Security | Privacy | Compliance
Cyber Security Services in Morocco
CNDP Law 09-08 compliance, DGSSI Law 05-20 vital infrastructure requirements, Bank Al-Maghrib Circular 5/W/2021 — ISO 27001 certification and penetration testing for Moroccan organisations.
CNDP Law 09-08 Compliance
CNDP declarations and authorisations, data mapping, French/Arabic privacy notices, cross-border transfer authorisation management, and data subject rights procedures.
BAM Circular 5/W/2021
Gap assessment and examination readiness for BAM-regulated banks and payment institutions — CISO governance, penetration testing, incident response, vendor risk.
DGSSI / Law 05-20 Alignment
Cybersecurity governance for Law 05-20 vital infrastructure operators (OIIVs) — DGSSI-aligned audit framework, maCERT incident reporting, and national exercise participation.
Penetration Testing
Web application, network, API, and mobile VAPT. Bilingual (French/English) reports structured for BAM Circular 5/W/2021 examination submission.
Managed SOC
24/7 monitoring with North Africa/MENA threat intelligence: state-sponsored activity, ransomware, financial cybercrime. maCERT incident reporting and BAM 24h notification management.
ISO 27001 Certification
ISMS implementation in French and Arabic satisfying BAM cybersecurity governance, Law 09-08 security obligations, and Law 05-20 OIIV requirements through one programme.
Morocco has built one of Africa’s most sophisticated cybersecurity and data protection regulatory frameworks, driven by the country’s strategic position as a gateway between Europe, the GCC, and Sub-Saharan Africa, and its deep economic integration with EU markets. Morocco’s data protection framework is anchored by Law 09-08 on the Protection of Individuals with regard to the Processing of Personal Data — enacted in 2009 and enforced by the CNDP (Commission Nationale de contrôle de la Protection des Données à caractère Personnel) — supplemented by Law 05-20 on Cybersecurity (enacted 2020) which establishes mandatory security requirements for vital infrastructure operators. Bank Al-Maghrib (BAM), Morocco’s central bank, imposes comprehensive cybersecurity governance requirements on the banking sector. The DGSSI (Direction Générale de la Sécurité des Systèmes d’Information) — Morocco’s national cybersecurity authority under the Administration of National Defence — coordinates national cybersecurity strategy and manages the national CERT (maCERT). ANRT (Agence Nationale de Réglementation des Télécommunications) regulates cybersecurity for telecommunications operators. For organisations operating in Morocco — Moroccan entities, French and EU multinationals with Morocco operations, GCC businesses expanding into North Africa, and organisations processing Moroccan personal data — the regulatory environment combines French-influenced civil law with Arab world regulatory principles, creating a compliance context that benefits from advisors experienced in both European and MENA regulatory environments. eShield IT Services delivers cybersecurity and data protection compliance services for organisations with Moroccan operations.
Morocco’s Cybersecurity Regulatory Framework
Law 09-08 on Personal Data Protection — CNDP
Morocco’s Law 09-08 on the Protection of Individuals with regard to the Processing of Personal Data (Loi n° 09-08 relative à la protection des personnes physiques à l’égard des traitements des données à caractère personnel), implemented by Decree 2-09-165, is the foundational data protection statute enforced by the CNDP. The law establishes a French-influenced data protection framework requiring: prior authorisation from the CNDP for sensitive processing activities (health data, data revealing racial/ethnic origin, political opinions, religious or philosophical beliefs, trade union membership) and cross-border transfers; declaration to the CNDP for standard processing activities; lawful basis documentation (consent, contract, legal obligation, vital interests, public task, legitimate interests); data subject rights (access, rectification, erasure, opposition); privacy notices in French and/or Arabic depending on the audience; data security obligations requiring controllers to implement appropriate technical and organisational measures; and prohibition on transfers of personal data to countries lacking equivalent protection unless CNDP authorisation is obtained. Morocco’s CNDP operates an authorisation-based model more similar to pre-GDPR French law than to the modern accountability-based approach — requiring prior engagement with the CNDP for many processing activities and transfers rather than relying on internal self-assessment. Morocco is in the process of updating Law 09-08 to align with GDPR-level standards as part of its Association Agreement modernisation with the European Union — organisations should design compliance programmes that accommodate this upcoming legislative reform.
