Data protection
- 1. Local data protection laws and scope
- 2. Data protection authority
- 3. Anticipated changes to local laws
- 4. Sanctions & non-compliance
- 5. Registration / notification / authorisation
- 6. Main obligations and processing requirements
- 7. Data subject rights
- 8. Processing by third parties
- 9. Transfers out of country
- 10. Data Protection Officer
- 11. Security
- 12. Breach notification
- 13. Direct marketing
- 14. Cookies and adtech
- 15. Risk scale
- 16. Useful links
Cybersecurity
- 1. Local cybersecurity laws and scope
- 2. Anticipated changes to local laws
- 3. Application
- 4. Authority
- 5. Key obligations
- 6. Sanctions & non-compliance
- 7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
- 8. National cybersecurity incident management structure
- 9. Other cybersecurity initiatives
- 10. Useful links
Jurisdiction: Morocco
Data protection
1. Local data protection laws and scope
Law 09-08 on the Protection of Individuals with regard to the Processing of Personal Data (“Law 09-08”), enacted on 18 February 2009, is Morocco’s principal data protection legislation. Law 09-08 was modelled on the EU Data Protection Directive 95/46/EC, and Morocco was among the first countries in Africa and the Arab world to adopt a comprehensive data protection framework.
Law 09-08 applies to the processing of personal data wholly or partly by automated means, and to non-automated processing of personal data that forms part of, or is intended to form part of, a filing system, where the processing is carried out by a data controller (in French: responsable du traitement) established in Morocco, or by a controller not established in Morocco that uses automated or non-automated means of processing located on Moroccan territory (unless those means are used solely for the transit of data through Morocco or through the territory of a State whose data protection legislation is recognised as equivalent to Morocco’s). “Personal data” is defined broadly as any information, of whatever nature and on whatever medium it is recorded, relating to an identified or identifiable natural person (the “data subject”, in French: personne concernée); a person is identifiable where they can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to their physical, physiological, genetic, mental, psychological, economic, cultural or social identity.
Law 09-08 is supplemented by Decree No. 2-09-165 of 21 May 2009, which establishes the detailed implementing provisions. In addition, the Commission Nationale de contrôle de la protection des Données à caractère Personnel (“CNDP”) has issued various decisions and deliberations that provide further guidance on compliance obligations.
2. Data protection authority
The Commission Nationale de contrôle de la protection des Données à caractère Personnel (“CNDP”) is Morocco’s independent data protection authority, established under Law 09-08. The CNDP is responsible for ensuring compliance with data protection legislation, processing notifications and authorisation requests, investigating complaints, and issuing guidance and recommendations. The CNDP has powers to carry out inspections (including on-site inspections) and to impose sanctions for non-compliance.
3. Anticipated changes to local laws
Morocco has been considering reforms to Law 09-08 to bring its data protection framework more closely into line with the EU General Data Protection Regulation (GDPR). Draft amendments under discussion are expected to modernise the framework by introducing concepts such as mandatory breach notification, data protection impact assessments, enhanced data subject rights (including data portability) and an accountability-based compliance model.
It is also worth recalling that Morocco is a party to Council of Europe Convention 108, which already commits it to the core data protection principles on which any such reform would build.
As of 2026, no amending legislation has been enacted, but the CNDP has signalled its intention to move towards a GDPR-aligned framework.
In addition, Morocco’s adequacy status with the European Union remains relevant. The European Commission has not issued an adequacy decision in respect of Morocco, although the CNDP has pursued efforts to demonstrate the adequacy of Morocco’s data protection standards. Any future legislative reform is likely to be designed in part to support a potential adequacy finding.
4. Sanctions & non-compliance
Fines: Law 09-08 provides for fines of up to MAD 300,000 (approximately EUR 27,000) for the most serious violations. These fines are criminal penalties imposed by the courts rather than administrative fines levied by the CNDP itself; the CNDP’s own enforcement tools are described under “Others” below and include referring offences to the public prosecutor.
