In August 2025, the Head of Government signed a decree that marks a turning point for cloud computing in Morocco. This decree, published in Official Gazette No. 7432, establishes a specific set of qualification standards for all cloud service providers working with sensitive entities. In practical terms, it translates the obligations of Decree No. 2-24-921 of October 2024 into measurable technical and organizational requirements.
For affected companies, choosing an unqualified cloud service provider is no longer an option. Here’s what this framework covers and how it will affect you in 2026.
To understand the basics of the sovereign cloud and its benefits, start by reading our comprehensive guide to the sovereign cloud in Morocco.
Key Takeaways
- Decree No. 3-17-25 of August 1, 2025 establishes an official qualification framework for cloud service providers.
- It applies to critical entities and infrastructure that hold sensitive data.
- Two levels of qualification: Level 1 (standard) and Level 2 (full sovereignty over Moroccan territory).
- The DGSSI is the authority responsible for reviewing and issuing the certification.
- The framework covers more than 15 areas: encryption, access control, data localization, incident management, audits, and service agreements.
- Every qualified service provider is subject to at least one annual audit conducted by a qualified auditor.
What is the legal framework behind this standard?
This framework did not come out of nowhere. It is part of a legal system that has been developed over several years.
From Law 05-20 to the 2024 Cloud Decree
Law No. 05-20 on cybersecurity, adopted in 2020, entrusted the DGSSI (General Directorate for Information Systems Security) with the mission of protecting critical information systems. In October 2024, Decree No. 2-24-921 specified the conditions under which sensitive entities may use the cloud. The order of August 1, 2025, completed the framework. It defines the specific requirements that each service provider must meet to obtain its cloud certification.
Who is subject to this requirement?
The legislation applies to critical infrastructure entities and facilities that maintain sensitive information or data systems. In practice, this includes government agencies, public institutions, telecommunications providers, banks, and strategic companies. Any such entity that outsources its data to the cloud must use a service provider certified by the DGSSI.
SMEs that do not fall into this category are not directly subject to the requirement. However, they may choose a qualified service provider to enhance their credibility and security posture.
An explanation of the two qualification levels
The framework distinguishes between two levels. The choice of level depends on the sensitivity of the data and the degree of sovereignty required.
Level 1: Standard qualification with strict supervision
Level 1 requires compliance with all technical and organizational requirements of the framework. The service provider may perform certain support operations from abroad. These remote operations must then be conducted via a secure gateway (relay station). An authorized individual, who has passed the framework’s security checks, must supervise each action in real time from Morocco.
Level 2: Data and administration exclusively in Morocco
Level 2 imposes strict requirements. Sensitive data must be stored, processed, and managed exclusively within Moroccan territory. Encryption keys remain under the sole control of the client (the “principal” in the text). Technical data (administrator identities, logs, certificates, access configurations) must also reside in Morocco, without exception. In the event of a security incident, the Level 2 service provider must rely solely on a qualified incident response provider.
Comparison of the two levels
| Criterion | Level 1 | Level 2 |
|---|---|---|
| Sensitive data | Hosted under the service agreement | Exclusively in Morocco |
| Technical data (administrator identities, logs, certificates, access configurations) | In Morocco (recommended) | In Morocco (mandatory and exclusive) |
| Remote support | Available via a secure gateway | Possible with strict oversight |
| Encryption keys | Managed by the service provider | Known only to the customer |
| Service administration | From Morocco or abroad (supervised) | From Moroccan territory |
| Incident response | Documented procedure | Qualified incident response provider (required) |
| DGSSI audit | Yes, at least annual | Yes, at least annual |
Key technical requirements of the standard
The framework covers more than 15 areas. Here are the key points companies should check with their service provider.
Encryption and Key Management
The service provider must encrypt data in transit and at rest. The protocols used must be up to date and comply with international standards. For Level 2, the private keys used to encrypt stored data must be known only to the customer. The service provider must also implement a complete key lifecycle: generation, distribution, storage, revocation, and secure destruction. Passwords are stored only in salted hash form.
Access Control and Multi-Factor Authentication
Access control is based on the principle of least privilege. Permissions are reviewed annually. The service provider’s and the client’s administrative interfaces are strictly separated. Multi-factor authentication is required for all access to administrative interfaces. The service provider’s administrative accounts must never be reachable from a public network.
