What is AI regulation in Egypt?
AI regulation in Egypt is currently a layered mix of national strategy, council-led governance guidance, and existing digital laws, rather than a single omnibus AI act. The core architecture is the National AI Strategy, overseen by the National Council for Artificial Intelligence, and the Personal Data Protection Law with its executive regulations. In practice, organisations using AI in Egypt should focus on data protection, sector rules, responsible AI guidance, and close monitoring of any future dedicated AI law or decree.
What this means
Egypt does not regulate AI in the same way as jurisdictions that already have a single cross-sector AI statute. Instead, it uses a broader governance model. That model combines national policy, public sector coordination, responsible AI guidance, and existing rules on personal data, cybercrime, telecoms, consumer protection and sector supervision.
The most important hard law for many AI deployments is Egypt's Personal Data Protection Law. If an AI system handles personal data, especially sensitive data such as health, biometric, financial, religious, political or children's data, that law becomes central. It affects collection, use, retention, security, transfers, incident reporting and internal governance.
This matters because Egypt is not a small edge case. It is a large Arabic language market, a major ICT and offshoring base, and an important policy actor in both Africa and the Arab region. Businesses using AI in Egypt need to treat it as a real governance jurisdiction, not just a market-entry afterthought.
Why it matters
For operators, founders, buyers and advisers, Egypt matters for two reasons at once. First, it is economically significant. Large consumer, public sector and enterprise deployments can scale there, especially in government services, finance, healthcare, customer support, Arabic language tools and digital infrastructure. Second, its regulatory model is becoming more structured, even though it has not yet settled into one standalone AI act.
That means the practical question is not "Is there an Egypt AI Act yet?" but "What duties already attach to my AI use in Egypt?" For many organisations, the immediate exposure comes from personal data handling, cross-border data use, public sector procurement, sector-specific supervision, and the need to show basic governance discipline such as role allocation, human oversight, documented testing, clear notices and incident response.
Egypt is also trying to shape regional practice. Its strategies and guidance repeatedly frame the country as a bridge between African, Arab and wider international AI discussions. If your organisation sells into Egypt, builds there, or uses Egypt as a service base for regional work, the country's approach to AI governance can affect product design, data architecture, contracts and assurance expectations.
How it works
Layered model, not one AI act
Egypt's current AI regime is best understood as a layered model. At the top sit the National AI Strategy and the institutions that steer it. Around that sits a growing body of responsible AI guidance. Beneath that are the existing binding laws that already bite on AI use, especially personal data protection, cybercrime, telecoms, consumer protection, e-signature and sector-specific rules. The result is a governance stack, not a single code.
Official materials reviewed up to 6 June 2026 still point to a dedicated AI law as a future or developing step, rather than a clearly enacted, consolidated national AI statute already in force. So the safest reading is that Egypt's AI governance is real and increasingly detailed, but still partly transitional.
The National Council and the strategy set direction
The National Council for Artificial Intelligence is the main national steering body. The first strategy, published in 2021, explained that the council had been approved in 2019 to formalise and govern implementation of Egypt's AI strategy. That first strategy focused on four pillars: AI for government, AI for development, capacity building and international activities, supported by governance, data, ecosystem and infrastructure as core enablers.
The second edition of the strategy, covering 2025 to 2030, is more ambitious and more structured. It moves to six pillars: governance, technology, data, ICT and AI infrastructure, ecosystem, and talents. It explicitly frames Egypt's vision as inclusive AI for Digital Egypt, with a national foundational model, stronger regional leadership in Africa and the Arab region, and an AI industry built on governance, technology, data, infrastructure, ecosystem and talent.
In other words, the strategy is not just a research or innovation statement. It is the state's organising document for where AI should go, which sectors matter, which institutions matter, and what kind of governance Egypt wants alongside industrial growth.
Data protection law supplies the hardest immediate duties
For most private and public deployments, the Personal Data Protection Law is the most operationally important legal instrument. It applies to personal data processed electronically, in whole or in part, in relation to natural persons. It gives data subjects rights such as access, withdrawal of prior consent, correction or updating, limiting processing, receiving breach notice, and objecting where processing conflicts with fundamental rights and freedoms.
The law also places direct duties on controllers and processors. These include keeping data accurate, limiting retention, maintaining records, securing data, and cooperating with the regulator. Juristic persons acting as controllers or processors must appoint a Data Protection Officer. Personal data breaches must be notified to the authority within 72 hours, and data subjects must also be notified within the legal timetable.
Sensitive personal data gets stricter treatment. That category includes health, biometric, genetic, financial, religious, political and criminal record data, and children's data is treated as sensitive. Unlawful handling of such data is treated seriously under the law. Cross-border transfer is also controlled. Personal data cannot simply be moved abroad for training, hosting or inference because an overseas vendor is convenient. Egypt's law requires a permit or licence route and a sufficient level of protection.
