Digital Development in Morocco: The development of digital technology is a priority for public authorities. Under the enlightened guidance of His Majesty King Mohammed VI, may God assist Him, Morocco has a strong ambition to achieve its digital transition and fully benefit from the opportunities offered by new information technologies. Additionally, within the framework of implementing the new development model, our country views digital technology as a true lever for economic and social growth and development.

To support this strategic choice, significant efforts have been made to develop digital trust. Digital trust is an essential pillar for the growth of digital services. Promoting and improving digital trust and cybersecurity for users—administrations, the private sector, and citizens—are key success factors for this strategy. The growth of digitalization, however, depends on mastering the risks related to the legal security of data. To mitigate these risks, trust services provide adequate solutions and promote confidence in digital transactions. The adoption of Law No. 43-20 on trust services for electronic transactions has given a new impetus to the development of digital services and usage. The new legal framework expands the range of solutions offered and adapts them to the diversity of uses and challenges. Beyond the electronic signature provided for by the previous law, Law No. 43-20 now covers a wide range of needs (electronic seal, electronic timestamp, electronic registered delivery, etc.) and strengthens trust and encourages the use of digital processes.

To consolidate this legal framework, the National Defense Administration, executing the High Royal Instructions, drafted Decree No. 2-22-687 for the application of Law No. 43-20. This decree aims to establish a regulatory framework that opens the way for the use of the various trust services provided for by Law No. 43-20. It specifies the rules applicable to each trust service, with reference to international standards, the regime and procedures for the approval and declaration of trust service providers (PSCo), and clarifies the procedures for prior declarations and authorizations for the import, export, or provision of cryptology means and services. The decree, developed in consultation with ministerial departments and several private sector stakeholders, covers:

1. The National Authority for Trust Services for Electronic Transactions: Under this decree, the General Directorate of Information Systems Security (DGSSI) of the National Defense Administration is designated as the national authority for trust services for electronic transactions.


2. The Rules Applicable to Trust Services: This decree sets out the list of data and information that qualified certificates for electronic signatures, electronic seals, and website authentication certificates issued by an approved trust service provider (PSCo) must contain. It also defines basic rules applicable to electronic registered delivery.


3. Compliance Certificates for Electronic Signature or Seal Creation Devices: According to Law No. 43-20, a qualified device for creating an electronic signature or seal, required for creating a qualified electronic signature or seal, must be certified by a certificate issued by the national authority, guaranteeing the device's compliance with the technical and security requirements specified by law. The decree defines the procedures for issuing, validity, renewal, and suspension of this certificate.


4. Approval and Declaration Regimes for Trust Service Providers: The decree emphasizes the need to foster the development of a trust ecosystem, increase the number of actors, and encourage innovation. It specifies that each trust service provider (PSCo) seeking approval must submit an application to the DGSSI. The text outlines the documents required for approval. To grant approval, the DGSSI conducts a compliance check of the trust service against the provisions of Law No. 43-20 and its implementing texts, as well as the security requirements specified in applicable reference frameworks. For the declarative regime for providers offering non-qualified trust services, the decree specifies the documentation required for declaration formalities.

5. Cryptology Means and Services: Law No. 43-20 distinguishes between two regimes (prior declaration or authorization) depending on the use case, which applies to the import, export, and provision of cryptology means and services. The decree specifies the documentation required for each regime and the submission procedures. It also lists types of cryptology means or services exempt from prior declaration or authorization requirements.


Finally, it should be noted that the application procedures for Articles 78 and 79 of Law No. 43-20, concerning real and personal securities and real rights, will be specified by orders from the relevant ministerial authorities.