Morocco: Signed Prime Ministerial Decree No. 2.21.406 implementing Law No. 05.20 on cybersecurity including data localisation requirement

On 15 July 2021, the Prime Minister signed Decree No. 2.21.406 to implement Law No. 05.20 on cybersecurity. Critical agencies and infrastructure have until 9 August 2022 to classify their information systems and inform the General Directorate of Information Systems Security (DGSSI) of systems of a sensitive nature. The decree mandates that sensitive data related to cybersecurity services, including the monitoring, analysis, and management of cybersecurity incidents, must be stored exclusively within Morocco. These provisions apply to entities classified as critical information infrastructure and require compliance with national guidelines issued by the General Directorate of Information Systems Security (DGSSI).