
NCA ECC Cloud Compliance in Saudi Arabia: Complete Guide for 2026
June 20, 2026
VMware End of General Support in MENA: The Real Cost of Staying vs. Migrating to HCI
July 5, 2026Egypt’s Personal Data Protection Law (Law 151/2020) has been on the books for several years, but the clock is now running in earnest. With the Executive Regulations issued in November 2025 and full enforcement scheduled for October 31, 2026, Egyptian organisations — and any entity that processes Egyptian citizens’ data — have a finite window to get their cloud arrangements in order.
The stakes are real. Non-compliance can result in penalties of up to EGP 20 million or 2% of global annual turnover, whichever is higher, alongside reputational damage and potential criminal liability for data controllers. For CIOs, CISOs, and compliance officers, the cloud infrastructure layer is one of the most consequential decisions you will make before the deadline.
This is not a list of cloud providers. It is a list of questions — ten of them — that your procurement, legal, and IT teams should put to any cloud provider you are evaluating or currently using. The answers will tell you whether your provider is ready to support your PDPL obligations, or whether you have a serious gap to close before October 2026.
The 10 Questions
Where, physically, is our data stored — and can you prove it?
The PDPL and its Executive Regulations impose data residency obligations on certain categories of personal data, requiring that it remain within Egyptian jurisdiction. Ask your provider to specify the exact data centre locations used for primary storage, backups, and disaster recovery replicas. Contractual assertions are not enough — request independent audit reports or ISO 27001 certification scoped to the relevant facilities.
Do you have a PDPL-compliant Data Processing Agreement ready to execute?
Any cloud provider acting as a data processor on your behalf must operate under a written Data Processing Agreement (DPA) that reflects the specific requirements of Law 151/2020 and the 2025 Executive Regulations. Ask to see their standard DPA and verify that it covers purpose limitation, sub-processor disclosure, return or deletion of data on termination, and your right to audit. A generic GDPR-aligned DPA is not a substitute.
What is your breach notification SLA, and does it meet the 72-hour requirement?
The PDPL requires data controllers to notify the Personal Data Protection Centre within 72 hours of becoming aware of a personal data breach. Your cloud provider must commit contractually to notifying you within a timeframe that allows you to meet this obligation — realistically, this means provider-to-customer notification within 24 hours or less. Ask for the specific contractual commitment and the escalation process, not a generic statement about “prompt” notification.
Have you appointed a Data Protection Officer, and who is our point of contact?
The PDPL requires organisations that process personal data at scale to appoint a Data Protection Officer (DPO). Your cloud provider, as a data processor, should have a DPO in place. Ask for the DPO’s name, contact details, and jurisdiction of operation. A DPO based entirely outside Egypt and unfamiliar with Law 151/2020 is a warning sign for complex compliance engagements.
How do you support data subject rights requests — access, correction, deletion, and portability?
Egyptian data subjects have enforceable rights under the PDPL, including the right to access their data, correct inaccuracies, withdraw consent, and request deletion. As the data controller, you are responsible for fulfilling these requests. Ask your provider what tooling, APIs, or processes they offer to help you locate, export, correct, or purge specific individuals’ data within a defined timeframe. A provider with no answer to this question creates direct legal exposure for you.
What is your sub-processor disclosure policy, and do any sub-processors store data outside Egypt?
Cloud providers rarely operate in isolation — they rely on sub-processors for services ranging from database engines to monitoring tools. Each sub-processor that touches personal data extends your compliance perimeter. Ask for a current list of sub-processors, the categories of data they access, and their geographic locations. Cross-border transfers under the PDPL require either an adequacy determination or appropriate contractual safeguards; you need to know exactly where data flows before you can assess the risk.
How do you handle consent management and lawful basis documentation?
The PDPL requires that personal data is processed only on a valid lawful basis, with consent being one of the most common. While your organisation is responsible for obtaining and recording consent, your cloud provider’s infrastructure must be capable of supporting audit trails, timestamped records, and consent withdrawal workflows. Ask whether the platform supports these capabilities natively or whether you are expected to build and maintain them independently.
What certifications and third-party audits cover your Egyptian operations specifically?
Global certifications such as ISO 27001, SOC 2 Type II, and CSA STAR are meaningful, but only if the scope of certification explicitly covers the infrastructure and data centres where your data resides. Ask for the certificate scope statement and the most recent audit report. A certification that covers only a provider’s European or US infrastructure provides no assurance for data held in Cairo or processed through Egyptian nodes.
What is your data deletion and return process at contract termination?
The PDPL requires that personal data is not retained beyond the period necessary for the purpose of processing. When a cloud contract ends — whether planned or abruptly — you need a documented, verifiable process for retrieving your data and confirming its deletion from all provider systems, including backups. Ask for the specific SLA on data return, the format in which data will be provided, and written confirmation of deletion with a certificate of destruction.
Can you support a regulatory inspection or audit by the Personal Data Protection Centre?
The Personal Data Protection Centre has the authority to conduct inspections and request documentation from data controllers. If regulators come knocking, you will need your cloud provider’s cooperation to produce logs, access records, processing histories, and technical configuration evidence. Ask your provider whether they have a defined process for supporting regulatory inquiries, what their typical response time is, and whether cooperation is guaranteed under the contract — not just offered as a courtesy.
What to Do with the Answers
Run these questions through a formal vendor assessment matrix and score each response against the specific requirements of Law 151/2020 and the 2025 Executive Regulations. Where a provider cannot give a clear, documented answer, treat that as a compliance gap — not a minor omission. Every unanswered question is a potential regulatory finding after October 31, 2026.
If your current provider cannot satisfactorily answer several of these questions, you may need to consider migrating to infrastructure that was designed with Egyptian data sovereignty requirements in mind from the outset. MomentumX operates a sovereign cloud platform from its Cairo data centre, purpose-built for organisations that need in-country data residency and documented PDPL compliance posture. Our team is available to walk through these ten questions with you directly.
Next Step
Ready to compare your cloud options in detail? Read our complete guide: Egypt Cloud Providers 2026 — Buyer’s Guide.
Ready to move to sovereign cloud?
MomentumX provides sovereign cloud infrastructure across Egypt, KSA, and UAE with full SAMA, NCA, and PDPL compliance. Your data stays in your country.
Enterprise Private CloudHyperAI
GPU Compute for AIHyper Private Cloud
Managed Private Cloud









