Morocco: General Directorate of Information Systems Security adopted Guide on Data Classification

On 23 July 2025, the General Directorate of Information Systems Security (DGSSI) adopted the Guide on Data Classification, developed under Law No. 05-20 on cybersecurity and its implementing decree 2.21.406. The Guide is addressed to entities and infrastructures of vital importance and establishes a structured methodology for classifying data as an information asset, with sensitivity levels determined according to risks across confidentiality, integrity and availability dimensions. It sets out the principles of data classification, including lifecycle management, risk assessment, proportionality, governance frameworks and technological neutrality, and specifies the roles and responsibilities of stakeholders such as data owners, custodians, classification specialists, auditors and users. The document also outlines the overall data management process from identification to classification, protection, re-evaluation and deletion, and provides technical and organisational measures for safeguarding sensitive information. It introduces a multi-level impact scale, aligned with Decree No. 2-21-406, to determine classification classes from “no impact” to “very serious impact”, with data placed within Classes I and II considered sensitive and subject to reinforced protection measures, including mandatory residency within national territory.