The Press Code, published in August 2016, imposes licensing requirements for online media and mandates the registration of journalists. A director of an electronic media outlet is required to hold a press card, which is a form of certification that was previously not required for an online outlet. It is reported that it took seven months for directors of two French-language online news sites, Yabiladi and Le Desk, to receive their press cards in 2018.
To obtain press cards and benefit from state financial support, Arts. 34 and 35 of the Press Code require online news portals to acquire two types of authorisations from two different bodies, and are valid for one year at a time:
- authorisation from the Moroccan Cinema Center (CCM) to produce video content; and
- authorisation from the Telecommunications Authority (ANRT) to host domain names under "press.ma.".

Morocco has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that the National Agency of Telecommunications Regulation (ANRT), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

According to Art. 9 of Decree No. 2-15-712, companies and organisations operating in sectors of vital importance and using data deemed sensitive must host their infrastructure and digital databases on Moroccan territory. The concerned entities are defined as those that undertake activities related to the production or distribution of "goods and services essential to the satisfaction of the basic needs for the life of the populations or to the maintenance of the security capacities of the country". It is reported that a detailed list of sensitive infrastructure is kept secret by the government, and its content is reviewed at least once a year.

According to Art. 43 of Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data, the transfer of personal data to a foreign country is only allowed if the country offers an adequate level of protection of the privacy and fundamental rights and freedoms of individuals. In the Decision No. 236-2015 of 18 December 2015, the Moroccan data protection authority (CNDP) recognised the following countries as offering an adequate level of data protection: Austria, Belgium, Bulgaria, Canada, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, and the United Kingdom.
The transfer of personal data to a country that does not provide an adequate level of data protection is only allowed subject to certain conditions, including the express consent of the data subject or if the transfer is necessary to safeguard the data subject's life, to safeguard the public interest, to comply with judicial obligations, for the performance of a contract between the controller and the data subject or pre-contractual measures taken at the request of the latter. Personal data may also be transferred if the transfer is carried out pursuant to a bilateral or multilateral agreement to which Morocco is a party, or with the express and reasoned authorisation of the CNDP when the personal data processing guarantees a sufficient level of protection of privacy and the fundamental rights and freedoms of individuals, in particular, because of the contractual clauses or internal rules to which it is subject.

Morocco has not joined any agreement with binding commitments to open transfers of data across borders.

Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data and its implementation Decree No. 2-09-165 of 21 May 2009 provides a comprehensive regime of data protection in Morocco.

According to Art. 7 of Law No. 43-05 relating to the fight against money laundering, institutions in finance and insurance services are obliged to keep the documents relating to the transactions carried out by their clients, as well as documents relating to the identity of their customers for 10 years.

Art. 64 of Law No. 77-03, Relating to Audiovisual Communication, mandates audiovisual operators to record each audiovisual program in its entirety and keep it for at least one year. In the event that the said program or one of its elements is the subject of a right of reply or a complaint concerning compliance with the laws and regulations in force, the recording shall be kept for as long as it is likely to serve as evidence. It is reported that it is not clear whether the law applies to online content.

Decision No. D-188-2020 governing the data protection impact assessment requires the data controllers or processors to carry out DPIAs when necessary and to present the Data Protection Impact Assessments (DPIA) to the data protection authority (CNDP) in the event of a control. Situations that warrant DPIA relate mainly to processing operations presumed to involve a risk of breaching the protection of privacy and personal data, which fall into one or more of the following categories:
- Processing which violates the provisions of Art. 11 of the Law regarding the neutrality of effects and which allows decisions to be taken on the basis of automated processing of personal data;
- Large-scale processing of sensitive data which, according to Article 1 of the Law, reveal racial or ethnic origin, political opinions, political opinions, religious or philosophical convictions, or the data subject's union membership, or relating to his/her health, including his/her genetic data;
- Processing operations which allow systematic surveillance of the data subjects; and
- Processing carried out in the context of the use of innovative technological or organisational solutions.

Reports indicate that public authorities in Morocco possess broad discretionary powers to request personal data and that there are credible allegations of government surveillance of private online communications without appropriate legal authority. According to the National Control Commission for the Protection of Personal Data (CNDP), the Moroccan data protection authority, individuals retain the right to approve or deny the processing of their personal data by both public and private entities. However, exceptions exist, such as when the processing is deemed to be in the national interest or if the party accessing the data has a “legitimate interest.” Furthermore, Morocco’s data protection law contains broadly defined terms that potentially permit authorities to access personal user data, compounded by a reported lack of transparent oversight of the intelligence services. The law's provisions on data access include “exceptions” that are reportedly open to interpretation, which may result in inconsistent legal application.

Law No. 34-05 establishes a safe harbour regime for intermediaries for copyright infringements. A service provider is defined, according to Part IV-bis, as an operator of facilities for online services or for access to networks with no alteration of the content between the points specified by the user and of his choice. Under Law 34-05, a service provider is not liable for information transmitted or stored on its network if it does not modify the content of the material or does not directly enjoy financial gain attributable to the activity of infringing copyright or related rights under circumstances in which it has the right and ability to control that activity. However, a service provider is expected to act without delay to withdraw the material hosted on its system or network or to restrict access to that material on becoming aware of an infringement of copyright or related rights or of facts or circumstances that indicate that copyright or related rights have been infringed, as a result of formal notice of allegations of infringement of copyright.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Morocco's law and jurisprudence.

Under the Telecommunications Authority (ANRT) decision of 11 February 2014 concerning the identification of mobile subscribers, purchasers of SIM cards must register their names and national identity numbers with telecommunications operators. The ANRT enforces a ban on unregistered SIM cards, reportedly in accordance with Law no. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data.

It is reported that there is an obligation for passive infrastructure sharing in Morocco to deliver telecom services to end users. It is practised in both the mobile and fixed sectors based on commercial agreements.