Criminal sanctions: Law 09-08 provides for criminal penalties for serious data protection violations, including the following.
Implementing a personal data processing operation without prior notification to, or authorisation from, the CNDP, or continuing to process personal data after the receipt of notification or the authorisation has been withdrawn: without prejudice to any civil liability, a fine of MAD 10,000 to MAD 100,000.
Processing sensitive personal data in breach of the law: imprisonment of 6 months to 2 years and/or a fine of MAD 50,000 to MAD 300,000.
Obstructing the CNDP’s supervisory or investigative functions (including refusing to admit its inspectors or to provide requested documents or information): imprisonment of 3 to 6 months and/or a fine of MAD 10,000 to MAD 50,000.
Failing to comply with a decision of the CNDP: imprisonment of 3 months to 1 year and/or a fine of MAD 10,000 to MAD 100,000.
Transferring personal data to a foreign State in breach of Law 09-08: imprisonment of 3 months to 1 year and/or a fine of MAD 20,000 to MAD 200,000.
Others: The CNDP may also issue warnings and formal notices (mise en demeure) requiring organisations to bring their processing into compliance within a specified timeframe. In cases of serious or persistent non-compliance, the CNDP may withdraw authorisations previously granted. Data subjects may also bring civil claims for damages arising from unlawful processing of their personal data.
5. Registration / notification / authorisation
Prior notification to the CNDP is required before any processing of personal data is carried out. Notifications must include details of the controller, the purpose of processing, the categories of data processed, the recipients of the data, and the security measures in place. The CNDP issues a receipt upon notification.
Certain categories of processing require prior authorisation from the CNDP rather than mere notification. These include: the processing of sensitive personal data (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and health data); the processing of data relating to offences or criminal convictions; the use of personal data for purposes other than those for which it was collected; processing that includes the data subject’s national identity card number; and the interconnection of personal data filing systems, whether operated by one or more legal persons managing a public service where the public-interest purposes pursued are different, or operated by other legal persons whose principal purposes are different.
Failure to notify or obtain authorisation from the CNDP before commencing data processing is a criminal offence under Law 09-08 (see “Sanctions & non-compliance” above).
6. Main obligations and processing requirements
Law 09-08 sets out core data protection principles that are broadly consistent with the EU Data Protection Directive 95/46/EC. The main obligations and processing requirements include:
Lawfulness and fairness: Personal data must be processed fairly and lawfully. Processing is permitted only where the data subject has given consent, or where it is necessary for one of the following: the performance of a contract to which the data subject is a party; compliance with a legal obligation to which the data subject or the controller is subject; the protection of the vital interests of the data subject where they are physically or legally incapable of giving consent; the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or the legitimate interests pursued by the controller or the recipient, provided those interests are not overridden by the interests or fundamental rights and freedoms of the data subject.
Purpose limitation: Personal data must be collected for specified, explicit and legitimate purposes and must not be further processed in a manner incompatible with those purposes.
Data minimisation: Personal data must be adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed.
Accuracy: Personal data must be accurate and, where necessary, kept up to date. Reasonable steps must be taken, in accordance with Law 09-08, to ensure that inaccurate or incomplete data is erased or rectified.
Storage limitation: Personal data must not be kept for longer than is necessary for the purposes for which it was collected or further processed. Data may be kept for longer periods for historical, statistical or scientific purposes, subject to the CNDP’s authorization.
Security: The controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing.
Sensitive personal data: The processing of sensitive personal data (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, genetic data, and data relating to offences or criminal convictions) is prohibited unless the data subject has given explicit consent or one of the other limited exceptions set out in Law 09-08 applies. Processing of sensitive data is also subject to the requirement to obtain prior authorisation from the CNDP.
7. Data subject rights
Data subjects have the following rights under Law 09-08:
Right to information: At the time of data collection, the controller must provide the data subject with information including the identity of the controller, the purposes of the processing, the categories of data concerned, the recipients of the data, whether the data subject is obliged to respond (and the consequences of failure to respond), the existence of rights of access and rectification, and whether the data will be transferred internationally.
