NCSI FULFILMENT PERCENTAGE
Version 23 Feb 2022
GENERAL CYBER SECURITY INDICATORS
-
1. Cyber security policy development 3/7 43%
-
1.1. Cyber security policy unit 0/3
Requirements
Criteria: A central government entity (ministry or equivalent) has a specialised official or unit responsible for national cyber security policy development.
Accepted references: Official website or legal act
Evidence
-
1.2. Cyber security policy coordination format 2/2
Requirements
Criteria: The central government has a committee, council, working group, etc. for national-level cyber security policy coordination.
Accepted references: Official website or legal act
Evidence
https://www.dgssi.gov.ma/fr/comite-strategique-de-la-cybersecurite.html
The Cybersecurity Strategic Committee is composed of representatives of 14 ministries, chaired by the Defense Ministry, and is responsible for setting information security directives and guidelines for all key government entities and for approving funding.
-
1.3. Cyber security strategy 1/1
Requirements
Criteria: The central government has established a national-level cyber security strategy or other equivalent document.
Accepted references: Valid official document
Evidence
https://www.dgssi.gov.ma/fr/content/strategie-nationale-en-securite-des-systemes-d-information.html
In December 2012, the Strategic Committee for the Security of Information Systems adopted Morocco’s first National Cyber Security Strategy. The document was built upon the Digital Morocco 2013 strategy and outlined programs and projects aimed at ensuring the protection of the information systems of government agencies, public organizations and vital infrastructures, as well as creating the conditions for a trusted and secure environment conducive to the development of an information society.
https://www.dgssi.gov.ma/fr/strategie-nationale-en-matiere-de-cybersecurite.html
Strategic axes of the national cybersecurity strategy
https://www.dgssi.gov.ma/sites/default/files/attached_files/strategie_nationale.pdf
The national cybersecurity strategy
-
1.4. Cyber security strategy implementation plan 0/1
Requirements
Criteria: The central government has established an implementation plan for the national-level cyber security strategy or other equivalent document.
Accepted references: Valid official document or its enforcement act
Evidence
-
-
2. Cyber threat analysis and information 1/5 20%
-
2.1. Cyber threats analysis unit 0/3
Requirements
Criteria: A central government entity has a national-level unit that is specialised in national strategic cyber threat situation analysis.
Accepted references: Official website or legal act
Evidence
-
2.2. Public cyber threat reports are published annually 0/1
Requirements
Criteria: The public part of the national cyber threat situation analysis is published at least once a year.
Accepted references: Official public report
Evidence
-
2.3. Cyber safety and security website 1/1
Requirements
Criteria: Public authorities provide at least one cyber safety and security website for cyber security and ICT professionals, and regular users.
Accepted references: Website
Evidence
e-Himaya is the national information and awareness platform on digital culture and the appropriate use of digital tools by children and young people in order to protect them against possible digital risks and threats.
-
-
3. Education and professional development 8/9 89%
-
3.1. Cyber safety competencies in primary or secondary education 0/1
Requirements
Criteria: Primary or secondary education curricula include cyber safety / computer safety competences.
Accepted references: Official curriculum or official report
Evidence
-
3.2. Bachelor’s level cyber security programme 2/2
Requirements
Criteria: There is at least one cyber security / electronic information security focused programme at Bachelor’s or equivalent level.
Accepted references: Accredited study programme
Evidence
https://www.enset-media.ac.ma/formations/continues/description-asl
Administration and Cybersecurity of Computer Systems and Networks.
Networks Security and Computer Systems
Systems, Networks and Cybersecurity Administration.
-
3.3. Master’s level cyber security programme 2/2
Requirements
Criteria: There is at least one cyber security / electronic information security focused programme at Master’s or equivalent level.
Accepted references: Accredited study programme
Evidence
https://www.uir.ac.ma/sites/default/files/Fiche%20-Master-SSI.pdf
Information Systems Security
https://www.dgssi.gov.ma/fr/content/master-specialise-en-securite-des-systemes-d-information.html
Information Systems Security.
http://www.inpt.ac.ma/fr/ing%C3%A9nieur-confiance-num%C3%A9rique
Cybersecurity Engineer and Digital Trust.
-
3.4. PhD level cyber security programme 2/2
Requirements
Criteria: There is at least one cyber security / electronic information security focused programme at PhD or equivalent level.
Accepted references: Accredited study programme
Evidence
http://ensias.um5.ac.ma/article/les-equipes-de-recherche
Advanced Digital Enterprise Modeling and Information Retrieval Research Laboratory (ADMIR) / Innovation on Digital and Enterprise Architectures team / Research areas: systems security.
Smart Systems Laboratory (SSL) / Research areas: information systems security.
Information, Communication and Embedded Systems (ICES) team / Research areas: information security.
Information Technology and Management team / Research areas: security, IP network security.
https://www.um6p-cs.ma/en/research/
Cybersecurity, Detection and Prevention of Attacks.
http://www.inpt.ac.ma/fr/sujets-de-th%C3%A8ses-et-publications
Networks, Architectures, Services Engineering and Security.