Law 05-20 on Cybersecurity — DGSSI and maCERT
Morocco’s Law 05-20 on Cybersecurity (Loi n° 05-20 relative à la cybersécurité), enacted in 2020, establishes mandatory cybersecurity requirements for vital infrastructure operators (Opérateurs d’Infrastructure d’Importance Vitale — OIIV) across designated critical sectors: finance, energy, transport, water, health, and telecommunications. OIIVs are required to: implement a cybersecurity governance system meeting DGSSI-specified standards; conduct regular cybersecurity audits by DGSSI-qualified auditors; report significant cybersecurity incidents to maCERT within prescribed timeframes; participate in national cybersecurity exercises; and notify the DGSSI before implementing significant changes to information systems. maCERT (Morocco Computer Emergency Response Team) serves as the national CERT, coordinating incident response and issuing threat advisories. For non-OIIV organisations, Law 05-20 creates a recommended cybersecurity framework aligned with international standards and establishes cybersecurity service provider qualification requirements.
Bank Al-Maghrib (BAM) Cybersecurity Requirements
Bank Al-Maghrib supervises cybersecurity for Morocco’s banking sector — commercial banks, offshore banks, microfinance associations, and payment institutions — through its supervisory framework and specifically through Circular 5/W/2021 on the Management of Risks Related to Information Systems and Cybersecurity. BAM’s circular requires regulated institutions to: establish Board-level information system risk governance; designate a CISO at a senior level with direct Board access; conduct annual information system risk assessments reviewed by the Board; implement a documented information security policy framework; conduct regular penetration testing and vulnerability assessments; implement access control including privileged access management and multi-factor authentication; maintain an incident response plan tested against realistic scenarios; report significant cyber incidents to BAM within 24 hours; manage third-party and outsourcing cybersecurity risk; and implement business continuity arrangements covering cyber-specific scenarios. BAM examinations assess both documentary evidence and operating effectiveness — gap assessments structured around Circular 5/W/2021 criteria are strongly recommended before supervisory visits.
ANRT and Telecommunications Cybersecurity
The ANRT (Agence Nationale de Réglementation des Télécommunications) regulates Morocco’s telecommunications sector — Maroc Telecom, Orange Maroc, and Inwi — with network security, lawful interception, and infrastructure protection requirements. Telecom operators in Morocco process very large volumes of personal data subject to Law 09-08 requirements and are also subject to Law 05-20 OIIV requirements as critical infrastructure operators. The combination of ANRT requirements, Law 09-08 compliance, and Law 05-20 OIIV obligations creates a multi-layered compliance environment for telecommunications sector clients.
Cybersecurity Services for Morocco
CNDP Law 09-08 Compliance Programme
eShield IT’s Morocco Law 09-08 compliance programme covers: CNDP declaration and authorisation management for applicable processing activities; data mapping and processing activity inventory in French and Arabic; privacy notice review and update for Moroccan audiences in French and/or Arabic; lawful basis documentation; cross-border transfer authorisation management — a critical and frequently overlooked obligation for Moroccan organisations using cloud services or sharing data internationally; data subject rights procedures; and security safeguards implementation. For organisations monitoring the upcoming Law 09-08 reform, our programme is designed for smooth transition to the enhanced GDPR-aligned framework without fundamental programme rebuild.
BAM Circular 5/W/2021 Alignment
BAM-regulated institutions benefit from eShield IT’s gap assessment structured around Circular 5/W/2021 examination criteria. Our assessment delivers a prioritised gap register covering all Circular requirements — Board governance, CISO appointment, annual risk assessment, penetration testing programme, incident response plan, vendor risk management — with remediation guidance and examination readiness roadmap. Annual penetration testing mandated by BAM is delivered with BAM-structured bilingual (French/English) reporting. For institutions with imminent BAM examinations, our pre-examination readiness service identifies documentation and operational gaps before the supervisory visit.