Right of access: Data subjects have the right to obtain from the controller confirmation as to whether personal data concerning them is being processed, and where that is the case, access to the personal data and information about the purposes of the processing, the categories of data concerned, the recipients of the data, the period for which the data will be stored, and any available information about the source of the data.
Right of rectification: Data subjects have the right to obtain from the controller the rectification, completion, updating, locking or erasure of personal data that is inaccurate, incomplete, ambiguous, or whose collection, use, disclosure or storage is prohibited.
Right of objection: Data subjects have the right to object, on legitimate grounds, to the processing of their personal data. They also have the right to object, without charge, to the use of their personal data for direct marketing purposes.
Complaints: Data subjects may lodge complaints with the CNDP in relation to the processing of their personal data. They may also seek judicial remedies before the Moroccan courts.
8. Processing by third parties
Where a controller engages a processor to carry out processing on its behalf, the controller must choose a processor that provides sufficient guarantees in respect of the technical and organisational security measures governing the processing.
A written contract must be in place between the controller and the processor. The contract must stipulate that the processor acts only on instructions from the controller and is bound by the same security obligations as those to which the controller is subject under Law 09-08. The processor must not process personal data for any purpose other than those specified in the contract.
The controller remains fully responsible for ensuring compliance with Law 09-08, including in respect of any processing carried out by a processor on its behalf.
9. Transfers out of country
Under Law 09-08, the transfer of personal data by a data controller to a foreign country is only permitted where the country in question ensures an adequate level of protection of the privacy and fundamental rights and freedoms of individuals in relation to the processing of their data.
The CNDP assesses the adequacy of a country’s level of protection, taking into account the nature of the data, the purpose and duration of the processing, the country of origin and destination, the rules of law in the recipient country, and the security measures implemented. The CNDP maintains the list of countries considered to provide an adequate level of protection.
Where the recipient country does not provide an adequate level of protection, the transfer may still be permitted with the prior authorisation of the CNDP, provided that the controller adduces sufficient safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals, and the exercise of corresponding rights. Such safeguards may result from appropriate contractual clauses.
Transfers may also be made without CNDP authorisation in certain limited circumstances, namely where: the data subject has given explicit consent to the proposed transfer; the transfer is necessary for the performance or conclusion of a contract between the data subject and the controller, or between the controller and a third party in the interest of the data subject; the transfer is necessary for reasons of public interest, or for the establishment, exercise or defence of legal claims; the transfer is necessary to safeguard the life of the data subject; the transfer is required to execute a measure of international judicial cooperation; the transfer is necessary for the prevention, diagnosis or treatment of medical conditions; or the transfer is made under a bilateral or multilateral agreement to which the Kingdom of Morocco is a party.
10. Data Protection Officer
Law 09-08 does not contain a mandatory requirement to appoint a Data Protection Officer (“DPO”). However, in practice, many organisations operating in Morocco, particularly those with European parent companies or those processing significant volumes of personal data, have voluntarily appointed a DPO or equivalent privacy lead as a matter of good practice.
If a future reform of Law 09-08 aligns the framework more closely with the GDPR, it is expected that mandatory DPO appointment requirements may be introduced for certain categories of controllers and processors (see “Anticipated changes to local laws” above).
11. Security
Under Law 09-08, the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing. These measures must ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected.
The controller must take particular account of the risks presented by the processing, the nature of the personal data, and the state of the art and cost of implementation when determining the appropriate level of security. Where processing is carried out on behalf of the controller by a processor, the controller must ensure that the processor also implements appropriate technical and organisational security measures and complies with those measures.
12. Breach notification
Law 09-08, as originally enacted, contains no specific obligation to notify the CNDP or data subjects of personal data breaches. This is a significant difference from the EU GDPR (and the UK GDPR), which impose specific breach notification duties on controllers.
