In an effort to accelerate the digital transformation of our country and boost the growth of the national digital sector, promoting the use of Cloud technologies has been placed at the center of the new national strategy. As part of this strategy, the aim is to highlight the adoption of Cloud technologies and encourage administrations, public institutions and enterprises, local authorities, and other economic actors to utilize this technology when outsourcing their information systems.
This strategic approach is justified by the numerous advantages and opportunities offered by Cloud technology. With its transformative impact, the Cloud provides flexible access to computing resources, reduces infrastructure costs, allows rapid scalability, facilitates remote collaboration, and delivers value-added services such as data backup, analysis, and security.
The shift toward Cloud usage will undoubtedly lead entities and critical infrastructures to carefully evaluate criteria for selecting and comparing service offerings based on the specific requirements and sensitivity of their information systems, as well as the approach needed to manage security risks.
To this end, the General Directorate for Information Systems Security (DGSSI), acting under High Royal Instructions, has drafted a decree regulating the use of Cloud services by entities and critical infrastructures handling sensitive information systems. This includes the establishment of a qualification framework for Cloud service providers.
Managers of these entities and infrastructures are reminded that, under the provisions of Law 05-20 and its implementing decree, they are required to take the necessary measures to protect their information assets and systems based on their level of sensitivity, in accordance with the guidelines and standards published by the DGSSI. Furthermore, Article 25 of the aforementioned Law 05-20 mandates that these managers must also use services, products, or solutions defined by the national authority to enhance security functions.
In compliance with these provisions, this decree establishes a qualification framework for Cloud service providers and sets out rules for selecting these providers when the management of sensitive information systems and data, as defined under Law No. 05-20, is entrusted to them.
From a cybersecurity perspective, this framework will enable contracting authorities to obtain guarantees regarding the competence of providers and their personnel, the quality of the technical, organizational, and security measures implemented, and the overall trustworthiness of the service providers.
The qualification framework, based on a set of requirements, is structured around two levels of certification. When managers of entities and critical infrastructures use Cloud services to host, manage, or operate, in part or in full, their sensitive information systems, they must engage Level 1 certified providers. These providers must be established as companies under Moroccan law and must also deploy all their operational and administrative systems within the national territory.
The purpose of this first level of certification is to enable the country to exercise its jurisdiction, particularly in cybersecurity matters, and to oversee the activities of Cloud providers handling sensitive information systems.
The second level of certification imposes additional legal and technical requirements. It is required when processing, managing, or storing sensitive data, as defined under Law 05-20. The objective is to ensure that such sensitive data, given its confidentiality, is processed exclusively on infrastructures controlled by companies subject solely to national laws, thus avoiding exposure to extraterritorial jurisdiction.
Finally, taking into account the current maturity level of the national Cloud services ecosystem and the fact that the necessary market offerings to meet all needs may take time to develop, a transitional measure has been introduced. This measure allows entities and critical infrastructures, in the absence of a qualified national Cloud service provider, to use non-qualified providers. However, under the cybersecurity law's approval process, decisions to adopt Cloud solutions must be made by the highest authority within the entity or critical infrastructure. These decisions must be supported by an impact assessment (covering business and legal implications) as well as a risk analysis to evaluate the consequences of Cloud adoption on system security and, if applicable, the confidentiality of sensitive data.
DGSSI 2025. All rights reserved.