Cybersecurity law in Morocco
September 1, 2021

By Mr. Med Taher SBIHI
The Internet is a virtual space that should normally be governed by prudential rules intended to protect computer networks, telecom networks and their users. This set of preventive rules, which can be likened to a cybersecurity law, is supposed to provide protection against cyber attacks. These attacks usually aim, deliberately or unintentionally, to harm natural and legal persons and sometimes even States.
With the increase in these computer attacks, the establishment of a specific cybersecurity law has become essential at the level of each country and also at the international level, because in most cases the cyber attacker does not reside in the same country as the victim of the attack. Likewise, the global dimension of the Internet complicates the application of classical law alone.
Because it is exposed to the phenomenon of cyber-attacks like all countries in the world, Morocco has put in place the first milestones in cyber law, as well as national cyber-security actions.
Proactive and chronological awareness by the Moroccan state
Among these high-profile measures, we can cite the ratification by the Moroccan parliament of the convention on cyber attacks adopted in November 2001 in Budapest. This is the first international treaty on computer and internet crimes.
We also note the adoption, almost 18 years ago, i.e. on November 11, 2003, of Law No. 07-03 on attacks on automated data processing systems.
This law is the first text in Moroccan law to deal with IT offenses and to punish breaches of IT systems. It provides, for example, a criminal regime for fraudulent access and for obstructing the operation of an automated system.
In 2011, Morocco also created entities responsible for setting up a whole legal and technical arsenal to ensure the security of information systems.
In 2012, Morocco had a National Cybersecurity Strategy and a National Information Systems Security Directive, applicable since 2014 to administrations and public bodies.
As part of the strengthening of the legal arsenal governing cybersecurity, the Moroccan government decided on May 15, 2014, via Decree No. 2-13-881, that all activities related to cryptography come under the auspices of the National Defense Administration (ADN) and more precisely of the General Direction of Information Systems Security.
Morocco had also created a computer incident alert and management center (MA-CERT) under the ADN, without forgetting the role of the National Telecommunications Regulatory Agency (ANRT), an agency working in close collaboration with Internet service providers and international organizations concerned with cybersecurity.
In 2016, ADN also drew up a decree setting out the system for the protection of sensitive information systems (SIS) of vital infrastructure. This text was completed by the drafting, in 2018, of a decree by the Head of Government setting the criteria for the approval of audit providers of SIS and the procedures for carrying out the audit.
Complete update of the legal arsenal
Cybersecurity law in Morocco has been deeply strengthened and updated by the implementation of Law No. 05-20 in July 2020 and Decree No. 2-21-406 taken for its application, which has just entered into force (publication in the Official Bulletin of August 9, 2021).
It should be remembered that this law aims to put in place an appropriate legal framework recommending to the entities concerned a minimum set of rules and security measures in order to ensure the reliability and resilience of their Information Systems.
It also aims to develop digital trust, digitize the economy and more generally ensure the continuity of economic and societal activities in our country. The ultimate goal is to promote the development of a National cybersecurity ecosystem.
The Purpose of Law 05-20
This law provides in particular:
the rules and security provisions applicable, on the one hand, to the information systems of State administrations, local authorities, public administrations and companies, and any other legal entity governed by public law and, on the other hand, to infrastructures of vital importance;
the security rules and provisions applicable to operators of public telecommunications networks, Internet service providers, cybersecurity service providers, digital service providers and Internet platform publishers;
the national cybersecurity governance framework;
the framework for collaboration and exchange of information between the national cybersecurity authority and the relevant state services responsible for handling offenses against automated data processing systems;
the support provided by the national authority of cybersecurity to the appropriate national bodies for the strengthening of digital trust, the development of digital services provided by the State and the protection of personal data;
the powers of the national authority of cybersecurity, particularly in terms of developing national expertise, raising awareness in the field of cybersecurity and strengthening cooperation with national and foreign organizations.
As for the aforementioned Decree No. 2-21-406, taken for the application of Law No. 05-20, its purpose is to define the framework that makes it possible to guarantee the secure use of the digital space, to manage cyber threats and, ultimately, to strengthen digital trust. It aims to define the measures to protect the information systems of the entities covered by the law and of private operators.
Thus, the text provides for the establishment of two governance bodies:
1 / The “National Cyber Security Authority”, which has been entrusted with the implementation of the State’s strategy in this area. According to the decree, the National Defense Administration (General Direction of Information Systems Security – DGSSI) is designated as the national cybersecurity authority.
2 / The “Cybersecurity Strategy Committee”, responsible for establishing a framework defining the responsibilities of members and measures relating to crisis management and the modalities of communication and exchange of information.
With regard to measures to protect the security of public sector information systems, the decree entrusts the government authority responsible for the National Defense Administration with the task of:
Defining national guidelines for the security of information systems and establishing organizational and technical rules which must be applied by the aforementioned concerned entities;
Setting up technical tools on the public communications networks and the networks of internet service providers exclusively, with a view to detecting events likely to influence the security of the information systems of the customers of operators, entities and infrastructures of vital importance. In addition, the authority is charged with taking the necessary protective measures to preserve and neutralize the effects of threats or offenses affecting the information systems of these customers.
Also, with a view to strengthening national cybersecurity, this decree established a qualification system for cybersecurity providers in the areas of incident detection, analysis, investigation and reaction to these incidents. This text also defines the conditions to be met for obtaining this qualification.
Finally, sensitive information systems of vital infrastructure are subject to an audit by the national authority or qualified audit providers.
Cyber security training
As the application of the law requires qualified personnel with advanced skills, capable of analyzing and understanding advanced techniques in cybersecurity, training has been planned at the level of technical universities and engineering schools such as the National Institute of Post and Telecommunications (INPT) of Rabat. These training courses are expected to expand to magistrates’ training institutes and law universities.
By way of illustration, a Moroccan court was recently unable to rule in a case dealing with the electronic signature (Law No. 53-05 relating to the electronic exchange of legal data), in the absence of a sworn expert in this field. The success of cybersecurity actions also depends on raising awareness and establishing a culture in this area, both within the public administration and at the level of all companies.
Outlook
In order to complete its cybersecurity system, it remains for Morocco, after its reintegration into the Organization of the African Union on January 30, 2017, to round out this inclusive computer security system by ratifying the African convention of Malabo on cybersecurity and personal data protection, adopted on June 27, 2014.
By Mr. Med Taher SBIHI, Graduate of the Faculty of Law and Economics in Rabat and of the higher education management program of ISCAE in Casablanca