HOME/All Jurisdictions/MA

MA — Country Profile

Morocco

39TOTAL
29OFFICIAL SOURCES
7TOPIC AREAS
Law / Act11
Executive Order11
Policy / Guidance1
National Strategy2
International Agreement1
Other13
25 FEB 2026 · International Agreement

CNPD and CNDP signed Memorandum of Understanding in the field of personal data protection, covering AI

La Présidente de la CNPD du Portugal (Comissão Nacional de Protecção de Dados) Mme Paula Meira Lourenço et le Président de la CNDP Maroc (Commission nationale de contrôle de la protection des données à caractère personnel) M. Omar Seghrouchni ont signé, le 25 février 2026 au siège de la CNPD à Lisbonne, un MoU (Mémorandum d’entente) dans le domaine de la protection des données à caractère personnel.

Data Privacy & Protection ·Deepfakescndp.ma ↗
23 JUL 2025 · Other

Guide on Data Classification

On 23 July 2025, the General Directorate of Information Systems Security (DGSSI) adopted the Guide on Data Classification, developed under Law No. 05-20 on cybersecurity and its implementing decree 2.21.406. The Guide is addressed to entities and infrastructures of vital importance and establishes a structured methodology for classifying data as an information asset, with sensitivity levels determined according to risks across confidentiality, integrity and availability dimensions. It sets ou...

✓ OfficialNational Strategydgssi.gov.ma ↗
11 FEB 2025 · Law / Act

Paris Charter on AI signed

To achieve the potential benefits and preventing and mitigating the risks of emerging technologies for people and the planet, AI development, deployment and governance must be in the public interest. Public interest manifests differently for different communities, countries, and contexts, it requires opportunities for public participation, and it must serve equity and equality. We acknowledge that the mission and vision of artificial intelligence in the public interest builds on and is strengthened by existing definitions and academic research, public sector approaches, and civil society effor

✓ OfficialData Privacy & Protection ·Generative AIelysee.fr ↗
04 FEB 2025 · Executive Order

Decree defining the responsibilities and organization of the communications sector

On 2 April 2025, the Government Council adopted a draft decree defining the responsibilities and organization of the communications sector. The decree expands the Department of Communication mandate to include promoting the video game industry's growth and developing mechanisms to verify fake news. The department will include three new directorates focused on video games and information systems, media modernisation, and media actor relations, alongside an existing Directorate for Human and Fi...

Content Moderationmjcc.gov.ma ↗
31 DEC 2024 · Law / Act

Artificial intelligence authority governance in Law Regulating the Use of Articial Intelligence (No. 396)

On 31 December 2024, the Law Regulating the Use of Artificial Intelligence (No. 396) was introduced in the House of Representatives. The Law would establish basic definitions for artificial intelligence and automated system, and create a four-tier classificatory system covering low-risk, limited risk, high-risk, and unacceptable risk systems. The Law would further determine developer and implementer responsibilities and general ethical principles. The Law proposes establishing a National Comm...

National Strategychambredesrepresentants.ma ↗
31 DEC 2024 · Law / Act

Cybersecurity regulation in Law Regulating the Use of Artificial Intelligence (No. 396)

On 31 December 2024, the Law Regulating the Use of Artificial Intelligence (No. 396) was introduced in the House of Representatives, emphasising cybersecurity protocols. The Law would establish basic definitions for artificial intelligence and automated system, and create a four-tier classificatory system covering low-risk, limited risk, high-risk, and unacceptable risk systems. The Law would further determine developer and implementer responsibilities and general ethical principles. The law ...

National Strategychambredesrepresentants.ma ↗
31 DEC 2024 · Law / Act

Prohibition of goods and services in Law Regulating the Use of Artificial Intelligence (No. 396)

On 31 December 2024, the Law Regulating the Use of Artificial Intelligence (No. 396) was introduced in the House of Representatives. The Law would establish basic definitions for artificial intelligence and automated system, and create a four-tier classificatory system covering low-risk, limited risk, high-risk, and unacceptable risk systems. The Law would further determine developer and implementer responsibilities and general ethical principles. Under the proposed classificatory system, sys...

