الهيئة العامة للرقابة المالية

• The new resolution strengthens market confidence, maintains stability, simultaneously elevating safety levels in non-banking financial activities.
• This requirement adheres to the standards stipulated in resolution No. 139 of 2023 for upgrading technology, infrastructure, information systems and security measures.
• Companies are required to obtain and annually renew a cyber insurance policy from an insurance provider licensed to operate within Egypt.
• Regular penetration testing and annual reporting must be submitted to the Authority to evaluate system readiness and ensure vulnerabilities are addressed.
• Compliance with these requirements is an essential condition for the continuation of the operating license.
• Companies have a six-month grace period to regularize their technological infrastructure, with the exception of insurance firms. For all other regulatory requirements, the grace period is extended to a full year.

In line with its commitment to develop the non-banking financial sector and ensure secure, sustainable digital operations, FRA Board of Directors has issued resolution No. 227 of 2025.

This new resolution requires all entities engaged in non-banking financial activities to upgrade their technological infrastructure and enhance cybersecurity capabilities.

The new requirements and controls are designed to fortify cybersecurity system and boost the efficiency of technology within licensed firms.

The move aligns FRA with best international practices in IT governance and cyber risk management, safeguarding customer data and electronic systems amid rapid digital transformation. Ultimately, this enhances market confidence, protects stability and increases corporate readiness against potential cyber threats.

FRA mandates that specified non-banking financial entities must immediately upgrade their technological equipment, infrastructure and information systems. These protective actions must strictly conform to FRA Board resolution No. 139 of 2023 standards to safeguard confidential information and systems.

Companies shall prepare a comprehensive manual for information security policies and procedures which requires Board of Directors approval and immediate submission to the Authority upon endorsement. Additionally, companies are required to establish clear, defined frameworks for IT Governance, IT Risk Management and Cybersecurity. These frameworks likewise mandate Board approval and must be submitted to the Authority immediately following that approval.

In the context of enhancing financial protection, the new resolution stipulates that companies must obtain a cyber insurance policy from an insurance company licensed to operate in Egypt, which must be renewed annually. This is particularly important for companies that conduct their business through digital platforms or electronic applications.

Pursuant to the new rule, the addressed companies are obligated to conduct periodic penetration test and prepare annual information security reports. This ensures the assessment of system readiness, the timely detection of potential vulnerabilities and their resolution. The Authority also mandated that companies shall submit these reports to it and that the contract concluded with the entity performing the test must include an explicit commitment to notify the Authority of the test results.

Also, it affirmed that compliance with the requirements and controls contained therein is considered a fundamental condition for the continuation of the operating license, thereby ensuring the integration of cybersecurity practices within the corporate governance framework. The resolution grants companies (with the exception of insurance companies) a structured grace period to achieve full compliance with the new regulations: they are given six months from the resolution’s effective date to align their technological infrastructure, and a full year (twelve months) to meet all other regulatory requirements stipulated in Article One of the resolution.

FRA emphasizes that its new resolution is a strategic move to bolster the Non-Banking Financial Activities (NBFA) sector. The resolution is specifically designed to enhance security and resilience by significantly increasing companies’ readiness against potential cyber threats which is vital for preserving business continuity and maintaining client trust. Moreover, this initiative aligns with FRA’s broader mission to establish a secure and stable digital financial environment in Egypt, ensuring the sector keeps pace with international technological developments and integrates both innovation and good governance principles.

The Authority reiterates its commitment to actively develop the necessary supervisory and regulatory frameworks. These frameworks are essential for supporting digital transformation and guaranteeing the highest degrees of protection and security across the entire non-banking financial activities.