-
3.5. Cyber security professional association 2/2
Requirements
Criteria: There is a professional association of cyber/electronic information security specialists, managers or auditors.
Accepted references: Website
Evidence
The Association of Users of Information Systems in Morocco (AUSIM) supports its member organizations in their digital transformation projects and provides its community with high-value-added reflections and advice.
AUSIM thus offers a multitude of innovative services and programs and provides its community with several forums to network, discuss, share and reflect together on common issues and solutions to ensure the success of digitalization projects.
-
-
4. Contribution to global cyber security 2/6 33%
-
4.1. Convention on Cybercrime 1/1
Requirements
Criteria: The country has ratified the Convention on Cybercrime.
Accepted references: Official website of the convention
Evidence
Convention on Cybercrime
https://www.unodc.org/documents/Cybercrime/SG_report/V1908182_E.pdf
210. Morocco also approved the Arab Convention on Combating Information Technology Offences, signed in Cairo on 21 December 2010, under Decree No. 46.13.1 of 13 March 2013, by implementing Law No. 12.17, published in Official Gazette No. 6140 on 4 April 2013.
https://www.coe.int/en/web/conventions/full-list?module=signatures-by-treaty&treatynum=185
-
4.2. Representation in international cooperation formats 1/1
Requirements
Criteria: The government is regularly represented in a cooperation format that is dedicated to international cyber security (e.g. FIRST).
Accepted references: Official website of the cooperation format
-
4.3. International cyber security organisation hosted by the country 0/3
Requirements
Criteria: A regional or international cyber security organisation is hosted by the country.
Accepted references: Organisation’s official website
Evidence
-
4.4. Cyber security capacity building for other countries 0/1
Requirements
Criteria: The country has (co-)financed or (co-)organised at least one capacity building project for another country in the last 3 years.
Accepted references: Official website or project document
Evidence
-
BASELINE CYBER SECURITY INDICATORS
-
5. Protection of digital services 5/5 100%
-
5.1. Cyber security responsibility for digital service providers 1/1
Requirements
Criteria: According to legislation, digital service providers (except micro and small enterprises): (1) must manage cyber/ICT risks or (2) must implement established cyber/information security requirements.
Accepted references: Legal act
Evidence
https://www.dgssi.gov.ma/sites/default/files/attached_files/loi_n-05.20_version_francaise.pdf
Articles 4, 5, 29 and 32
Article 29
Operators of public telecommunications networks, Internet service providers, cybersecurity service providers, digital service providers and Internet platform publishers must, within the framework of the directives of the national authority, take the necessary protective measures to prevent and neutralize the effects of threats or attacks on the information systems of their customers.
-
5.2. Cyber security standard for the public sector 1/1
Requirements
Criteria: Public sector digital service providers must implement (1) cyber/ICT security requirements (defined by legislation) or (2) a widely recognised security standard.
Accepted references: Legal act
Evidence
https://www.dgssi.gov.ma/fr/directive-nationale-de-la-securite-des-systemes-d-information.html
National Directive on Information Systems Security (Directive Nationale de la Sécurité des Systèmes d’Information, DNSSI) aimed at “raising and homogenizing the level of protection and maturity of the security of the information systems of administrations, public entities, and infrastructures of vital importance.”
The DNSSI describes the organizational and technical security measures that must be applied by the administrations and public bodies as well as the infrastructures of vital importance.
This base of minimum rules can be enriched for certain uses. The necessary additional measures are defined by the authorities concerned and subsequently shared with the DGSSI.
2. SCOPE OF APPLICATION
The DNSSI applies to all information systems of administrations, public bodies and infrastructures of vital importance.
The DNSSI addresses all the staff of these entities as well as third parties (contractors, etc.).
https://www.dgssi.gov.ma/sites/default/files/attached_files/loi_n-05.20_version_francaise.pdf
Section 3. - Specific provisions to operators
Article 32
Digital service providers must identify the risks that threaten the security of their information systems and take the technical and organizational measures necessary to manage these risks, to avoid incidents likely to harm their networks and information systems and to minimize their impact, so as to guarantee the continuity of their services.
Article 33
Digital service providers must, as soon as they become aware of them, report to the national authority incidents affecting the networks and information systems necessary for the provision of their services, when the information at their disposal shows that these incidents have a significant impact on the provision of these services.
-
5.3. Competent supervisory authority 3/3
Requirements
Criteria: The government has a competent authority in the field of cyber/information security that has the power to supervise public and private digital service providers regarding the implementation of cyber/information security requirements.
Accepted references: Official website or legal act
Evidence
Chapter One: Cybersecurity Governance Bodies
Section One: The National Cybersecurity Authority
Article 1
The national authority for cybersecurity within the meaning of the aforementioned Act No. 05-20 shall be understood to mean the General Directorate for Information Systems Security under the authority of the National Defense Administration, hereinafter referred to as the "national authority".
https://www.dgssi.gov.ma/sites/default/files/attached_files/loi_n-05.20_version_francaise.pdf
Article 28
For the purposes of the security of information systems of entities and infrastructures of vital importance, authorized agents of the national authority are authorized, for the sole purpose of preventing and characterizing the cyber threat, to collect and analyze, at the premises of operators of public telecommunications networks, Internet access providers, cybersecurity service providers, digital service providers and Internet platform publishers, technical data only, to the exclusion of any other exploitation.
