On 12 January 2023, the Prime Minister signed Circular No. 2/2023 on publishing the National Directive on Information System Security (NDISS) (Version No. 2/2023). The NDISS will be implemented within six months of its publication, establishing mandatory security measures for operators of critical information infrastructure (CII). It requires the implementation of technical and organisational measures to manage risks, secure information systems, and report cyber incidents. CII operators are obligated to conduct regular risk assessments and comply with standards set by the national cybersecurity authority. These include system audits, vulnerability management, and ensuring compliance with minimum security baselines. Operators must collaborate with national authorities to align with the national cybersecurity strategy, ensuring coordinated responses to cyber threats. The NDISS prescribes detailed reporting mechanisms for incidents, requiring immediate notification of any breach affecting critical systems. Furthermore, it mandates the integration of protective controls to prevent unauthorised access, secure data integrity, and maintain system availability.