According to Art. 14 of Law 24-09 of 2011, relating to the safety of products, declaration of conformity for industrial products to their relevant Moroccan standards (NM) is the sole responsibility of the manufacturer or importer. In the absence of Moroccan standards, the producer can rely on international standards. If the producers do not have the means to evaluate their products, they are allowed to rely on an external body. This body must, however, be recognised by Morocco.
With effect from 1 February 2020, it is reported that the Government, in pursuance of Law 24-09, complemented by Decree No 2-212-502 and Order No 3873-12, introduced a new Verification of Conformity Program for goods imported into Morocco. Under the new program, the verification is supposed to take place in the country of export or on arrival at the border in Morocco. Products subject to border control include electrical items such as mobile phone chargers and circuit breakers, while goods subject to verification prior to export include electrical equipment within certain voltage limits and equipment related to electromagnetic compatibility and are required to be accompanied by a Certificate of Conformity (CoC). The transitional period during which manufacturers could continue to export in Morocco without the CoC was until April 2020. Organisations officially recognised as having the relevant certifications of conformity include Bureau Veritas, TUV Rheinland, Applus Fomento, and SGS.

According to Decree 2-13-881, adopted in 2015, the responsibility for authorising and monitoring “electronic certifications,” including encryption, shifted from the Telecommunications Regulator 'ANRT' to the military’s General Directorate for the Security of Information Systems. It is reported that the civil society advocates found the change of authorities problematic, given the lack of accountability and oversight at military institutions.
Moreover, according to Art. 13 of Law No. 53-05, relating to the electronic exchange of legal data, the import, export, supply, operation, or use of means or cryptographic services is subject to a prior statement and prior approval from the authority.
Moreover, pursuant to Art. 46 of Law No. 43-20 on Trusted Services for Electronic Transactions, in order to safeguard national defence and state security, the import, export and supply of cryptographic means, as well as the provision of cryptographic services, are subject to regulatory control. Specifically: (i) a prior declaration to the national authority is required where the sole purpose of such means or services is to authenticate a transmission or ensure the integrity of electronically transmitted data; and (ii) prior authorisation from the national authority is required where their purpose differs from that set out in point (i) above.

Online purchases for individuals in Morocco are capped at 15,000 dirhams (about USD 1,500) per recipient per calendar year, which is in line with Art. 151 of the 2022 General Instruction of Foreign Exchange Operations. The current limit was revised under the 2019 General Instructions from 10,000 dirhams in 2013 and remains the same in 2022.

Under Art. 151 of the 2022 General Instruction of Foreign Exchange Operations, innovative start-ups are permitted to pay up to MAD 1,000,000 (approx. USD 100,000) annually for the import of services related to their business using international payment cards, an increase from the MAD 500,000 (approx. USD 50,000) limit established in the 2019 General Instruction. Additionally, Art. 151 stipulates that for entities incorporated under Moroccan law, payments for current e-commerce transactions are capped at MAD 200,000 (approx. USD 20,000) per calendar year and per beneficiary. This cap applies to entities that do not hold an account in foreign currency or convertible dirhams and is determined based on the amount of corporate or personal income tax (IS or IR) paid or the minimum contribution for the last fiscal year.

Decision No. D-188-2020 governing the data protection impact assessment requires the data controllers or processors to carry out DPIAs when necessary and to present the Data Protection Impact Assessments (DPIA) to the data protection authority (CNDP) in the event of a control. Situations that warrant DPIA relate mainly to processing operations presumed to involve a risk of breaching the protection of privacy and personal data, which fall into one or more of the following categories:
- Processing which violates the provisions of Art. 11 of the Law regarding the neutrality of effects and which allows decisions to be taken on the basis of automated processing of personal data;
- Large-scale processing of sensitive data which, according to Article 1 of the Law, reveal racial or ethnic origin, political opinions, political opinions, religious or philosophical convictions, or the data subject's union membership, or relating to his/her health, including his/her genetic data;
- Processing operations which allow systematic surveillance of the data subjects; and
- Processing carried out in the context of the use of innovative technological or organisational solutions.

