Egypt’s Financial Regulatory Authority (FRA) has issued new regulations establishing licensing, technical, and cybersecurity standards for the websites of all companies and individuals operating in the country’s insurance sector.
The new rules, outlined in Resolution No. (62) of 2025, mandate that private insurance funds with assets of EGP 10 million or more must establish an official website. The FRA will be the sole authority to issue licences for these websites, in accordance with the Unified Insurance Law No. 155 of 2024.
Smaller funds and individuals working in the insurance sector will be permitted to create websites, provided they adhere to the same set of regulations.
The measures are part of a broader framework outlined in the Unified Insurance Law. Article (3) of the law defines the insurance sector as comprising insurers, reinsurers, and related professions and activities. It also authorises the FRA’s Board of Directors to license other insurance services based on market demand, subject to established standards and capital requirements.
Technical and Content Mandates
Under the resolution, chaired by FRA Chairperson Mohamed Farid, all insurance sector websites must meet specific technical standards. These include having a responsive design for accessibility across mobile phones, tablets, and computers, as well as compatibility with all major internet browsers.
Websites must also be user-friendly, provide easy access to information, and comply with the Web Content Accessibility Guidelines (WCAG) for users with disabilities. Arabic must be the primary language, with other languages optional. Search Engine Optimisation (SEO) best practices must be implemented.
Entities are required to publish essential information, including a company profile, their FRA-issued licence number, detailed descriptions of services, and clear contact information. The sites must also feature financial reports, periodic disclosures, and a dedicated Frequently Asked Questions (FAQ) section.
The resolution requires all website content to be updated regularly to ensure accuracy, completeness, and compliance with technical controls.
Cybersecurity and Data Protection
The regulations place a strong emphasis on information security, mandating a range of technical safeguards to protect user data. These include:
- The use of modern encryption protocols (SSL/TLS).
- The implementation of advanced security systems such as network firewalls, Web Application Firewalls (WAF), and Intrusion Detection/Prevention Systems (IDS/IPS).
- The use of anti-virus and anti-malware software (EPP/EDR).
Entities must adhere to international standards, particularly ISO 27001 and NIST, and conduct annual penetration tests and regular software updates. Any security breach or cyberattack must be reported to the FRA immediately.
Furthermore, all affected entities must comply with the Anti-Cyber and Information Technology Crimes Law No. 175 of 2018 and the Personal Data Protection Law No. 151 of 2020. This includes creating clear privacy policies, obtaining written consent from users before sharing their data with third parties, and providing a mechanism for users to request the modification or deletion of their data.
The rules also require regular data backups for disaster recovery and the retention of system application logs for a minimum of five years.
Outsourcing and Compliance
The resolution permits the outsourcing of website design and development to data hosting providers that are officially registered with the FRA. However, the licensed entity must retain qualified technical staff to evaluate the quality and security of the outsourced work. An outsourcing plan approved by the board of directors is also required.
The FRA said the measures are designed to regulate the creation of websites for private insurance funds and other entities in the sector. The authority stated the initiative is part of its strategy to modernise the industry’s digital infrastructure, enhance digital transformation, and ensure compliance with governance, transparency, and data protection standards.
All affected entities have a three-month grace period from the resolution’s effective date to regularise their status. The FRA has committed to processing complete licence applications within 15 days of submission.