Morocco: Cloud in Public Sector

An Interactive Guide for Legal and Compliance Professionals

REGULATORY OVERVIEW

The public sector currently faces a significant challenge: to enable active citizenship, increase the efficiency of service delivery, and facilitate inclusive economic growth and transformation, and to do so cost-effectively and securely with constrained resources. To meet these challenges and also to address fraud and corruption, the Moroccan government envisages an ecosystem of digital networks, services, applications, content, and devices that will connect public administration to the active citizen; promote economic growth, development, and competitiveness; and support local, national, and regional integration.

Cloud services will be at the forefront of the government's digital transformation. The cloud can provide cost-effective access to unprecedented power to rapidly process and analyze vast quantities of data to produce actionable analysis, insights, and better decision-making. Easily accessible data storage and multiple access and communication channels provide a modern, consistent, and seamless experience for officials as well as the public, facilitating public participation, co-operative governance, and inter-departmental collaboration, and broadening social inclusion. The cost optimization, data security, and potential for open government made possible by cloud services are far superior to manual paper-based processes.

In a highly regulated sector such as the public sector, it is, however, crucial to ensure that any move to the cloud complies with applicable regulation and achieves the obvious benefits without undue risk.

MICROSOFT'S COMMITMENT TO THE MOROCCAN PUBLIC SECTOR

We believe that no cloud services provider has more experience of delivering compliant solutions to the public sector in Morocco than Microsoft. Microsoft is one of the first service providers to actively collaborate with the public sector in Morocco to find ways of optimizing government information and communications technology spend and maximising government's return on investment.

Microsoft stands ready to support our public service customers in Morocco to achieve similar benefits. Microsoft has already initiated plans to deliver the Microsoft Cloud - including Microsoft Azure, Office 365, and Dynamics 365 - from data centres located in the Middle East & Africa (MEA) region, which will offer enterprise-grade reliability and performance to our customers in the MEA region.

In addition, our subject-matter experts are available to understand your requirements and provide detailed information on the technical, contractual, regulatory, and practical aspects of any cloud project. This is all part of our commitment to helping our public sector customers smoothly navigate their way to the Microsoft cloud with confidence and enjoy the benefits of the digital transformation.

THE REGULATORY ENVIRONMENT

There is presently no uniform regulation for cloud services in Morocco. However, for the public sector, there are a number of laws that are relevant to any decision to move to cloud services, that facilitate the use of cloud services and that place constraints on the manner in which cloud services may be used.

  • The Security of the IT System Department ("DGSSI") within the Ministry of Defence is the government agency responsible for providing information systems, determining approved policy and standards of the IT systems of the public sector, and authorizing and certifying electronic services’ compliance with its security measures.

  • Cloud services are permitted. However, certain processes may need to be followed and certain requirements may need to be met prior to migrating to cloud services (see below).

  • A move to cloud services would require consideration of a number of regulatory regimes.

    (i) Public procurement

    A public sector body must ensure that when it contracts for information, communication, and technology services, it does so in a manner that is fair, equitable, transparent, cost-effective, and competitive.[1] This will ordinarily mean that a public sector body cannot contract directly with a supplier, but must follow a competitive public tender process. It may be possible to deviate from a competitive public tender process and approach a supplier directly in circumstances where, for example, the procurement is urgent, takes place in emergency circumstances, or involves a sole supplier.[2]

    (ii) Access to information, transparency, and public participation

    Any citizen is authorized to access information held by the public administration, elected institutions and organisms in charge of public services.[3] As a result, the public administration is obliged to make information publicly accessible to allow the public to participate in government processes. The public has the right of access to records of public sector bodies, and the information officer of a public sector body must consider the request and, where it is granted, make the documents available within 15 days of the request being made.[4] Public sector bodies may be faced with requests for a significant number of records. Storage of information on the cloud can ensure that all information held by the public body is accessible, searchable, and easy to find with minimal effort, so that access to information requests can be addressed timeously. Microsoft's cloud solutions offer significant data storage capacity and multiple access channels to facilitate the achievement of Morocco's commitment to open data.

    (iii) Data security

    Furthermore, any public institution or infrastructure of vital importance[5] should ensure compliance with the National Directive for the Security of Information Systems[6] and Decree No. 2-15-712 dated 22 March 2016 laying down the plan for the protection of sensitive information systems of institutions of vital importance, and ensure that its sensitive data[7] is hosted in Morocco. The National Directive for the Security of Information Systems does not define what sensitive data refers to within the context of each institution. Accordingly, a data classification framework that is adopted by an institution and endorsed by the regulator is always recommended in order to define what “sensitive data” means to such institution and stay compliant with the National Directive for the Security of Information Systems. Indeed, each administrative body and public entity should implement the information security policy and must comply with the minimum information security standards policy approved by the DGSSI. Thus, before making a decision to move data to the cloud, a public sector body should consider what types of data will be stored in the cloud, the manner in which the information will be stored (using private cloud infrastructure, including on-premises, or hyperscale cloud infrastructure) and whether the cloud service provider meets the relevant security requirements for the type of information that will be stored. Furthermore, regardless of its status as infrastructure of vital importance, and subject to specific exemptions[8], any public sector body having recourse to encryption means or services is required to file a prior declaration or authorization[9], as the case may be, before the General Direction for the Security of Information Systems.[10]

  • Under the Law No. 09-08 relating to the protection of individuals with respect to the processing of personal data (the "Law 09-08"), personal information may be transferred out of Morocco as long as the requirements of the Law 09-08 are met. Law 09-08[11] permits the transfer of personal information to a third party who is in a foreign country in specific circumstances, including if the recipient is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection as contemplated in Law 09-08, or with prior authorization of the National Control Commission for the Protection of Personal Data (CNDP).

    Microsoft holds itself accountable to and is subject to laws of general application applicable to information technology service providers, and has binding agreements which, in our view, provide adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring compliance with the EU General Data Protection Regulation which came into force in May 2018.

    1 Decree n° 2-12-349 on public tenders dated 20 March 2013
    2 Article 86 of Decree n° 2-12-349 on public tenders
    3 Article 27 of the Constitution of the Kingdom of Morocco
    4 Article 13 of Law 31-13 on the right of access of information
    5 Defined in Decree No. 2-15-712 dated 22 March 2016 to mean all facilities, works and systems that are essential to the maintaining of the vital functions of the society, public health, safety, security and economic or social well-being, the damage of which or the unavailability or the destruction would have an impact leading to the failure of these functions.
    6 “Directive Nationale de la Sécurité des Systèmes d’Information”, issued in December 2013, available at Sécurité des systèmes d'information
    7 Defined in the National Directive for the Security of Information Systems and in Decree No. 2-15-712 dated 22 March 2016 to mean information the compromising, alteration, misappropriation or destruction of which is likely to harm the continuity of functioning or to endanger the informational patrimony of the infrastructure of vital importance.
    8 Article 2 of Decree 2-08-518 dated 21 May 2009 for the application of Law 53-05, as subsequently amended and completed. See Appendix II of the Decree for the list of exemptions.
    9 Art 13 of Law 53-05 dated 6 December 2007 relating to the electronic exchange of legal data.
    10 Decree 2-08-518 dated 21 May 2009 for the application of Law 53-05, as subsequently amended and completed.
    11 Article 43 of Law 09-08

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

We build our services from the ground up to help safeguard your data

Privacy

Our policies and processes help keep your data private and in your control

Compliance

We provide industry-verified conformity with global standards

Transparency

We make our policies and practices clear and accessible to everyone

*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.