Morocco: Signed Prime Ministerial Decree No. 2.21.406 implementing Law No. 05.20 on cybersecurity including security measures for critical information infrastructure providers

On 15 July 2021, the Prime Minister signed Decree No. 2.21.406 to implement Law No. 05.20 on cybersecurity. Critical agencies and infrastructure have until 9 August 2022 to classify their information systems and inform the General Directorate of Information Systems Security (DGSSI) of systems of a sensitive nature. The decree categorises information systems based on their sensitivity, ranging from limited to very serious impact levels. Providers must implement tailored organisational and technical measures, including risk management, regular audits, and incident reporting. Critical systems are subject to classification and compliance with national directives issued by the General Directorate of Information Systems Security (DGSSI). The framework mandates inspections, periodic security reviews, and coordination among public and private entities to ensure resilience against cyber threats across vital sectors, including health, energy, and banking.