Egypt’s Financial Regulatory Authority (FRA) has unveiled a new set of digital and cybersecurity regulations governing the establishment and operation of websites by all stakeholders in the country’s insurance sector, marking a significant step toward strengthening digital governance and enhancing sector-wide transparency.
Issued under Resolution No. 62 of 2025, the directive sets out licensing, technical, and cybersecurity standards for companies, individuals, and private insurance funds operating under the Unified Insurance Law No. 155 of 2024.
Under the new rules, private insurance funds with assets exceeding EGP 10 million are mandated to establish official websites. Smaller funds and individual practitioners may also create websites, provided they fully comply with the specified regulatory framework. The FRA retains exclusive authority to issue licenses for all websites in the insurance domain.
Digital Compliance Framework
The regulation, introduced under the leadership of FRA Chairperson Mohamed Farid, outlines a set of technical specifications designed to standardise the digital presence of insurance entities. These include:
- Responsive design ensuring accessibility across desktops, tablets, and smartphones.
- Browser compatibility with all major internet platforms.
- User-centric interfaces and compliance with Web Content Accessibility Guidelines (WCAG) to ensure inclusivity for users with disabilities.
- Arabic as the primary language, with the option of including additional languages.
- Implementation of Search Engine Optimisation (SEO) best practices.
All websites must prominently display:
- The organisation’s FRA-issued licence number
- A detailed company profile
- Descriptions of services offered
- Updated contact information
- Financial reports and regulatory disclosures
- A Frequently Asked Questions (FAQ) section.
Entities are also required to regularly update their website content to ensure ongoing accuracy and regulatory compliance.
Cybersecurity and Data Protection Mandates
The new framework places strong emphasis on information security, aligning with global standards such as ISO 27001 and NIST. Required measures include:
- SSL/TLS encryption
- Advanced security infrastructure, including firewalls, Web Application Firewalls (WAF), and Intrusion Detection and Prevention Systems (IDS/IPS)
- Use of anti-virus and endpoint detection and response tools (EPP/EDR)
- Annual penetration testing and routine software updates
Entities must immediately report any cyber incidents to the FRA and comply with Law No. 175 of 2018 on Cybercrime and Law No. 151 of 2020 on Personal Data Protection. Requirements include:
- Publishing clear privacy policies
- Obtaining explicit user consent before sharing data with third parties
- Facilitating user data modification or deletion requests
- Maintaining regular backups and application logs for at least five years
Governance of Outsourced Services
The FRA permits outsourcing of website development and hosting to FRA-registered service providers, provided the licensed entity maintains in-house technical oversight. An outsourcing plan approved by the board of directors is mandatory, ensuring that risk, quality, and compliance are closely monitored.
Timelines and Enforcement
Entities have a three-month window from the resolution’s effective date to align with the new requirements. The FRA has pledged to process complete licence applications within 15 working days, expediting compliance and encouraging digital adoption across the sector.
The new measures are part of the FRA’s broader strategy to modernise Egypt’s insurance landscape, enhance cyber resilience, and drive digital transformation in alignment with governance and transparency priorities.