The primary legal instruments regulating cybersecurity and cybercrime in Morocco are:
The Penal Code is supplemented by: Law No. 07-03 – which covers crimes relating to automated data processing systems;
Decree No. 2-15-712 – which covers the security of sensitive information systems and critical infrastructures; and
Decree No. 2-11-509 and Decree No. 2-82-673 – on the organisation of national defence administration of cybersecurity and information systems.
Additionally, in 2012 CSSSI implemented Morocco's first National Strategy for Cybersecurity (Strategie nationale en Sécurité des Systèmes d'Information), based on the National Strategy for Information Society and the Digital Economy (Digital Morocco 2013 Strategy), with the aim of focusing on four key strategic priorities:
evaluating risks to information systems within government and in vital infrastructures;
protecting the information systems of government agencies, public organizations, and vital infrastructures;
strengthening the foundations of information systems security (legal framework, sensitization, training, research and development); and
promoting national and international cooperation.
Morocco enacted Law 09/08 as its personal data protection law in February of 2009. The guidelines for the processing of personal data were laid down in Article 3(1) of Law 09/08. In specific instances pursuant to Article 12, the Law requires prior authorisation, from its Data Protection authority – the National Commission for the Control of Personal Data (CNDP), before processing can begin