2020-01-01

Prime Minister's Decision No. 1699 of 2020

Issued by the Egyptian Prime Minister, Decision No. 1699 of 2020 promulgates the Executive Regulation for the Information Technology Crimes Prevention Law, mandating comprehensive technical and organizational security controls for IT service providers and critical information infrastructure operators. The regulation enforces mandatory encryption standards (AES-128/256), secure communication protocols, periodic vulnerability scanning, and strict access management, while establishing a formal registry for certified technical experts to assist judicial and investigative bodies. Additionally, it standardizes the lawful collection, preservation, and documentation of digital evidence for criminal proceedings and defines financial reconciliation mechanisms for specified cybercrimes.


Prime Minister's Decision No. 1699 of 2020 dated 27/08/2020.

Article 1 (Issuance) The provisions of the accompanying Executive Regulation regarding the aforementioned Information Technology Crimes Prevention Law shall take effect.

Article 2 (Publication) This Decision shall be published in the Official Gazette and shall take effect from the day following its publication.

Issued at the Prime Minister's Office on 8 Muharram 1442 AH (corresponding to 27 August 2020 AD). Prime Minister Dr. Mostafa Madbouly

Executive Regulation for the Information Technology Crimes Prevention Law

Article 1 In applying the provisions of this Regulation, the following words and phrases shall have the meanings indicated alongside each:

The Authority: The National Telecom Regulatory Authority.

Encryption: A computational technical system that uses specific keys to process and convert electronically readable data and information, such that extracting this data and information is prevented except through the use of a decryption key or keys.

Encryption Key: Numbers, symbols, or letters of a specified length used in encryption and decryption processes. Where the same key is used for both encryption and decryption, this is known as symmetric encryption, and the key must be kept confidential. Where a pair of mathematically related keys is used, one for encryption and the other for decryption, this is known as asymmetric encryption; one key must be kept confidential while the other is published under specified conditions and standards.

Critical Information Infrastructure: A set of fundamental information systems, networks, or assets where unlawful disclosure of their details, disruption or alteration of their operation, unauthorized access to them, illegal access to the data and information they store or process, or any other unlawful act against them would affect the availability of state services and essential facilities, or cause significant economic or social losses at the national level. Critical information infrastructure specifically includes those used in electricity, natural gas and petroleum, telecommunications, financial institutions and banks, various industries, transportation and civil aviation, education and scientific research, radio and television broadcasting, drinking water and wastewater treatment plants and water resources, health, government services, relief and emergency services, and other information and communication facilities that may affect national security, the national economy, or public interest, and those deemed equivalent.

Industrial Control System: A computer or group of interconnected computers connected to controlled equipment and to their mutual digital or analog communication tools or other means, including sensors and actuators, to operate and logically control this equipment according to the relevant industry or required tasks; whether located at a single site, distributed across nearby sites, or geographically distributed; whether connected to the internet or to other similar or dissimilar systems, or standalone without connection to others; and with or without layered control levels.

Vulnerabilities: A defect or flaw in an operating system, application, information network or process, information security policy, or in the information technology or telecommunications environment that can be exploited for hacking, attack, damage, espionage, or any other unlawful act.

Article 2 In implementation of clauses (2 and 3) of the first paragraph of Article (2) of the Law, providers of information technology services shall commit to taking the following technical and organizational measures:

  1. Encrypting data and information to maintain their confidentiality and prevent unauthorized access using a standard symmetric or asymmetric encryption system that does not provide less security than AES-128 (Advanced Encryption Standard) with a key length of not less than 128 bits, with responsibility for maintaining the confidentiality and security of the encryption key.
  2. Installing and using systems, programs, and equipment to combat malware and malicious attacks, and ensuring their validity and updating them.
  3. Using secure protocols, such as Hypertext Transfer Protocol Secure (HTTPS).
  4. Establishing permissions for networks, files, and databases and designating responsible parties to ensure logical access protection to information and technical assets to prevent unauthorized access.
  5. Preparing a list of devices and equipment, including their unique and serial numbers and models, as well as a statement of the systems, programs, applications, and databases used and their specifications.
  6. Applying best practices and controls when selecting password specifications according to Annex No. (1) attached to the Executive Regulation.
  7. Documenting installation and operation procedures for systems.
  8. Ensuring the execution, operation, and maintenance of systems, and obligating contracting parties to sign agreements specifying the service level with the entity and the liability limits of each party.
  9. Conducting periodic updates for systems, programs, and applications, and completing necessary tests before applying updates.
  10. Conducting an annual test to detect breaches or security risks.
  11. Using firewall equipment, devices, systems, and software (firewalls, UTM, NGFW) to protect networks and systems.

