
Key answer
GenAI is usable in FP&A across MENA, provided finance data is handled lawfully and the AI is governed. In Egypt, the PDPL treats financial data as sensitive personal data, so you need a lawful basis, security controls, and care with cross-border transfers. Pair that with an ISO/IEC 42001-aligned AI management system, human review, and an audit trail, and AI-assisted finance work becomes defendable.
GenAI is usable in FP&A across MENA, but only if two things are true: the underlying financial data is handled lawfully, and the AI itself is governed. Get those right and AI-assisted variance, forecasting, and reporting become defendable to a regulator and a CFO alike. Skip them and you have built speed on top of risk.
This is the governance companion to the rest of the cluster. It covers the legal frame in Egypt, what ISO/IEC 42001 asks of you, a practical control set, and why adoption stalls without it. For the workflows these controls wrap around, see the GenAI FP&A operating model and How to Run Variance Analysis with AI.
Is GenAI in FP&A lawful under Egypt’s PDPL?
Yes, with conditions. Egypt’s Personal Data Protection Law, Law 151 of 2020, classes financial data as sensitive personal data (TrustArc; PwC Middle East). In practice that means three obligations bear directly on FP&A AI use: you need a lawful basis to process the data, you must apply appropriate security measures, and you must handle cross-border transfers and consent with care. Much FP&A data is aggregated and not personal, which lowers the burden, but payroll, customer-level, and certain vendor data are personal, and salary or account detail in a prompt is sensitive. The simple discipline is to keep personal identifiers out of prompts unless there is a clear basis, and to use tooling that contractually protects your data.
This is a MENA-specific point that generic, vendor-written guides on GenAI in FP&A do not make: the same workflow that is routine elsewhere needs a data-handling rule set here.
What ISO/IEC 42001 asks of you
ISO/IEC 42001:2023 is the international standard for an AI management system (AIMS). It does not tell you which model to use; it asks you to manage AI deliberately: identify AI risks, set policies and roles, keep humans accountable, document and monitor how AI is used, and improve over time. Digisoul operates its own work under an ISO/IEC 42001:2023-certified AIMS (certificate reference IAC9519986925). For an FP&A team, meeting the spirit of the standard looks like logged outputs, defined review gates, and a named owner for each AI workflow.
A practical control set for FP&A teams
You do not need a 200-page policy to start. You need five controls, applied consistently.
| Control | What it means in FP&A | Why it matters |
|---|---|---|
| Enterprise tooling | AI tools with data-protection terms, not consumer accounts | Keeps your data out of public training |
| Human review | A reviewer on every output, sign-off at the gate | Catches errors; keeps accountability |
| Audit log | Prompt, data, model, and approver recorded | Makes outputs defendable to auditors |
| Data-handling rules | What may enter a prompt; identifiers minimised | Meets PDPL sensitive-data duties |
| AIMS alignment | Govern under ISO/IEC 42001 or equivalent | Turns ad hoc use into a managed system |
These map one-to-one onto the operating model’s gates, so you are not adding a parallel process; you are documenting the one you already run.
Cross-border data and tool choice
Many AI tools process data outside Egypt. Under the PDPL, cross-border transfer of personal data carries conditions, so two practical moves help: prefer tools and regions with appropriate safeguards, and avoid putting personal or account-level identifiers into prompts that leave your controlled environment. For aggregated FP&A analysis, this is usually straightforward; for anything personal, check the basis first.
Why adoption still stalls, and what fixes it
Even with tools licensed, adoption lags. The barrier is trust and habit, not procurement, a pattern we explore in The AI at Work Adoption Gap. People will not lean on an output they cannot verify or govern. The fix is the same governance described here, made visible: start on a low-risk, high-value workflow like variance commentary, show the audit trail, and let trust compound. Governance is not the tax on adoption in MENA finance; it is the unlock.
Key takeaways
- Egypt's PDPL (Law 151 of 2020) classes financial data as sensitive personal data, so lawful basis and security controls apply.
- ISO/IEC 42001 gives you an auditable AI management system; Digisoul is certified to it.
- A practical control set: enterprise tooling, human review, audit log, data-handling rules, cross-border care.
- Adoption stalls on trust and habit, not tools; governance is what unlocks scale.
Sources
- PwC Middle East · Egypt Data Protection Law overview. https://www.pwc.com/m1/en/services/consulting/technology/cyber-security/navigating-data-privacy-regulations/egypt-data-protection-law.html
- TrustArc · Egypt PDPL (Law 151 of 2020), sensitive data including financial data. https://trustarc.com/regulations/egypt-pdpl/
- Digisoul · AI Governance & AIMS (ISO/IEC 42001:2023 certified, ref IAC9519986925). https://digisoul.io/ai-governance-aims/