Cyber compliance in Morocco
Everything about cybersecurity obligations applicable in Morocco. Mandatory frameworks, recommended standards, competent authorities, and penalties.
Mandatory frameworks
Compliance frameworks mandated by regulation in Morocco.
DNSSI v2.0
DGSSI
National Directive on Information System Security. Mandatory framework for public organizations, OIV, and OSE in Morocco.
View detailsLoi 05-20
DGSSI
Moroccan cybersecurity law. Legal framework defining obligations, penalties, and the institutional framework.
Homologation DGSSI
DGSSI
IS security accreditation process in 4 phases for public organizations and critical infrastructure.
Recommended standards
The most relevant international standards for the Morocco market.
ISO 27001:2022
ISO/IEC
Information security management system. The most internationally recognized certification.
View detailsSOC 2 Type II
AICPA
Trust Services Criteria. Essential for Moroccan companies serving international clients.
View detailsMethodological frameworks
Complementary frameworks to structure your security approach.
EBIOS RM
ANSSI
French-language risk analysis methodology. Widely used in Morocco for accreditation projects.
NIST CSF 2.0
NIST
Structured cybersecurity framework. Complementary with DNSSI for comprehensive coverage.
CIS Controls v8
CIS
Prioritized critical security controls. Good starting point for Moroccan SMEs.
Morocco regulatory context
Competent authority
DGSSI (Directorate General of Information Systems Security), reporting to the National Defense Administration.
Penalties
Art. 19 Law 05-20: fines from 100,000 to 1,000,000 MAD. Doubled in case of repeat offense. Prison sentences of 1 to 5 years for serious cases.
Institutional framework
DGSSI reports to the National Defense Administration. It coordinates national cybersecurity and oversees DNSSI and Law 05-20 enforcement.
Covered entities
Public administrations, Operators of Vital Importance (OIV), Essential Service Operators (OSE), critical infrastructure, and their subcontractors.