FRA Regulates Licensing of Insurance Sector Websites – Wednesday 18 June 2025

  • Private insurance funds with assets of EGP 10 million or more must now establish a website licensed by FRA.
  • Other private insurance funds and individuals in the sector can also establish websites, provided they meet the same regulatory standards.
  • The regulations establish mandatory technical criteria for designing websites for both natural persons and legal entities in the insurance sector.
  • Concerned entities must implement specific information security requirements to protect user data.
  • FRA must be immediately notified of any website violations or cyberattacks.
  • Companies can outsource the design and hosting of their websites to data hosting companies registered with FRA.
  • These regulations reinforce FRA’s efforts in digital transformation and its commitment to governance, transparency and data protection.
  • A three-month grace period from the resolution’s effective date is extended to entities subject to this regulation.
  • Applications for website licenses will be reviewed and decided upon within 15 days of submitting all required documents.

 

FRA Board of Directors, chaired by Dr. Mohamed Farid, has issued Resolution No. 62 of 2025. This resolution establishes the regulations for licensing websites for all individuals and entities operating in the insurance sector, in line with the Unified Insurance Law, Law No. 155 of 2024.

Specifically, the resolution mandates the creation of official websites for private insurance funds holding assets of EGP 10 million or more, and for all legal entities (companies and bodies) as defined in Article 3 of the Unified Insurance Law. This requirement aligns with the law’s provisions, particularly Article 200. FRA holds the exclusive right to license these websites. Notably, the resolution also permits smaller funds (below the EGP 10 million threshold) and natural persons in the sector to establish websites, provided they adhere to the same regulatory standards.

Article 3 of the Unified Insurance Law defines the insurance sector’s structure, encompassing insurance and reinsurance entities, related professions and activities, as well as federations, assisting bodies and representative offices. FRA’s Board of Directors holds the authority to license additional insurance activities or services based on market demand. These new ventures must adhere to FRA-established standards and rules, and their issued and paid-up capital must meet or exceed the amount required for specialized medical insurance companies.

Beyond licensing, the resolution outlines key technical standards for website design. Websites must feature a responsive design to ensure seamless access across all devices, including mobile phones, tablets and computers. They are also required to be compatible with various internet browsers, offer ease of use and information accessibility and strictly comply with Web Content Accessibility Guidelines (WCAG).

The resolution further mandates that websites primarily feature Arabic content, with the option to offer other language versions. Companies must provide effective and responsive technical support channels—like phone, email, or live chat—to promptly address any technical issues and quickly respond to inquiries. Additionally, Search Engine Optimization (SEO) rules must be applied to these websites.

The regulations also oblige entities to publish essential information. This includes a brief overview of the service provider, their FRA-issued license number and detailed information on insurance services and their requirements. Websites must also clearly display contact methods, mechanisms for handling complaints and inquiries and periodic financial reports and disclosures. Finally, a dedicated FAQ section with clear answers is required to help users easily understand the services offered.

The resolution emphasizes the crucial need for regular and continuous updates to website data and content. This ensures accuracy, comprehensiveness, good performance and ongoing compliance with the stated technical standards. The resolution also mandates that entities implement specific information security requirements. These include using modern encryption protocols (SSL/TLS) to safeguard user data and ensure secure connections between the website and its users.

Additionally, companies must deploy advanced protection systems. This includes firewalls for network and information security, Web Application Firewalls (WAF), Intrusion Detection/Prevention Systems (IDS/IPS), and antivirus/anti-malware software (EPP/EDR) to protect the website from cyberattacks. Compliance with international standards, particularly ISO 27001 and NIST, is also required. Furthermore, entities must conduct annual penetration tests, regularly update software, establish clear privacy policies, provide a mechanism for users to delete or modify their data upon request and immediately notify FRA of any security breaches or high-impact risks.

The resolution emphasizes the crucial need to regularly update software and security systems to prevent vulnerabilities. It also mandates periodic data backups to ensure recovery in case of any breach or failure and requires maintaining system application logs for at least five years.

Additionally, it obliges entities to comply with Law No. 175 of 2018 on Combating Information Technology Crimes and the Personal Data Protection Law, Law No. 151 of 2020. They must also develop and continuously update a clear privacy policy for users, providing clear notifications of this on the website and informing users of any updates or changes to the website’s policies or services offered.

The resolution mandates strict adherence to the principle of not sharing user data with third parties without their explicit written consent. It also requires companies to provide a clear mechanism for users to modify or delete their data upon request. Furthermore, websites must undergo periodic security and protection tests and be continuously monitored for performance, and FRA must be immediately notified of any violations or cyberattacks.

On the other hand, companies can outsource the design and creation of their websites to data hosting providers officially registered with FRA. This is contingent on the licensed entity possessing the technical expertise to assess the quality and safety of the outsourced work. Crucially, the company must also guarantee full compliance with all technical and legislative controls and submit an outsourcing plan approved by its Board of Directors.

Companies are now required to promptly notify the Authority upon finalizing any outsourcing agreements or implementing any significant modifications to them. The resolution also details the specific documents needed for license applications, alongside the applicable examination and study fees, which vary based on the applicant’s type.

This initiative’s primary goal is to regulate the licensing of websites for both private insurance funds and other entities within the insurance sector. It’s a key part of FRA’s broader commitment to accelerate digital transformation and uphold robust governance, transparency and data protection standards. This strategic move aims to develop the insurance sector’s digital infrastructure, ultimately safeguarding stakeholder rights by cultivating a secure and transparent online ecosystem.

To facilitate compliance, entities addressed by the resolution have a grace period of up to three months from its effective date. The Authority, for its part, commits to review and decide on all licensing applications within 15 days of receiving the necessary documents.

Last modified: July 2, 2025