Contract requirements
3. Are there any specific contractual requirements for cloud outsourcing?

While Egyptian law is silent on the use of cloud by financial institutions and other Central Bank of Egypt (CBE)-regulated entities, the CBE has stipulated specific contractual requirements which must be satisfied in agreements between CBE-regulated entities and outsourcing providers. When entering into a service level agreement (SLA) with an external service provider (ESP), the bank or CBE-regulated entity must ensure that:

  • Service quality is in line with pre-determined criteria and that the ESP has business contingency plans.
  • The ESP is responsible for protecting confidential information in relation to the bank and its clients/customers.
  • The bank, or CBE-regulated entity, can unilaterally terminate the SLA if necessary (i.e., due to breach of any of the duties or rights of each of the parties to the SLA) and that no financial commitments are incurred by the bank, or CBE-regulated entity, as a result of the termination, while ensuring continuity of services to the customers.
  • The ESP will not vary the agreed services unless the bank, or CBE-regulated entity, provides its prior approval.
  • The ESP will abide by the procedures set by the bank, or CBE-regulated entity, in relation to the supervision of services, including providing periodic reports on its performance levels to the board of directors of the bank, or CBE-regulated entity.
  • The ESP will disclose to the bank, or CBE-regulated entity, all relevant information in relation to the services in accordance with provisions around disclosure and transparency of information.
  • The ESP will provide any information requested by the monitoring and supervision unit at the CBE in relation to the services provided by them.
  • The Egyptian Data Protection Law no. 151 of 2020 stipulates the inclusion of various provisions in the contract in relation to data (please refer to Q&A 7).

Under the National Telecom Regulatory Authority (NTRA) licensing framework, cloud service providers using data centers in Egypt are required inter alia to:

  • Maintain the confidentiality and privacy of customers' data.
  • Disclose how cloud computing services integrate with customer data as well as customer data storage locations inside and outside the Arab Republic of Egypt.
  • Take steps to prevent and reduce the impact of accidents affecting any equipment and data stored/processed by taking the following into consideration:
    • Security of the systems and facilities of the data centers of the licensee.
    • Procedures for dealing with emergencies and accidents.
    • Implementation of monitoring, auditing and testing mechanisms.
  • Align with international standards, such as:
    • ISO 27017 for Cloud Services Security Standards.
    • ISO 27018 for privacy standards for cloud services.
    • ISO 27701 for Information Privacy Management.
  • Allow customers to assess cyber security measures through penetration and vulnerability tests.

Service providers using data centers outside of Egypt are currently not regulated under the NTRA Regulations, although this may change in the future.