The Egypt Financial Regulatory Authority has issued Board Decision No. 227 of 2025 requiring companies and other entities licensed to conduct non-banking financial activities, and entities specified by the Authority, to upgrade their technology infrastructure and strengthen cybersecurity controls. Meeting these requirements is set as a condition for maintaining an operating licence. The decision ties required technology, information systems, and protection measures to the standards set out in the Authority’s Board Decision No. 139 of 2023. It also requires a board-approved information security policies and procedures manual to be submitted to the Authority, alongside board-approved frameworks for information technology governance, IT risk management, and cybersecurity. Firms must obtain a cybersecurity risk insurance policy from an insurer licensed in Egypt and renew it annually, with particular focus on firms operating via digital platforms or electronic applications. In addition, the firms the decision addresses must conduct periodic penetration testing and submit annual information security reports to the Authority, and the contract with the testing provider must include an explicit commitment to inform the Authority of test results. For firms other than insurance companies, the decision provides a remediation period of six months from the decision’s effective date to align technology infrastructure, and one year to align with the remaining regulatory requirements set out in Article 1.