The official Personal Data Protection Center now confirms that Egypt's Personal Data Protection Law and Executive Regulations No. 816 of 2025 are the current framework governing collection, processing, storage, use and transfer of personal data. That matters because the regulations make the law more usable in practice, especially for licensing, operational controls and compliance mechanics.
Responsible AI guidance is becoming more operational
Egypt's AI governance is no longer only strategic. It has become increasingly procedural. The Egyptian Charter for Responsible AI, adopted in 2023, sets broad expectations around human-centredness, fairness, explainability, safety, accountability and public interest. It is best read as a governance baseline rather than a substitute for statute.
The 2026 governance materials go further. The Guide to Egypt's National AI Governance Framework presents a national framework as a suite of instruments rather than a single law. It describes institutional roles, a phased implementation path and a risk-tiered approach. Official guidance also points to the Egyptian Center for Responsible AI as the technical and executive arm supporting implementation. The framework materials discuss compliance tools, audit and sandbox mechanisms, and additional future guidance.
The 2026 National Guidelines for Trustworthy and Responsible AI push this further into operational practice. They are written to apply across public and private sectors, covering providers, developers, users and community actors. They introduce organisational and system readiness ideas, expect role clarity, risk management, human oversight, data governance and lifecycle discipline, and are designed so organisations are ready if an AI law or decree is later enacted.
Generative AI is also now addressed directly. Egypt's 2026 generative AI guidance focuses on risks such as misinformation, deepfakes, hallucinations, privacy exposure, intellectual property concerns and accountability gaps. For teams using large language models or synthetic media, that is a sign that Egypt's governance architecture is now extending beyond generic AI language into more concrete model and content concerns.
Enforcement is not only about AI policy bodies
Egypt's AI governance should not be read as if the National Council is the only body that matters. Enforcement and practical supervision remain distributed. Data issues sit with the Personal Data Protection Center. Telecom and digital communications issues can implicate the telecom regulator. Cyber incidents and misuse bring in cybercrime law and, in some contexts, national security institutions. Consumer-facing conduct can also trigger consumer protection rules. Finance, health and other regulated sectors can bring their own supervisory expectations.
That is why "AI regulation in Egypt" is broader than any one statute or committee. A model may be technically impressive, but if it relies on weak consent, uncontrolled cross-border transfers, opaque procurement, weak documentation or poor human oversight, the regulatory problem may arise through adjacent law rather than through an AI-specific prohibition.
What this means operationally
In practice, organisations should treat Egypt as a jurisdiction where AI governance already exists in meaningful form. The immediate compliance baseline is to know what systems you are using, what data they touch, whether the data is sensitive, where it is stored, who acts as controller or processor, what notices and permissions are needed, who holds oversight responsibility, and which sector rules may apply.
The next layer is assurance. Even before a dedicated AI act is finalised, Egypt's strategy and guidance point in a clear direction: stronger governance evidence, more structured procurement discipline, clearer risk classification, better documentation, deeper attention to Arabic language and local context, and closer alignment between national ambitions and international standards.
Examples
A customer support platform uses speech analytics or a large language model to handle Egyptian customer chats and calls. Even if the business sees this as a simple productivity improvement, it is likely processing personal data and possibly sensitive data if customers disclose financial or health information. That means the organisation should first map whether it is a controller or processor, put notices and lawful processing grounds in place, define retention rules, and plan for breach reporting and any cross-border transfer approvals if the model or hosting sits outside Egypt.
A hospital, insurer or health-tech operator wants to use a triage or diagnostic model. In Egypt, that is not just an "AI project". It is also a sensitive personal data project, and therefore sits in a stricter category under the data protection law. The safer workflow is to minimise the data used, document human review, avoid treating the model as the final autonomous decision-maker in a high-stakes setting, and ensure the governance file can explain why the system was used, what data it relied on, and how harm is being reduced.
A ministry or public authority procures a generative AI assistant for public service delivery. Egypt's charter and 2026 governance materials point towards a more formal approach than a quick pilot with no controls. The authority should expect to classify the use case by risk, check transparency and disclosure duties, document testing and validation, define human oversight, and keep enough evidence to justify procurement and public accountability if the tool affects citizens directly.
Common misunderstandings
One common misunderstanding is that Egypt already has a single AI Act in force. The safer reading is different. Egypt has a substantial AI governance architecture, but official materials reviewed up to 6 June 2026 still point to a future AI law or decree rather than a clearly settled omnibus act already operating as the sole source of AI rules.
Another misunderstanding is that the National AI Strategy is only about innovation policy. In fact, governance is one of its core pillars, and both the first and second strategies connect industrial ambition with ethics, law, data governance, institutional coordination and public sector implementation.
