This article explains the general shape of Moroccan cybersecurity and data protection rules for business planning purposes. It is not legal advice — consult a qualified lawyer for advice specific to your situation.
Law No. 09-08 — protection of personal data
Law 09-08 governs how organizations collect, process, and store personal data in Morocco. If your business holds customer names, contact details, ID numbers, health data, or payment information, this law likely applies to you.
- The CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel) is the regulator responsible for enforcing the law.
- Declaration/authorization. Most processing of personal data must be declared to the CNDP before it starts, and processing of sensitive categories (health data, for example) requires the CNDP's prior authorization rather than a simple declaration.
- Data subject rights. Individuals have rights to be informed about the processing, to access and correct their personal data, to object to it, and in some cases to have it deleted.
- Security obligation. Organizations must take appropriate technical and organizational measures to protect the personal data they hold.
- Cross-border transfers. Sending personal data outside Morocco triggers additional requirements, in practice prior CNDP authorization unless the destination country is recognized as offering an adequate level of protection. This matters for SMEs using foreign cloud or SaaS providers.
Directive/Law on information systems security (sector-specific obligations)
Beyond personal data, Morocco has developed a framework, coordinated through the national cybersecurity authority (the DGSSI, Direction Générale de la Sécurité des Systèmes d'Information), for securing information systems, particularly for operators considered part of critical or "vitally important" infrastructure (finance, telecoms, energy, and similar sectors). Requirements in this space typically include periodic security audits, incident reporting to the authority, and baseline security controls appropriate to the sector.
Most SMEs are not directly classified as critical infrastructure, but businesses that supply services to organizations that are (banks, telecom operators, government) increasingly find these expectations flow down through contracts and security questionnaires.
What this means practically for an SME
- If you collect customer or employee personal data, review whether your processing needs to be declared to the CNDP.
- Have a clear, honest privacy policy that reflects what you actually do with data (our own is a working example — see our Privacy Policy).
- Apply reasonable security measures proportionate to the sensitivity of the data you hold — this overlaps directly with good general cybersecurity practice.
- If you serve regulated clients (banks, telecoms, public sector), expect security questionnaires referencing these frameworks and be ready to answer them.
- Know how you'd respond to a data breach: who to notify (the regulator where required, affected individuals, and clients whose contracts require it), how quickly, and who in the business is responsible for making that call.
Compliance and security reinforce each other. Almost everything that helps you meet these obligations — access control, encryption, incident response, vendor due diligence — is also good security practice on its own. You don't need to treat them as separate projects.
Where JectarOne fits in
We are not a law firm and don't provide legal opinions. What we do is help you translate these expectations into concrete technical and organizational controls — through a security assessment, and through Compliance Readiness work aligned with ISO 27001 and local requirements.