Cairo, 5 September 2020
In February 2019, Moharram & Partners for Public Affairs and Strategic Communications (M&P) held the first private-public dialogue on the Cybercrimes Executive Regulations of the Law no. 175 for the year 2018 on Combating Cybercrimes. Hosted by the Ministry of Communications and Information Technology (MCIT)/Information Technology Industry Development Agency (ITIDA), the workshop was attended by 35+ participants representing top global/regional ICT firms.
On August 27th 2020, HE the Egyptian Prime Minister Mostafa Madbouly issued executive regulations no. 1699/2020 (the “ER”) to the cybercrimes law no. 175/2018 (the “Law”). This comes into force after a significant delay from the timeline determined under the Law.
General vs Critical Information Technology Services
Based on our initial review of the ER, we find the provisions of the regulations precise and brief. The ER introduces a differentiation between general information technology services and critical information technology services and stipulates two different sets of requirements to comply with the Law (Articles 2 and 3 of ER). The requirements stipulated for general information technology services provide the basic minimum standards that must be followed by any information technology service provider. These obligations include minimum security levels in the systems used.
With regard to critical information technology services, we note that the definition is broad and could capture a wide range of businesses. The ER defines Critical Information Infrastructure as: “a set of systems, networks or basic information assets whereby the disclosure of their details leads to their break-down, the unlawful disruption of their operational method, unauthorized access, unlawful data and information that are saved or processed by such systems, any other unlawful act that affects the availability of the State’s services and its main utilities or causes national material economic or social losses. Critical Information Infrastructure specifically entails what is used for electric power, natural gas and petrol, telecommunications, financial entities and banks, different industries, transportation and civil aviation, education and scientific research, radio and television broadcasting, drinking water and sewage stations and water resources, health, governmental services and emergency services or other information and telecommunications utilities that may affect national security or national economy or public interest and the like”.
The obligations are stricter for service providers that fall under this category. The most challenging and expensive requirement in our view is the necessity of using certified e-signature certificates for all users of the system. The liability of service providers is mainly to satisfy the security requirements under Articles 2 and 3 of the ER.
Liability of Intermediary Service Providers
Concerning the liability of intermediary technology service providers in relation to content (Article 7 of the Law), a proper reading of the text indicates that regulators have limited it to responding to and complying with investigation authorities' requests, validated by a competent court order, for removing or blocking violating content, as well as cooperating with courts/investigation authorities by providing encryption keys to assist with investigating and prosecuting cybercrimes under the Law (Article 11 of ER). Such decisions are communicated to the service providers through the National Telecommunication Regulatory Authority (NTRA).
How Does the Law Impact You?
If you use information technology systems for the provision of services to your users/customers, you shall identify the category of your business (general or critical information technology services). Your relevant team shall (i) review the technical requirements stipulated under the ER; (ii) prepare a gap analysis against your existing systems; and (iii) put in place an action plan for ensuring compliance with such requirements.