Reports indicate that public authorities in Morocco possess broad discretionary powers to request personal data and that there are credible allegations of government surveillance of private online communications without appropriate legal authority. According to the National Control Commission for the Protection of Personal Data (CNDP), the Moroccan data protection authority, individuals retain the right to approve or deny the processing of their personal data by both public and private entities. However, exceptions exist, such as when the processing is deemed to be in the national interest or if the party accessing the data has a “legitimate interest.” Furthermore, Morocco’s data protection law contains broadly defined terms that potentially permit authorities to access personal user data, compounded by a reported lack of transparent oversight of the intelligence services. The law's provisions on data access include “exceptions” that are reportedly open to interpretation, which may result in inconsistent legal application.

Law No. 34-05 establishes a safe harbour regime for intermediaries for copyright infringements. A service provider is defined, according to Part IV-bis, as an operator of facilities for online services or for access to networks with no alteration of the content between the points specified by the user and of his choice. Under Law 34-05, a service provider is not liable for information transmitted or stored on its network if it does not modify the content of the material or does not directly enjoy financial gain attributable to the activity of infringing copyright or related rights under circumstances in which it has the right and ability to control that activity. However, a service provider is expected to act without delay to withdraw the material hosted on its system or network or to restrict access to that material on becoming aware of an infringement of copyright or related rights or of facts or circumstances that indicate that copyright or related rights have been infringed, as a result of formal notice of allegations of infringement of copyright.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Morocco's law and jurisprudence.

Under the Telecommunications Authority (ANRT) decision of 11 February 2014 concerning the identification of mobile subscribers, purchasers of SIM cards must register their names and national identity numbers with telecommunications operators. The ANRT enforces a ban on unregistered SIM cards, reportedly in accordance with Law no. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data.

The indicator "7.2.4 - Government Internet shut down in practice" of the V-Dem Dataset, which measures whether the government has the technical capacity to actively make internet service cease, thus interrupting domestic access to the internet or whether the government has decided to do so, has a score of 3 in Morocco for the year 2024. This corresponds to "Rarely but there have been a few occasions throughout the year when the government shut down domestic access to Internet."

According to Art. 65 of Law No. 77-03, advertisements must be broadcast in Arabic, Amazigh or Moroccan dialects if they are intended for the Moroccan public. The use of other languages is, among other reasons, authorised if the communication of the said commercials in Arabic, Amazigh or Moroccan dialects proves to be difficult due to the specific technical concepts involved. It is not clear whether the law applies to online content.

The Press Code, published in August 2016, imposes licensing requirements for online media and mandates the registration of journalists. A director of an electronic media outlet is required to hold a press card, which is a form of certification that was previously not required for an online outlet. It is reported that it took seven months for directors of two French-language online news sites, Yabiladi and Le Desk, to receive their press cards in 2018.
To obtain press cards and benefit from state financial support, Arts. 34 and 35 of the Press Code require online news portals to acquire two types of authorisations from two different bodies, and are valid for one year at a time:
- authorisation from the Moroccan Cinema Center (CCM) to produce video content; and
- authorisation from the Telecommunications Authority (ANRT) to host domain names under "press.ma.".

According to Art. 15 of Law No. 77-03 on Audiovisual Communication, as amended by Law No. 66-16, audiovisual communication services include on-demand audiovisual media services. Art. 15.1 defines these services as any “communication to the public or a section thereof enabling the viewing, for a fee, of programmes or parts of programmes, at the user's choice and on demand, from a catalogue of programmes whose selection and organisation are carried out under the responsibility of the publisher of that service.” Under the amended Art. 29, the High Authority for Audiovisual Communication is empowered to grant authorisations for the operation of such on-demand audiovisual services.

According to Art. 13 of Law No. 53-05, relating to the electronic exchange of legal data, the import, export, supply, operation, or use of means or cryptographic services is subject to a prior statement and prior approval from the authority.
Moreover, pursuant to Art. 46 of Law No. 43-20 on Trusted Services for Electronic Transactions, in order to safeguard national defence and state security, the import, export and supply of cryptographic means, as well as the provision of cryptographic services, are subject to regulatory control. Specifically: (i) a prior declaration to the national authority is required where the sole purpose of such means or services is to authenticate a transmission or ensure the integrity of electronically transmitted data; and (ii) prior authorisation from the national authority is required where their purpose differs from that set out in point (i) above.

It is reported that irregularities in certain government procedures, particularly the lack of clear and accessible information on new import-related regulations and certification requirements, constitute one of the principal obstacles to operate in Morocco.