Skip to main content
Scoping call

Practical guide

Financial-sector cybersecurity in Morocco: Bank Al-Maghrib and the DGSSI

Financial-sector cybersecurity in Morocco — two regulators (Bank Al-Maghrib, DGSSI), one duty: test.

No sector is under as much cyber pressure as finance. A Moroccan bank, payment institution or insurer does not only answer to the national DGSSI framework: it also answers to its sector regulator, which sets its own security requirements. For credit institutions, that regulator is Bank Al-Maghrib — and its cyber directive has a rare feature: it makes penetration testing mandatory.

This guide explains the two-tier framework that applies to the financial sector, what Bank Al-Maghrib’s Directive 3/W/2016 requires, the role of CERT-BAM, and what it all means for a security team. It complements our DGSSI / Law 05-20 guide, which covers the national framework. As always, the legal qualification of your situation belongs to your counsel.

A two-tier framework

Direct answer: a Moroccan financial institution carries two levels of cyber obligation — the national framework and the sector framework.

Morocco’s financial-sector cyber framework: a national tier (DGSSI, Law 05-20, DNSSI, maCERT) and a sector tier (Bank Al-Maghrib, Directive 3/W/2016, CERT-BAM), with the ACAPS adding to it for insurers.

The first tier is national: Law 05-20, the DGSSI reference frameworks and the DNSSI apply to administrations, the operators in scope and vital infrastructure — a category that often includes large financial institutions. The second tier is sectoral: the sector regulator adds its own rules. For credit and payment institutions, that is Bank Al-Maghrib; for insurers and mutual funds, the ACAPS. The two tiers stack: complying with one does not exempt you from the other.

Bank Al-Maghrib’s Directive 3/W/2016: what it requires

Direct answer: Directive no. 3/W/2016 sets the minimum rules credit institutions must observe to conduct penetration tests of their information systems — and makes those tests mandatory.

Issued in 2016, the directive is specifically about penetration testing: it sets the minimum rules credit institutions must follow to conduct these tests, and expects a regular program — at least annual — whose results are reported to Bank Al-Maghrib. It is narrower than a general IT-security rulebook, and that is the point: it singles testing out and makes it a supervised obligation. For a bank, penetration testing stops being an optional good practice: it is a supervisory expectation, verifiable and recurring.

Penetration testing — a duty, not an option

Direct answer: for a credit institution, a regular penetration-testing program is not a security “nice to have,” it is a prudential requirement.

This is what sets finance apart from the rest of the economy. Elsewhere, a penetration test answers a client, an ISO 27001 audit or an internal doubt; in banking, it also answers the regulator. A compliant program means deliberate coverage (external, internal, applications and APIs, cloud), an at-least-annual cadence, reproducible findings, prioritization by impact, a retest of the fixes — and a usable trail for reporting to the supervisor. A scanner export does not fill that role; a test run by practitioners does.

CERT-BAM: the banking sector’s incident response

Direct answer: the banking sector has its own incident-response centre, CERT-BAM, distinct from the national maCERT.

Bank Al-Maghrib operates CERT-BAM, the monitoring, detection and incident-response centre dedicated to the financial sector. Where the maCERT (attached to the DGSSI) coordinates response at the national level, CERT-BAM plays that role for the institutions supervised by the central bank — threat-intelligence sharing, sector alerts, incident coordination. For a banking security team, that adds a counterpart and a reporting channel to know before you need it.

Beyond banks: payments and insurance

Direct answer: the sector logic extends to payment institutions (under Bank Al-Maghrib) and insurers (under the ACAPS).

Payment institutions, also supervised by Bank Al-Maghrib, sit on the same trajectory of requirements. Insurance companies and mutual funds fall under the ACAPS, which is pushing the sector toward stronger cyber-risk governance. The direction is common to all of Moroccan finance: demonstrable security measures, regular testing, a detection and response capability — carried no longer by good sense alone, but by the supervisor.

How HackingByte helps

Our work answers directly what the supervisor expects. We run the penetration testing that Directive 3/W/2016 calls for — external, internal, web and API — to international standards (PTES, MITRE ATT&CK, OWASP), with reproducible findings and reporting usable before a regulator. Our security assessments and GRC advisory structure the annual program and the governance expected. One point of honesty: any regulatory audit reserved to DGSSI-qualified providers for the sensitive systems of vital infrastructure belongs to those providers — we work on penetration testing and offensive security, not the reserved audit. And we do not provide legal advice: interpreting the directive belongs to your compliance function and your counsel.

Where to start

If you are a financial institution — bank, payment institution, insurer — the question is not whether you test, but how you build a program that satisfies the supervisor and reveals the real risk. A scoping call is enough to define the coverage and cadence.

Request a scoping call · See penetration testing

Frequently asked questions

What does Bank Al-Maghrib’s Directive 3/W/2016 require?

It sets the minimum rules credit institutions must follow to conduct penetration tests of their information systems, and expects a regular program — at least annual — whose results are reported to Bank Al-Maghrib. It is the directive that makes penetration testing a supervised obligation for banks.

Must Moroccan banks run penetration tests?

Yes. For credit institutions, penetration testing is a supervisory requirement (Directive 3/W/2016), not merely a good practice: it sits within a regular, at-least-annual program.

What is CERT-BAM?

Bank Al-Maghrib’s monitoring, detection and incident-response centre, dedicated to the financial sector. It complements, for institutions supervised by the central bank, the national maCERT attached to the DGSSI.

Does this stack on top of Law 05-20 and the DGSSI?

Yes. The framework is two-tier: the national framework (Law 05-20, DGSSI, DNSSI) applies, and Bank Al-Maghrib’s sector requirements add to it. A financial institution must hold both.

Are payment institutions and insurers concerned?

Payment institutions are supervised by Bank Al-Maghrib and follow the same trajectory. Insurers and mutual funds fall under the ACAPS, which is strengthening cyber-risk governance expectations.

Can HackingByte run the required tests?

Yes — we run the penetration tests and security assessments expected, to international standards, with usable reporting. Audits reserved to DGSSI-qualified providers (sensitive systems of vital infrastructure) belong instead to those providers.

Read also: DGSSI, Law 05-20 and the DNSSI: the guide. Operating in Morocco? See how we work: Cybersecurity in Morocco.

All posts