Egypt: Executive Regulations of the Personal Data Protection Law (Decision No. 816 of 2025) including cybersecurity regulation entered into force

On 2 November 2025, the Executive Regulations of the Personal Data Protection Law issued by Law No. 151 of 2020 entered into force on the day following their publication in the Official Gazette, as issued by Minister of Communications and Information Technology Decision No. 816 of 2025. The Executive Regulations require data controllers and personal data processors to notify the Personal Data Protection Center (PDPC) through the governmental electronic portal within 72 hours from the time of becoming aware of a breach or violation. The notification must include the time of awareness and reporting, a description of the nature and timing of the breach or violation, an estimate of the number of affected data records, the potential effects and expected damage, urgent and corrective measures taken, details of the personal data protection official, and any additional documents or information requested by the PDPC. Where the breach or violation relates to national security considerations, the notification must additionally address the national security interest and the volume of affected data and estimated damage. The Executive Regulations also require the controller and processor to notify the person concerned with the data within three days from notifying the PDPC, using the agreed communication means.