Enterprise IT compliance in Morocco is the full set of legal, technical and organizational obligations governing data governance, personal data protection (CNDP, Law 09-08), cybersecurity (DGSSI, Law 05-20) and operational resilience. In 2025-2026, what used to be a CIO topic has become a boardroom topic.
Quick answer: Mastering data, security and IT compliance in Morocco rests on five pillars: (1) structured data governance (mapping, classification, ownership), (2) CNDP compliance with Law 09-08 and soon Law 07-26, (3) a cybersecurity baseline aligned with the DGSSI and Law 05-20, (4) a cloud versus on-premise choice informed by sovereignty (Oracle Casablanca region, Cloud First policy), and (5) an incident response framework with BCDR. The 2025 trigger: the CNDP moved to active enforcement, and two major breaches (CNSS, Marjane) turned compliance into a leadership issue.
This pillar guide maps the entire landscape. Each sub-topic is positioned as an entry point, and CNDP compliance, the densest of them all, is covered in a dedicated deep-dive article.
Why has enterprise data governance become strategic in Morocco in 2025-2026?
Because the risk has materialized and the regulator has changed its stance. Morocco ranks Tier 1 in the ITU Global Cybersecurity Index 2024 with a score of 97.5/100, the only Maghreb country in that elite category. Yet this institutional excellence contrasts with corporate reality: the CNSS data breach in April 2025 exposed information on nearly 2 million employees and nearly 500,000 companies, and Marjane Group, the country's largest retailer, faced a ransomware claim in November 2025. In parallel, the CNDP officially closed its fifteen-year awareness phase in February 2025 and moved to active sectoral enforcement. For a Moroccan executive, the question is no longer "should we deal with this?" but "how long do we have before an audit or an incident?". Data governance has become the foundation that drives compliance, resilience and customer trust at once.
What is data governance, and where do you start?
Data governance is the set of rules, roles and processes that define who can access which data, under what conditions and for what purpose. Before any compliance effort, it is the essential prerequisite: you cannot protect, or declare to the CNDP, data you have never inventoried.
Three concrete workstreams to begin:
- Data mapping. Inventory every processing activity: HR, payroll, CRM, video surveillance, marketing, subcontractors. For each, identify the purpose, legal basis, recipients and hosting location (a critical point for transfers).
- Classification. Distinguish public, internal, confidential and sensitive data (health, banking, opinions). Sensitive data triggers reinforced obligations under Law 09-08.
- Data ownership. Assign a business owner to every dataset. Without a named owner, no retention, sharing or deletion decision ever holds.
This mapping feeds directly into your CNDP declarations and your cybersecurity risk analysis. It is the reference document from which everything else flows.
CNDP and Law 09-08: what obligations, and declaration or authorization?
Law 09-08, enacted in 2009, is the legal backbone of personal data protection in Morocco. The CNDP is its authority: it informs, advises, controls and sanctions. Any company processing personal data must complete a prior formality, and the choice between two regimes is often misunderstood.
| Formality | When to use it | Key feature |
|---|---|---|
| Declaration | Routine processing (HR, payroll, customer files) | Processing can start once filed |
| Prior authorization | Sensitive cases: health data, cross-border transfers, surveillance | Processing cannot begin before CNDP approval |
The legal stakes are real: Law 09-08 provides for fines of 20,000 to 200,000 MAD and imprisonment of 3 months to 1 year. The CNDP can also issue a warning, a formal notice, suspend processing for up to 3 months, or withdraw an authorization. Since February 2025, these levers are no longer theoretical.
This topic is the densest in the entire framework. We have detailed it in our flagship article: CNDP and Law 09-08 compliance for your business, worth reading before any filing.
Law 07-26 (2026): what changes versus Law 09-08?
Law 07-26 modernizes Law 09-08 rather than replacing it. It aims to bring the Moroccan framework closer to international standards (logic close to the European GDPR) while strengthening sovereignty. The reported changes are structural for leadership teams.
According to a secondary source (which must be verified against the official text published in the Bulletin Officiel before any decision), Law 07-26 would introduce:
- New fine tiers: 10,000 to 50,000 MAD for minor violations, and 100,000 to 600,000 MAD per major violation, a considerable step up from the current 200,000 MAD ceiling.
- A mandatory 72-hour notification to the CNDP in case of a data breach, a reflex most Moroccan companies have not yet built.
- Data localization for critical infrastructure.
- Imprisonment raised from 3 months to 2 years.
The message for an executive: the tolerance window is closing. Organizations that structure their governance now will navigate the transition calmly; the rest will discover the 72-hour deadline in the chaos of an incident. Treat Law 07-26 as a program to anticipate, not a regulatory update to absorb after the fact.
What is the minimum cybersecurity baseline in Morocco?
The regulatory cybersecurity baseline rests on the DGSSI (Directorate General for Information System Security), created in 2011 within the National Defense Administration. It is the national authority that sets the rules for public administrations and vital/critical infrastructure (OIV/IIV).
Four references to know:
- Law 05-20 on cybersecurity (application decree no. 2-21-406) covers administrations, public institutions, local authorities, public enterprises and all critical infrastructure, public or private. It requires designating an information system security officer, preparing continuity and recovery plans, and reporting incidents to the national authority.
- The DNSSI (National Directive on Information System Security) sets minimum security objectives and rules.
- The National Cybersecurity Strategy 2030 is built on 4 pillars, 11 objectives, 26 initiatives and 60 actions.
- For the financial sector, Bank Al-Maghrib's Directive no. 3/W/2016 mandates audits, intrusion tests and advanced detection, with adoption of the CROE framework.
The reality on the ground: according to the AUSIM x PwC 2025 barometer, 64% of Moroccan companies outsource all or part of their cybersecurity. The point is not to internalize everything, but to steer the right setup.
Cloud or on-premise in Morocco: how to choose, and what does sovereign cloud add?
The choice depends on your risk profile, data sensitivity and transfer constraints. The Moroccan landscape has scaled up: the country now has several operational data centers, and Oracle opened the first hyperscaler cloud region in North Africa in Casablanca in April 2026 (hosted by N+ONE), with processing and hosting kept strictly within national borders and a second region planned in Settat.
| Criterion | On-premise | International cloud | Sovereign cloud (Morocco region) |
|---|---|---|---|
| Physical control | Total | Low | High (data in Morocco) |
| Transfer compliance (art. 43-44) | Native | CNDP authorization required | Native, no transfer |
| Upfront cost | High (CAPEX) | Low (OPEX) | Low (OPEX) |
| Scalability | Limited | Maximum | High |
| Fit for sensitive data | Strong | Must be framed | Strong |
The Cloud First policy in the Cloud 2025-2030 roadmap, embedded in Morocco Digital 2030, will progressively make cloud the default option for public services. For a private company, sovereign cloud reconciles OPEX agility with sovereignty requirements, without the regulatory headache of transfers.
Cross-border data transfers: why does sovereignty drive your cloud decision?
Because hosting your data abroad is not a technical detail: it is a regulated legal act. Articles 43 and 44 of Law 09-08 prohibit transferring personal data to a country that does not ensure a sufficient level of protection, except with prior CNDP authorization or the data subject's explicit consent. A crucial point often ignored: using a cloud server located abroad counts as an international transfer, even through a local reseller.
Concretely, if your CRM, payroll or customer data resides in a European or American datacenter via a SaaS provider, you are performing an international transfer that requires a CNDP formality. This is precisely the link that turns the cloud decision into a compliance decision, not a mere IT trade-off. Choosing a cloud region in Morocco (such as Oracle Casablanca) or on-premise hosting removes the transfer qualification for the data concerned, radically simplifying your CNDP file. Sovereignty is therefore not a slogan: it is the parameter that determines whether or not you must seek an authorization, with the delays and risks that entails.
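The data-mapping fields from the governance section, the declaration-versus-authorization rule and the hosting-abroad-equals-transfer rule can be combined into a single pre-check run over the processing register. This is an added example, not code from the article or from any CNDP tool; the `Processing` record, the category labels and the three register entries are constructed, and the regime logic is only the article's summary of the rules, not legal advice.

```python
"""CNDP formality pre-check over a data-processing register (added example, not
from the original article). Rules are the article's: health data, cross-border
transfer or surveillance -> prior authorization, anything else -> declaration;
hosting outside Morocco is a transfer (art. 43-44) even via a local reseller."""
from dataclasses import dataclass

SENSITIVE = {"health", "banking", "opinions"}  # reinforced obligations, Law 09-08


@dataclass(frozen=True)
class Processing:          # one row of the data-mapping inventory
    name: str
    purpose: str
    legal_basis: str
    owner: str             # "" means no business owner has been named
    categories: frozenset  # constructed category labels, not an official taxonomy
    hosting_country: str   # ISO 3166 alpha-2, "MA" = Morocco
    surveillance: bool = False

def is_international_transfer(p: Processing) -> bool:
    """Any server outside Morocco counts, whoever resells it."""
    return p.hosting_country.upper() != "MA"

def required_formality(p: Processing) -> str:
    """Declaration: processing may start once filed. Authorization: it may not."""
    if "health" in p.categories or is_international_transfer(p) or p.surveillance:
        return "prior authorization"
    return "declaration"

def gaps(p: Processing) -> list:
    """Governance findings that would block a clean CNDP file."""
    out = [f"missing {f}" for f in ("owner", "legal_basis") if not getattr(p, f)]
    if p.categories & SENSITIVE:
        out.append("sensitive data: reinforced obligations")
    if is_international_transfer(p):
        out.append(f"transfer to {p.hosting_country}: authorization or explicit consent")
    return out

def audit(register: list) -> dict:
    return {p.name: (required_formality(p), gaps(p)) for p in register}

REGISTER = [  # constructed sample register
    Processing("Payroll", "salary payment", "employment contract", "HR director",
               frozenset({"identity", "banking"}), "MA"),
    Processing("CRM", "customer follow-up", "", "", frozenset({"contact"}), "FR"),
    Processing("CCTV", "site security", "legitimate interest", "Facilities",
               frozenset({"images"}), "MA", surveillance=True),
]
```

Running `audit(REGISTER)` shows the CRM hosted in France flagged for authorization and a transfer file even though its data is routine, which is the trap the article describes.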
How do you prepare for an incident: incident response, BC and DR?
By assuming the incident will happen, not that it might. In the first half of 2025, around 21 million attacks were detected in Morocco, including 2.1 million RDP attacks; credential theft and spyware each rose 22% versus the first half of 2024. The global average cost of a data breach reached USD 4.44 million in 2025.
Three frameworks to formalize:
- Incident response plan. Who decides, who communicates, who investigates? Law 05-20 already mandates incident reporting; Law 07-26 would add a 72-hour deadline to the CNDP. Without a written, tested procedure, that deadline is unworkable.
- BCP (Business Continuity Plan). How do you keep critical operations running during the incident? Which processes run in degraded mode?
- DRP (Disaster Recovery Plan). Isolated backups (tested, immutable, offline), recovery time and point objectives (RTO/RPO) defined by criticality.
The classic mistake observed at both Marjane and the CNSS: frameworks on paper, never simulated under real conditions. An untested DRP is a reassuring fiction.
What do recent attacks (CNSS, Marjane, the banking sector) teach us?
Three directly actionable lessons. First, personal data is the priority target. The CNSS breach (April 2025), attributed to the actor "Jabaroot", exposed national ID numbers, salaries and banking details of nearly 2 million people, and victims reportedly received no notification from the regulator. This is exactly the scenario the 72-hour notification in Law 07-26 aims to fix.
Second, no sector is spared. Marjane (retail), hit by the Stormous ransomware in November 2025, shows that size and prominence offer no protection; they even increase exposure.
Third, the financial sector shows the maturity path. Bank Al-Maghrib, through its Directive no. 3/W/2016 and the CROE framework, integrates operational resilience into prudential supervision. That model (regular audits, intrusion tests, advanced detection) is transferable to any serious company. Compliance is not an administrative burden: it is the assurance that these scenarios do not become your next press headline.
Where do you actually start: a 90-day roadmap?
By sequencing governance, compliance and security rather than tackling everything at once. Here is a proven trajectory by company profile.
| Company profile | 90-day priority | Starting point |
|---|---|---|
| SME (50-200 employees) | Mapping + basic CNDP declarations | DATA-TIKA via the CGEM |
| Mid-cap / large group | Full audit + tested DRP + transfer file | Structured governance and advisory |
| Regulated player (bank, insurer) | CROE / sectoral alignment | Bank Al-Maghrib / ACAPS compliance |
The institutional entry point exists: the CGEM joined the CNDP's DATA-TIKA program on 13 November 2025, creating a CGEM-CNDP "corridor" to guide member companies toward compliance. It is the most structured on-ramp to begin.
- Days 1-30: data mapping and classification, owner designation.
- Days 31-60: CNDP declaration filings, cybersecurity audit aligned with Law 05-20, cloud / sovereignty decision.
- Days 61-90: DRP drafting and testing, incident response plan, team training.
To structure this end to end, our team supports Moroccan companies through digital advisory, from initial mapping to the CNDP file and the resilience plan. The right time to start is before the audit, not after.
FAQ
Does Law 09-08 apply to all companies in Morocco? Yes. As soon as a company processes personal data (employees, customers, prospects, suppliers), it falls within the scope of Law 09-08 and must complete a prior formality with the CNDP, a declaration or authorization depending on sensitivity. Company size does not change the obligation, only the complexity of the file.
What is the difference between a CNDP declaration and authorization? A declaration covers routine processing (HR, payroll, customer files), and processing can start as soon as it is filed. Prior authorization covers sensitive cases (health data, cross-border transfers, surveillance) and prohibits starting the processing before the CNDP's explicit approval. Choosing the wrong regime exposes you to non-compliance, even in good faith.
Is my data hosted in a foreign cloud an international transfer? Yes. Under articles 43-44 of Law 09-08, using a cloud server located outside Morocco constitutes an international transfer of personal data, even through a local reseller. This requires CNDP authorization or the explicit consent of the data subjects. A cloud region in Morocco, such as Oracle Casablanca, removes that qualification.
What are the fines for non-compliance in Morocco? Law 09-08 provides for fines of 20,000 to 200,000 MAD and imprisonment of 3 months to 1 year. Law 07-26 (2026) would raise these, according to sources to be verified against the official text, to 100,000-600,000 MAD per major violation, with mandatory 72-hour notification and imprisonment of up to 2 years.
Do I need a Moroccan sovereign cloud to be compliant? Not always, but it radically simplifies compliance. Hosting your data in Morocco (Oracle Casablanca region, on-premise, or a national datacenter) removes the international transfer qualification and the associated CNDP authorization requirement. For sensitive data or critical infrastructure, it is often the safest and easiest option to defend.
Sources
- CNDP, official leaflet on Law 09-08: https://www.cndp.ma/wp-content/uploads/2023/01/CNDP-depliant-fr.pdf
- Declaration vs authorization (CNDP): https://avocat-jawhari.com/2025/12/18/declaration-autorisation-cndp/
- Law 09-08 penalties: https://void.ma/en/guides/conformite-cndp-donnees-personnelles/
- CNDP shift to enforcement (February 2025): https://lafroujiavocats.com/protection-donnees-maroc-cndp-maroc/
- International transfers (art. 43-44): https://www.upsilon-consulting.com/transfert-international-donnees-personnelles-maroc/
- Law 07-26 (verify against the Bulletin Officiel): https://9anonai.com/en/blog/data-breach-fines-morocco-2026
- DATA-TIKA / CGEM-CNDP: https://www.lavieeco.com/au-royaume/la-cgem-adhere-au-programme-data-tika-lance-par-la-cndp
- DGSSI: https://www.dgssi.gov.ma/en/actualites/morocco-has-improved-its-position-global-cybersecurity-index-recently-published/
- Law 05-20 on cybersecurity: https://www.dgssi.gov.ma/fr/textes-legislatifs-et-reglementaires/loi-ndeg-05-20-relative-la-cybersecurite/
- National Cybersecurity Strategy 2030: https://www.dgssi.gov.ma/sites/default/files/publications/pdf/2023-12/strategie_nationale_de_cybersecurite_2030.pdf
- Global Cybersecurity Index 2024 (Tier 1): https://en.yabiladi.com/articles/details/154060/morocco-achieves-tier-global-cybersecurity.html
- Oracle Casablanca cloud region: https://medias24.com/2026/04/07/infrastructures-numeriques-oracle-ouvre-une-region-cloud-a-casablanca-un-tournant-pour-lia-et-la-souverainete-des-donnees-1655599/
- Cloud Strategy 2025-2030: https://leseco.ma/business/strategie-cloud-2025-2030-le-maroc-trace-la-voie-pour-ses-administrations-publiques-video.html
- CNSS breach (April 2025): https://www.resecurity.com/blog/article/cybercriminals-attacked-national-social-security-fund-of-morocco-millions-of-digital-identities-at-risk-of-data-breach
- Marjane ransomware (November 2025): https://www.moroccoworldnews.com/2025/11/267759/stormous-ransomware-claims-attack-on-moroccos-largest-retailer-marjane/
- Bank Al-Maghrib Directive 3/W/2016 and CROE: https://fnh.ma/article/actualite-financiere-maroc/banques-strategies-cyberattaques
- AUSIM x PwC Cybersecurity Barometer 2025: https://northafricapost.com/87183-moroccan-cybersecurity-barometer-2025-reveals-key-trends-challenges.html
Last verified: 16 June 2026.
