Morocco: Implemented Prime Ministerial Decree No. 2.21.406 implementing Law No. 05.20 on cybersecurity including data localisation requirement

On 9 August 2022, Prime Ministerial Decree No. 2.21.406, implementing Law No. 05.20 on cybersecurity, enters into force. Critical agencies and infrastructure were required to classify their information systems and inform the General Directorate of Information Systems Security (DGSSI) of systems of a sensitive nature. The decree mandates that sensitive data related to cybersecurity services, including the monitoring, analysis, and management of cybersecurity incidents, must be stored exclusively within Morocco. These provisions apply to entities classified as critical information infrastructure and require compliance with national guidelines issued by the General Directorate of Information Systems Security (DGSSI).