Law No. 05-20 on cybersecurity stipulates in its Article 19 that any sensitive information system (SIS) of critical infrastructure (CI) must have its security approved before being put into operation.

This approval is intended to inform the CI managers of the risks associated with the operation of their sensitive information systems. It is a process that leads to a decision made by the CI manager. This decision constitutes a formal act by which he/she:

•  Certifies knowledge of the information system and the technical, organizational, or legal security measures implemented;
•  Accepts the residual risks that remain.

This guide details the steps to follow to approve a sensitive information system of critical infrastructure and establishes the form and content of the approval decision.