Article 3 Providers of information technology and telecommunications services that own, manage, or operate critical information infrastructure, subject to the provisions of this Law, in implementation of clauses (2 and 3) of the first paragraph of Article (2) of the Law, shall commit to taking the following technical and organizational measures:

  1. Preparing an information security policy and obtaining approval from the senior management of the critical information infrastructure, and ensuring its annual review to guarantee the continued suitability, adequacy, and effectiveness of that policy. This policy must include requirements of competent regulatory and supervisory authorities for critical information infrastructure, legal requirements, and human resource requirements.
  2. Ensuring compliance with the technical or organizational obligations stipulated in this Law, its regulations, and related executive decisions.
  3. Encrypting data and information to maintain confidentiality and prevent unauthorized access using a standard symmetric or asymmetric encryption system that does not provide less security than AES-256 (Advanced Encryption Standard), with a key length of not less than 256 bits generated by a secure random number generator, and using a standard encryption key management system to manage key confidentiality, lifecycle, and usage levels across the various applications.
  4. Using electronic certificates issued by recognized electronic signature certificate issuing authorities in the Arab Republic of Egypt, under the controls of the Electronic Signature Law and its executive regulation, for all users of information systems related to critical information infrastructure.
  5. Preventing unauthorized or unapproved physical access to the premises, devices, and equipment of critical information infrastructure systems.
  6. Using strong and effective authentication controls through two or more authentication factor categories based on risk levels, ensuring accountability and non-repudiation.
  7. Documenting installation and operation procedures for critical information infrastructure systems and making them available to authorized users when needed, and obligating suppliers to provide the entity with complete documentation of operational procedures.
  8. Ensuring the execution, operation, and maintenance of critical information infrastructure systems, and obligating contracting parties to sign agreements specifying the service level with the entity.
  9. Installing and using systems, programs, and equipment to combat, protect against, and detect malware and malicious attacks, and ensuring their validity and updating them.
  10. Conducting periodic updates for systems, programs, and applications. Taking into account controls for updating industrial control systems not directly connected to the internet, and completing necessary tests before applying updates.
  11. Conducting an annual scan of industrial control systems to detect vulnerabilities and flaws, and taking necessary measures to address them.
  12. Conducting an annual test to detect breaches or security risks, and installing intrusion prevention and detection devices.
  13. Taking appropriate measures to address technical flaws in devices, systems, programs, and applications upon becoming aware of them.
  14. Conducting monthly data and information backups, storing and keeping them encrypted at a separate location.
  15. Using firewall equipment, devices, systems, and software (firewalls, UTM, NGFW) to protect networks and systems.
  16. Using secure protocols, such as Hypertext Transfer Protocol Secure (HTTPS).
  17. Preparing a list of devices and equipment, including their unique and serial numbers and models, as well as a statement of the systems, programs, applications, and databases used and their specifications.
  18. Clearly defining the responsibilities of senior management, information technology managers, and information security managers, along with their authorities, powers, duties, and obligations, ensuring consistency with human resources and employee affairs departments regarding organizational structures, job descriptions, training activities, and other related processes.
  19. Notifying the National Center for Computer and Network Emergency Preparedness at the Authority of any incidents or breaches immediately upon awareness.
  20. Developing a business continuity plan and proposed alternatives in case of any risks or crises related to service provision or interruption, and the ability to restore service and operations in case of disasters, and testing the plan periodically.

Article 4 The Authority shall establish two registers for expert registration. The first shall record technical and engineering personnel working at the Authority, and the second shall record experts from technical and engineering personnel not working at the Authority. Registration in the first register for Authority employees shall be based on the following rules, conditions, and procedures:

  1. Holding a scientific, technical, or engineering qualification appropriate to the field of expertise.
  2. Having worked at the Authority for at least one year.
  3. Passing the technical examinations conducted by the Authority for applicants.

Article 5 Experts from technical and engineering personnel not working at the Authority shall be registered in the second expert register according to the following rules and conditions:

  1. Being an Egyptian national with full civil capacity. Non-Egyptians may be registered provided they undertake in writing to be subject to Egyptian laws.
  2. Having a good reputation and clean record.
  3. Not having been previously convicted by a final judgment of a crime involving moral turpitude.
  4. Possessing a resume demonstrating appropriate practical experience.
  5. Obtaining approval from relevant national security authorities for registration.

Failure to meet any of the aforementioned conditions shall result in removal from the register by a decision of the Authority.

Article 6 Experts shall, in accordance with Articles (1) and (10) of the Law, execute the technical and engineering tasks assigned to them by investigative or competent judicial authorities, or by authorities concerned with combating information technology crimes regarding crimes subject to this Law.

Article 7 The Authority shall maintain the confidentiality of data contained in expert registers and shall not disclose them except pursuant to a judicial order.