However, the CNDP has, through its guidance and deliberations, encouraged organisations to report significant security incidents. The absence of a notification duty does not affect the controller’s general security obligation under Law 09-08 (see “Security” above), nor the CNDP’s power to investigate an incident it becomes aware of. In practice, many organisations operating under international standards or with EU parent companies apply voluntary breach notification procedures aligned with GDPR standards.
Any future reform of Law 09-08 (see “Anticipated changes to local laws” above) is expected to introduce mandatory breach notification obligations, including a requirement to notify the CNDP within a specified timeframe and, where the breach poses a high risk to individuals, to notify affected data subjects.
13. Direct marketing
Under Law 09-08, direct marketing by means of an automated calling system, a facsimile machine, electronic mail, or any technology of a similar nature is prohibited where it uses, in any form whatsoever, the contact details of a natural person who has not given prior consent to receive direct marketing communications by such means.
Data subjects have an absolute right to object to the use of their personal data for direct marketing purposes, including profiling for direct marketing. This right may be exercised at any time and without charge. The controller must inform the data subject of this right at the time the data is collected.
Morocco’s Law 53-05 on the Electronic Exchange of Legal Data (2007) also contains provisions relevant to unsolicited commercial electronic communications. Under those provisions, information requested for the purpose of concluding a contract, or provided during its performance, may be sent by electronic mail only if the recipient has expressly agreed to the use of that means; information intended for professionals may be sent by electronic mail where they have provided their email address.
14. Cookies and adtech
Morocco does not currently have dedicated legislation, equivalent to the EU’s e-Privacy Directive or the UK’s PECR, regulating the use of cookies, tracking technologies or adtech. However, the general principles of Law 09-08 apply to the extent that cookies or similar technologies involve the processing of personal data. Where personal data is collected through cookies or tracking technologies, a valid lawful basis (typically consent) is required, and the data subject must be informed of the processing.
In practice, many organisations operating in Morocco, particularly those with an international presence, adopt cookie consent mechanisms based on EU/GDPR standards. The CNDP has not issued specific detailed guidance on cookies or adtech as of 2026, though any future reform of Law 09-08 may address this area more specifically.
15. Risk scale
Moderate
16. Useful links
- Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP): www.cndp.ma
- Law 09-08 (French text): available via the CNDP website and the Official Bulletin of the Kingdom of Morocco No. 5714 of 5 March 2009.
- Decree No. 2-09-165 of 21 May 2009 (implementing regulations): available via the CNDP website and the Official Bulletin of the Kingdom of Morocco No. 5744 of 18 June 2009.
Cybersecurity
1. Local cybersecurity laws and scope
The key cybersecurity laws and regulations that apply in Morocco include the following:
Law 05-20 on Cybersecurity (“Law 05-20”), promulgated by Dahir No. 1-20-69 of 25 July 2020, is Morocco’s principal cybersecurity legislation. It establishes the legal framework for the protection of national information systems and critical infrastructure against cyber threats.
Decree No. 2-21-406 of 26 July 2021 implements the provisions of Law 05-20, setting out detailed requirements for compliance by public and private entities.
The National Directive on Information Systems Security (“DNSSI”), issued by the Direction Générale de la Sécurité des Systèmes d’Information (“DGSSI”) under the Administration de la Défense Nationale, sets out baseline security standards and requirements for government bodies and operators of vital importance.
Law 07-03 supplementing the Penal Code with regard to offences relating to automated data processing systems (2003) criminalises various cybercrimes including unauthorised access to, and interference with, computer systems.
Law 43-20 relating to trust services for electronic transactions, of 31 December 2020, establishes the legal framework for electronic signatures, certificates and cryptography in Morocco.
2. Anticipated changes to local laws
Morocco’s National Cybersecurity Strategy (“Stratégie Nationale de Cybersécurité”) sets out the government’s roadmap for strengthening the country’s cybersecurity posture. The strategy is periodically updated to reflect evolving threats and priorities.
