Morocco: Implemented Prime Ministerial Decree No. 2.21.406 implementing Law No. 05.20 on cybersecurity including security measures for critical information infrastructure providers

On 9 August 2022, Prime Ministerial Decree No. 2.21.406, implementing Law No. 05.20 on cybersecurity, enters into force. Critical agencies and infrastructure were required to classify their information systems and inform the General Directorate of Information Systems Security (DGSSI) of systems of a sensitive nature. The decree categorises information systems based on their sensitivity, ranging from limited to very serious impact levels. Providers must implement tailored organisational and technical measures, including risk management, regular audits, and incident reporting. Critical systems are subject to classification and compliance with national directives issued by the General Directorate of Information Systems Security (DGSSI). The framework mandates inspections, periodic security reviews, and coordination among public and private entities to ensure resilience against cyber threats across vital sectors, including health, energy, and banking.