In Morocco, any company that collects or processes personal data — customers, employees, prospects, suppliers — falls within the scope of law no. 09-08 on the protection of individuals with regard to the processing of personal data. This framework, overseen by the CNDP (the National Commission for the Control of Personal Data Protection), imposes concrete obligations that many organisations still underestimate. Yet legal compliance and cybersecurity go hand in hand: you cannot protect data through mere administrative formalities, and you cannot become compliant without genuinely securing your information systems. This article offers a clear, educational overview of what law 09-08 means for your business and of the approach to follow in order to achieve lasting compliance.
Why cybersecurity has become a strategic issue for Moroccan businesses
The digital transformation of Moroccan businesses has accelerated: electronic invoicing, CRM, business applications, e-commerce sites, remote working. Each of these uses multiplies the personal data collected and the potential entry points for attackers. A leak of customer data, a ransomware attack that paralyses production, or unauthorised access to HR files are no longer theoretical scenarios: they are operational risks affecting organisations of every size, including SMEs.
Beyond the technical risk, there is a legal and reputational risk. Processing personal data without complying with the legal framework exposes the business to penalties, and a poorly managed security incident lastingly erodes the trust of customers and partners. Investing in cybersecurity in Morocco is therefore no longer an option reserved for large groups: it is a condition for survival, and compliance with law 09-08 is its regulatory foundation.
Law 09-08 and the CNDP: Morocco's data protection framework
Morocco has its own legal framework for personal data: law no. 09-08. It governs the collection, processing, retention and transfer of personal data, that is, any information that makes it possible to identify a natural person directly or indirectly: name, telephone number, email, national ID card (CIN), banking data, location data, video surveillance images, and so on.
The authority responsible for enforcing this law is the CNDP, the National Commission for the Control of Personal Data Protection. Businesses complete their prior formalities with this Commission, and it is the body that can inspect data processing operations and receive complaints from the individuals concerned. An important point for executives and IT directors: the framework applicable in Morocco is law 09-08, under the oversight of the CNDP. Companies that work with European partners may face additional contractual requirements, but their compliance in Morocco is built first and foremost on law 09-08.
Your obligations: prior formalities with the CNDP
The central principle of law 09-08 is that personal data processing cannot be improvised: it must be declared to the CNDP before being implemented, and certain processing operations deemed more sensitive are subject to a prior authorisation regime rather than a simple declaration. In practical terms, the business must inventory its processing operations — customer management, personnel management, video surveillance, commercial prospecting, for example — and then complete the appropriate formality for each one with the Commission.
Beyond the formalities, the law sets out substantive principles that every processing operation must respect. Compliance with law 09-08 is therefore not a file that you submit once and for all: it is an ongoing discipline that must be reviewed with every new project involving personal data (a new application, a new service provider, a new collection channel).
- Inventory all of the company's personal data processing operations (customers, HR, marketing, video surveillance, etc.)
- Submit the prior declarations to the CNDP, or request an authorisation for the processing operations that require one
- Collect data for specified, legitimate and explicit purposes, without reusing it for other ends
- Limit collection to the data genuinely necessary and set appropriate retention periods
- Inform the individuals concerned and obtain their consent where the law requires it
- Establish a legal framework for subcontractors and any data transfers abroad
Individuals' rights: what your customers and employees can demand
Law 09-08 grants the individuals whose data is processed rights that they can exercise directly with your business: a right to information about the use made of their data, a right of access, a right to rectification of inaccurate data, and a right to object, in particular to commercial prospecting. In the event of difficulty, these individuals can also refer the matter to the CNDP.
For an executive or an IT director, this means being organised enough to respond: knowing where a given person's data is held, being able to correct it or stop using it, and tracking these requests. Information notices on forms, an internal procedure for handling requests, an identified point of contact: these simple measures make the difference between a company that endures compliance and a company that turns it into an argument for trust with its customers.
Securing data: the obligation that links law 09-08 and cybersecurity
Law 09-08 requires the data controller to guarantee the security and confidentiality of personal data, that is, to take the appropriate technical and organisational measures to protect it against destruction, loss, alteration or unauthorised access. This is where compliance fully meets cybersecurity: a company may have filed all its declarations with the CNDP and still be in breach if its information systems are vulnerable.
Protecting a business's data in Morocco therefore rests on a foundation of concrete measures, proportionate to the sensitivity of the data and to the risks involved. The point is not to stack up tools, but to build a coherent defence that is documented and maintained over time.
- Access control: named accounts, strong passwords, rights management based on the need to know
- Technical protection: regular updates, antivirus/EDR, firewall, encryption of sensitive data
- Tested backups and a recovery plan to withstand an incident or a ransomware attack
- Staff awareness training, the first line of defence against phishing and human error
- Security incident management procedures and logging of access to data
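The access-control, logging and retention points in this list are abstract. As an added example (not code from the original article or from CRYSTAL IT), the following Python sketch shows how named accounts, need-to-know rights management, an audit trail of every access to personal data and a retention period fit together in one small store. All accounts, roles, records and the 365-day retention period are constructed sample values, not a real deployment.

```python
"""Need-to-know access control with an audit trail for personal-data records.

Added example, not the article's or CRYSTAL IT's code. Everything below
(accounts, roles, records, retention period) is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample: which record categories each role may read (need to know).
ROLE_PERMISSIONS = {
    "hr_officer": {"employee"},
    "sales": {"customer"},
    "security_admin": set(),  # administers the system, reads no personal data
}

# Constructed sample of named accounts: one person, one login, no shared "admin".
ACCOUNTS = {
    "a.benali": "hr_officer",
    "s.idrissi": "sales",
    "k.ouali": "security_admin",
}


@dataclass
class Record:
    record_id: str
    category: str        # "customer" or "employee"
    data: dict
    collected_on: date   # used to enforce the retention period


@dataclass
class AuditEntry:
    user: str
    record_id: str
    allowed: bool
    reason: str


class PersonalDataStore:
    def __init__(self, records, retention_days):
        self._records = {r.record_id: r for r in records}
        self.retention_days = retention_days
        self.audit_log = []  # every access attempt, allowed or denied

    def read(self, user, record_id):
        """Return the record's data only if the account's role covers its category.

        Every attempt is logged, including denials, so that unauthorised access
        can be detected and requests from the individuals concerned can be traced.
        """
        role = ACCOUNTS.get(user)
        record = self._records.get(record_id)
        if role is None:
            self._log(user, record_id, False, "unknown account")
            return None
        if record is None:
            self._log(user, record_id, False, "no such record")
            return None
        if record.category not in ROLE_PERMISSIONS[role]:
            self._log(user, record_id, False,
                      f"role {role} has no need to know {record.category} data")
            return None
        self._log(user, record_id, True, "need-to-know check passed")
        return record.data

    def purge_expired(self, today):
        """Delete records older than the retention period; return the ids removed."""
        cutoff = today - timedelta(days=self.retention_days)
        expired = [rid for rid, r in self._records.items() if r.collected_on < cutoff]
        for rid in expired:
            del self._records[rid]
        return expired

    def denied_attempts(self):
        return [e for e in self.audit_log if not e.allowed]

    def _log(self, user, record_id, allowed, reason):
        self.audit_log.append(AuditEntry(user, record_id, allowed, reason))


def build_sample_store():
    """Constructed sample data: one customer record, one employee record."""
    records = [
        Record("c-001", "customer", {"name": "Sample Customer", "phone": "0600000000"},
               date(2024, 1, 15)),
        Record("e-001", "employee", {"name": "Sample Employee", "cin": "XX000000"},
               date(2023, 6, 1)),
    ]
    return PersonalDataStore(records, retention_days=365)


if __name__ == "__main__":
    store = build_sample_store()
    store.read("s.idrissi", "c-001")   # sales reading a customer: allowed
    store.read("s.idrissi", "e-001")   # sales reading an employee file: denied
    store.read("ghost", "c-001")       # unknown account: denied
    for entry in store.audit_log:
        print(entry)
    print("purged:", store.purge_expired(date(2024, 12, 31)))
```

The point of the sketch is the shape, not the specific roles: permissions are attached to a role rather than to a person, denials are logged as carefully as successes, and data that has outlived its retention period is removed rather than kept "just in case".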
Where to begin? The IT security audit as a starting point
Faced with these obligations, the right approach is neither panic nor wait-and-see, but a structured assessment of the situation. An IT security audit coupled with a law 09-08 compliance diagnosis makes it possible to answer the essential questions: what personal data do we process, where is it stored, who accesses it, which CNDP formalities have been completed, and what technical vulnerabilities genuinely expose the business?
From this audit flows a prioritised action plan: regularising the formalities with the CNDP, updating information notices and contracts with subcontractors, then gradually rolling out the technical and organisational security measures. This step-by-step approach makes compliance achievable, even for an SME, and turns a regulatory constraint into a genuine lever of commercial trust.
This is precisely the approach taken by CRYSTAL IT: as a software development company and software publisher based in Rabat, we offer tailor-made cybersecurity services — security audits, data protection and support with law 09-08 compliance — as well as consulting to embed these requirements from the design stage of your digital projects.
Compliance with law 09-08 and cybersecurity are not two separate undertakings: they are two sides of the same responsibility, that of protecting the data your customers, employees and partners entrust to you. Moroccan businesses that take this on now reduce their exposure to penalties and incidents, and stand out through the trust they inspire. Would you like to know where your business stands? CRYSTAL IT, in Rabat, supports you with an IT security audit and a law 09-08 compliance diagnosis tailored to your context. Contact our teams to take stock and build your CNDP compliance plan.