Morocco: Adopted Law on cybersecurity including security measures for critical information infrastructure providers

On 17 July 2020, the House of Councillors adopted the Law on cybersecurity. The law mandates the identification of critical infrastructure sectors and the classification of sensitive information systems, requiring their security to be validated prior to exploitation. It introduces regular risk assessments, monitoring, and audits by authorised agents or qualified contractors. Entities responsible for critical infrastructure must comply with directives issued by the National Cybersecurity Authority, ensure incident reporting, and adopt measures to address identified vulnerabilities. The draft law also establishes criteria for outsourcing cybersecurity services and mandates the use of qualified providers to enhance system resilience and mitigate risks.