Morocco: Adopted Decree on Cloud Services Usage by Critical Entities (NO. 2-24-921)

On 20 November 2024, the Decree on Cloud Services Usage by Critical Entities (Decree No. 2-24-921) was published in the official bulletin of Morocco. The Decree focuses on the use of cloud computing, storage, and database services by entities and critical infrastructures. The General Directorate of Information Systems Security (DGSSI) established a qualification framework for Cloud service providers. This Decree includes two levels of qualification. The first level applies to providers handling sensitive information systems. These providers must be Moroccan legal entities and host their operational systems within Morocco to ensure national jurisdiction over cybersecurity. The second level introduces stricter requirements for managing sensitive data, ensuring that such data remains under national jurisdiction and is not subject to foreign legal influence.