Cybersecurity · Morocco

Cybersecurity regulation in Morocco (2026)

Comprehensive lawLaw No. 05-20 on Cybersecurity (2020), implemented by Decree 2-21-406 (2021), enforced by the General Directorate of Information Systems Security (DGSSI) under the Ministry of National DefenceCountry index 74 · B+

Morocco shaded by its cybersecurity status

Morocco enacted a comprehensive cybersecurity law (Law 05-20) in 2020 that establishes mandatory organisational and technical security obligations for public administrations, local authorities, public institutions, and private critical-infrastructure operators managing sensitive information systems. The DGSSI is the designated national cybersecurity authority responsible for oversight, incident management, and issuing binding security directives. The framework has been progressively strengthened through a 2023 incident-management framework, a 2024 cloud-services decree (No. 2-24-921), and a National Cybersecurity Strategy extending to 2030.

Key points

Law No. 05-20 (2020)

Morocco's primary cybersecurity statute establishes a risk-based framework requiring covered entities — state administrations, local authorities, public institutions, and critical-infrastructure operators — to implement security measures, conduct risk assessments, and maintain incident-response protocols. It also creates a classification system for sensitive information systems and government data.

source 1 ↗

DGSSI as National Authority

Decree 2-21-406 (2021), issued under Law 05-20, formally designates the DGSSI as the national cybersecurity authority. DGSSI issues binding directives, conducts audits, coordinates incident response, and certifies security products and services.

source 1 ↗source 2 ↗

National Directive on Information System Security (NDISS)

Originally issued in 2014 and subsequently updated, the NDISS sets baseline technical and organisational security standards for all in-scope entities. Covered entities have six months from each published revision to produce a compliance schedule. The updated directive incorporates lessons from audits, incident management, and evolving threat intelligence.

source 1 ↗

Incident Reporting Obligations

In January 2023 the DGSSI published a formal cybersecurity incident-management framework prescribing a six-phase response cycle and specific reporting rules for covered entities. Breach notification to DGSSI is mandatory for public entities and critical-infrastructure operators under Law 05-20; mandatory notification to affected individuals is under legislative development.

source 1 ↗source 2 ↗

Cloud Security Decree (2-24-921, Nov 2024)

Adopted by the Council of Ministers in November 2024 and published in Morocco's Official Bulletin, Decree 2-24-921 requires entities and critical-infrastructure operators that outsource sensitive information systems to cloud providers to use DGSSI-qualified providers. Level 2 qualification mandates that providers be Moroccan legal entities with all operational and administrative systems physically on Moroccan territory.

source 1 ↗source 2 ↗

National Cybersecurity Strategy to 2030

Morocco's national strategy, anchored in the Digital Morocco 2030 programme, prioritises governance strengthening, legal and institutional capacity, critical-infrastructure protection, and workforce development. The DGSSI recorded 879 cyberattacks in its latest annual report, including 109 critical incidents affecting finance, telecoms, and public administration, underscoring ongoing implementation priorities.

source 1 ↗source 2 ↗

Morocco - other topics

Crypto & Digital Assets Artificial Intelligence Data & Privacy Digital Payments & Fintech Digital Nomad & Residency Internet & Online Safety Starting a Business

Read in:Spanish French German Portuguese Hindi

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →