Morocco's digital economy is advancing rapidly. In 2024, the country ranked 4th among African economies in the E-Government Development Index and 57th globally in the Digital Transformation Index. According to the Ministry of Digital Transformation, Morocco reached an internet penetration rate of 103.45%, comprising 38.3 million subscribers in 2024. To support this digital transformation, the government adopted the Digital Morocco 2030 Strategy, which aims to boost GDP by 10% through digital initiatives. On the international stage, Morocco collaborates with the World Bank, which approved USD 500 million to support financial and digital inclusion reforms. Additionally, Morocco is engaging in digital trade through initiatives within the African Union, such as the African Continental Free Trade Area.

But what do Morocco’s domestic digital policies stand for? Our DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Morocco-specific points of emphasis.

• Data governance: Morocco implemented the Personal Data Protection Law and the Cybersecurity Law and adopted security standards for critical infrastructure. 

• Content moderation: Morocco implemented two laws that affect online content and adopted a draft decree empowering the Ministry of Communications to address fake news.

• Competition policy: Morocco applied its general competition law to digital markets, updated merger control rules and investigated compliance in the electronic payments sector. 

• Artificial Intelligence: Morocco is deliberating a Bill to establish a National Agency for AI Governance and emphasised AI as a “transversal lever” of the Digital Morocco 2030 Strategy.

• Morocco’s points of emphasis include the taxation of the digital economy and the regulation of digital currencies. 

Jump directly to the section that interests you most:

Discover the details of Morocco's regulatory approach on our dedicated country page.

Remain up-to-date on new and upcoming developments with our free notification service. 

Written by Maria Buza and Sherif Taha. Edited by Tommaso Giardini.

Morocco's primary data protection framework is the 2009 Law on the Protection of Individuals with Regard to the Processing of Personal Data and its implementation decree. The Law grants individuals the right to access, rectify, and oppose the processing of their data. Controllers and processors must ensure lawful, fair, and transparent data processing. Additionally, data controllers and processors must implement appropriate security measures. 

The Law also established the National Commission for the Protection of Personal Data (CNDP) as the primary supervisory authority, with the power to issue additional rules:

• In December 2020, the CNDP issued a deliberation on the use of facial recognition technologies, clarifying that their use is subject to prior authorisation.

• In December 2020, the CNDP adopted rules on data protection impact assessments. Data controllers are required to document processing activities, assess privacy risks, and implement mitigation measures to address identified risks.

In July 2020, Morocco implemented the Cybersecurity Law, setting security requirements for critical infrastructure providers managing sensitive information systems. The Law establishes a risk-based framework, mandating risk assessments, incident response protocols, and breach notification. It also introduces a classification system for both information systems and government data. Information systems are categorised from Class A, where security incidents could have "very grave" consequences, to Class D, where incidents would have minimal effects. Similarly, data is classified from "very secret" for highly sensitive information to "restricted" for less critical information. In July 2021, the Prime Minister signed a decree requiring critical infrastructure providers to classify their information systems and notify the General Directorate of Information Systems Security (DGSSI). The decree also outlines specific organisational and technical measures that providers must implement, with requirements tailored to the classification level of their systems.

The cybersecurity framework is supplemented by several implementing regulations: 

• In February 2024, the DGSSI adopted rules for approving audit providers working with critical information infrastructure.

• In November 2024, the Council of Ministers adopted a decree on cloud use by critical entities, setting security requirements and oversight mechanisms. 

• In July 2023, the DGSSI implemented the directive on information system security establishing mandatory security measures for critical information infrastructure providers.

• In January 2023, the DGSSI issued the cybersecurity incident management framework outlining a six-phase approach for managing incidents and specifying reporting rules.

• In January 20202, the DGSSI issued the application security verification framework, including 14 audit topics and 286 controls across various security levels.

Morocco does not impose a general data localisation requirement but has established specific mandates for certain types of data and systems.

• In February 2024, the National Telecommunications Regulatory Agency adopted rules mandating entities providing domain name commercialisation services to maintain a secure, operational platform with at least two servers, one of which must be located in Morocco.

• The Cybersecurity Law requires data classified as "very secret" or "secret" to be stored in Morocco. The Law's implementing decree further details the classification of information systems based on the potential severity of cybersecurity incidents. Systems that could cause a "very grave" or "grave" impact are considered sensitive and must be hosted locally. Additionally, the law requires providers of critical infrastructure in vital sectors to store sensitive data in Morocco.

Regarding data transfers, the Law on the Protection of Natural Persons Regarding Personal Data sets several mechanisms.

• Data transfers are generally allowed to countries that ensure an adequate level of protection. In December 2015, the CNDP issued a list specifying that the European Union’s member states, Iceland, Liechtenstein, Norway, Switzerland, Canada, and the United Kingdom provide such protection. 

• Transfers to non-listed countries are allowed under specific conditions, including the data subject's explicit consent and derogations for transfers that protect the data subject's life or the public interest, execute international agreements involving Morocco, or are explicitly authorised by the CNDP.

Transfer requests to non-listed countries must include information such as the transferor's and recipient's name and address, categories of data, individuals concerned, and the purpose, mode, and frequency of the transfer. Requests based on derogations or international agreements must further specify the relevant derogation. Transfers requiring CNDP approval must outline measures to ensure data protection, such as contractual agreements and internal rules. 

The CNDP issued several guidelines to clarify data protection obligations:

• In February 2023, the CNDP issued guidance for data controllers on access control using biometric information, best practices for protecting personal information, camera surveillance in the workplace, and direct promotion using electronic communications.

• The CNDP addressed emerging technologies through several deliberations, including regulations on facial recognition technologies in December 2020, facial recognition for proof of life verification in July 2020, and architecture of identifiers in July 2020.

• In February 2015, the CNDP issued compliance tools, including model declarations for customer management, supplier management, and human resources management. It also issued deliberation outlining conditions for exercising the right to access personal data.

Currently, there are no public, official sources on enforcement action by the CNDP or DGSS.

In April 2025, the Government Council adopted a draft decree to expand the powers of the Ministry of Communications. The new responsibilities include setting up systems to address fake news and supporting the video game industry. The decree also creates three new directorates: video games and IT systems, media studies and modernisation, and communication and media relations.

Morocco's content moderation framework currently is based on two laws. 

• The 2017 Law on Press and Publishing regulates media production and distribution, prohibiting content that threatens national security, including material undermining the Islamic religion, attacking territorial integrity, or defaming the royal family. The Law also bans harmful content such as false news disrupting public order, incitement to crime, hate speech, discrimination, terrorist propaganda, and child exploitation. Content removal and blocking require judicial approval. 

• The 2003 Law on Combating Terrorism criminalises the dissemination of content supporting terrorist activities or organisations through any means, including digital platform intermediaries.

At the international level, Morocco participates in several initiatives regarding online content:

• In February 2024, Morocco joined other African governments in adopting the Association of African Election Authorities' Digital and Social Media Guidelines, which establish standards for the responsible use of digital platforms during electoral processes.

• In June 2023, Morocco was among 71 governments that signed the International Statement to Remove Online Child Sexual Abuse Materials, committing to proactive measures against child exploitation online.

• In May 2024, as a member of the African Union, Morocco adopted the African Union Child Online Safety and Empowerment Policy which provides a framework for protecting children online while promoting digital literacy and skills.

Currently, no public or official sources regarding enforcement actions or guidelines related to Morocco’s content moderation framework are available.

Morocco has not adopted specific rules for digital competition and instead applies the 2014 Law relating to freedom of prices and competition. The Law addresses unilateral conduct by prohibiting the abuse of a dominant position and sets out rules on anti-competitive agreements between market participants. 

Additionally, the Law requires entities to obtain approval for mergers that reach established thresholds. In June 2023, the Competition Council (MCC) updated the thresholds for mandatory filings. Entities must obtain approval from the MCC if any of the following conditions are met: 

• The combined global turnover exceeds MAD 1.2 billion (approx. USD 120 million), with at least one party having a turnover in Morocco above MAD 50 million (approx. USD 5 million);

• The combined turnover in Morocco exceeds MAD 400 million (approx. USD 40 million), with at least two parties having turnover greater than MAD 50 million in Morocco; or 

• The combined market share exceeds 40%.