The national authority is entitled to install, on public telecommunications networks and those of Internet access providers, technical devices for the sole purpose of detecting events likely to affect the security of the information systems of entities and infrastructures of vital importance.
These devices are installed for the time and to the extent strictly necessary to characterize the threat.
Article 30
When operators of public telecommunications networks, Internet access providers, cybersecurity service providers, digital service providers and Internet platform publishers detect events that may affect the security of their customers' information systems, they must inform the national authority without delay.
Article 33
Digital service providers must, as soon as they become aware of it, declare to the national authority incidents affecting the networks and the information systems necessary for the provision of their services, when the information at their disposal shows that these incidents have a significant impact on the provision of these services.
Article 34
When the national authority is informed, by any means whatsoever, that a digital service provider does not meet one of the obligations provided for by this law, it may submit it to checks intended to verify compliance with these obligations as well as the level of security of the networks and information systems necessary for the provision of its services.
The checks are carried out by the national authority or by audit service providers qualified by the said authority. In the latter case, the cost of the controls is the responsibility of the digital service provider.
In the event of a breach noted during an inspection, the national authority may issue a formal notice to the managers of the service provider concerned to comply, within a period that it sets, with the obligations incumbent on the service provider by virtue of this section.
https://www.dgssi.gov.ma/sites/default/files/attached_files/loi_n-05.20_version_francaise.pdf
Section 2. - The National Cybersecurity Authority
Article 38
The national authority is responsible for implementing the State's cybersecurity strategy.
To this end, in addition to the missions assigned to it by this law, the national authority is responsible for:
- ...
- qualifying auditors of sensitive information systems of critical infrastructures and cybersecurity service providers;
- assisting and advising the entities and infrastructures of vital importance in strengthening the security of their information systems;
- ...
-
-
6. Protection of essential services 6/6 100%
-
6.1. Operators of essential services are identified 1/1
Requirements
Criteria: There is a legal act that allows operators of essential services to be identified.
Accepted references: Legal act
Evidence
https://www.dgssi.gov.ma/sites/default/files/attached_files/loi_n-05.20_version_francaise.pdf
Section 2. - Provisions specific to critical infrastructures with sensitive information systems
Article 15
The list of sectors of vital importance and of government authorities, public establishments or other legal persons under public law ensuring the coordination of these sectors shall be determined by regulation.
Article 16
The infrastructures of vital importance are designated for each sector of activity of vital importance by the government authority, the public establishment or the legal person under public law responsible for the coordination of this sector, after the opinion of the national authority. The list of these infrastructures must be kept secret and must be updated at regular intervals and at least every two years.
Article 17
The manager of the critical infrastructure shall draw up a list of sensitive information systems on the basis of the results of a risk analysis and shall forward it to the national authority, together with any updates.
Article 18
The list of sectors of activity of vital importance and the government authorities, public establishments or other legal persons governed by public law ensuring the coordination of these sectors is set out in Annex 1 of this decree.
The aforementioned list may be amended or supplemented by order of the Head of Government on a proposal from the national defense administration.
Annex 1
-
6.2. Cyber security requirements for operators of essential services 1/1
Requirements
Criteria: According to the legislation, operators of essential services must manage cyber/ICT risks.
Accepted references: Legal act
Evidence
https://www.dgssi.gov.ma/sites/default/files/attached_files/loi_n-05.20_version_francaise.pdf
Section 2. - Provisions specific to critical infrastructures with sensitive information systems (from article 14 to 25)
Article 14
The provisions of Section 1 of this Chapter shall apply to infrastructures of vital importance.
Article 15
The list of sectors of vital importance and of government authorities, public establishments or other legal persons under public law, ensuring the coordination of these sectors shall be determined by regulation.
Article 16
The infrastructures of vital importance are designated for each sector of activity of vital importance by the government authority, the public establishment or the legal person under public law responsible for the coordination of this sector, and this after the opinion of the national authority. The list of these infrastructures must be kept secret and must be updated at regular intervals and at least every two years.
Article 17
The manager of the critical infrastructure shall draw up a list of sensitive information systems on the basis of the results of a risk analysis and shall forward it to the national authority, together with any updates.
Article 18
The national authority may make comments to the person responsible for the critical infrastructure on the list of sensitive information systems transmitted to it. In such a case, the manager of the critical infrastructure shall be required to amend its list in accordance with those comments and shall transmit the amended list to the national authority within two months of the date of receipt of the comments. The list of sensitive information systems must be kept secret.
Article 19
Any sensitive information system must be certified for its security before it is put into operation. The certification guide for sensitive information systems is established by the national authority.
Article 20
At the request of the national authority, the persons responsible for the infrastructures of vital importance shall submit the sensitive information systems of the said infrastructures to an audit carried out by the said authority or by audit providers qualified by the said authority. The criteria for the qualification of audit providers and the procedures for the conduct of the audit shall be laid down by regulation.