National Strategychambredesrepresentants.ma ↗
31 DEC 2024 · Law / Act

Fair marketing and advertising practices in Law Regulating the Use of Artificial Intelligence (No. 396)

On 31 December 2024, the Law Regulating the Use of Artificial Intelligence (No. 396) was introduced in the House of Representatives. The Law would establish basic definitions for artificial intelligence and automated system, and create a four-tier classificatory system covering low-risk, limited risk, high-risk, and unacceptable risk systems. The Law would further determine developer and implementer responsibilities and general ethical principles. The Law would require implementers to inform ...

Consumer Protectionchambredesrepresentants.ma ↗
31 DEC 2024 · Law / Act

Testing requirements in Law Regulating the Use of Artificial Intelligence (No. 396)

On 31 December 2024, the Law Regulating the Use of Artificial Intelligence (No. 396) was introduced in the House of Representatives, detailing pre-market testing benchmarks. The Law would establish basic definitions for artificial intelligence and automated system, and create a four-tier classificatory system covering low-risk, limited risk, high-risk, and unacceptable risk systems. The Law would further determine developer and implementer responsibilities and general ethical principles. Reg...

National Strategychambredesrepresentants.ma ↗
20 NOV 2024 · Executive Order

Decree on Cloud Services Usage by Critical Entities

On 20 November 2024, the Decree on Cloud Services Usage by Critical Entities (Decree No. 2-24-921) was published in the official bulletin of Morocco. The Decree focuses on the use of cloud computing, storage, and database services by entities and critical infrastructures. The General Directorate of Information Systems Security (DGSSI) established a qualification framework for Cloud service providers. This Decree includes two levels of qualification. The first level applies to providers handli...

✓ OfficialNational Strategydgssi.gov.ma ↗
28 OCT 2024 · Other

Global data protection authorities issue statement on data scraping, covering AI

This Concluding Statement builds on the Joint statement on data scraping and the protection of privacy (the Initial Statement), published August 24, 2023, which highlighted the following key messages:

Data Privacy & Protection ·Generative AI ·Cybersecuritypriv.gc.ca ↗
02 MAY 2024 · Executive Order

National Telecommunications Regulatory Agency order on management of internet domain names

On 5 February 2024, the National Telecommunications Regulatory Agency implemented an order concerning the administrative, technical, and commercial management of internet domain names within Morocco. The directive requires any entity wishing to offer domain name services must maintain a secure Domain Name System (DNS) platform with at least two servers, one physically located in Morocco. It also defines the procedural framework governing the registration, renewal, and management of domain names.

✓ OfficialNational Strategyanrt.ma ↗
25 APR 2024 · Policy / Guidance

Morocco proposes establishment of National Agency for AI Governance

A parliamentary opposition group in the Moroccan House of Councilors (the upper chamber of Parliament) submitted yesterday a bill to regulate the use of artificial intelligence (AI) in the country. The bill, presented by the parliamentary group of the Moroccan Labor Union, aims to address the negative aspects and illegal uses of AI technology.

Cybersecuritymoroccoworldnews.com ↗
17 APR 2024 · Law / Act

Law establishing the National Agency for Artificial Intelligence

On 17 April 2024, the Law establishing the National Agency for Artificial Intelligence was introduced to the House of Councillors. The Agency is tasked with governing artificial intelligence (AI) activities within the country. The Agency will serve as the national authority on AI, ensuring compliance with established policies, standards, and regulations. Additionally, it will support the development of AI competencies and stimulate growth and innovation in AI, aligning with Morocco's vision t...

National Strategychambredesconseillers.ma ↗
28 FEB 2024 · Other

DGSSI reference framework of requirements relating to qualification of information systems security audit providers (Version 2.0)

On 1 February 2024, the General Directorate of Information Systems Security (DGSSI) issued the Reference Framework of Requirements relating to the Qualification of Information Systems Security Audit Providers (Version 2.0). The framework establishes requirements for entities involved in critical information infrastructures (CIIs) and specifies that providers must demonstrate capabilities in organisational and physical security, penetration testing, configuration audits, architecture reviews, ...