Data Location and Service Agreement
The service provider must inform the customer of the exact location where their data is stored and processed. For Level 2, no exceptions are permitted: all data must remain within Moroccan territory.
Each service is governed by a service agreement subject to Moroccan law. This agreement specifies the responsibilities of each party. It includes a reversibility clause and allows the client to terminate the agreement without penalty if the service provider loses its qualification. The service provider must also provide, upon request, information regarding the risks associated with the exposure of data to foreign legislation.
Audits, Incidents, and Business Continuity
The service provider must establish a three-year audit plan. At least one audit per year must be conducted by a qualified audit firm. The DGSSI may also audit the service at any time.
Incident management follows a documented procedure. The service provider immediately notifies the customer and the relevant authorities. The customer may select the severity levels for which they wish to be notified. A business continuity plan and regular backups are mandatory. Backups are subject to the same security requirements as the primary site.
Physical Security of Data Centers
The guidelines require that the premises be organized into three types of zones: public, private, and sensitive. Sensitive zones are exclusively dedicated to housing the production information system. Access to these zones is individually controlled, tracked, and logged for at least three months. Protective measures against fire, water leaks, and power outages (such as UPS systems and generators) are mandatory.
The Qualification Process in Practice
The qualification process consists of four stages, in accordance with Articles 6 through 10 of Decree No. 2-24-921.
1. The service provider submits a qualification application to the DGSSI. The templates are published on the website of the national cybersecurity authority.
2. The DGSSI reviews the application. It may request additional documents regarding the articles of incorporation, the identities of the partners, the individuals involved in management, or references.
3. The service provider undergoes the technical and organizational audits required by the standards.
4. The certification is granted (or denied). The certified service provider must indicate its status in each service agreement.
The guidelines also specify that IaaS, PaaS, and SaaS services are covered. Traditional external hosting services (dedicated or shared) are treated as IaaS services. Only colocation is excluded from the scope.
What businesses need to do right now
If your organization handles sensitive data or operates critical infrastructure, here are the steps you should take.
- Verify that your current cloud service provider is certified by the DGSSI or in the process of obtaining certification.
- Determine the certification level appropriate for the sensitivity of your data.
- Review your service agreement: it must comply with the framework (Moroccan law, reversibility clause, specified location).
- Insist on transparency regarding the location of data centers, encryption mechanisms, and incident response procedures.
This framework represents a major step forward for the Moroccan cloud ecosystem. It establishes clear and verifiable requirements for the protection of data hosted in the cloud.
FAQ
What is the Moroccan Cloud Qualification Framework?
This is a set of technical and organizational requirements established by Order No. 3-17-25 of August 1, 2025. It defines the criteria that cloud service providers must meet to obtain certification from the DGSSI. It covers security, encryption, access control, data localization, audits, and business continuity.
What is the difference between Level 1 and Level 2 certification?
Level 1 allows certain operations to be conducted from abroad, subject to strict oversight via a secure gateway. Level 2 requires that all sensitive and technical data be stored, processed, and managed exclusively within Moroccan territory. Encryption keys remain under the sole control of the customer.
What types of cloud services are covered by the framework?
The framework covers IaaS, PaaS, and SaaS services. It also treats traditional external hosting (dedicated or shared) as IaaS services. Only colocation is excluded from the scope.
How can you verify that a cloud service provider is qualified?
The DGSSI publishes information regarding certification on its website. The service provider must indicate its status as a certified provider and include the certification in the service agreement signed with you.
Does this framework apply to small and medium-sized enterprises?
Not directly. The requirement applies to critical entities and those that handle sensitive data. SMEs that do not fall into this category may voluntarily choose a qualified service provider to enhance their compliance and security.
Source: Decree of the Head of Government No. 3-17-25 of 7 Safar 1447 (August 1, 2025), published in the Official Gazette No. 7432 of August 21, 2025.
Ismail E.
SEO Expert
Ismail oversees SEO at NindoHost, working on expanding online visibility across African hosting markets. He creates clear, actionable tutorials and guides that help users navigate web hosting at every stage of their website journey.