Article 21
The managers of critical infrastructures are required to provide the national authority or the qualified audit service provider with the information and elements necessary to carry out the audit, including documents relating to their security policy and, where applicable, the results of previous security audits, and to allow them access to the networks and information systems subject to the audit in order to carry out analyses and collect technical information. Qualified audit providers and their employees are bound, under penalty of the penalties provided for in the penal code, to respect professional secrecy throughout the duration of the audit mission and after its completion, on the information and documents collected or brought to their knowledge during this mission.
Article 22
Where the audit is carried out by a qualified audit provider, the audit report shall be transmitted by the manager of the critical infrastructure to the national authority. The qualified audit provider shall ensure the confidentiality of the audit report.
Article 23
When audit operations are carried out by qualified audit providers, the costs are borne by the manager of the critical infrastructure concerned by these operations.
Article 24
Each manager of an audited critical infrastructure shall put in place an action plan to implement the recommendations contained in the audit reports and shall forward it to the national authority for monitoring of its implementation.
Article 25
Those responsible for critical infrastructures must use services, products or solutions that enable the strengthening of security functions, as defined by the national authority. In the event of outsourcing of cybersecurity services, the managers of critical infrastructures must use service providers qualified by the national authority. The qualification criteria for cybersecurity service providers are set by regulation.
Chapter II: The information systems security system
Section 1: Provisions specific to entities and infrastructures of vital importance with sensitive information systems (which is composed of three sub-sections)
- Subsection 1: The National Directive on Information Systems Security
- Subsection 2: The reference framework for the classification of information assets and information systems
- Subsection 3: Missions of the information systems security officer
-
6.3. Competent supervisory authority 3/3
Requirements
Criteria: The government has a competent authority in the field of cyber/information security that has the power to supervise operators of essential services regarding cyber/information security requirements.
Accepted references: Official website or legal act
Evidence
Chapter 1: Cybersecurity Governance Bodies
Section 1: The National Cybersecurity Authority
Article 1
The national authority for cybersecurity within the meaning of the aforementioned law No. 05-20 shall be understood to mean the General Directorate for Information Systems Security under the authority of the National Defense Administration, hereinafter referred to as the "national authority".
https://www.dgssi.gov.ma/sites/default/files/attached_files/loi_n-05.20_version_francaise.pdf
Section 2. - The National Cybersecurity Authority
Article 38
The national authority is responsible for implementing the State's cybersecurity strategy. To this end, in addition to the missions assigned to it by this law, the national authority shall be responsible for:
- ...
- proposing to the cybersecurity strategic committee measures intended to respond to crises affecting or threatening the security of the information systems of vital entities and infrastructures;
- ensuring the conduct of security audits of the information systems of vital infrastructures;
- assisting and advising entities and vital infrastructures in strengthening the security of their information systems;
- assisting and supporting entities and vital infrastructures in establishing systems for detecting events affecting or likely to affect the security of their information systems, and coordinating the reaction to these events;
- ...
https://www.dgssi.gov.ma/sites/default/files/attached_files/loi_n-05.20_version_francaise.pdf
Article 20
At the request of the national authority, the persons responsible for the infrastructures of vital importance shall submit the sensitive information systems of the said infrastructures to an audit carried out by the said authority or by audit providers qualified by the said authority. The criteria for the qualification of audit providers and the procedures for the conduct of the audit shall be laid down by regulation.
-
6.4. Regular monitoring of security measures 1/1
Requirements
Criteria: Operators of essential services must regularly (at least once every 3 years) provide evidence of the effective implementation of cyber/information security policies (e.g. audit result, documentation, specific report).
Accepted references: Legal act
Evidence
Article 28
Entities and infrastructures of vital importance shall audit the security of their sensitive information systems according to the domains set out in Annex No. 2 to this decree, provided that the frequency of each audit relating to the same domain shall not exceed three (03) years.
Law No. 05-20 on cybersecurity stipulates in its Article 19 that any sensitive information system (SIS) of an infrastructure of vital importance (IIV) must have its security certified (homologation) before it is put into service.
Each vital infrastructure must declare its sensitive information systems to the national authority (DGSSI) using a declaration form.
In addition, each vital infrastructure carries out a review of the classification of its information systems at least once every three (03) years or whenever this proves to be necessary.
-
-
7. E-identification and trust services 8/9 89%
-
7.1. Unique persistent identifier 1/1
Requirements
Criteria: The government provides a unique persistent identifier to all citizens, residents and legal entities. For example, the identifier remains the same after document expiration and name change.
Accepted references: Legal act
Evidence
http://www.sgg.gov.ma/Portals/0/BO/2021/BO_6950_Fr.pdf
Page 10
Law n° 72-18 relating to the mechanism for targeting beneficiaries of social support programs and establishing the National Agency of Registers
Chapter 2
National Population Registry
Article 5
The purpose of the National Population Register is:
- to make available the personal data of Moroccan or foreign individuals residing on Moroccan territory, as referred to in Article 4 above, necessary to facilitate access to the services provided by public administrations, local authorities and public and private organizations;
- to allocate the digital identifier created under Article 8 of this law;
- to enable the identification of persons wishing to register in the Unified Social Register in order to benefit from social support programs managed by public administrations, local authorities and public bodies, ensuring in particular the identity of the said persons and the veracity of the information and data concerning them;
- to provide authentication services for the data declared by the above-mentioned persons or to provide additional data to public administrations, local authorities and public and private bodies, in accordance with the conditions and procedures provided for by this law;
- to contribute to the simplification of administrative procedures relating to the services provided to users.
Chapter 3
Civil and social digital identifier
Article 8
A digital identifier, to be known as the "Civil and Social Digital Identifier", shall be issued by the Agency to each person registered in the National Population Registry.
Each person may be assigned only one civil and social digital identifier. This identifier may not be reassigned to any other person.
The characteristics of the digital identifier and the modalities of its attribution shall be fixed by regulation.
http://www.sgg.gov.ma/Portals/1/BO/2021/BO_7011_Ar.pdf
Law No. 18.72 on the System for Targeting Beneficiaries of Social Assistance Programs and the Creation of the National Records Agency, with regard to the Unified Social Register
Chapter Five
Transitional and final requirements
Article 10
The provisions of this Decree shall come into force, initially, in the prefecture of Rabat and the province of Kénitra, and their application shall be extended to the other prefectures, provinces and regions of the Kingdom by decision of the governmental authority in charge of the interior.
-
7.2. Requirements for cryptosystems 0/1
Requirements
Criteria: Requirements for cryptosystems in the field of trust services are regulated.
Accepted references: Legal act
Evidence
-
7.3. Electronic identification 1/1
Requirements
Criteria: Electronic identification is regulated.
Accepted references: Legal act
Evidence
http://www.sgg.gov.ma/Portals/1/BO/2020/BO_6907_Ar.pdf?ver=2020-08-12-142412-08
Law n° 20.04 on the National Electronic Identification Card (page 4)
Article 1
The electronic national identification card proves the identity of its holder, including his or her digital identity, by assigning a unique national identification number to each natural person.
-
7.4. Electronic signature 1/1
Requirements
Criteria: E-signature is regulated.
Accepted references: Legal act
Evidence
Law No. 43-20 on trust services for electronic transactions
https://dgssi.gov.ma/sites/default/files/attached_files/loi_43.20_fr.pdf
Subsection 1. - The electronic signature (from article 4 to 12)
Article 4
An electronic signature is either a simple, advanced or qualified signature.
Article 5
An advanced electronic signature is a simple electronic signature as defined in Article 2 above, which meets the following conditions:
- it is unique to the signatory;
- it is capable of identifying the signatory;
- it has been created using electronic signature creation data that the signatory can use under his exclusive control, with a high level of trust defined by the national authority;
- it is based on an electronic certificate or any other process deemed equivalent as determined by regulation;
- it is linked to the data associated with that signature in such a way that any subsequent change to the data is detectable.
Article 6
A qualified electronic signature is an advanced electronic signature that must be generated by a qualified electronic signature creation device as provided for in Article 8 below and that is based on a qualified electronic signature certificate as provided for in Article 9 below.
Article 7
The legal effect and admissibility of a simple or advanced electronic signature as evidence in legal proceedings may not be denied solely on the ground that the signature is in electronic form or that it does not meet the requirements of a qualified electronic signature as provided in article 6 above.
Article 8
A qualified electronic signature creation device is an electronic signature creation device attested by a certificate of conformity issued by the national authority. This device must meet the following requirements:
- guarantee by appropriate technical means and procedures that the electronic signature creation data cannot be found by deduction and that the electronic signature is reliably protected against falsification by available technical means;
- ensure by appropriate technical means and procedures that the electronic signature creation data cannot be established more than once and that its confidentiality is assured and can be satisfactorily protected by the signatory against use by third parties;
- not result in any alteration or modification of the content of the electronic document to be signed, and not prevent the signatory from having accurate knowledge of the content before signing it.
In addition, the generation or management of qualified electronic signature creation data on behalf of the signatory may only be entrusted to a trust service provider approved in accordance with the provisions of article 33 of this law.
The list of qualified electronic signature creation devices is published on the website of the national authority.
Article 9
The qualified electronic signature certificate shall be issued by an approved trust service provider and shall include data and information determined by regulation.
Article 10
The process of validating a qualified electronic signature confirms the validity of that signature provided that:
- the certificate on which the signature is based was, at the time of signing, a qualified electronic signature certificate in accordance with the provisions of article 9 above;
- the qualified certificate was issued by an authorized trust service provider and was valid at the time of signing;
- the signature validation data correspond to the data communicated to the Relying Party;
- the unique data set representing the signatory in the certificate is correctly provided to the Relying Party;
- the use of a pseudonym is clearly indicated to the Relying Party, if a pseudonym was used at the time of signing;
- the electronic signature was created by a qualified electronic signature creation device and the requirements of section 5 of this Act were met at the time of signing;
- the integrity of the signed data has not been compromised.
In addition, the system used to validate the qualified electronic signature shall provide the relying party with the correct result of the validation process and shall allow the relying party to detect any relevant problems with the security of that process.
Article 11
A qualified electronic signature validation service may be provided only by a licensed trust service provider that:
- provides validation in accordance with the provisions of article 10 above;
- and enables the Relying Party to receive the result of the validation process in an automated, reliable and efficient manner, bearing the advanced electronic signature or advanced electronic seal of the said provider.
Article 12
A qualified electronic signature storage service may be provided only by an authorized trust service provider that uses procedures and technologies that extend the reliability of qualified electronic signatures beyond the period of their technological validity.
-
7.5. Timestamping 111
Requirements
Criteria: Timestamping is regulated.
Accepted references: Legal act
Evidence
Law n° 43-20 on trust services for electronic transactions
https://dgssi.gov.ma/sites/default/files/attached_files/loi_43.20_fr.pdf
Subsection 3. Electronic Time-Stamping (articles 22 to 25)
Article 22
An electronic timestamp is a simple or qualified timestamp.
Article 23
Simple electronic time-stamping consists of data in electronic form that associate other data in electronic form with a particular time and establishes proof that the latter data existed at that time.
Article 24
Qualified electronic time stamping is a simple electronic time stamping that meets the following conditions:
- link the date and time to the data in such a way as to exclude the possibility of undetectable modification of the data;
- be based on an accurate clock linked to Coordinated Universal Time; and
- be signed with an advanced electronic signature or sealed with an advanced electronic seal of the approved trust service provider.
A qualified electronic timestamp enjoys a presumption of the accuracy of the date and time it indicates and the integrity of the data to which that date and time relates.
Article 25
The legal effect and admissibility of a simple electronic time-stamp as evidence in court cannot be denied solely on the grounds that it is in electronic form or that it does not meet the requirements of the qualified electronic time-stamp referred to in Article 24 above.
-
7.6. Electronic registered delivery service 111
Requirements
Criteria: Electronic registered delivery service between state entities, citizens and private sector entities is regulated. The service provides legally binding data exchange and guarantees the confidentiality and integrity of information.
Accepted references: Legal act
Evidence
Law n° 43-20 on trust services for electronic transactions
https://dgssi.gov.ma/sites/default/files/attached_files/loi_43.20_fr.pdf
Subsection 4. The electronic registered mail service (articles 26 to 29)
Article 26
An electronic registered mail service is a simple or qualified electronic registered mail service.
Article 27
The simple electronic registered mail service allows the transmission of data by electronic means, provides evidence of the processing of the transmitted data, including proof of sending and receipt, and protects the transmitted data against loss, theft, alteration or any unauthorized modification.
Article 28
The qualified electronic registered mail service is a simple electronic registered mail service which meets the following conditions:
- be provided by one or more accredited trust service providers;
- guarantee the identification of the sender with a high degree of trust, as defined by the national authority;
- guarantee the identification of the recipient before the data is provided;
- secure the sending and receiving of data by means of an advanced electronic signature or an advanced electronic seal, so as to exclude any possibility of undetectable modification of the data;
- clearly indicate to the sender and recipient any modification of the data necessary for sending or receiving the data;
- indicate, by means of a qualified electronic time stamp, the date and time of sending and receiving as well as any modification of the data.
Data sent and received by means of a qualified electronic registered mail service shall be presumed to be complete, to have been sent by the identified sender and received by the identified recipient, and to have been sent and received at the correct date and time indicated by the service.
Article 29
The legal effect and admissibility of the data sent and received by means of a simple electronic registered service as evidence in court cannot be refused on the sole ground that this service is in an electronic form or that it does not meet the requirements of the qualified electronic registered service provided for in article 28 above.
-
7.7. Competent supervisory authority 333
Requirements
Criteria: There is an authority responsible for the supervision of qualified trust service providers.
Accepted references: Official website or legal act
Evidence
Law n° 43-20 on trust services for electronic transactions
-
-
8. Protection of personal data 4/4 100%
-
8.1. Personal data protection legislation 111
Requirements
Criteria: There is a legal act for personal data protection.
Accepted references: Legal act
Evidence
Dahir n° 1-09-15 of February 18, 2009 promulgating the law n° 09-08 relating to the protection of individuals with regard to the processing of personal data.
-
8.2. Personal data protection authority 333
Requirements
Criteria: There is an independent public supervisory authority that is responsible for personal data protection.
Accepted references: Official website or legal act
Evidence
http://www.cndp.ma/fr/cndp/qui-sommes-nous/commision.html
National Commission of Data Protection of Morocco
-
INCIDENT AND CRISIS MANAGEMENT INDICATORS
-
9. Cyber incidents response 4/6 67%
-
9.1. Cyber incidents response unit 333
Requirements
Criteria: The government has a unit (CSIRT, CERT, CIRT, etc.) that is specialised in national-level cyber incident detection and response.