✓ OfficialNational Strategydgssi.gov.ma ↗
07 DEC 2023 · Executive Order

National Directive on Information System Security (Version No. 2/2023)

On 12 July 2023, the National Directive on Information System Security (NDISS) (Version No. 2/2023) enters into force. The NDISS establishes mandatory security measures for operators of critical information infrastructure (CII). It requires the implementation of technical and organisational measures to manage risks, secure information systems, and report cyber incidents. CII operators are obligated to conduct regular risk assessments and comply with standards set by the national cybersecurity...

✓ OfficialNational Strategydgssi.gov.ma ↗
17 JAN 2023 · Other

DGSSI Cybersecurity Incident Management Framework (Version 1.1)

On 17 January 2023, the General Directorate of Information Systems Security (DGSSI) issued the Cybersecurity Incident Management Framework (Version 1.1) aligned with ISO 27035. The framework defines a six-phase approach, encompassing planning and preparation, detection and triage, analysis and containment, eradication, recovery, and post-incident review. It identifies common attack vectors and categorises prevalent cybersecurity incidents, specifying mandatory reporting requirements to the Mo...

✓ OfficialNational Strategydgssi.gov.ma ↗
02 JAN 2023 · Other

CNDP guidance for data controllers on access control using biometric information

On 1 February 2023, the National Commission for the Protection of Personal Data (CNDP) issued guidance for data controllers on access control using biometric information. The guidance under Law No. 09-08 on data protection and privacy outlines requirements for the use of biometric data in access control systems by public and private entities. The guidance specifies that authorisation from the CNDP is necessary, data should be limited to extracted characteristics stored on portable media, and ...

✓ OfficialNational Strategycndp.ma ↗
02 JAN 2023 · Other

CNDP guidance for data controllers on best practices for protecting personal information in the digital space

On 1 February 2023, the National Commission for the Protection of Personal Data (CNDP) issued guidance for data controllers on best practices for protecting personal information in the digital space. The guidance provides recommendations, including the use of updated antivirus software, secure Wi-Fi configurations, and the periodic changing of passwords. It emphasises secure data management practices such as deleting access credentials of former employees, encrypting sensitive data stored on ...

✓ OfficialNational Strategycndp.ma ↗
02 JAN 2023 · Other

CNDP guidance for data controllers on camera surveillance in the workplace

On 1 February 2023, the National Commission for the Protection of Personal Data (CNDP) issued a guidance for data controllers on camera surveillance in the workplace. The guidance outlines requirements for data controllers, including the obligation to notify the CNDP of surveillance system installations and ensure compliance with Law No. 09-08 on personal data protection. Cameras may only be installed in locations necessary to protect property and people, excluding areas where privacy might b...

✓ OfficialNational Strategycndp.ma ↗
02 JAN 2023 · Other

CNDP guidance for data controllers on direct promotion of goods and services using SMS, email, or any other means of communication that uses the same technology

On 1 February 2023, the National Commission for the Protection of Personal Data (CNDP) issued guidance for data controllers on the direct promotion of goods and services using SMS, email, or any other means of communication that uses the same technology. The guidance specifies that direct marketing messages, including SMS and emails, require prior consent unless the data are directly collected from the recipient through a prior sale of similar goods or services. Advertisers must ensure compli...

✓ OfficialNational Strategycndp.ma ↗
08 SEP 2022 · Law / Act

Cybersecurity regulation in Prime Ministerial Decree No. 2.21.406 implementing Law No. 05.20 on cybersecurity

On 9 August 2022, Prime Ministerial Decree No. 2.21.406, implementing Law No. 05.20 on cybersecurity, enters into force. Critical agencies and infrastructure were required to classify their information systems and inform the General Directorate of Information Systems Security (DGSSI) of systems of a sensitive nature. The decree categorises information systems based on their sensitivity, ranging from limited to very serious impact levels. Providers must implement tailored organisational and te...

✓ OfficialNational Strategydgssi.gov.ma ↗
01 JAN 2022 · Other

DGSSI Application Security Verification Framework (2022)

On 1 January 2022, the General Directorate of Information Systems Security (DGSSI) issued the Application Security Verification Framework (2022), outlining requirements for application security across public institutions and private entities. The framework is structured around 14 audit topics and 286 controls, classified into basic, standard, and advanced security levels. It incorporates recognised standards, including NIST, OWASP, and PCI-DSS, to ensure consistent practices in secure softwar...