Further regulations and guidance under Law 05-20 continue to be developed, including sector-specific cybersecurity requirements for critical infrastructure operators. The DGSSI is expected to issue additional directives and technical standards to strengthen the cybersecurity framework.
Morocco’s digital transformation agenda, including the “Maroc Digital 2030” strategy, is expected to drive further cybersecurity regulatory developments as more public services and critical infrastructure are digitalised.
3. Application
Law 05-20 and Decree No. 2-21-406 apply to the following categories:
Government administrations, public institutions and entities, as well as any other legal entity governed by public law (“Entity(ies)”), are subject to the cybersecurity requirements set out in Law 05-20 and the DNSSI.
Vital infrastructures (“Infrastructures d’Importance Vitale” or “VIs”): the facilities, structures and systems that are essential for maintaining the vital functions of society, health, safety, security, and economic or social well-being, and whose damage, unavailability or destruction would lead to the failure of those functions.
Operators of public telecommunications networks, internet service providers, cybersecurity service providers, digital service providers and online platform providers are also subject to obligations under Law 05-20.
Law 07-03 (cybercrime) applies generally to any person who commits the specified offences, regardless of sector.
4. Authority
A number of different authorities have competent jurisdiction depending on the relevant laws and regulations that apply:
Direction Générale de la Sécurité des Systèmes d’Information (DGSSI): The DGSSI, operating under the Administration de la Défense Nationale, is the primary national cybersecurity authority. It oversees the implementation of Law 05-20, issues cybersecurity standards and directives (including the DNSSI), coordinates national cybersecurity policy and monitors compliance by Entities and VIs.
National authority under Law 05-20: Law 05-20 refers to a national authority (“autorité nationale”) responsible for implementing the national cybersecurity strategy and the requirements of the law. The DGSSI currently fulfils this role.
The CNDP is the relevant authority in respect of cybersecurity matters relating to the protection of personal data (see “Data Protection” section above).
The Moroccan courts have jurisdiction over cybercrime offences under Law 07-03 and the Penal Code.
5. Key obligations
Law 05-20 and the DNSSI impose the following key obligations on entities within scope:
Information systems security governance: Entities must establish an information systems security governance framework, including the appointment of a responsible officer for information systems security (“Responsable de la Sécurité des Systèmes d’Information” or “RSSI”).
Risk assessment: Entities must carry out regular risk assessments in respect of their information systems and implement appropriate technical and organisational measures to manage identified risks.
Compliance with the DNSSI: Government entities and VIs must comply with the security standards and requirements set out in the DNSSI, which covers areas including access control, network security, incident management, business continuity, and security auditing.
Security incident reporting: VIs are required to report cybersecurity incidents to the DGSSI. Reporting must be made promptly upon detection of an incident that has a significant impact on the continuity of the entity’s services or the security of its information systems.
Security audits: Entities may be subject to cybersecurity audits carried out by or on behalf of the DGSSI to verify compliance with Law 05-20 and the DNSSI.
Use of cryptography: Under Law 43-20, in order to safeguard national defence interests and State security, the import, export and supply of cryptographic means, and the provision of cryptographic services, are subject to:
(a) prior declaration to the national authority, where the means or services are intended solely to authenticate a transmission or to ensure the integrity of data transmitted electronically; and
(b) authorisation by the national authority, where they serve any purpose other than that referred to in paragraph (a). In practice this means that cryptography used for confidentiality (encryption of content) falls on the authorisation side of the line, while signature-only or integrity-only functions fall under declaration. Under the third paragraph of Article 46 of Law 43-20, the categories of cryptographic means and services exempt from prior declaration or authorisation are listed in Annex 6 to Decree No. 2-22-687 implementing Law 43-20, so the first check for any product is whether an Annex 6 exemption applies.
6. Sanctions & non-compliance
Law 05-20: provides for fines for breaches of its requirements, without prejudice to any criminal penalties that may apply.
Law 07-03 (cybercrime offences): Criminal penalties under Law 07-03 depend on the offence and include the following.