ISO 27001 / DGSSI Alignment
ISO 27001 certification satisfies BAM cybersecurity governance requirements, aligns with Law 09-08 security obligations, and maps closely to the DGSSI cybersecurity framework for Law 05-20 OIIVs. eShield IT delivers ISO 27001 implementation for Moroccan organisations, with documentation programmes available in French (standard for Moroccan business) and Arabic. For organisations designated as Law 05-20 OIIVs, our implementation programme incorporates DGSSI-specific requirements into the ISMS scope and control design, providing both ISO 27001 certification and Law 05-20 compliance through a single integrated programme.
Penetration Testing for Morocco
BAM-regulated institutions require regular penetration testing under Circular 5/W/2021. eShield IT delivers web application, network infrastructure, API, and mobile application VAPT for Moroccan organisations. Our test reports are produced in French and English, with CVSS-scored findings and remediation guidance structured for BAM examination submission. For Law 05-20 OIIV organisations requiring DGSSI-qualified auditors, we coordinate with DGSSI-qualified partners for the audit components requiring specific qualification. Free retest within 90 days for critical and high findings.
Managed SOC for Morocco
eShield IT’s Managed SOC for Moroccan clients provides 24/7 monitoring with North Africa and MENA threat intelligence: state-sponsored activity targeting Moroccan critical infrastructure; financial cybercrime groups targeting Moroccan banks and fintech platforms; ransomware actors targeting Moroccan manufacturing and logistics (Morocco’s industrial sector is a growing target); and phishing campaigns targeting French-language corporate email environments. Our SOC delivers maCERT-compatible incident reporting, BAM 24-hour notification management, and Law 09-08 breach management. Monthly reporting in French and English satisfies BAM Circular 5/W/2021 documentation requirements.
Key Morocco Industry Sectors
Banking and Financial Services (BAM / ACAPS)
Morocco’s banking sector — anchored by Attijariwafa Bank, Banque Centrale Populaire, BMCE Bank of Africa, and Société Générale Maroc — is one of Africa’s most internationally connected, with subsidiaries operating across Sub-Saharan Africa. This pan-Africa banking footprint creates combined compliance obligations under BAM (Morocco) and the central banks of the subsidiary countries. eShield IT’s Morocco financial services practice supports BAM Circular 5/W/2021 compliance for domestic Morocco operations and integrated pan-Africa programmes for banks with Sub-Saharan subsidiaries.
Technology and Offshoring Sector (Casablanca Finance City)
Morocco’s offshoring and technology sector — anchored by Casablanca Finance City (CFC), Rabat Technopolis, and major European multinational shared service centres — processes large volumes of European personal data under GDPR and Moroccan personal data under Law 09-08 simultaneously. The EU-Morocco Association Agreement creates a legal context where many Moroccan processors for European data controllers are expected to demonstrate GDPR-equivalent compliance. eShield IT delivers integrated GDPR and Law 09-08 compliance programmes for Moroccan offshoring sector clients.
Frequently Asked Questions: Cybersecurity & Compliance in Morocco
Does Morocco Law 09-08 require CNDP authorisation for cloud services?
Yes, if cloud services involve cross-border transfer of personal data to non-equivalent countries. Under Law 09-08, transfers of personal data to countries without adequate data protection — including most non-EU countries and non-GCC countries — require prior CNDP authorisation. This applies to cloud services hosted in the US, UAE (outside GCC recognised adequacy), India, and most non-European regions. Many Moroccan organisations use AWS, Azure, and Google Cloud without the required CNDP authorisation for cross-border transfers — creating an enforcement exposure. eShield IT’s Law 09-08 programme includes a cross-border transfer audit and CNDP authorisation management service.