✓ OfficialNational Strategydgssi.gov.ma ↗
11 AUG 2021 · Other

DGSSI Guide for Certification of Sensitive Information Systems for Critical Infrastructure (Version 1.0)

On 8 November 2021, the General Directorate of Information Systems Security (DGSSI) issued the Guide for the Certification of Sensitive Information Systems (SIS) for Critical Infrastructure. The guide delineates a structured four-phase approach encompassing planning, risk management, approval decisions, and ongoing monitoring. It specifies requirements for identifying and evaluating risks, implementing mitigation measures, and conducting mandatory security audits. Stakeholders, including info...

✓ OfficialNational Strategydgssi.gov.ma ↗
30 APR 2021 · Other

CNDP Deliberation No. D-110-2021 providing an opinion on the directive setting minimum rules for cloud outsourcing by credit institutions

On 30 April 2021, the National Commission for the Protection of Personal Data (CNDP) issued Deliberation No. D-110-2021 providing an opinion on the draft directive setting minimum rules for cloud outsourcing by credit institutions. The opinion advises notification to the CNDP of all outsourced personal data processing, including cross-border data transfers, and adherence to Law No. 09-08 on personal data protection. It recommends that contracts with cloud providers include provisions ensuring...

✓ OfficialNational Strategycndp.ma ↗
09 FEB 2021 · Executive Order

DGSSI Sensitive Information System Declaration Form (Version 1.0)

On 2 September 2021, the General Directorate of Information Systems Security (DGSSI) issued the Sensitive Information System Declaration Form (Version 1.0). This form outlines the requirements for entities responsible for critical infrastructure to declare and classify their sensitive information systems (SIS) in accordance with Moroccan Law 05-20 and Decree no. 2-21-406. The form mandates the provision of detailed information regarding the technical components, security measures, and operati...

✓ OfficialNational Strategydgssi.gov.ma ↗
02 JAN 2021 · Executive Order

Order establishing Central Bank Digital Currency Committee

On 1 February 2021, the Central Bank adopted an order establishing the Digital Currency Committee. The committee is responsible for reviewing matters related to the Central Bank’s Digital Currency (CBDC) and other digital assets, providing strategic guidance on these issues. It identifies the benefits and risks of these assets for the national economy, assesses their impact on monetary policy, financial stability, and consumer protection, and contributes to the legal framework surrounding the...

✓ OfficialNational Strategybkam.ma ↗
01 JAN 2021 · Other

DGSSI Assessment of Software Development Lifecycle Security Maturity (2021)

On 1 January 2021, the General Directorate of Information Systems Security (DGSSI) issued the Assessment of Software Development Lifecycle Security Maturity (2021), establishing a framework to enhance security in software development processes. The assessment integrates the Software Assurance Maturity Model (SAMM 2.0), providing guidance across five critical domains: governance, design, implementation, verification, and operations. It emphasises secure coding practices, risk management strate...

✓ OfficialNational Strategydgssi.gov.ma ↗
30 DEC 2020 · Executive Order

CNDP Deliberation No. D-195-EUS/2020 relating to the definition of the use of facial recognition technologies

On 30 December 2020, the National Commission for the Protection of Personal Data (CNDP) issued Deliberation No. D-195-EUS/2020 relating to the definition of the use of facial recognition technologies. The Deliberation specifies that while the use of such technologies is permitted, it requires prior authorisation by the CNDP, particularly for personal data processing. It recommends the adoption of a nationally trusted third-party system for authentication to avoid multiple biometric databases ...

✓ OfficialNational Strategycndp.ma ↗
14 DEC 2020 · Executive Order

CNDP Deliberation No. D-188-2020 on Data Protection Impact Analysis

On 14 December 2020, the National Commission for the Protection of Personal Data (CNDP) issued Deliberation No. D-188-2020 dated 14/12/2020 governing the Data Protection Impact Analysis (DPIA). The Deliberation outlines requirements for evaluating risks associated with personal data processing, particularly for operations involving sensitive or large-scale data processing, as mandated by Law No. 09-08 on data protection. Data controllers are required to document processing activities, assess ...

