Three acronyms come up in every serious conversation about cybersecurity in Morocco: the DGSSI, Law 05-20 and the DNSSI. Many teams know them by name without knowing precisely who is covered, by what, and with which practical consequences. This guide puts the three in their place — the authority, the law, the directive — and answers the question that matters: what does this change for your organization, whether you sit inside the regulatory perimeter or not. As always, we stay on operational ground: qualifying your legal situation belongs to your counsel and to the texts, not to a blog post.
Who the DGSSI is — and who is actually in its perimeter
The DGSSI — Direction Générale de la Sécurité des Systèmes d’Information — is Morocco’s national authority for information systems security. It carries the State’s strategy on the matter, publishes the reference frameworks, and operates national-level monitoring and incident response, notably through maCERT.
The legal framework it animates was consolidated in two steps. Law 05-20 on cybersecurity, promulgated in 2020, sets the rules and measures meant to strengthen the security and resilience of the information systems of the State and of essential actors: state administrations, territorial collectivities, public establishments and enterprises, other public-law legal entities — and, decisively, vital infrastructure, whether public or private. Decree no. 2-21-406, adopted in 2021, specifies its application: it defines the protection measures expected of the entities in scope, including private operators that fall within it.
The practical consequence deserves to be stated plainly: if you are an “ordinary” private company, Law 05-20 probably does not target you directly. You enter its orbit mainly in two ways — by operating vital infrastructure, or by serving entities that are subject to it. We come back to this below, because that is where most readers of this guide actually sit.
The DNSSI in practice: one framework, classes, measures
The DNSSI — Directive Nationale de la Sécurité des Systèmes d’Information, whose current version was published by the DGSSI in 2023 — is the text that turns obligations into concrete measures. It is the “how” of the framework: where the law designates who must protect what, the directive describes what a properly protected information system must implement.
Two mechanisms structure the directive. First, a classification of information systems into three classes — A, B and C — according to their sensitivity: a system’s class determines how demanding the applicable measures are. Second, eleven security domains covering the full spectrum of a serious program, from governance and organization down to technical controls and incident management.
For a security team, the DNSSI therefore reads as a national requirements framework: classify your systems, walk the domains, identify the gaps, treat them in risk order. If you have worked with ISO 27001 or comparable frameworks, the approach will feel familiar — with one notable difference: this framework carries the authority of the Moroccan State.
Vital infrastructure: the audits are reserved to qualified providers
The most demanding regime in Law 05-20 targets vital infrastructure — organizations, public or private, whose disruption or compromise would affect essential functions of the country — and, among their systems, sensitive information systems.
For those systems, the law does not stop at requiring measures: it organizes their verification. The sensitive information systems of vital infrastructure are subject to audits conducted by the national authority or by audit providers it has qualified — audits that cover, among other things, organization, architecture, development and intrusion testing. The entity also designates an information systems security officer, responsible for the security policy and its follow-up.
Let us be as clear as the law: those reserved audits belong to DGSSI-qualified providers, and HackingByte does not hold that qualification and claims none. If you are vital infrastructure, your regulatory audit happens with a qualified provider — that is a fact, not a nuance. Our place in this landscape is upstream and around it: helping an organization know its gap against the directive before the audit that counts, hardening what needs hardening, and producing evidence that holds. We support that work; we do not replace it.
Not vital infrastructure? Why the DNSSI concerns you anyway
Most Moroccan companies are not vital infrastructure. Three reasons make the directive relevant to them all the same.
The first is contractual: if you provide services to the State, to a public establishment or to vital infrastructure — particularly digital services or access to their systems — your client’s security partly depends on yours, and the requirements travel down the chain. Supplier questionnaires and security clauses citing the national framework are already a reality in tenders.
The second is referential: the DNSSI is, in effect, the national yardstick of what a serious organization implements. When a partner, an insurer or a large Moroccan client evaluates your posture, it is the market’s most natural reading grid. Voluntarily aligning with its domains, in proportion to your risks, is rarely a bad investment.
The third is simply strategic: regulatory frameworks expand over time, rarely the reverse. Organizations that have already classified their systems and treated their gaps approach every perimeter extension — or every incident — with a head start.
Security officers, incidents and maCERT: the operating obligations
Beyond technical measures, the framework installs a way of operating. Entities in scope designate an information systems security officer — the person who carries the security policy, monitors its application and reports regularly on threats and incidents. And when a security incident occurs, entities in the perimeter declare it to the national authority, which operates the coordinated response through maCERT.
For teams, this means two capabilities to build before they are needed: detection — you cannot declare what you cannot see — and fast qualification, with usable logs and a known decision chain. That is exactly the kind of capability that can be tested: a simulated incident reveals in one day what an incident-management policy can spend years not saying.
Where to start: measure the gap before a third party does
Whether you are inside the regulatory perimeter or simply decided to align with the national framework, the reasonable sequence is the same — and it starts with an honest measurement of the gap.
Concretely: classify your systems by their real sensitivity; walk the directive’s domains against what exists; rank the gaps by risk rather than by convenience; then verify on the ground that the declared measures hold. That is the work we run as GRC advisory for the framework and governance side, as security assessments for the technical state of play, and as penetration testing when it comes to proving — evidence in hand — what actually gives way against an attacker. Together they produce what an audit, a client or an authority will ask for anyway: named gaps, defensible priorities, dated evidence.
Law 05-20, Law 09-08, GDPR: three regimes, one evidence program
A serious Moroccan organization rarely lives under a single text. Law 05-20 and the DNSSI look at the resilience of your systems; Law 09-08 and the CNDP look at the personal data you process; and the GDPR joins as soon as you serve people located in the EU. Three regimes, three authorities — but one common foundation: knowing what you operate and process, protecting it in proportion to the risk, and being able to prove it.
The practical consequence is the same as for personal-data compliance: one security program, documented once, feeds all three compliances. Inventory and classification, measures aligned on a framework, evidence that controls work, detection and response capability — each text draws from it what it requires. Organizations that build three parallel programs pay three times for the same work, done worse.
If a deadline is approaching — a tender citing the national framework, a supplier questionnaire, an audit to prepare — tell us what you are working with: a scoping call is enough to size the real work.
For an overview of our cybersecurity services in Morocco, see our Morocco page.
Frequently asked questions
What is the DGSSI?
The Direction Générale de la Sécurité des Systèmes d’Information is Morocco’s national cybersecurity authority. It carries the regulatory framework born of Law 05-20, publishes the DNSSI and the associated reference documents, and operates national incident response, notably via maCERT.
Who must apply the DNSSI?
The entities covered by Law 05-20 and its implementing texts: state administrations, territorial collectivities, public establishments and enterprises, other public-law legal entities, and vital infrastructure, public or private. Determining your precise situation belongs to the texts and to your counsel.
What is vital infrastructure?
An organization — public or private — whose systems’ unavailability or compromise would affect essential functions of the country. These infrastructures carry the framework’s most demanding obligations, particularly on their sensitive information systems.
Who may audit a sensitive information system?
Audits of the sensitive information systems of vital infrastructure are conducted by the national authority or by audit providers qualified by it. HackingByte does not hold that qualification and claims none — we work upstream, on readiness, the gap against the directive, and security evidence.
Does Law 05-20 apply to private companies?
Directly, mainly if they operate vital infrastructure; indirectly, as soon as they serve entities in the perimeter — through contractual requirements and supplier questionnaires. And even outside the perimeter, the DNSSI remains the most natural national framework for structuring a security program in Morocco.