The MCC has the power to conduct market studies, investigate potential violations, and impose penalties for anti-competitive behaviour.

• In October 2024, the Competition Council accepted binding commitments from the Interbank Monetary Center (CMI) and its shareholder banks in response to complaints regarding anti-competitive practices in the electronic payment market. These commitments include both structural and behavioural changes, such as transferring merchant contracts to independent acquirers, ensuring fair access to processing services, and capping interchange fees to address competition concerns.

• In October 2024, the Competition Council launched an investigation into Imprimerie Nationale's acquisition of Idemia, both of which operate in the secure digital identity services market, among others. The investigation will evaluate the potential impact of the transaction on competition in the sector.

Morocco has not yet adopted laws or regulations specifically governing the development and use of Artificial Intelligence (AI).

In April 2024, a Bill to establish the National Agency for AI Governance was introduced. The Agency would oversee AI activities, develop national strategies, and ensure compliance with ethical standards and data protection regulations. It would further be responsible for setting licensing requirements, establishing standards, and adopting policies to foster AI innovation.

AI also features prominently in the Digital Morocco 2030 strategy. The strategy has 2 objectives: stimulating the digital economy and digitising public services. They are achieved through three accelerators (digital talents, cloud, connectivity) as well as “transversal levers,” one of which is AI. Furthermore, the strategy emphasises that the latest technological innovations are integral, specifically AI. Finally, AI features as part of the "stimulating the digital economy" objective. The positioning of the “national offer on high-value-added sectors such as AI” is a key measure for the vision of upgrading and developing Morocco as an outsourcing and digital export hub

At the international level, Morocco participated in numerous initiatives on AI governance:

• In February 2025, Morocco joined members of the African Union, the European Union, the G20, the G7, and the United Nations in adopting the Statement on Inclusive and Sustainable AI at the Paris AI Action Summit. 

• In January 2024, Morocco joined the Digital Cooperation Organization Generative AI Initiative, which aims to promote responsible development and use of generative AI technologies through international collaboration and knowledge sharing.

• The African Union, of which Morocco is the newest member, adopted the Continental AI Strategy, the AI for Sustainable Youth Development framework, and the cooperation on AI research and development with China. 

Currently, there are no publicly available official sources regarding enforcement action or guidelines related to Morocco's regulatory framework on AI.

In January 2024, Finance Law No. 55 established a 20% value-added tax (VAT) on e-commerce imports and digital services provided to Moroccan consumers by both resident and non-resident entities. These services include website hosting, digital content, video-on-demand, and software provision or maintenance. Non-resident digital service providers are required to register for VAT in Morocco and implement systems for tax collection and remittance. For business-to-consumer transactions, they must charge VAT directly to Moroccan users, while business-to-business dealings are subject to a reverse charge mechanism.

In February 2024, the General Tax Directorate issued a circular clarifying these obligations. It stipulates that non-resident providers of remote services must register, declare turnover, and remit VAT, but cannot claim input tax deductions. They are also required to retain transaction records for 10 years and present them to the authorities upon request.

Morocco is currently considering a law to lift the ban on cryptocurrency transactions and regulate cryptoassets. In November 2024, the Central Bank of Morocco announced that it is drafting a law to regulate cryptoassets. The draft law was submitted to the Ministry of Finance but its text is yet not publicly available. Previously, in November 2017, the Exchange Office issued a notice banning cryptocurrency transactions, citing fraud risks, money laundering, and terrorism financing. The notice also specified that transactions conducted through virtual currencies violate foreign exchange regulations and are subject to financial penalties. 

In February 2021, the Central Bank established the Central Bank Digital Currency (CBDC) Committee to explore the possibility of introducing a CBDC and assess the impact of digital assets on Morocco's economy. The Committee is required to examine technological and cyber-resilience aspects and propose relevant CBDC pilot projects.