What is AI regulation in Morocco?
AI regulation: countries and regions
As of June 2026, Morocco does not have a single stand-alone AI Act. AI is regulated mainly through Law 09-08 on personal data protection, CNDP supervision, and broader digital state policy under Digital Morocco 2030 and newer responsible AI initiatives. In practice, the main legal pressure points are personal data use, biometrics, cross-border transfers, security, and public sector digital governance, while a fuller national AI framework is still being built.
What this means
In Morocco, "AI regulation" currently means a mix of laws, regulator powers and state strategy, not one all-purpose AI code. If an AI system uses personal data, the clearest legal questions usually come from privacy law. If it sits inside public services, identity systems or state digital platforms, public digital governance also starts to matter.
That is why people should distinguish AI law from AI policy. Morocco has a clear policy direction on AI, sovereignty, responsible use, digital public services and talent development. But the binding duties most organisations can point to today still come mainly from Law 09-08, CNDP procedures, and related rules on data handling and international transfers.
Why it matters
For organisations deploying or buying AI in Morocco, the practical point is simple: do not wait for a future AI statute before doing compliance work. If your tool uses customer data, employee records, biometric identifiers, health information, national ID numbers, or data sent to foreign cloud infrastructure, Moroccan law may already shape what you can do and how you must do it.
It also matters because Morocco is trying to expand AI use in both the public sector and the digital economy while preserving trust, sovereignty and rights. That creates a familiar operating reality: the state wants adoption, but it also expects legitimacy. Teams that treat AI as only a technical or procurement choice can miss the real legal choke points, especially around transparency, data minimisation, security, authorisation and cross-border architecture.
How it works
Morocco has an emerging AI governance model, not a single AI act
The official sources reviewed do not show a general Moroccan AI law in force that works like a national AI code. Instead, Morocco's approach is being assembled from binding data protection law, public digital governance, and strategic policy instruments. Digital Morocco 2030 treats AI as one of the enabling technologies of national digital transformation. More recent ministry material points to "AI Made in Morocco", "Maroc IA 2030", and responsible AI frameworks for public activity.
That means Morocco currently mixes hard law and soft governance. The hard law is clearest where AI processes personal data. The softer layer is made up of strategy documents, government programmes, institutional partnerships, centres of excellence, and official language around sovereignty, inclusion, trust and ethics. This is important because strategy can shape procurement, hosting, design and public scrutiny even before a dedicated AI statute arrives.
Law 09-08 is the main binding layer for many AI uses
Law 09-08 is still the core legal instrument for many AI deployments because it governs the processing of personal data. CNDP's public material explains that the law applies where the controller is established in Morocco, and also where a controller outside Morocco uses processing means located in Morocco. It does not apply to purely personal or domestic use, and some state security, defence and specially legislated files sit outside or partly outside the normal regime.
For AI teams, this means the legal trigger is usually not the label "AI" by itself. The trigger is the handling of personal data through collection, storage, matching, scoring, inference, sharing or reuse. CNDP guidance defines personal data broadly, and sensitive data includes, among other things, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and health and genetic data. So a chatbot, ranking tool, fraud system or internal assistant can raise Moroccan legal issues if it uses identifiable data, even if it looks like an ordinary software feature.
Core duties follow the data, not the algorithm
CNDP's guidance explains that controllers must collect and process personal data fairly, legitimately and transparently. They must respect the stated purpose of the processing, keep data proportionate and not excessive, maintain data quality, limit retention, and ensure security and confidentiality. Individuals must be informed about the processing and have rights around access, rectification, and objection. CNDP's public-facing material also emphasises notice at the point of collection and the ability of people to challenge bad or outdated records.
In practical AI governance terms, this means a model built on poor data discipline is already on weak legal ground. If the organisation cannot clearly state why the data is being used, keep it accurate, honour access requests, or limit how long it is retained, the problem begins before any larger debate about AI safety, bias or explainability. Morocco's current model therefore regulates many AI uses indirectly, by regulating the data practices that make those systems possible.
CNDP is the main regulator where AI uses personal data
The CNDP is the central Moroccan authority for personal data protection. It was created by Law 09-08 and is tasked with checking that data processing is lawful and does not undermine privacy, freedoms or fundamental rights. Its institutional material says it handles complaints, reviews declarations and authorisation requests, keeps a public register, advises public authorities on draft texts affecting personal data, and carries out legal and technological monitoring.
CNDP also has investigation and control powers. Its own mission page says it can inspect processing operations and that controls may lead to administrative, financial or criminal sanctions under the applicable framework. For organisations using AI, this makes CNDP the main institution to watch whenever a system processes personal data. It is not only a complaints office after a failure. It is also the authority that structures formalities before launch and supervises whether certain high-risk uses are acceptable.
