DECREE NO. 2-24-921 ON THE USE OF CLOUD SERVICE PROVIDERS BY ENTITIES AND CRITICAL INFRASTRUCTURES HANDLING INFORMATION SYSTEMS OR SENSITIVE DATA

In order to accelerate the digital transformation of our country and stimulate the growth of the national digital sector, the promotion of Cloud technology adoption has been placed at the core of the new national strategy. As part of this strategy, the aim is to encourage the use of Cloud technologies and to prompt administrations, public institutions and enterprises, local authorities, as well as all other economic actors, to adopt this technology when outsourcing their information systems.

This strategic direction is justified by the numerous advantages and opportunities offered by Cloud technology. With its transformative impact, Cloud technology provides flexible access to computing resources, reduces infrastructure costs, enables rapid scalability, facilitates remote collaboration, and offers value-added services such as data backup, analysis, and security.

The shift toward Cloud usage will inevitably require entities and critical infrastructures to carefully consider the criteria for selecting and evaluating Cloud service offerings based on the specific requirements and sensitivity of their information systems. It will also necessitate adopting a risk management approach to address security concerns.

To this end, the General Directorate for Information Systems Security (DGSSI), acting under High Royal Instructions, has drafted a decree governing the use of Cloud services by entities and critical infrastructures handling sensitive information systems. This includes the establishment of a qualification framework for Cloud service providers.

It is important to recall that the managers of these entities and infrastructures are required, under the provisions of Law 05-20 and its implementing decree, to take the necessary measures to protect their information assets and systems, in accordance with their level of sensitivity and the guidelines issued by the DGSSI. Furthermore, Article 25 of the aforementioned Law 05-20 stipulates that these managers must also use services, products, or solutions approved by the national authority to enhance security functions.

In alignment with these provisions, this decree proposes a qualification framework for Cloud service providers and defines the criteria for selecting providers entrusted with managing sensitive information systems and data, as defined by Law 05-20.

From a cybersecurity perspective, this framework ensures that contracting authorities can rely on providers with verified expertise, robust technical, organizational, and security measures, and a high level of trustworthiness.

The qualification framework, structured around two levels of certification, is based on a set of stringent requirements. When managers of critical entities and infrastructures rely on Cloud services to host, manage, or operate, in part or in full, their sensitive information systems, they are required to engage Level 1 certified providers. These providers must be incorporated under Moroccan law and must deploy their operational and administrative systems entirely within the national territory.

The purpose of this first level of certification is to enable the country to exercise its jurisdiction, particularly in cybersecurity matters, and to oversee the activities of Cloud providers handling sensitive information systems.

The second level of certification imposes additional legal and technical requirements. It applies when processing, managing, or storing sensitive data, as defined under Law 05-20. The objective is to ensure that such sensitive data, given its confidentiality, is processed exclusively on infrastructures controlled by companies subject solely to national laws, thus avoiding exposure to extraterritorial jurisdiction.

Finally, to account for the current maturity level of the national Cloud services ecosystem and the fact that the necessary market offerings to meet all needs may take time to develop, a transitional measure has been introduced. This measure allows critical entities and infrastructures, in the absence of a qualified national Cloud service provider, to use non-qualified providers. However, under the cybersecurity law's approval process, decisions to adopt Cloud solutions must be made by the highest authority within the entity or critical infrastructure. These decisions must be supported by an impact assessment—covering business and legal implications—as well as a risk analysis to evaluate the consequences of Cloud adoption on system security and, if applicable, the confidentiality of sensitive data.