Is Morocco GDPR-adequate?
The European Commission has not issued a formal adequacy decision for Morocco, though Morocco has been on the EU’s candidate list for assessment. The EU-Morocco Association Agreement creates a framework for deeper regulatory alignment. For European multinationals transferring personal data to their Moroccan operations, GDPR standard contractual clauses (SCCs) are currently required. For Moroccan offshoring companies receiving European personal data, implementing GDPR-aligned privacy programmes and signing SCCs with EU clients is the standard compliance approach. The anticipated reform of Law 09-08 to GDPR-level standards may support an EU adequacy determination in the medium term.
Can eShield IT deliver services to Moroccan clients remotely?
Yes. eShield IT delivers all Law 09-08 compliance, BAM framework alignment, ISO 27001 implementation, penetration testing, and Managed SOC services to Moroccan clients remotely, with French-language documentation capability. For on-site requirements, we coordinate local delivery through our Morocco-based certified partner network in Casablanca and Rabat.
Common Cybersecurity Gaps in Moroccan Organisations
- Missing CNDP cross-border transfer authorisation: Using cloud services, SaaS platforms, and international data sharing without CNDP authorisation is the most common and most immediately actionable Law 09-08 compliance gap. This is the first gap addressed in every Law 09-08 assessment.
- French-language privacy notices absent or outdated: Many Moroccan organisations serve French-speaking customers with English-only or outdated privacy notices that do not reflect actual processing activities.
- BAM CISO not at senior level: BAM Circular 5/W/2021 requires the CISO to be at senior management level with direct Board access. In smaller institutions, the CISO function is often performed at a junior IT level without the governance structure required by the Circular.
- Law 05-20 OIIV status unassessed: Many organisations operating in the designated vital infrastructure sectors are not aware that they qualify as Law 05-20 OIIVs and have not assessed their Law 05-20 compliance obligations — creating exposure to enforcement by the DGSSI.
- Ransomware protection inadequate in industrial sector: Moroccan manufacturing and industrial organisations — the Tangier automotive cluster, phosphate processing — face growing ransomware risk without mature OT/IT security architectures.
Why Partner with eShield IT for Morocco Cybersecurity
eShield IT brings GCC and MENA regulatory depth that directly applies to Moroccan requirements — our consultants hold CISM, CISSP, CIPP/E, ISO 27001 Lead Auditor, and OSCP qualifications with Arabic-world compliance documentation experience spanning UAE PDPL, GCC banking cybersecurity, and North Africa regulatory engagement. Our French-language documentation capability and MENA-wide delivery network make us a natural partner for Moroccan organisations seeking compliant, cost-effective cybersecurity programmes. Contact our team for a no-obligation initial consultation.
Morocco Cybersecurity Programme Costs: What to Budget
Indicative programme costs: SMEs (10–100 employees): Law 09-08 compliance programme MAD 180,000–420,000; ISO 27001 gap assessment MAD 150,000–320,000; penetration testing from MAD 160,000 (web application) to MAD 550,000 (comprehensive VAPT). BAM-regulated institutions: Law 09-08 + BAM combined programme MAD 380,000–950,000; ISO 27001 implementation MAD 650,000–1.6M; managed SOC from MAD 140,000/month. For EU-Morocco integrated GDPR + Law 09-08 programmes, contact eShield IT for combined pricing. All costs are indicative; contact us for a scoped proposal.
Next Steps: Starting Your Morocco Cybersecurity Programme
A readiness assessment identifying your Law 09-08, BAM Circular 5/W/2021, and ISO 27001 gaps — with a proportionate remediation roadmap — is the most effective starting point. eShield IT’s Morocco readiness assessments are delivered in 2–3 weeks with French and English output. Contact our team to arrange a no-obligation initial consultation.
Secure Your Morocco Operations Before the Next BAM Examination
Law 09-08, BAM Circular 5/W/2021, and ISO 27001 — bilingual (French/English/Arabic) programmes delivered by certified MENA specialists.