Is Your Organization Ready for Morocco’s 2026 Cloud Compliance Turning Point?
High-profile incidents
Including the massive data breaches attributed to the “Jabaroot” group targeting strategic national institutions such as CNSS and ANCFCC — exposed a hard truth:data security can no longer rely on trust alone.
In response to this crisis of confidence and the urgent need to safeguard critical infrastructure, the Moroccan State — through the Direction Générale de la Sécurité des Systèmes d'Information (DGSSI) — has enacted a strict national Cloud qualification framework governing all Cloud service providers operating with entities of vital importance.
The Countdown Has Begun: What the DGSSI Cloud Framework Requires
This new regulatory framework (Government Decree No. 3-17-25) is not a recommendation — it is a binding legal obligation for any Cloud provider serving critical sectors.
What the DGSSI Cloud Framework Requires
Demand compliance from your Cloud providers — or rethink your Cloud strategy immediately.
Below are the non-negotiable requirements imposed by the framework:
Requirement | Risk in Case of Non-Compliance | Immediate Action |
|---|---|---|
Data Localization | Loss of digital sovereignty and exposure to foreign jurisdictions for sensitive data. | Verify that your provider guarantees data hosting in Morocco for “Level 2” critical workloads. |
Encryption & Access Control | Direct vulnerability to data breaches and unauthorized access. | Require end-to-end encryption and multi-factor authentication (MFA). |
DGSSI Qualification | Engagement with unaudited and potentially non-resilient providers. | Ensure your Cloud provider is actively engaged in the DGSSI qualification process. |
Risk & Continuity Management | Inability to respond effectively to major cyber incidents. | Integrate business continuity and incident response requirements into contractual agreements.
|
Compliance is now a strategic governance issue — not merely a technical IT matter.
One of the most costly cybersecurity misconceptions is assuming that the Cloud provider is fully responsible for security. The DGSSI framework reinforces the principle of shared responsibility, and ignorance is no longer a valid defense.
Service Model | Provider Secures (Infrastructure Layer) | You Secure (Data & Applications Layer) |
|---|---|---|
IaaS (Infrastructure as a Service) | Physical infrastructure, network, storage | Operating systems, applications, data |
PaaS (Platform as a Service) | Infrastructure and runtime environment | Application security, data protection, configuration |
SaaS (Software as a Service) | Application, infrastructure, environment | User access management and data governance |
Your organization remains accountable for securing what it places in the Cloud.
The new framework elevates this responsibility from best practice to regulatory obligation.
This regulatory shift represents a pivotal opportunity to professionalize your cybersecurity posture.
Organizations that align early with DGSSI Cloud qualification standards will gain:
Enhanced stakeholder trust
Stronger digital resilience
Competitive advantage in regulated markets
Improved governance and risk management maturity
Conversely, delayed compliance exposes businesses to:
Escalating cyber threats
Legal and regulatory sanctions
Reputational damage
Loss of strategic partnerships
Immediate action is imperative.
Conduct a comprehensive Cloud security assessment, formally request your provider’s DGSSI qualification roadmap, and reinforce your application and data protection architecture.
The 2026 compliance deadline is not a distant milestone — it is a strategic inflection point.
References
Infomédiaire – 21 million cyberattacks detected in Morocco in H1 2025.
Le Matin – Morocco ranked third in Africa among countries targeted by state-sponsored cyberattacks.
CybelAngel – Investigation of the CNSS Data Leak (Flash Report).
CybelAngel – Investigation of the ANCFCC Data Leak (Flash Report).
Le360 – Morocco adopts strict Cloud provider qualification framework.
Is Your Organization Ready for Morocco’s 2026 Cloud Compliance Turning Point?
Is Your Organization Ready for Morocco’s 2026 Cloud Compliance Turning Point?
Is Your Organization Ready for Morocco’s 2026 Cloud Compliance Turning Point?
Is Your Organization Ready for Morocco’s 2026 Cloud Compliance Turning Point?
Is Your Organization Ready for Morocco’s 2026 Cloud Compliance Turning Point?
Is Your Organization Ready for Morocco’s 2026 Cloud Compliance Turning Point?
Learn how we can help you achieve similar results with a customized digital transformation strategy.