Unauthorised access to all or part of an automated data processing system: imprisonment of 1 to 3 months and/or a fine of MAD 2,000 to MAD 10,000. The same penalty applies to any person who, having gained access by mistake, remains in all or part of a system without the right to do so.
Interference with the operation of a system: imprisonment of 1 to 3 years and/or a fine of MAD 10,000 to MAD 200,000.
Fraudulent introduction, alteration or deletion of data: imprisonment of 1 to 3 years and/or a fine of MAD 10,000 to MAD 200,000.
Fraudulent access to all or part of a system presumed to contain information relating to the internal or external security of the State, or secrets concerning the national economy: without prejudice to more severe criminal provisions, imprisonment of 6 months to 2 years and a fine of MAD 10,000 to MAD 100,000.
Aggravated form of the preceding offence: without prejudice to more severe criminal provisions, the penalty is increased to imprisonment of 2 to 5 years and a fine of MAD 100,000 to MAD 200,000 where the acts result in the modification or deletion of data held in the system or in the impairment of its operation, where they are committed by a public official or employee in the performance of, or in connection with, their duties, or where such a person facilitates the commission of the acts by another.
Law 43-20 : Failure to comply with the cryptography regulations under Law 43-20 may also result in criminal penalties, including imprisonment and fines pursuant to articles 66 and 67 of Law 43-20.
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Yes. Morocco has an operational Computer Emergency Response Team known as maCERT (Moroccan Computer Emergency Response Team), which operates under the DGSSI within the Administration de la Défense Nationale. maCERT’s role includes:
Monitoring and detecting cybersecurity threats and incidents at a national level; issuing alerts, advisories and early warnings in respect of cybersecurity threats; coordinating incident response across government entities and VIs; providing technical assistance and guidance to affected organisations during cybersecurity incidents; promoting the sharing of cybersecurity threat information between public and private sector entities; and participating in international CERT/CSIRT cooperation networks.
8. National cybersecurity incident management structure
Yes. Morocco’s national cybersecurity incident management structure is coordinated by the DGSSI and maCERT. The DGSSI is the central coordinating authority for national-level cybersecurity incidents, while maCERT is its operational arm responsible for incident detection, response and coordination. VIs and government entities are required to report significant cybersecurity incidents to the DGSSI, for which maCERT is the operational point of contact, and maCERT then coordinates the national response.
The Administration de la Défense Nationale, through the DGSSI, also maintains relationships with international partners and participates in regional and international cybersecurity cooperation frameworks, including collaboration with other national CERTs.
9. Other cybersecurity initiatives
The Moroccan government has implemented several cybersecurity initiatives, including:
National Cybersecurity Strategy (Stratégie Nationale de Cybersécurité): Morocco has adopted a national cybersecurity strategy, which sets out the government’s priorities and roadmap for strengthening the country’s cyber resilience, including capacity building, awareness raising, and public-private cooperation.
Maroc Digital 2030: Morocco’s digital transformation strategy includes cybersecurity as a core pillar, recognising the need to ensure that the digitalisation of public services and the economy is supported by a robust cybersecurity framework.
Cybersecurity awareness and capacity building: The DGSSI conducts cybersecurity awareness campaigns and training programmes aimed at government entities, VIs, and the wider public. The DGSSI also publishes cybersecurity guidance, best practice recommendations, and technical bulletins.
International cooperation: Morocco participates in international cybersecurity cooperation frameworks, including through bilateral agreements and membership of international organisations such as the International Telecommunication Union (ITU), and engages with the African Union’s Convention on Cyber Security and Personal Data Protection (Malabo Convention, adopted in 2014).
10. Useful links
- maCERT (Moroccan Computer Emergency Response Team): www.macert.ma
- Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP): www.cndp.ma
- Law 05-20 on Cybersecurity and Law 07-03 on cybercrime offences: available via the Official Bulletin of the Kingdom of Morocco (Bulletin Officiel).
- Direction Générale de la Sécurité des Systèmes d’Information (DGSSI): www.dgssi.gov.ma