The law defines the obligations of those controlling data and information and establishes rules to ensure they secure their information space as well as the data, systems, programs and networks contained therein.
It also establishes a system to manage the operation of information resources, and means of securing information operation sites and accessing information and networks. Additionally, the law aims to combat crime related to information systems and networks in order to help maintain national security, preserve the rights of legitimate users of computers and information networks, and protect the public interest.
The draft law includes definitions of various terms contained therein, including both tools of operation and forms of criminal activity, such as piracy, hacking, malware and infiltration.
The law establishes the National Authority for Information Security, whose authorities and powers include establishing an information security strategy, promoting a culture of information security, and registration and licensing of information security service providers.
It also defines the obligations of the controller of information, develops a system to manage the operation of IT resources, and sets out how to secure sites and access information and networks.
The law stiffens penalties for those committing information crimes, with imprisonment for not less than six months and/or a fine of between LE 20,000 and LE 50,000.
It also doubles the minimum and maximum penalties in certain situations, such as for crimes committed with intent to damage the public interest, or the creation, duplication or possession with the aim of distribution, publication or sale of materials violating public decency, particularly if they involve children. It also provides for imprisonment and fines for repeat offenses.
In preparing and formulating the draft law, the Laws and Regulations Committee relied on various reference materials. These included: International Telecommunication Union (ITU) recommendations regarding cybersecurity; relevant Indian law; the Legislation Management Draft Law of the Ministry of Justice; the Decision Support Center Draft Law; the Convention on Cybercrime (Budapest Agreement) of the Council of Europe; and “Cybercrime,” by information security expert Ahmed El-Sobky.
The three main axes of the Cybersecurity Draft Law relate to:
- Protecting cyberspace and its contents from any external violation
- Agencies’ obligations towards protecting their information space, and the data and information included therein, particularly personal information
- Creating a national authority responsible for monitoring all cybersecurity activities and issuing licenses to operate within this domain
A comprehensive law was drafted containing over 70 articles. It represents the biggest response possible to the requirements of civil society, taking into consideration the national security dimension, and corresponding with the most recent legislation of its kind in the world.