According to Art. 15 of Law No. 77-03 on Audiovisual Communication, as amended by Law No. 66-16, audiovisual communication services include on-demand audiovisual media services. Art. 15.1 defines these services as any “communication to the public or a section thereof enabling the viewing, for a fee, of programmes or parts of programmes, at the user's choice and on demand, from a catalogue of programmes whose selection and organisation are carried out under the responsibility of the publisher of that service.” Under the amended Art. 29, the High Authority for Audiovisual Communication is empowered to grant authorisations for the operation of such on-demand audiovisual services.

According to Art. 13 of Law No. 53-05, relating to the electronic exchange of legal data, the import, export, supply, operation, or use of means or cryptographic services is subject to a prior statement and prior approval from the authority.
Moreover, pursuant to Art. 46 of Law No. 43-20 on Trusted Services for Electronic Transactions, in order to safeguard national defence and state security, the import, export and supply of cryptographic means, as well as the provision of cryptographic services, are subject to regulatory control. Specifically: (i) a prior declaration to the national authority is required where the sole purpose of such means or services is to authenticate a transmission or ensure the integrity of electronically transmitted data; and (ii) prior authorisation from the national authority is required where their purpose differs from that set out in point (i) above.

It is reported that irregularities in certain government procedures, particularly the lack of clear and accessible information on new import-related regulations and certification requirements, constitute one of the principal obstacles to operate in Morocco.

Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data and its implementation Decree No. 2-09-165 of 21 May 2009 provides a comprehensive regime of data protection in Morocco.

According to Art. 7 of Law No. 43-05 relating to the fight against money laundering, institutions in finance and insurance services are obliged to keep the documents relating to the transactions carried out by their clients, as well as documents relating to the identity of their customers for 10 years.

Morocco lacks a comprehensive regime for the protection of trade secrets.

In accordance with Art. 22bis of Law No. 24-96 on Postal and Telecommunications Services, public telecommunications network operators are required to comply with requests from any other public telecommunications network operator to share their infrastructure, in order to allow the installation and/or operation of telecommunications equipment, provided that such sharing does not interfere with public use. The infrastructure concerned includes engineering structures, ducts and pipelines, high points and telecommunications lines owned by legal persons governed by public law, public service concessionaires and public telecommunications network operators. Decree No. 2-97-1026 on the General Conditions for Operating Public Telecommunications Networks further details the procedures governing such infrastructure sharing.

The State retains ownership stakes in all three main operators in the telecommunications sector: Maroc Telecom, Orange Maroc and Inwi. Maroc Telecom is 53% owned by Etisalat, with the Moroccan State holding a 22% share. Orange Maroc is 49% owned by the Orange Group, while the remaining 51% is divided equally between the state-owned Caisse de Dépôt et de Gestion (CDG) and O Capital Group (25.5% each). Inwi (Wana Corporate) is majority-owned by Al Mada (formerly Société Nationale d’Investissement), which holds 69% of its capital, with the remaining 31% held by Kuwait’s Zain Group and the Al Ajial Investment Fund. The three operators together account for a market share of approx. 61%, 36% and 3%, respectively.

It is reported that Morocco does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there is an obligation of accounting separation.

Morocco has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that the National Agency of Telecommunications Regulation (ANRT), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

Art. 11 of the Law on Cybersecurity stipulates that sensitive data processed by entities or operators of infrastructure of critical importance must be stored exclusively within the national territory, and therefore it cannot be hosted on cloud systems. Sensitive data includes information whose compromise in terms of confidentiality, integrity, or availability would adversely affect an entity or infrastructure of critical importance, defined as installations, facilities, and systems essential for maintaining vital societal functions, including health, safety, security, and economic or social well-being. The disruption, unavailability, or destruction of these would result in the failure of these functions.
In addition, Art. 34 of Decree No. 2-21-406, which implements Law No. 05-20, mandates that sensitive data pertaining to cybersecurity services, such as the monitoring, analysis, and management of cybersecurity incidents, must also be stored exclusively within the territory of Morocco.

Art. 16 of ANRT Decision/DG/No.02/2024 stipulates that any entity intending to provide domain name services must operate a secure Domain Name System (DNS) infrastructure comprising at least two servers, one of which must be physically located within Morocco.

According to Art. 43 of Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data, the transfer of personal data to a foreign country is only allowed if the country offers an adequate level of protection of the privacy and fundamental rights and freedoms of individuals. In the Decision No. 236-2015 of 18 December 2015, the Moroccan data protection authority (CNDP) recognised the following countries as offering an adequate level of data protection: Austria, Belgium, Bulgaria, Canada, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, and the United Kingdom.
The transfer of personal data to a country that does not provide an adequate level of data protection is only allowed subject to certain conditions, including the express consent of the data subject or if the transfer is necessary to safeguard the data subject's life, to safeguard the public interest, to comply with judicial obligations, for the performance of a contract between the controller and the data subject or pre-contractual measures taken at the request of the latter. Personal data may also be transferred if the transfer is carried out pursuant to a bilateral or multilateral agreement to which Morocco is a party, or with the express and reasoned authorisation of the CNDP when the personal data processing guarantees a sufficient level of protection of privacy and the fundamental rights and freedoms of individuals, in particular, because of the contractual clauses or internal rules to which it is subject.

Morocco has not joined any agreement with binding commitments to open transfers of data across borders.