Legal Landscapes: Egypt – Data Protection & Cybersecurity

Ayman Nour, Gilan Khalil

Partner and Head of Egypt Office, Associate, Al Tamimi & Company


Q1. What is the current legal landscape for Data Protection & Cybersecurity in Egypt, your practice area?

Egypt’s data protection and cybersecurity framework has recently entered a decisive enforcement phase.

The core legislation is Personal Data Protection Law No. 151 of 2020 (“PDPL”), now fully operational following the issuance of the Executive Regulation pursuant to Ministerial Decision No. 81 of 2025 (“PDPL ER”) on 1 November 2025. Note that a one-year grace period (until 31 October 2026) is currently in place, after which full enforcement and penalties will apply.

The PDPL ER transforms the regime from high-level principles into enforceable compliance obligations, including rules on processing, storage, cross-border transfers, and electronic marketing.

PDPL governs the collection, processing, and transfer of personal data. It requires explicit consent, mandates a 72-hour breach notification to the Personal Data Protection Centre (“PDPC”), regulates cross-border transfers, and imposes a mandatory licensing regime. Violations carry fines of up to EGP 5,000,000 and imprisonment for sensitive data breaches.

Combating Cyber and Information Technology Crimes Law No. 175 of 2018 (“Cyber Crime Law”) criminalises unauthorised access, data interference, electronic fraud, and privacy violations. Service providers must retain system logs for 180 days and cooperate with national security authorities. Noncompliance can result in fines of up to EGP 20,000,000 and licence revocation.

The PDPL explicitly excludes personal data held by the Central Bank of Egypt and entities under its supervision (except money transfer and exchange companies), leaving banking data subject to the sector-specific oversight of the Central Bank of Egypt. Accordingly, the Banking Law No. 194 of 2020 (“Banking Law”) imposes strict confidentiality obligations on all customer data held by banks, with criminal penalties for breach.

Together, these laws create one of the most comprehensive data protection and cybersecurity frameworks in the region.

Q2. What three essential pieces of advice would you give to clients?

  • Immediate Compliance Assessment:

Conduct thorough audits and a gap analysis of all personal data processing activities, and implement a structured compliance framework to remediate the gaps identified. This includes adopting internal policies and procedures, ensuring the appointment and registration of a Data Protection Officer (“DPO”) in accordance with PDPL requirements, and obtaining the necessary licences and/or permits which fall under the framework of the PDPC. Operating without the requisite licence exposes businesses to significant administrative and criminal penalties; DPO appointment and registration with the PDPC is mandatory and should not be delayed beyond the end of the grace period.

  • Prioritization of Data Mapping and Cross-Border Compliance:

It is imperative to maintain a comprehensive understanding of the personal data held, its processing flows, and the legality of any transfers. This is particularly critical in light of the PDPL’s stringent cross-border data transfer restrictions and the licensing requirements mandated under the PDPL and the PDPL ER. Transfers of personal data abroad require adequate protection standards in the receiving country and a PDPC licence. Cloud providers, group entities, and offshore processors must all be assessed and, where necessary, brought into compliance with the PDPL and the PDPL ER.

  • Build Incident Response and Breach Notification Capability:

Controllers and processors must report breaches to the PDPC within 72 hours, describing the nature of the breach, the approximate number of affected records, the potential impact, and the corrective measures taken. The data subject must be notified within three business days of reporting, via the communication method agreed at the time consent was obtained (e.g. SMS, email, phone call). Failure to comply with notification obligations under the PDPL carries fines from EGP 300,000 to EGP 3,000,000. In this context, a tested incident response plan is essential.

Q3. What are the greatest threats and opportunities in the next 12 months?

Threats:

The PDPC is established as a public economic authority with broad enforcement, inspection, and regulatory powers, including the authority to set standards, issue licences, conduct inspections, receive complaints, and issue binding decisions. With the PDPL ER now published (dated 1 November 2025), the licensing regime is operational. Businesses that have not begun the compliance process face a real risk of administrative sanctions (including suspension or revocation of licences) and criminal penalties that can reach EGP 5,000,000 in fines, with imprisonment in serious cases. Cyber threats against critical information infrastructure, which spans banking, energy, telecoms, transport, health, and government, remain a concern, as the Cyber Crime Law regulations impose strict requirements on operators of such infrastructure to maintain security policies, conduct annual penetration tests, and report incidents immediately.

Opportunities:

The PDPL positions Egypt as a regional leader in data protection, creating a meaningful competitive advantage for compliant businesses. The mandatory DPO appointment requirement and the PDPC’s DPO registry, with its tiered approach based on data volume and nature, create sustained demand for qualified professionals and advisory services. The detailed licensing regime, which differentiates fees by volume of data records handled, from exemption for small operators (up to 100,000 records) through to scaled fees for larger processors, incentivises early compliance and creates opportunities for firms providing compliance consulting. Additionally, the regulations now specifically address AI and emerging technologies, requiring processors to handle personal data in accordance with recognised principles when used for AI training, opening a new advisory field.

Q4. How do you ensure high client satisfaction levels are maintained?

We combine deep local expertise in Egypt’s regulatory framework with the regional reach of the largest law firm in the Middle East and North Africa, enabling us to provide practical and proactive guidance on personal data protection. Our approach goes beyond interpreting the PDPL and related regulations; we support clients in designing and implementing the processes and systems required for full compliance.

In a practice area where timelines are critical and regulatory exposure is significant, clients benefit from direct access to senior practitioners who deliver timely, actionable advice, anticipate enforcement trends, and respond swiftly to incident reporting, breach notifications, and regulatory inquiries. We also provide tailored solutions aligned with sector-specific requirements, including fintech, telecommunications, and healthcare.

Q5. What technological advancements are reshaping your practice area?

Artificial intelligence and emerging technologies increasingly engage PDPL obligations, requiring processors to comply with recognised principles and ensure no harm to data subjects. AI deployments must embed privacy-by-design, respecting purpose limitation, data minimisation, and the data subject’s right to object where fundamental rights are implicated. Cloud computing raises compliance challenges under Egypt’s cross-border transfer regime, as transfers abroad require a PDPC licence and adequate protection in the destination country, with detailed disclosure of storage locations, security measures, and transfer pathways. The growth of fintech and digital banking extends PDPL and banking secrecy obligations to digital platforms, necessitating the integration of compliance requirements into technology architecture from inception. Finally, the use of facial recognition and visual surveillance technologies in public spaces is subject to PDPC licensing. Note further that where data is processed using AI and emerging technologies, the processor must ensure compliance with locally, regionally, and internationally recognised principles, guaranteeing that such technologies do not cause harm to the data subject.