Skip to content
ZxR Cyber Sentinel 4.1 is available — Discover our AI models
🇲🇦 Morocco

Cyber compliance in Morocco

Everything about cybersecurity obligations applicable in Morocco. Mandatory frameworks, recommended standards, competent authorities, and penalties.

Legal obligations

Mandatory frameworks

Compliance frameworks mandated by regulation in Morocco.

Mandatory104 exigences

DNSSI v2.0

DGSSI

National Directive on Information System Security. Mandatory framework for public organizations, OIV, and OSE in Morocco.

View details
Mandatory52 articles

Loi 05-20

DGSSI

Moroccan cybersecurity law. Legal framework defining obligations, penalties, and the institutional framework.

Mandatory4 phases

Homologation DGSSI

DGSSI

IS security accreditation process in 4 phases for public organizations and critical infrastructure.

Recommended standards

Recommended standards

The most relevant international standards for the Morocco market.

Recommended93 controles

ISO 27001:2022

ISO/IEC

Information security management system. The most internationally recognized certification.

View details
Recommended5 criteres

SOC 2 Type II

AICPA

Trust Services Criteria. Essential for Moroccan companies serving international clients.

View details
Useful frameworks

Methodological frameworks

Complementary frameworks to structure your security approach.

Framework5 ateliers

EBIOS RM

ANSSI

French-language risk analysis methodology. Widely used in Morocco for accreditation projects.

Framework6 fonctions

NIST CSF 2.0

NIST

Structured cybersecurity framework. Complementary with DNSSI for comprehensive coverage.

Framework18 controles

CIS Controls v8

CIS

Prioritized critical security controls. Good starting point for Moroccan SMEs.

Local specifics

Morocco regulatory context

Competent authority

DGSSI (Directorate General of Information Systems Security), reporting to the National Defense Administration.

Penalties

Art. 19 Law 05-20: fines from 100,000 to 1,000,000 MAD. Doubled in case of repeat offense. Prison sentences of 1 to 5 years for serious cases.

Institutional framework

DGSSI reports to the National Defense Administration. It coordinates national cybersecurity and oversees DNSSI and Law 05-20 enforcement.

Covered entities

Public administrations, Operators of Vital Importance (OIV), Essential Service Operators (OSE), critical infrastructure, and their subcontractors.

Morocco Pack

Zaxyr offers a pre-configured pack covering all applicable obligations in Morocco. Automatic cross-mapping between frameworks.

Ready to secure your compliance in Morocco?

AI gap analysis, automatic cross-mapping, continuous monitoring. Request a personalized demo.