DGSSI Compliance

By admin , 10 March 2026
Image
Teal

Cybersecurity Alert

Listing Image
Teal
Article Body
Title

High-profile incidents

Description

Including the massive data breaches attributed to the “Jabaroot” group targeting strategic national institutions such as CNSS and ANCFCC — exposed a hard truth:data security can no longer rely on trust alone.

 

In response to this crisis of confidence and the urgent need to safeguard critical infrastructure, the Moroccan State — through the Direction Générale de la Sécurité des Systèmes d'Information (DGSSI) — has enacted a strict national Cloud qualification framework governing all Cloud service providers operating with entities of vital importance.

 

The Countdown Has Begun: What the DGSSI Cloud Framework Requires

This new regulatory framework (Government Decree No. 3-17-25) is not a recommendation — it is a binding legal obligation for any Cloud provider serving critical sectors.

Image
Teal
Title

What the DGSSI Cloud Framework Requires

Items
Description

Demand compliance from your Cloud providers — or rethink your Cloud strategy immediately.

Below are the non-negotiable requirements imposed by the framework:

Requirement

Risk in Case of Non-Compliance

Immediate Action

Data Localization

Loss of digital sovereignty and exposure to foreign jurisdictions for sensitive data.

Verify that your provider guarantees data hosting in Morocco for “Level 2” critical workloads.

Encryption & Access Control

Direct vulnerability to data breaches and unauthorized access.

Require end-to-end encryption and multi-factor authentication (MFA).

DGSSI Qualification

Engagement with unaudited and potentially non-resilient providers.

Ensure your Cloud provider is actively engaged in the DGSSI qualification process.

Risk & Continuity Management

Inability to respond effectively to major cyber incidents.

Integrate business continuity and incident response requirements into contractual agreements.

 

 

Compliance is now a strategic governance issue — not merely a technical IT matter.

Title
For enterprises leveraging Cloud infrastructure, the message is clear:
Layout
Full Width
Description

One of the most costly cybersecurity misconceptions is assuming that the Cloud provider is fully responsible for security. The DGSSI framework reinforces the principle of shared responsibility, and ignorance is no longer a valid defense.

Service Model

Provider Secures (Infrastructure Layer)

You Secure (Data & Applications Layer)

IaaS (Infrastructure as a Service)

Physical infrastructure, network, storage

Operating systems, applications, data

PaaS (Platform as a Service)

Infrastructure and runtime environment

Application security, data protection, configuration

SaaS (Software as a Service)

Application, infrastructure, environment

User access management and data governance

 

Your organization remains accountable for securing what it places in the Cloud.

The new framework elevates this responsibility from best practice to regulatory obligation.

Title
Clarifying the Shared Responsibility Model: Who Secures What?
Layout
Full Width
Description

This regulatory shift represents a pivotal opportunity to professionalize your cybersecurity posture.

Organizations that align early with DGSSI Cloud qualification standards will gain:

  • Enhanced stakeholder trust

  • Stronger digital resilience

  • Competitive advantage in regulated markets

  • Improved governance and risk management maturity

 

Conversely, delayed compliance exposes businesses to:

  • Escalating cyber threats

  • Legal and regulatory sanctions

  • Reputational damage

  • Loss of strategic partnerships

Title
2026: The Year of Compliance — or the Year of Exposure?
Pillars Wysiwyg

References

Infomédiaire – 21 million cyberattacks detected in Morocco in H1 2025.

Le Matin – Morocco ranked third in Africa among countries targeted by state-sponsored cyberattacks.

CybelAngel – Investigation of the CNSS Data Leak (Flash Report).

CybelAngel – Investigation of the ANCFCC Data Leak (Flash Report).

Le360 – Morocco adopts strict Cloud provider qualification framework.

Text

Immediate action is imperative.

Conduct a comprehensive Cloud security assessment, formally request your provider’s DGSSI qualification roadmap, and reinforce your application and data protection architecture.

The 2026 compliance deadline is not a distant milestone — it is a strategic inflection point.

Overline
Conclusion
Sector
Artificial Intelligence
Read Time
10min

Tags

Formatted Title

Is Your Organization Ready for Morocco’s 2026 Cloud Compliance Turning Point?

Text

INTRODUCTION 
 

The time for wait-and-see strategies is over: Morocco’s new DGSSI Cloud regulatory framework mandates immediate compliance.

2025 marked a decisive wake-up call for Morocco’s IT ecosystem. With over 21 million cyberattacks detected in the first half of the year, and Morocco ranking as the third most targeted African country by state-sponsored cyberattacks, the threat landscape has shifted from theoretical to critical.

Contributors
Image
Yassine Bassam
Name
Yassine Bassam
LinkedIn Profile
https://www.linkedin.com/company/teal-technology-services/
Contributors Section Title
Contributor
Inroduction Section Title
INTRODUCTION 
Article Date
DGSSI Compliance