Some higher risk processing needs prior authorisation
Morocco does not yet use a full AI-specific risk ladder like some other jurisdictions, but Law 09-08 already contains something close to a risk gate for certain kinds of processing. CNDP requires prior authorisation where processing involves sensitive data, many forms of genetic data, criminal or security related data, use of the national identity card number, interconnection of files with different main purposes, or use of personal data for purposes other than those for which it was originally collected.
That matters for AI because many intrusive or higher impact systems sit exactly in those categories. In other words, Morocco's current framework is not yet a formal AI risk regime, but it already treats some forms of data-intensive automation as needing stronger review before deployment.
Biometric access control is the clearest example. CNDP's dedicated biometric guidance says a public or private body may use biometric access control only under strict conditions, especially for restricted or highly sensitive premises. It must justify why less intrusive alternatives are not reliable enough, prefer authentication over identification where possible, avoid keeping raw biometric data where possible, inform the people concerned, secure the data, and seek prior authorisation from CNDP. That is a concrete sign that Morocco already distinguishes between ordinary digital processing and more intrusive forms of automated control.
Cross-border data and hosting choices are a real compliance issue
If an AI project stores or sends personal data outside Morocco, CNDP's international transfer rules become central. Transfers can proceed to destinations on the CNDP list. If the destination is not on that list, the transfer needs another recognised basis, such as the person's explicit consent, strict necessity for a limited set of purposes, an international agreement binding Morocco, or express CNDP authorisation supported by sufficient safeguards such as contractual clauses or internal company rules. CNDP also states that a transfer request is only granted where the underlying processing has already been properly declared or authorised.
This has direct operational consequences for model hosting, vendor selection, cloud architecture and support arrangements. A company cannot assume that a reputable foreign provider alone makes the transfer lawful.
Digital Morocco 2030 adds a strategic layer on top of that legal regime. Its cloud pillar says sensitive Moroccan data should remain on Moroccan territory and be governed by Moroccan law, and it describes a sovereign cloud offer reserved for the public sector and operators of vital importance. That is better understood as a national policy and infrastructure direction, not as a universal statutory localisation rule for every AI deployment. Even so, it has real design consequences, especially for public services and high sensitivity datasets.
National digital strategy is pushing AI into public administration and the economy
Digital Morocco 2030 is not just a general innovation statement. It gives Morocco's AI governance story an institutional shape. The strategy is built around digital public services, the digital economy, cloud, connectivity, digital talent and inclusive usage, with AI presented as an integral or transversal lever. The AI pages in the strategy point to building data repositories and registries, supporting best practices, encouraging AI companies and startups, developing skills and research, and applying evaluation mechanisms that support responsible use.
For public administration, that matters because AI is being inserted into a wider architecture of digital identity, shared infrastructure, simplified service delivery and state platforms. Official materials around Idarati X.0 and the broader digital administration agenda show a push toward integrated public service access, stronger interoperability and citizen-facing digital pathways. The legal effect is indirect but real: AI in government is likely to be judged together with data protection, digital identity, interoperability and service law, not as a free-standing experiment.
The institutional side is becoming more concrete. In September 2025, the Ministry of Digital Transition and Administration Reform and CNDP signed a convention to build a national responsible AI platform and a framework for national LLM-based platforms for governmental activity. In January 2026, the ministry's "AI Made in Morocco" event linked implementation to the recommendations from the national AI conference and to the "Maroc IA 2030" initiative. That shows Morocco moving from broad strategy into applied institutional governance, especially in the public sector.
African and Francophone context helps explain the direction of travel
Morocco's AI approach is not developing in isolation. The African Union's Continental AI Strategy, endorsed in 2024, calls for coordinated national approaches and promotes an Africa-centric model of ethical, responsible and equitable AI. Morocco's own official discourse on AI repeatedly emphasises sovereignty, African relevance, trust and responsible use. That regional framing matters because it helps explain why Morocco is talking about AI as a state capacity, development and governance issue, not only as a consumer technology issue.
There is also a Francophone and broader international privacy context in the background. CNDP's public material places Morocco in dialogue with Convention 108 references, Convention 108+ references, the GDPR, the Malabo Convention and Francophone data protection networks. That helps explain why privacy, transfers, regulator procedure and institutional trust loom so large in Moroccan AI governance. For now, that is the clearest bridge between Morocco's existing legal architecture and its emerging AI agenda.
Examples
A company wants to use fingerprint or facial access control at a restricted industrial site. In Morocco, that is not just an IT security purchase. CNDP treats biometric control as high risk. The organisation must justify why less intrusive access controls are not reliable enough, use the system for authentication rather than open-ended identification where possible, inform the affected people, secure the data, and apply for CNDP authorisation before installation.
A Moroccan business wants to run a customer support assistant on a foreign cloud service that will process names, account details and customer history. The legal question is not only whether the model works well. The business must first regularise the underlying processing with CNDP, then check whether the foreign destination is on the CNDP list or whether another lawful transfer basis exists, and be ready to show safeguards if express CNDP approval is needed.