Article 8 Any person wishing to register in the second expert register must submit a written application to the Executive President of the Authority, specifying the specialization they wish to work in as an expert, and attach copies of certificates and documents supporting the application. The Authority may request additional information from the applicant within thirty days from the date of submission before ruling on the application. Failure to respond to the request within sixty days from the date of submission shall be considered a rejection. In case the Authority rejects the application, the applicant has the right to appeal according to legally prescribed procedures.

Article 9 Digital evidence possessing value and probative force for material evidence in criminal proof shall be admissible if the following conditions and controls are met:

  1. The process of collecting, obtaining, extracting, or deriving the digital evidence in question must be conducted using technologies that ensure no alteration, update, erasure, or distortion of text, data, or information, and no alteration, update, or damage to devices, equipment, data, information, information systems, software, electronic media, or the like. This specifically includes write-blocker technology, hash-verified digital images, and similar technologies.
  2. The digital evidence must be relevant to the incident and within the scope of the subject matter required to be proven or disproven, according to the scope of the order of the competent investigative authority or court.
  3. The digital evidence must be collected, extracted, preserved, and seized by judicial police officers authorized to handle this type of evidence, or by experts or specialists appointed by investigative or trial authorities. The police report or technical report must specify the type and specifications of the software, tools, devices, and equipment used, and must document the hash value and hash algorithm produced when making identical copies of the original digital evidence, so that the original remains preserved without tampering.
  4. If inspecting a copy of the digital evidence is impossible and preserving the inspected devices for any reason is not feasible, the original shall be inspected, and all of this shall be documented in the police report or inspection and analysis report.
  5. Digital evidence must be documented in a procedures report by a specialist before inspection and analysis processes, as well as documenting the location of seizure, storage, handling, and its specifications.

Article 10 Digital evidence shall be characterized and documented by printing copies of stored files or photographing them by any visual or digital means, and certifying them by the persons responsible for collecting, extracting, obtaining, or analyzing the digital evidence, with the following data recorded on each:

  1. Date and time of printing and photographing.
  2. Name and signature of the person who performed the printing and photographing.
  3. Name or type of operating system and its version number.
  4. Name and version of the program, or the commands, used to prepare the copies.
  5. Data and information regarding the content of the seized evidence.
  6. Data of the devices, equipment, software, and tools used.

Article 11 Every person responsible for managing a website, account, email, or information system, whether natural or legal, in accordance with Article (29) of the Law, shall commit to taking the necessary technical security measures according to the obligations stipulated in Article (2) of this Regulation for managers of information technology service providers' websites. Managers of websites for information technology and telecommunications service providers that own, manage, or operate critical information infrastructure shall also commit to the obligations stipulated in Article (3) of this Regulation. The legal representative and actual management official of service providers shall commit to proving that they have provided the capabilities enabling website managers to take the necessary security measures to perform their duties. In all cases, the legal representative, actual management official, and website manager at any service provider shall commit to making their encryption keys available to the competent court or competent investigative authorities in case of an investigation into any complaints, reports, or lawsuits upon formal request by those authorities.

Article 12 The Authority's approval of the victim's reconciliation declaration in accordance with Article (42) of the Law, for crimes stipulated in Articles (14, 17, 18, 23), requires the fulfillment and submission of the following:

  1. A certificate issued by the competent Public Prosecution or Court, depending on circumstances, recording and describing the crime subject to reconciliation.
  2. A certified copy of the report or document proving the reconciliation between the accused and the victim or their private agent or public heir before the competent Public Prosecution or Court, containing the victim's declaration of reconciliation.
  3. A certificate issued by the competent Public Prosecution confirming that no final judgment has been issued in the criminal case.
  4. A request addressed to the Executive President of the Authority to approve the report or document containing the victim's reconciliation declaration, submitted by the accused, their agent, or their public heir.

Article 13 Reconciliation by the accused in accordance with Article (42) of the Law, for crimes stipulated in Articles (29, 35) of the Law, shall be conducted through the Authority by fulfilling and submitting the following:

  1. A certificate issued by the competent Public Prosecution or Court, depending on circumstances, recording and describing the crime subject to reconciliation.
  2. A certificate issued by the competent Public Prosecution confirming that no final judgment has been issued regarding the crime subject to the reconciliation request.
  3. The accused wishing to reconcile or their agent must submit, before the criminal lawsuit is filed, a receipt proving payment of an amount equal to double the maximum prescribed fine for the crime.
  4. The accused wishing to reconcile or their agent must submit, after the criminal lawsuit is filed, a receipt proving payment of two-thirds of the maximum prescribed fine for the crime or the value of the minimum prescribed fine, whichever is greater, before a final judgment is issued on the subject matter.