Egypt Sets New Rules For Cybersecurity Firms: What To Know

October 8, 2025

 

Egypt has been heavily investing in digitizing its economy and accompanying infrastructure since 2016 with the launch of Egypt Vision 2030. Since then, projects have included digitizing government services and citizen interactions, promoting digital payments via applications like the Central Bank’s Instapay, offering training and upskilling courses, and promoting innovation via incubator programs and regulatory sandboxes.


Government data shows that between 2022 and 2024, the number of internet users in Egypt increased by 6.3 million, bringing the total to more than 82 million.
According to data aggregator Statista, that means almost all Egyptian citizens aged 10 or above have internet access. 


That proliferation is accelerating cybersecurity risks. A report by Positive Technologies, a security firm, found more than 100 listings on the “dark web” offering stolen personal information of Egyptian citizens. 


The report also showed data breaches primarily targeted individuals (40%), followed by e-commerce (22%), and the service and transportation sectors (10% each).


To combat illicit activities, the National Telecommunications Regulatory Authority (NTRA) announced a new framework to give multi-tier certifications to cybersecurity professionals and companies. 


“Regulating cybersecurity firms and professionals operating in Egypt offering their services to local companies and government bodies has become critical,” Walid Zakaria, NTRA deputy chairman for cybersecurity affairs, told AmCham Egypt members in July. “This new regulation will not only govern the market, but also should stimulate innovation and ensure competitiveness.”

Not a bad start

Realizing the importance of cybersecurity, the government in 2023 founded the Supreme Cybersecurity Council (SCC) and launched the National Cybersecurity Strategy (NCS) 2023-2027. 

Its vision is to “ensure Egypt’s cyberspace is secure and resilient, and promote economic prosperity.” To achieve that, the strategy will “lead government efforts to understand and manage cyberspace risks,” the NCS document said.

It outlined seven program categories, which comprise the local cybersecurity framework. They are building a comprehensive regulatory framework; enhancing participation of the private sector and society; building capable and resilient cyber defenses; strengthening international cooperation; changing society’s perception and culture toward cybersecurity; and promoting R&D, innovation and growth.

The government’s commitment has been reflected in global cybersecurity rankings. In September 2024, the International Telecommunication Union classified Egypt as one of 48 “Tier 1” countries out of 193 member states. Within that tier, Egypt was in the top 12 countries.

For fiscal year 2025/2026, the Ministry of Planning, Economic Development and International Cooperation announced that EGP 13 billion ($268 million) would be directed to the ICT sector to enhance cybersecurity capabilities, along with boosting digital infrastructure, localization of tech equipment manufacturing and integration of artificial intelligence. The ministry hasn’t offered a breakdown of that money.

The other mention of cybersecurity in the 2025-2026 plan involves developing “cybersecurity solutions for critical national infrastructure.”

Regulating cybersecurity


In July, the NTRA announced implementation of a framework that regulates individuals and companies offering cybersecurity services. The regulation is based on the 2014 cybercrime law, the 2003 telecom regulation law, and decisions from the SCC. 


The framework defines terms and conditions for a multi-tier certification system, which determines the eligibility of its holders to work on specific projects. It also specifies team structures and the qualifications of team members based on the service recipients and the services they receive.


“This regulatory framework aims to guarantee real governance and maturity in Egypt’s cybersecurity market,” Mohamed El Sobky, cybersecurity risk management, compliance, and accreditation executive director at the NTRA, told AmCham Egypt members in July. “The crux of this regulation is upskilling the individual experts working in this sector to ensure they meet international standards.” 


To achieve its targets, the new legislation requires that agencies responsible for managing “critical infrastructure” and “all government agencies, bodies and ministries” only contract certified cybersecurity providers.    


From the provider’s side, getting certified per the new cybersecurity legislation framework will require investment in upskilling staff. “The basic premise of the regulation is that we are encouraging companies to invest in their human resources,” El Sobky said. “That [upskilling] will create competition. It will also ensure that cybersecurity service providers are mature and capable of service delivery up to unified national standards. Ultimately, that should attract more investment in this crucial part of the information sector.” 


He also noted that having a certification framework would ensure that service providers protect the recipient’s data, especially relating to critical infrastructure. 


Tiered system

The new certification system has two levels. Tier 1 certificates enable cybersecurity service providers, whether companies or individuals, to work with government agencies, public enterprises, telecom providers, critical infrastructure, and the private sector.


