On May 13, 2026, Prime Minister Mostafa Madbouly oversaw the signing of two agreements to operate a digital visa-on-arrival system at Cairo International Airport. The implementing partner is CyShield, an Egyptian cybersecurity firm; the National Bank of Egypt and Banque Misr provide the payment rails, with the Central Bank of Egypt's payment-systems arm coordinating. Paper visa stickers give way to a QR-coded electronic visa that travelers obtain through self-service kiosks, an online portal, or a mobile app, paying fees electronically before a passport officer scans the code at the booth. The system goes live across all Cairo terminals in August 2026, with a phased rollout to Egypt's other airports to follow (Egyptian Streets).
The case for it is strong
Start with the strongest version of the government's argument, because it is a good one. Tourism is one of Egypt's largest hard-currency earners, and the arrivals hall is its first impression. Paper stickers are slow, easy to counterfeit, and a bottleneck at peak season. A QR credential that can be issued up to 48 hours before landing cuts queues, reduces fraud, and creates an auditable record of who entered and what they paid. Digitizing a manual border process is exactly the kind of pro-efficiency modernization a pro-innovation publication should welcome. We do.
The concern is not the visa. It is the architecture it quietly joins.
A credential, not just a ticket
This is the first time the Egyptian state will issue a digital credential at national scale to non-citizens, and it does so by collecting travelers' personal data electronically into a state-operated platform run with a private contractor. That matters because the visa does not stand alone. It arrives alongside two other 2025–2026 launches that share the same direction of travel.
The first is Haweya, a digital-identity platform backed by the Central Bank of Egypt that combines face and fingerprint biometrics with digital signatures for remote onboarding. Haweya already enables account opening across 37 banks and extends to SIM registration and government services (Biometric Update; haweya.eg). The second is MOIEG-PASS, the Interior Ministry's first unified biometric authentication app, which requires users to scan their national ID card and complete facial recognition to reach online services (Biometric Update; App Store).
Separately, each is defensible. Together they amount to a near-complete biometric identity layer over banking, telecoms, and government — and the visa system extends the perimeter of that layer to every foreign visitor.
The governance is behind the build
The right question for any identity infrastructure is not whether it is convenient but who holds the data, for how long, and under whose oversight. Here Egypt's safeguards lag its ambitions.
Egypt does have a data-protection statute — Personal Data Protection Law No. 151 of 2020 — and in late 2025 the ICT minister finally issued its Executive Regulations via Decree No. 816 of 2025, formally activating the Personal Data Protection Center as supervisor (Baker McKenzie). On paper, processing biometric data requires explicit written consent and a license. That is real progress, and credit is due.
But the enforcement body is not independent. As Access Now documented, the Personal Data Protection Center sits under the ICT minister, and its board must include representatives of the Ministries of Defence and Interior and the General Intelligence Service — while those same security bodies, plus the Presidency, are exempt from the law's requirements (Access Now). A regulator that reports to a minister and seats the security services on its board is not a check on the state; it is an arm of it. Access Now also flags licensing fees of up to EGP 2 million, warning the framework may be built to control and monetize data as much as to protect it. This is the same state that in February 2025 advanced criminal-procedure provisions authorizing surveillance of phones and social-media accounts.
Proportionate, not paranoid
None of this is an argument against digital borders. It is an argument that the sequence is backwards. Egypt is shipping the collection infrastructure before the independent oversight that would make collection safe — the Center's licensing portal was not even operational when the regulations took effect, with a compliance runway running into late 2026.
Four fixes would make the visa system genuinely best-in-class rather than merely modern:
- Data minimization and purpose limitation. A border credential needs identity and entry data — not a permanent biometric profile linkable to Haweya and MOIEG-PASS. Keep the rails separate by design.
- Defined retention and deletion. Foreign travelers should know how long Egypt holds their data and have a route to deletion. They currently have neither.
- Contractor accountability. CyShield operates the platform; its access, audit obligations, and breach liability should be public, not buried in a state contract.
- A regulator with teeth. Until the Personal Data Protection Center is independent of the ICT ministry and the security services, every dataset it nominally supervises is one decree away from repurposing.
The digital visa will likely work, and tourists will likely prefer it. That is precisely why it is the wrong moment to wave through the governance gaps. Convenience is the easy part of digital identity. Accountability is the part Egypt has not yet built.