✓ OfficialNational Strategycndp.ma ↗
07 AUG 2020 · Executive Order

CNDP Deliberation No. D-120-2020 relating to the architecture of identifiers

On 8 July 2020, the National Commission for the Protection of Personal Data (CNDP) issued deliberation No. D-120-2020 relating to the architecture of identifiers. The deliberation emphasises compliance with Morocco's constitutional privacy protections (Article 24), international commitments under Convention 108, and national legislation (Law No. 09-08). It recommends a secure architecture separating usage and authentication data and the adoption of sector-specific identifiers tailored to acti...

✓ OfficialNational Strategycndp.ma ↗
29 JUL 2020 · Executive Order

CNDP Deliberation No. D-126-EUS/2020 relating to the definition of the use of facial recognition technologies by social welfare institutions for proof of life of beneficiaries

On 29 July 2020, the National Commission for the Protection of Personal Data (CNDP) issued Deliberation No. D-126-EUS/2020 relating to the definition of the use of facial recognition technologies by social welfare institutions for proof of life of beneficiaries. The Deliberation emphasises the need for a unified national trusted third-party system for authentication, recommending against the creation of independent biometric databases by service providers, whether in the private or public sec...

✓ OfficialNational Strategycndp.ma ↗
25 JUL 2020 · Law / Act

Data localisation requirement in Law No. 05.20 on cybersecurity

On 25 July 2020, the King of Morocco endorsed the text for Law No. 05.20 on cybersecurity. The law includes a data localisation requirement, as stipulated in Article 11, which mandates that sensitive data must be stored exclusively within the national territory.

✓ OfficialNational Strategydgssi.gov.ma ↗
23 APR 2020 · Executive Order

National Commission for the Protection of Personal Data deliberation No. D-108-EUS/2020 on use of facial recognition technologies

On 23 April 2020, the National Commission for the Protection of Personal Data (CNDP) issued Deliberation No. D-108-EUS/2020 on the definition of the use of facial recognition technologies in the context of the remote account system by banks and payment institutions. The CNDP confirmed its reservations regarding the creation of separate biometric databases by service providers and recommended the adoption of a nationally trusted third-party system for authentication to centralise and secure bi...

✓ OfficialNational Strategycndp.ma ↗
03 JAN 2020 · Other

General Guidance Note for Digital Development in Morocco by 2025

On 1 March 2020, the Government published the General Guidance Note for Digital Development in Morocco by 2025. It is structured around three strategic axes and four supporting pillars. The strategic axes comprise digital administration transformation targeting 85% user satisfaction, development of a digital ecosystem aiming to establish 2,500 startups and position Morocco as an African digital hub and social inclusion focused on training 50,000 young people in digital skills. These are under...

✓ OfficialNational Strategyadd.gov.ma ↗
National Strategy

Casablanca-Settat Data and AI Excellence Center

AI law in Morocco: The Casablanca-Settat Data and AI Excellence Center, established in 2025, aims to boost Morocco's digital transformation and AI innovation under the 'Digital Morocco 2030' strategy....

✓ OfficialNational Strategymcinet.gov.ma ↗
National Strategy

Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data

AI law in Morocco: Morocco's comprehensive data protection legislation enacted in 2009, establishing protections for personal data processing and creating the CNDP (National Commission for the Control of Personal Data Protection) as the supervisory authority. The law applies to AI systems that process personal data....

✓ OfficialNational Strategydgssi.gov.ma ↗
Law / Act

Bill for the Establishment of the National Agency for AI Governance

AI law in Morocco: A bill submitted to Morocco's House of Councilors in April 2024 by the Moroccan Labor Union parliamentary group proposing the establishment of a National Agency for Artificial Intelligence to oversee AI governance, develop national strategies, and ensure compliance with ethical standards....

✓ OfficialNational Strategymmsp.gov.ma ↗
Law / Act

Digital X.0 Framework Law

AI law in Morocco: Morocco's landmark framework legislation under review that will govern data, artificial intelligence, and digital services across public and private sectors. The law serves as the legal backbone of the Maroc Digital 2030 strategy, positioning AI as a pillar of national modernization....

✓ OfficialNational Strategymmsp.gov.ma ↗