not less than three months and a fine of not less than EGP 20,000 and not more than EGP 1 million (see Article 32 of the Cybercrime Law).

The Data Protection Law No. 151 of 2020 (the DPL) allows national security agencies and governmental authorities, for national security purposes, to request the Data Commissioner, to require personal data controllers and processors to modify, delete, hide, or to abstain from circulating or disseminating personal data for a specified period. While there are no penalties under the DPL for non-compliance with this requirement, data controllers and processors are required to comply with the Data Commissioner's notification within the specified period therein. Any non-compliance may be considered as obstruction of justice punishable by a term of imprisonment. Please note that entities subject to the supervision and control of the Central Bank of Egypt are not subject to the DPL.