Enterprise cybersecurity is the full set of technical, organizational and governance controls that protect a company's information systems against attacks, outages and data leaks, while keeping the business running and the company compliant. In Morocco, it rests on two inseparable dimensions: a solid defensive baseline and a tested ability to respond when something goes wrong.
Quick answer: a serious cybersecurity posture rests on three pillars that cannot be separated. A technical baseline (identities, backups, monitoring), an incident-response capability that is prepared and rehearsed, and a dual-facing compliance answer to both the DGSSI (Law 05-20) and the CNDP (Law 09-08). Buying tools without that backbone protects no one.
Many Moroccan executives still picture security as an antivirus and firewall budget line. That framing is wrong. Attackers do not target your tools; they target your poorly governed processes, your never-tested backups, and your response plan that exists only on paper. This article lays out the baseline to build, the incident-response cycle to put in place, and the Moroccan regulatory grid that turns these good practices into legal obligations for certain companies. For the broader data picture, see our enterprise data, security and compliance guide.
What is the enterprise security baseline?
The baseline groups the foundational controls without which no other investment makes sense. Seven building blocks compose it. First, identity management with systematic multi-factor authentication (MFA) and least privilege (RBAC): most intrusions begin with a compromised credential. Second, continuous patch and vulnerability management, which closes known doors before they are exploited. Third, network segmentation, which stops one compromised workstation from contaminating the entire information system.
Then come backups following the 3-2-1 rule, centralized log monitoring through a SOC or SIEM, and continuous user-awareness and anti-phishing training. None of this is negotiable. A sophisticated SOC sitting on top of MFA-less identities and untested backups is a castle built on sand. The sequence matters: secure the baseline before spending on advanced detection tooling.
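The paragraph above names centralized log monitoring and compromised credentials as the baseline's core concerns; the following Python snippet is an added example (not from the article, and not any SOC or SIEM product's code) of the kind of detection logic a SIEM rule encodes: a source that fails many logins in a short window and then succeeds. The log lines, the threshold and the window are all constructed, and the regex only parses password authentications in OpenSSH-style syslog lines; adapt it to your own log source.

```python
"""Detection over constructed auth logs: many failures, then a success, from one source.

Added example, not from the article. SAMPLE_LOG, THRESHOLD and WINDOW are constructed;
the regex assumes OpenSSH-style "Failed/Accepted password for ... from ..." lines.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Only password authentications are parsed; "Accepted publickey" lines are ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample: 203.0.113.7 (TEST-NET-3) hammers several accounts, then gets in as
# "admin"; 198.51.100.4 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2026-06-17T09:00:01Z sshd[101]: Failed password for invalid user oracle from 203.0.113.7 port 51022 ssh2
2026-06-17T09:00:03Z sshd[102]: Failed password for invalid user test from 203.0.113.7 port 51023 ssh2
2026-06-17T09:00:05Z sshd[103]: Failed password for admin from 203.0.113.7 port 51024 ssh2
2026-06-17T09:00:08Z sshd[104]: Failed password for root from 203.0.113.7 port 51025 ssh2
2026-06-17T09:00:12Z sshd[105]: Failed password for admin from 203.0.113.7 port 51026 ssh2
2026-06-17T09:00:15Z sshd[106]: Failed password for admin from 203.0.113.7 port 51027 ssh2
2026-06-17T09:00:40Z sshd[107]: Accepted password for admin from 203.0.113.7 port 51028 ssh2
2026-06-17T09:05:00Z sshd[108]: Failed password for alice from 198.51.100.4 port 40012 ssh2
2026-06-17T09:05:06Z sshd[109]: Accepted password for alice from 198.51.100.4 port 40013 ssh2
2026-06-17T09:07:00Z sshd[110]: Accepted publickey for bob from 198.51.100.9 port 40020 ssh2
"""

THRESHOLD = 5                    # failures within WINDOW before a success is suspicious
WINDOW = timedelta(minutes=10)


def parse(lines):
    """Return (timestamp, result, user, ip) tuples in chronological order."""
    events = []
    for line in lines:
        match = LOG_RE.match(line)
        if match:
            ts = datetime.fromisoformat(match["ts"].replace("Z", "+00:00"))
            events.append((ts, match["result"], match["user"], match["ip"]))
    events.sort(key=lambda event: event[0])
    return events


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Alert when a source succeeds after >= threshold failures inside the window.

    Failures are tracked per source IP across all usernames, so a spray over
    several accounts that ends in one successful login is still caught.
    """
    failures = defaultdict(list)     # ip -> timestamps of failed logins
    alerts = []
    for ts, result, user, ip in parse(lines):
        if result == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({"ip": ip, "user": user, "failures": len(recent), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['at'].isoformat()} {alert['ip']} -> {alert['user']} "
              f"after {alert['failures']} failures")
```

On the constructed sample this raises exactly one alert, for 203.0.113.7 logging in as admin after six failures; alice's single typo stays silent. The same rule, with the threshold and window tuned to your environment, is the sort of content a SIEM correlation rule carries, and it only works if authentication logs from every host actually reach the central collector, which is why the article puts centralized monitoring in the baseline.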
What is the 3-2-1 rule and why does it matter?
The 3-2-1 rule means keeping three copies of your data, on two different media types, with at least one copy stored offsite. It is a baseline ransomware-resilience recommendation, endorsed notably by the US CISA (Cybersecurity and Infrastructure Security Agency). Its value against modern ransomware is simple: if the attacker encrypts both your production and your online backups, the offsite copy (ideally immutable or fully disconnected) is your only safety net left.
Two caveats matter. First, the 3-2-1 rule is a best practice, not a legal requirement in Morocco. Second, and more important, a backup is worth nothing unless it restores. Too many Moroccan companies discover mid-crisis that their backups are corrupted, incomplete, or impossible to restore within an acceptable window. Regularly testing restores, rather than merely confirming the backup job "ran", is what separates real resilience from the illusion of safety. Tie each restore test to a target time, not a vague intention.
Which frameworks should structure your controls?
Buying tools at random leads to incoherent, expensive setups. Risk-based control frameworks give you the spine. Two dominate. ISO/IEC 27001 specifies the requirements for an Information Security Management System (ISMS) and is certifiable by accredited bodies. Its 2022 revision added Annex A control 5.30, "ICT readiness for business continuity", which consolidates the former A.17 controls and aligns with ISO 22301.
The NIST Cybersecurity Framework 2.0 (released February 2024) is organized around six core Functions: Govern, Identify, Protect, Detect, Respond, Recover. The "Govern" function was added in version 2.0 (v1.1 had only five), and the scope was widened from critical infrastructure alone to all organizations. CSF 2.0 has 22 categories and 106 subcategories.
The key point for Morocco: neither ISO 27001 nor NIST CSF is mandatory here. They are voluntary frameworks, valuable for prioritizing controls by risk rather than buying tools at random. The legal obligation, for sensitive systems of vital-importance infrastructure, is DGSSI homologation, not ISO certification.
What does Law 05-20 require of Moroccan companies?
Law n° 05-20 on cybersecurity, promulgated by Dahir n° 1-20-69 on 25 July 2020, sets the legal framework and minimum security measures for the information systems of State administrations, territorial collectivities, public establishments and enterprises, other public-law legal persons, and private operators of vital-importance infrastructure (infrastructures d'importance vitale) that hold sensitive information systems.
Its key obligations are concrete. Every sensitive information system must obtain a security homologation (accreditation) before being put into operation (Article 19), a process by which the system owner formally acknowledges the residual risks and the measures deployed. The DGSSI publishes a dedicated "Guide d'homologation des systèmes d'information sensibles". The law also requires covered entities to develop an information-system security policy (PSSI) conforming to national directives (Article 4), to designate an RSSI (security officer) who liaises with the national authority (Article 6), to declare incidents affecting the security or operation of their systems (Article 8), and subjects sensitive systems to security audits (Article 20).
The implementing decree, n° 2-21-406, approved 28 June 2021, defines the protection measures and sets the qualification criteria for cybersecurity-audit and security-service providers. The updated Directive Nationale de la Sécurité des Systèmes d'Information (DNSSI), issued in January 2023, details the binding requirements for these entities.
Who is the DGSSI and how do you report an incident?
The DGSSI (Direction Générale de la Sécurité des Systèmes d'Information) is Morocco's national cybersecurity authority, created in 2011 and attached to the National Defence Administration. It sets standards, classifies systems, and oversees homologation and audits. It operates the national CERT, maCERT, which receives incident declarations at incident@macert.gov.ma.
The DGSSI has also published the National Cybersecurity Strategy 2030 (Stratégie Nationale de Cybersécurité 2030, unveiled in July 2024), structured around 4 pillars, 11 strategic objectives, 26 initiatives and 60 actions. Its pillars are national cybersecurity governance, security and resilience of the national cyberspace, capacity development and awareness, and international cooperation. The strategic message is clear: Morocco is actively tightening its governance, and compliance expectations are rising. Building the baseline now, proactively, costs far less than building it under the pressure of an audit or a live crisis.
Does every company need an RSSI and homologation?
No, and this is a nuance many Moroccan articles erase. The heavy obligations of Law 05-20 (designating an RSSI, writing a PSSI, obtaining homologation, undergoing audits by DGSSI-qualified providers) attach to administrations, public establishments, and operators of vital-importance infrastructure. They do not bind every SME.
Vital-importance-infrastructure designation is the dividing line. Designated firms in banking, energy, transport, health, telecoms and water carry the full weight of Law 05-20. Ordinary firms fall mainly under Law 09-08 on personal data and the CNDP. The table below helps you place yourself.
| Criterion | "Ordinary" company | Designated vital-importance infrastructure |
|---|---|---|
| Primary regulator | CNDP (Law 09-08) | DGSSI (Law 05-20) + CNDP |
| RSSI required | No (recommended) | Yes (Article 6) |
| Formal PSSI | Good practice | Mandatory (Article 4) |
| Sensitive-system homologation | No | Yes, before go-live (Article 19) |
| Security audits | Voluntary | Mandatory, qualified providers (Article 20) |
| Incident declaration | Assess (Law 09-08) | Mandatory to maCERT (Article 8) |
How do the two regulators, DGSSI and CNDP, fit together?
This is the most misunderstood reality in Morocco: a company must satisfy two distinct authorities with different mandates. The DGSSI governs system security (homologation, declaration to maCERT) under Law 05-20. The CNDP (Commission Nationale de contrôle de la protection des Données à caractère personnel) governs personal-data protection under Law 09-08.
Never confuse their powers. Article 23 of Law 09-08 requires the data controller to implement appropriate technical and organizational measures to protect data against destruction, loss, alteration, and unauthorized access or disclosure. Most processing requires a prior declaration to the CNDP, and sensitive processing requires prior authorization. For the detail of obligations and sanctions, see our CNDP and Law 09-08 compliance guide. Your security program must map its controls to both regulators at once, not pick one and hope the other looks away.
What should you do after a personal-data leak?
First clarification: Law 09-08 does not contain a general, GDPR-style mandatory breach-notification mechanism with a fixed deadline (there is no statutory "72 hours"). That does not mean you can ignore an incident. After a leak, the controller must take corrective measures, document the event, then assess whether to inform the CNDP and the affected data subjects based on severity and risk. It is a duty of judgment and traceability, not a regulatory countdown.
Law 09-08's criminal sanctions are real: fines from 10,000 to 300,000 dirhams and/or imprisonment of three months to two years depending on the offence, doubled for legal entities. As examples, Article 52 covers processing without the required declaration or authorization (fines from 10,000 DH), Article 55 covers processing without the required security or conformity measures (20,000 to 200,000 DH and 3 months to 1 year), Article 56 covers processing sensitive data without consent (up to 300,000 DH), and Article 62 covers obstructing the CNDP's work.
How do you structure incident response and resilience?
The incident-response cycle follows six steps: prepare, detect and analyze, contain, eradicate, recover, then learn (the post-incident review). Each step should rest on a named IR plan, an on-call team, and pre-agreed escalation, including notification to maCERT/DGSSI and, where relevant, to the CNDP and the affected data subjects.
On resilience, distinguish the PRA (Plan de Reprise d'Activité, disaster recovery) from the PCA (Plan de Continuité d'Activité, business continuity). The PRA restores systems; the PCA keeps the business running. For each critical process, define an RTO (Recovery Time Objective: the maximum tolerable time to restore a service) and an RPO (Recovery Point Objective: the maximum tolerable data loss, measured in time), via a Business Impact Analysis. ISO 22301 frames this approach, and ISO 27001 control 5.30 ties it back to the ISMS.
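The following Python drill is an added example (not from the article, and not any vendor's or regulator's tooling) that serves both the 3-2-1 section's point that a backup is only worth what it restores and the RTO/RPO definitions above. It checks a backup inventory against the 3-2-1 rule, checks the age of the newest copy against the RPO, and performs a timed, checksum-verified restore into a scratch directory against the RTO. The inventory, the four-hour RTO/RPO targets, the sample files and the simulated corruption are all constructed.

```python
"""Backup restore drill: 3-2-1 coverage, RPO freshness, and a timed restore vs RTO.

Added example, not from the article. The backup inventory, RTO/RPO targets,
sample files and simulated corruption below are all constructed.
"""
import hashlib
import shutil
import tempfile
import time
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path


@dataclass(frozen=True)
class BackupCopy:
    name: str          # constructed label for the copy
    media: str         # media type, e.g. "disk", "tape", "object-storage"
    offsite: bool      # stored away from the production site
    immutable: bool    # cannot be altered by the account that writes backups
    taken_at: datetime


def check_3_2_1(copies):
    """Three copies, on two media types, at least one of them offsite."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
    }


def rpo_met(copies, rpo, now):
    """RPO: the newest copy must be no older than the tolerable data loss."""
    newest = max(c.taken_at for c in copies)
    return now - newest <= rpo


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def restore_drill(backup_dir, restore_dir, expected_hashes, rto):
    """Restore into a scratch directory, verify every digest, and time it against the RTO.

    A backup job that "ran" but yields a missing or altered file fails here,
    which is why the restore, not the job status, is what gets tested.
    """
    start = time.monotonic()
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    mismatches = sorted(
        rel for rel, digest in expected_hashes.items()
        if not (Path(restore_dir) / rel).is_file()
        or sha256_of(Path(restore_dir) / rel) != digest
    )
    elapsed = timedelta(seconds=time.monotonic() - start)
    return {"restored": not mismatches, "mismatches": mismatches,
            "elapsed": elapsed, "rto_met": elapsed <= rto}


def run_demo():
    """Constructed scenario: two copies (3-2-1 fails), add a third, then drill."""
    now = datetime(2026, 6, 17, 12, 0, tzinfo=timezone.utc)
    rto, rpo = timedelta(hours=4), timedelta(hours=4)
    copies = [
        BackupCopy("prod-nas", "disk", False, False, now - timedelta(hours=1)),
        BackupCopy("tape-vault", "tape", True, True, now - timedelta(days=1)),
    ]
    coverage_before = check_3_2_1(copies)
    copies.append(BackupCopy("object-store", "object-storage", True, True,
                             now - timedelta(hours=6)))
    coverage_after = check_3_2_1(copies)

    with tempfile.TemporaryDirectory() as work:
        backup = Path(work) / "backup"
        backup.mkdir()
        (backup / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
        (backup / "config.yml").write_bytes(b"mfa: required\n")
        expected = {p.name: sha256_of(p) for p in backup.iterdir()}
        good = restore_drill(backup, Path(work) / "restore1", expected, rto)
        # Simulate silent corruption on the backup media, then drill again.
        (backup / "ledger.csv").write_bytes(b"id,amount\n1,1\n")
        bad = restore_drill(backup, Path(work) / "restore2", expected, rto)

    return {
        "coverage_before": coverage_before,
        "coverage_after": coverage_after,
        "rpo_met": rpo_met(copies, rpo, now),
        "good_restore": good["restored"],
        "bad_restore": bad["restored"],
        "bad_mismatches": bad["mismatches"],
        "rto_met": good["rto_met"],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The expected digests are recorded at backup time and kept apart from the backup itself, so the second drill reports `ledger.csv` as a mismatch even though the "job" still looks healthy. In a real programme the RTO and RPO per critical process come out of the Business Impact Analysis, and the drill's `elapsed` figure is the number to compare against the RTO that the analysis set, not against a vague intention.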
For banking, Bank Al-Maghrib adds a layer through Directive n° 3/W/2016, which requires credit institutions to build a cyber-risk mapping, run regular IT audits and intrusion tests, and deploy detection and response capabilities. BAM also promotes the CROE (Cyber Resilience Oversight Expectations) framework for financial-market infrastructures. To frame your roadmap, our digital consulting offer always starts from an assessment against a framework before closing baseline gaps.
FAQ
Is ISO 27001 certification mandatory in Morocco? No. ISO 27001 and NIST CSF 2.0 are voluntary frameworks, useful for structuring and prioritizing your controls by risk. The only legal requirement of that kind is DGSSI homologation of sensitive information systems, and it applies only to administrations, public establishments and operators of vital-importance infrastructure, not to every Moroccan company.
Is my company a vital-importance infrastructure? It depends on an official designation, usually in banking, energy, transport, health, telecoms and water. If you are designated, Law 05-20 requires an RSSI, a PSSI, homologation, audits by qualified providers and incident declaration to maCERT. If not, you fall mainly under Law 09-08 and the CNDP. When in doubt, have your status formally qualified.
Must I notify every data leak to the CNDP within 72 hours? No. Law 09-08 has no fixed GDPR-style notification deadline. After an incident you must take corrective measures, document the event, then assess whether to inform the CNDP and the affected individuals based on severity and risk. It is a duty of judgment and traceability, not a statutory countdown you can fail by the clock.
What is the difference between RTO and RPO? The RTO (Recovery Time Objective) is the maximum tolerable time to restore a service after a disruption. The RPO (Recovery Point Objective) is the maximum amount of data you can afford to lose, measured in time. Both, defined per critical process via a Business Impact Analysis, size your PRA and PCA plans.
Where do we concretely start? Assess your current posture against a framework (ISO 27001 or NIST CSF 2.0), close baseline gaps first (MFA, patching, tested backups, monitoring), then mature toward homologation or certification if your status requires it. A tabletop exercise often reveals that the response plan exists on paper but has never been rehearsed under pressure.
Sources
Last verified: 17 June 2026.
- DGSSI, Law n° 05-20 on cybersecurity (dgssi.gov.ma) and LexisNexis Maroc text of Law 05-20 (Articles 4, 6, 8, 19, 20).
- DGSSI, incident-reporting page and maCERT (dgssi.gov.ma); Décret n° 2-21-406; DNSSI 2023.
- DGSSI, National Cybersecurity Strategy 2030 (dgssi.gov.ma).
- CNDP, Law 09-08 (Article 23) and "Liste des infractions à la loi 09-08 et des sanctions prévues" (cndp.ma); Medias24 (1 July 2023).
- Bank Al-Maghrib, Directive n° 3/W/2016 and CROE framework (bkam.ma); Finances News Hebdo (fnh.ma).
- ISO/IEC 27001 (Annex A control 5.30), ISO 22301; NIST Cybersecurity Framework 2.0 (NIST.gov); CISA, "Back Up Your Data" (cisa.gov).
Bottom line: enterprise cybersecurity in Morocco is neither a tool purchase nor a legal formality, but a baseline that is built and then rehearsed, mapped to both the DGSSI and the CNDP. To assess your maturity and build your roadmap, let's talk.
