"The development of digital technology has been on the agenda of public action in Morocco for several years. Our country, under the enlightened leadership of His Majesty the King, may God assist Him, has chosen to give an increasingly large place to new information and communication technologies, given their crucial role in economic and social development. The dynamics recorded for accelerating the national digital transition have been supported by the new development model, which has dedicated digital technology as a transversal lever to ensure responsible and inclusive development.
Within public administration, the development of digitalization has already begun. Digital technology, which indeed offers immense potential, is currently contributing strongly to the modernization of public structures.
While digitalization is an indispensable asset and offers many opportunities in terms of economic development, sovereignty, and good governance, it also carries risks and threats. Accelerated digitalization, combined with the widespread use of computer means, provides fertile ground for cybercrime and malicious activities.
To address this challenge, cybersecurity has always been an integral part of digitalization strategies in Morocco. Many efforts have been made to strengthen the security and resilience of information systems at the national level. Cybersecurity is indeed a crucial pillar for the development of digital trust and the growth of digital services.
In line with this vision, a sustained dynamic has been initiated since the creation of the General Directorate of Information Systems Security (DGSSI) to establish a comprehensive legal framework that takes into account the challenges our country faces in the field of cybersecurity.
In 2014, the National Directive on Information System Security (DNSSI) was published by Circular No. 3/2014 of the Head of Government. The DNSSI aims to raise and standardize the level of protection and security maturity of all information systems of public administrations and organizations, as well as critical infrastructures.
In 2020, the national legal arsenal was enriched with the promulgation of Law No. 05-20 on cybersecurity. This law provides a set of organizational and technical security measures designed to enhance national capabilities in the field of cybersecurity, support the Kingdom’s digital transition, and coordinate prevention and protection actions against cybersecurity attacks and incidents. Decree No. 2-21-406, enacted in 2021, implements Law No. 05-20.
Continuing these efforts, and to account for the constant evolution of the information technology environment and the associated threats and risks, the DGSSI, executing the High Royal Instructions, updated the National Directive on Information System Security. The new Directive incorporates lessons learned from control, audit, incident management, and handling actions carried out notably by the DGSSI within various organizations. It also takes into account changes to the legal and normative framework and best practices applicable in the field of information system security.
According to Law No. 05-20 on cybersecurity, the scope of the new version of the Directive covers state administrations, public institutions and enterprises, legal entities of public law, local authorities, as well as all critical infrastructures (IIV) whether public or private.
In essence, this version reviews and updates all the security measures that entities and IIVs must implement, both organizationally and technically. It thus constitutes a national reference setting the objectives and establishing the minimum security rules for information systems applicable to said entities and IIVs.
Regarding the implementation modalities, entities and IIVs have a period of six (6) months from the date of its publication to set a schedule of measures to be implemented to comply. Additionally, a compliance assessment tool for the DNSSI has been developed by the DGSSI to enable entities to assess their compliance with the rules prescribed by the Directive."