Accepted references: Official website or legal act
Evidence
-
9.2. Reporting responsibility 111
Requirements
Criteria: Digital service providers and operators of essential services have an obligation to notify appointed government authorities of cyber security incidents.
Accepted references: Legal act
Evidence
https://www.dgssi.gov.ma/fr/content/loi-ndeg-0520-relative-la-cybersecurite.html
Law n° 05-20 relating to cyber security
https://www.dgssi.gov.ma/sites/default/files/attached_files/loi_n-05.20_version_francaise.pdf
Article 8
Each entity shall, as soon as it becomes aware of an incident affecting the security or functioning of its information systems, report it to the national authority.
At the request of the national authority, each entity shall provide it, without delay, with additional information relating to incidents affecting the security or functioning of its information systems.
The national authority shall specify the technical data and information relating to incidents that must be communicated and the procedures for their transmission.
It shall send the entity concerned a summary of the measures and recommendations relating to the handling of the incident.
Article 30
When operators of public telecommunications networks, Internet access providers, cybersecurity service providers, digital service providers and Internet platform publishers detect events that may affect the security of their customers' information systems, they must inform the national authority without delay.
Article 33
Digital service providers must, as soon as they become aware of them, report to the national authority incidents affecting the networks and information systems necessary for the provision of their services, where the information available to them indicates that these incidents have a significant impact on the provision of these services.
-
9.3. Single point of contact for international coordination 002
Requirements
Criteria: The government has designated a single point of contact for international cyber security coordination.
Accepted references: Official website or legal act
Evidence
-
-
10. Cyber crisis management 4/5 80%
-
10.1. Cyber crisis management plan 111
Requirements
Criteria: The government has established a crisis management plan for large-scale cyber incidents.
Accepted references: Legal act
Evidence
https://www.dgssi.gov.ma/sites/default/files/attached_files/loi_n-05.20_version_francaise.pdf
Article 36
A committee for the management of crises and major cyber events is hereby set up under the Strategic Committee for Cyber Security, with the task of ensuring a coordinated response to the prevention and management of crises following cyber security incidents.
To this end, operators of public telecommunication networks, Internet service providers, cybersecurity service providers and digital service providers must respond to the requirements and requests for assistance and technical support of the committee for the management of crises and major cyber events.
The composition and operating procedures of this committee, as well as the area of intervention of each of its members, are set by regulation.
Section 3: The major cyber event and crisis management committee (Articles 6 to 8)
Article 6
Pursuant to the provisions of the third paragraph of Article 36 of the aforementioned Act No. 05-20, the committee for the management of major cyber crises and events, chaired by the General Directorate for Information Systems Security, is composed of representatives of the following authorities and bodies:
- the government authority in charge of the interior;
- the General Inspectorate of the Royal Armed Forces;
- the Royal Gendarmerie;
- the General Directorate of Studies and Documentation;
- the General Directorate of National Security;
- the General Directorate of Territorial Surveillance;
- the 5th office of the General Staff of the Royal Armed Forces;
- the Royal Armed Forces' signals inspectorate.
The above-mentioned authorities and organizations shall appoint their permanent representatives and alternates.
The chairman of the committee for the management of major cyber crises and events may invite any person or organization whose participation he deems useful.
Article 7
The Major Cyber Event and Crisis Management Committee shall prepare reports on its work and submit them to the Strategic Cyber Security Committee.
Article 8
In application of the third paragraph of Article 36 of the above-mentioned Act No. 05-20, the major cyber event and crisis management committee shall draw up a major cyber event and crisis management framework and submit it to the Strategic Committee for Cyber Security for approval.
The aforementioned management framework shall define, among other things, the scope of action of each member of the major cyber crisis and event management committee, as well as crisis management procedures and communication and information exchange arrangements.
Each member of the crisis and major cyber event management committee is responsible, within the limits of the prerogatives of the authority or organization to which he or she reports, for initiating and following up on the actions decided by the committee.
https://www.dgssi.gov.ma/fr/le-comite-de-gestion-des-crises-et-evenements-cybernetiques-majeurs.html
In accordance with article 36 of law n° 05-20 on cybersecurity, a committee for the management of major cyber crises and events has been set up under the strategic cybersecurity committee, responsible for ensuring a coordinated intervention in prevention and crisis management following cybersecurity incidents.
-
10.2. National-level cyber crisis management exercise 222
Requirements
Criteria: The government has conducted a national-level cyber crisis management exercise or a crisis management exercise with a cyber component in the last 3 years.
Accepted references: Exercise document/website or press release
Evidence
https://www.dgssi.gov.ma/fr/content/organisation-du-cyberdrill-2021.html
CYBERDRILL 2021
The General Directorate of Information Systems Security organized, on Tuesday November 30 and Thursday December 2, 2021, the fifth edition of its cyber simulation exercise (CyberDrill-2021), under the theme: "ACTIVE DIRECTORY SECURITY".
https://www.dgssi.gov.ma/fr/content/cyberdrill-2020.html
CYBERDRILL-2020
The General Directorate of Information Systems Security organized, on October 06 and 08, 2020, the fourth edition of the online cyber simulation exercise "CyberDrill-2020", under the theme: "Supply chain attacks".
https://www.dgssi.gov.ma/fr/content/cyberdrill-2019.html-0
CYBERDRILL 2019
The General Directorate of Information Systems Security organized the third edition of its cyber simulation exercise (CyberDrill) on October 15 and 17, 2019.