Tier 2 certification only allows holders to do business with private sector companies or organizations with no ties to the government or its critical infrastructure. 


El Sobky noted that companies attaining Tier 1 or Tier 2 have the option to be certified as “service providers” to third parties or as “non-service providers” to enhance their market position with customers. If they choose to be service providers under either tier, they must individually certify each staff member working on the project.

“Individuals can only certify themselves (Tier 1 or Tier 2), but they cannot offer the service unless they work for a certified company,” El Sobky said.

Another certification difference is “permanent” and “temporary” variants for service providers only. “The permanent certification is renewed every three years and is given to the companies that meet all Tier 1 or Tier 2 criteria,” El Sobky said. “This process takes a month, and service providers must pay all fees up front.”


The “temporary” certificates target cybersecurity service providers who already have contracts with government bodies, which are obligated to use certified firms. “It is a document that proves to the government that their cybersecurity service provider is working toward compliance,” El Sobky explained. It is valid for one year. “The temporary certificate is essential, as without it the government must annul the contract immediately per the law, harming both the receiver and provider of the service.”  

Another feature of the “temporary” certificate is that the company that holds it must also pay for “temporary” certificates of the technical staff working on the government project.  

Companies and individuals with permanent certificates are registered in an NTRA-managed national database of all those who received either a Tier 1 or Tier 2, service provider or non-service provider certificate. Those with temporary certifications don’t appear.

“The reason for this separation is that any government-related entity must contract a company from this database in any new post-regulation contract,” El Sobky explained.  “Accordingly, all they will see are providers with permanent certifications.”

Project eligibility

El Sobky stressed that despite holding permanent certifications, companies and their technical staff cannot work on just any project, whether government-related or in the private sector. 

Cybersecurity service providers working on critical infrastructure or government-related projects must assign a team of five or more dedicated experts. One of them must hold an advanced certification and two must hold intermediate-level certifications, while the rest can be certified at any level in Tier 1.

Restrictions also apply to Tier 2 certified service providers, who can only work with companies not related to the government. Their teams must comprise at least three accredited professionals, one of whom must be intermediate-level certified. The rest can be entry-level certified.

Once the project is implemented, El Sobky noted that the service provider must have a Security Operations Center that is operational 24/7. “If they serve government clients, there must be at least seven certified professionals working in the center at any time. For private companies, their center must have at least five,” he said. There is no minimum certification requirement for those working in those centers.

Finally, the cybersecurity regulatory framework also limits consultancy and training activities. If the certificate holder provides consulting services, they can be certified at any level in the non-service provider certificate program. “The reason is that consultants only design security systems and aren’t involved beyond that stage,” El Sobky said.

He stressed that trainers are required to have an advanced certification in either service or non-service provider programs. “The logic is simple here. You can’t have someone with an intermediate certification teach advanced cybersecurity.”   

“For the time being, the restrictions are on the team size,” El Sobky said. “We will eventually add limitations on the size and nature of the operation of the cybersecurity receiver. What we have announced are the bare minimum requirements.”

In the long term, he believes the regulatory framework might transform into a government agency with internationally recognized certification programs. “It will be transformational for Egypt’s digital economy and framework to have a 100% national body giving locally developed certifications, recognized throughout the world.”

Cybersecurity vision

For Zakaria of the NTRA, the vision for Egypt’s cybersecurity framework is to enable “free, fair competition, giving equal opportunities for service providers who are continually offering standout and innovative solutions, operating with transparency and integrity.” 

The second target is to increase confidence regarding the quality and effectiveness of cybersecurity services offered by local providers. “The new regulatory framework is the cornerstone for establishing the required trust,” Zakaria said.

Third, he believes a highly regulated cybersecurity market meeting international standards would attract FDI. “That target is particularly vital to create sustainable growth in that critical sector, which directly impacts Egypt’s digital transformation strategy.”

Zakaria also aims to integrate Egypt into the global cybersecurity framework via partnerships and implementing international standards to ensure local providers can compete regionally and beyond.

Lastly, “the vision is to build resilient protections around Egypt’s digital economy, allowing it to function uninterrupted and without fear of cyberattacks crippling it,” said Zakaria. “That will ultimately happen when investments in human capital from the government and private sector align and complement each other to build generations of skilled, internationally recognized cybersecurity professionals.”