A ministry or public body wants to add AI features to a digital citizen service. That project now sits inside a broader governance stack that includes Digital Morocco 2030, integrated public service delivery, identity and interoperability design, and CNDP's role in responsible AI and personal data protection. In practice, teams should expect scrutiny around user information, lawful data sharing, security, traceability and whether the tool is proportionate to the public service need.
Common misunderstandings
"Morocco already has a full AI Act." Not yet. The official sources reviewed point instead to a data-protection-led regime plus emerging strategy and institutional frameworks.
"If a system is bought from a foreign vendor, Moroccan law does not apply." That is too simple. If personal data is processed within the scope of Law 09-08, Moroccan duties can still attach.
"Only obviously sensitive sectors are regulated." No. Many ordinary business tools can still fall under Law 09-08 if they process identifiable people, and some categories trigger stricter formalities.
"Cross-border hosting is just a contract issue." No. CNDP's transfer regime still matters, and the underlying processing must already be regularised.
"Biometrics are allowed whenever they improve convenience." No. Moroccan guidance treats biometric access control as exceptional and tightly conditioned.
Risks and boundaries
Morocco's current model has real limits. Data protection law reaches many AI systems, but it does not answer every question about foundation models, synthetic media, competition, copyright, model liability, or sector-specific safety. That is one reason official materials now speak in broader terms about responsible AI frameworks and national coordination.
It is also important to separate policy direction from enacted legal duty. Digital Morocco 2030, AI Made in Morocco, the ministry-CNDP responsible AI convention, and the national AI conference all show strong movement. But they are not the same thing as a single Moroccan AI code with a settled list of prohibited uses, risk tiers, conformity assessments and penalties.
There are scope boundaries inside the existing legal framework too. CNDP's own material says Law 09-08 does not apply in the same way to purely personal or domestic use, and it excludes some defence and state security processing. So this article maps the main civilian governance picture, not every possible state use of AI.
The near-term uncertainty is therefore not whether Morocco cares about AI governance. It clearly does. The uncertainty is which parts of that agenda will harden into binding law, on what timetable, and whether Morocco will keep relying mainly on privacy law plus sectoral instruments or move toward a more explicit AI statute.
What to do next
Start by mapping every AI system that touches information about identifiable people. Separate ordinary personal data from sensitive, biometric, health, genetic, criminal and national ID data, because those distinctions change the legal path.
Then work out the CNDP formalities before launch. In Morocco, the practical question is often whether you need a declaration, prior authorisation, and possibly an international transfer request, not whether the product team is calling the tool "AI".
Build governance into procurement, not after procurement. Vendor due diligence should cover hosting location, transfer mechanics, security, confidentiality, subcontracting, data retention, rights handling and the ability to operate the system within Morocco's legal perimeter.
If you are dealing with public services, critical infrastructure or highly sensitive datasets, design with Morocco's sovereignty direction in mind. The country's digital strategy places clear weight on trusted infrastructure, public-service interoperability and domestic control over sensitive data.
Finally, document your reasoning. Even without a stand-alone AI Act, teams should keep a written record of purpose, data categories, legal basis, data flows, human oversight, retention periods, incident handling and escalation to CNDP where needed. That discipline is likely to age well even if Morocco later adds more explicit AI legislation.
FAQs
Does Morocco have a dedicated AI law?
Not a general stand-alone AI law in force, based on the official sources reviewed as of 6 June 2026. The clearest binding layer today is still Law 09-08 and CNDP procedure.
Which Moroccan law matters most for AI right now?
Usually Law 09-08, if the system processes personal data. That is the main legal framework most organisations will feel first.
Who regulates AI in Morocco?
There is no single AI-only regulator. CNDP is the key authority where AI systems use personal data. The Ministry of Digital Transition and Administration Reform, and related public digital institutions, shape the wider policy and public-sector governance agenda.
When is prior CNDP authorisation more likely to be needed?
Especially where the processing involves sensitive data, some genetic data, criminal or security related records, use of the national identity card number, interconnection of files with different main purposes, or reuse of data for a new purpose.
Can AI data be hosted outside Morocco?
Sometimes, yes, but not automatically. Transfers abroad are subject to CNDP's rules, and the underlying processing must already have been properly declared or authorised.
Are biometric AI systems allowed in Morocco?
They are not broadly banned, but they are tightly controlled. Biometric access control requires strong justification, prior authorisation and specific safeguards.
Is Morocco already using a risk-based AI model?
Not in the form of a general AI statute. But parts of the current system behave in a risk-sensitive way, because some forms of intrusive or sensitive processing face stricter CNDP scrutiny before deployment.
Is Digital Morocco 2030 itself a law?
No. It is a national strategy. It matters because it shapes direction, institutions and public-sector design, but the direct legal duties still come mainly from enacted laws and CNDP procedures.