It is also wrong to assume that data protection only matters at the edge of AI deployment. In Egypt it sits near the centre. If your model is trained on, infers from, or is deployed on personal data, the Personal Data Protection Law can shape the design, storage, transfer, incident response and internal accountability around that system.
Some teams also assume that responsible AI guidance is purely for government. Egypt's 2026 guidelines are broader than that. They are framed for public and private actors, and for both providers and users of AI systems.
A final confusion is to treat AI governance as separate from sector law. In Egypt, a finance, telecom, health or consumer-facing use case may be shaped just as much by existing sector supervision as by any AI-specific instrument.
Risks and boundaries
The main boundary to keep in mind is that Egypt's AI governance is still developing. The direction of travel is clear, but some pieces are still transitional. The 2025 strategy speaks of an AI law in development, while the 2026 guidelines are framed so organisations are ready if an AI law or decree is later enacted. That means organisations should not overstate legal certainty where the state itself is still building the architecture.
It is also important not to misapply the data protection law. It is central for AI systems that handle personal data, but it is not a catch-all rule for every dataset, model weight or internal analytic process. Teams should distinguish personal data, sensitive personal data, anonymised data, and non-personal operational data rather than treating everything the same.
Another boundary concerns legal authority. The strategy, charter and national guidelines are highly important, but they do not all carry the same legal force as statute. Businesses should therefore separate hard legal duties from strategic or governance expectations, while still taking the latter seriously because they signal where procurement, sector supervision and future legislation are heading.
There is also a language caveat. Much of the legally authoritative material is in Arabic. English versions and working translations are useful for research and operational planning, but if a point is legally material, the Arabic text and any formal local guidance should control.
Finally, this article explains Egypt's framework at a practical level. It is not legal advice, and it does not replace project-specific review in areas such as healthcare, finance, telecoms, biometrics, children's data, government procurement or cross-border model hosting.
What to do next
Start with an AI inventory. List the systems your organisation builds, buys or uses in Egypt, what each one does, whether it is customer-facing or internal, what data it touches, where that data sits, and whether the use case falls into a regulated sector.
Then map legal roles. For each system, decide whether your entity is acting as controller, processor, provider, deployer, buyer or some combination. In Egypt that matters because the data protection duties sit on named roles, not on vague ownership ideas.
Treat personal data controls as immediate work, not future work. Review notices, lawful bases, sensitive data handling, retention, security, transfer paths, vendor terms and breach response. If your entity is a juristic person handling personal data, check whether the Data Protection Officer requirement is engaged and whether internal responsibility is actually workable in practice.
Use Egypt's responsible AI materials as your governance baseline even where they are not yet expressed as a full standalone AI statute. In practical terms, that means documenting purpose, testing, human oversight, data governance, explainability, and internal escalation for higher-risk uses.
If you buy AI from vendors, build procurement discipline. Ask where the model is hosted, what training and inference data is used, whether the tool can be switched off or constrained, how results are reviewed by humans, and what evidence the vendor can provide if a regulator, buyer or public authority asks how the system was governed.
Finally, keep watching the dedicated AI law and related decrees. Egypt's architecture is moving, and the organisations that do best will be the ones that treat the current framework as a live compliance environment while staying ready for a more explicit AI statute.
FAQs
Does Egypt already have a standalone AI law?
Not according to the official materials reviewed up to 6 June 2026. Egypt has a strong policy and governance architecture for AI, but the official documents still point to a future AI law or decree rather than a single settled omnibus AI act already in force.
Who is the main AI policy body in Egypt?
The National Council for Artificial Intelligence is the central national steering body. Its role is to shape, approve and govern the national AI strategy and the wider AI governance agenda.
What is the most important binding law for many AI projects in Egypt?
Usually the Personal Data Protection Law, especially where the system handles personal data or sensitive personal data. It affects collection, use, retention, security, transfers, incident handling and internal accountability.
Are Egypt's responsible AI documents only for government projects?
No. The newer governance materials are written more broadly. They address public and private actors and cover both providers and users of AI systems.
Is generative AI specifically covered in Egypt?
Yes. Egypt issued national generative AI guidance in 2026. The focus includes transparency, misinformation, deepfakes, privacy, intellectual property and human responsibility.
Can personal data be moved outside Egypt for AI training or hosting?
Not automatically. Cross-border transfer is controlled under the data protection law, and organisations should check permit, protection and documentation requirements before using offshore hosting or model providers.
Do AI buyers need to care as much as AI developers?
Yes. In Egypt the user, deployer or procuring authority can carry serious governance responsibility, especially where the system affects individuals, uses personal data, or operates in a regulated sector.
What is the biggest practical mistake organisations make?
Treating Egypt as if AI governance is still optional until a dedicated AI act appears. In reality, the current strategy, data law, sector rules and national guidance already create a meaningful compliance environment.
