What Is AI Law in Morocco? Legal Framework and Key Issues
Morocco does not yet have a specific artificial intelligence law. The current legal framework relies on existing legislation: Law 09-08 on personal data protection, Law 53-05 on electronic exchange, and sector-specific regulations. Legislative work is underway, driven in part by a 2025 white paper outlining an inclusive and sovereign Moroccan AI model.
A Legal Gap, But Not a Total Void
When a CHRO asks me whether their company faces legal exposure by deploying an AI tool in Morocco, my answer is always the same: the risk exists, but it comes less from an AI-specific law than from existing legislation already in force.
Law 09-08 governs personal data processing. It imposes declaration obligations to the CNDP (Commission Nationale de contrôle de la Protection des Données à caractère Personnel), requires consent from data subjects, and sets strict rules on cross-border data transfers. An AI system processing data from Moroccan employees or customers falls under this law, whether it was built in Casablanca or hosted in Amsterdam.
Law 53-05 governs electronic exchanges and digital signatures. It establishes the legal value of dematerialized acts, which becomes relevant as soon as a decision-making process is automated.
Both texts were designed long before the era of large language models. They apply, but with obvious gaps.
What the 2025 White Paper Changes in Practice
In 2025, Morocco published an AI white paper charting the path toward an inclusive and sovereign model. This document is not a law. But it signals a clear political direction.
For Moroccan companies exporting to Europe or working with European partners, the strategic dialogue launched between Morocco and the EU on digital sovereignty and AI creates real alignment pressure. The EU AI Act becomes an indirect constraint for companies exposed to the European market, even without a local equivalent.
I built a 6-dimension diagnostic framework to help executives assess their AI regulatory exposure, between Casablanca and Brussels. Download the AI Board Pack 2026.
Real Risks for Companies Today
A recent signal deserves board-level attention: according to data published by Kaspersky and reported by Medias24, 42% of AI users in Moroccan companies upload complete documents into uncontrolled external tools.
This behavior creates direct exposure under Law 09-08. Where personal data is involved, the CNDP may intervene within the scope of its legal mandate. And beyond the legal risk, it is a confidentiality risk that most boards have not yet formally placed on their agenda.
Devoteam Morocco and Inteqy recently formalized a partnership to deploy human-controlled AI solutions in large enterprises. This is a market signal: demand for operational guardrails exists, and it often precedes formal regulation.
As I explained in my analysis of AI in business for SMEs, the risks are not theoretical. They materialize in daily processes that no one has yet mapped.
What Happens in the Next 18 to 24 Months
Morocco is working on several fronts simultaneously.
First front: infrastructure. The Nexus AI Factory project, with a 12 billion dirham envelope, is a structuring investment signal. Separately, according to Yabiladi, a data center project in Morocco has cleared the land acquisition stage. Two distinct signals showing that digital sovereignty is being built physically.
Second front: sector-specific regulation. Before a general AI law, expect sector-specific texts: finance, healthcare, public administration. This is the path most countries followed before adopting a horizontal framework.
Third front: EU alignment. The Morocco-EU strategic dialogue on AI creates harmonization pressure. Companies that anticipate EU AI Act requirements today will have a head start tomorrow.
For executives who want to understand how the best AI tools available in 2026 fit into this regulatory landscape, the question is no longer “am I allowed to?” but “how do I document my compliance?”
What a Leader Should Do Now
Three concrete actions, in order.
First, map the AI use cases already active in your organization. Not the ones you officially deployed. The ones your teams are using without your knowledge. Uncontrolled AI is your first legal risk.
Second, review your compliance with Law 09-08 for every data processing operation involving an automated system. If you have not done this review in two years, it is probably outdated.
Third, designate an internal AI governance owner. Not an honorary title. A person with a mandate, a budget, and a direct line to the board.
If you are a CEO or CHRO and want to structure your approach to Morocco’s AI regulatory landscape, request a free diagnostic.
FAQ
Does Morocco have a specific AI law?
No. As of Q1 2026, Morocco does not yet have a dedicated artificial intelligence law. The applicable legal framework rests on Law 09-08 (data protection), Law 53-05 (electronic exchanges), and sector-specific regulations. A white paper published in 2025 lays the groundwork for future regulation, oriented toward an inclusive and sovereign model.
Can the CNDP sanction the use of AI tools?
Indirectly, yes. If an AI tool processes personal data from Moroccan citizens or residents without complying with Law 09-08 obligations (declaration, consent, data security), the CNDP may intervene within the scope of its legal mandate.
Does the EU AI Act apply to Moroccan companies?
Not directly. But if a Moroccan company provides services or products to clients or partners in the European Union, the AI Act can create real alignment pressure. The ongoing Morocco-EU strategic dialogue reinforces this progressive convergence.
What is uncontrolled AI and why is it a legal risk?
Uncontrolled AI refers to the use of artificial intelligence tools by employees without internal policy, without control over transmitted data, and without traceability. In Morocco, this creates direct exposure under Law 09-08 whenever personal data is involved. It is currently the most immediate legal risk for the majority of companies.