-
10.3. Participation in international cyber crisis exercises 111
Requirements
Criteria: The country's team has participated in an international cyber crisis management exercise in the last 3 years.
Accepted references: Exercise document/website or press release
Evidence
https://www.dgssi.gov.ma/fr/content/9th-arab-regional-oic-cert-cyber-drill-2021.html
THE 9TH ARAB REGIONAL & OIC-CERT CYBER DRILL 2021
maCERT Incident Response Team participated in the 9th edition of the cyber-drill organized by the Arab Regional Center for Cybersecurity of the International Telecommunication Union (ITU-ARCC), in collaboration with the OIC-CERT.
-
10.4. Operational support of volunteers in cyber crises 001
Requirements
Criteria: The procedures for using volunteers in the field of cyber security are established by legislation.
Accepted references: Legal act
Evidence
-
-
11. Fight against cybercrime 9/9 100%
-
11.1. Cybercrimes are criminalised 111
Requirements
Criteria: Cybercrimes are defined by legislation.
Accepted references: Legal act
Evidence
https://www.dgssi.gov.ma/uploads/media/Loi_n__07-03_Code_Penal.pdf
This law makes it possible to sanction all unauthorized intrusions into an automated data processing system.
http://blog.infosec.ma/lois-cybercriminalite-maroc/
Text of the law; it can be translated with Google.
-
11.2. Cybercrime unit 333
Requirements
Criteria: There is a government entity with a specific function of combatting cybercrime.
Accepted references: Official website or legal act
Evidence
https://www.unodc.org/documents/Cybercrime/SG_report/V1908182_E.pdf
This document has been prepared pursuant to General Assembly resolution 73/187, entitled “Countering the use of information and communications technologies for criminal purposes”.
On page 46, item 215, the report names the government entity that combats cybercrime.
https://rm.coe.int/3692-cybersouth-sitrep-morocco-final/1680a243d5
29 brigades specializing in the fight against cybercrime are distributed geographically in the country (page 10)
-
11.3. Digital forensics unit 333
Requirements
Criteria: There is a government entity with a specific function of digital forensics.
Accepted references: Official website or legal act
Evidence
https://rm.coe.int/3692-cybersouth-sitrep-morocco-final/1680a243d5
This report was prepared within the framework of the Cybersud project (sponsored by the Council of Europe). This project contributes to the prevention and control of cybercrime and other crimes involving electronic evidence, in accordance with international standards for the protection of human rights and respect for the rule of law as well as good practices.
Beneficiary countries: Morocco, Algeria, Jordan, Lebanon and Tunisia.
4.2 Structures at regional level
4.2.1 Overview
The DGSN has 6 specialized forensic laboratories spread across the country, namely:
- Rabat (central laboratory),
- a laboratory at the National Brigade of the Judicial Police, Marrakech,
- Fes,
- Casablanca,
- Laâyoune.
On the other hand, 29 brigades specializing in the fight against cybercrime are distributed geographically in the country.
Four of these brigades have a laboratory (Casablanca, Fez, Marrakech, and Laâyoune).
-
11.4. 24/7 contact point for international cybercrime 222
Requirements
Criteria: The government has designated an international 24/7 contact point for cybercrimes.
Accepted references: Official website or legal act
Evidence
In accordance with Article 35 of the Convention, the Government of Morocco declares that the points of contact 24/7 designated for the purpose of investigations related to Cybercrime are:
Bureau Central National d’Interpol Rabat
Direction de la Police Judiciaire,
Direction Générale de la Sûreté Nationale, Rabat
Présidence du Parquet Général
Pôle de Suivi des Affaires Pénales et de la Protection des Catégories Spéciales
Avenue Al Arz, Mahaj Ryad, Rabat
-
-
12. Military cyber operations 0/6 0%
-
12.1. Cyber operations unit 003
Requirements
Criteria: Military forces have a unit (cyber command, etc.) that is specialised in planning and conducting cyber operations.
Accepted references: Official website or legal act
Evidence
-
12.2. Cyber operations exercise 002
Requirements
Criteria: Military forces have conducted a cyber operations exercise or an exercise with a cyber operations component in the country in the last 3 years.
Accepted references: Exercise document/website or press release
Evidence
-
12.3. Participation in international cyber exercises 001
Requirements
Criteria: The country's military team has participated in an international cyber operations exercise in the last 3 years.
Accepted references: Exercise document/website or press release
Evidence
-
Information Disclaimer
The information provided on the NCSI website is based on publicly available evidence materials. The appearance in the index and subsequent ranking is commensurate to the existence and public availability of such information. The NCSI links to third party websites and information. The NCSI and eGA are not responsible for the accuracy or completeness of third party website information.