Skip to content
← All Board Briefs
Operational Frameworks 5 min read

AI Law in Morocco: Legal Framework and Stakes

Morocco has no dedicated AI law yet. Here is the current legal framework, real risks for businesses, and what is coming next.

Naïm Bentaleb

Naïm Bentaleb

AI Strategy & Governance Advisor

AI Law in Morocco: Legal Framework and Stakes

Morocco has no dedicated AI law yet. The current legal framework relies on existing texts: Law 09-08 on personal data protection, Law 53-05 on electronic exchange, and labor code provisions. It is a fragmented framework that leaves significant grey areas for businesses operating in the country.

What Moroccan Law Says Today

Law 09-08 is the central text. It governs the collection, processing, and storage of personal data. The National Commission for the Control of Personal Data Protection (CNDP) is the supervisory authority.

But this law dates from 2009. It was not designed for AI systems that process millions of data points in real time, or that make automated decisions on job candidates, credit applications, or customer profiles.

That is the core problem. The tools exist. The law is catching up.

A recent signal illustrates the scale of the challenge: according to a study cited by cio-mag.com, 42% of AI users in Moroccan companies import complete documents into uncontrolled external tools. Client data, contracts, HR information. Without oversight, without traceability, without a clear legal basis.

This is what we call uncontrolled AI. And it is already inside your teams.

The Texts That Apply, for Lack of Better

In the absence of a dedicated AI law, here are the texts Moroccan lawyers currently rely on:

Law 09-08 on Personal Data

It requires consent, limited purpose, and right of access. Any AI system processing personal data of Moroccan citizens must in principle be declared to the CNDP under the personal data processing regime. In practice, few companies do this for their AI tools.

Law 53-05 on Electronic Exchange

It recognizes the legal value of electronic documents and digital signatures. It applies to contracts concluded through automated platforms.

The Labor Code

It does not mention AI. But questions around employee surveillance by algorithmic tools, or automated decisions in recruitment and dismissal processes, fall within its scope. Moroccan courts have not yet had to rule on these cases. It is only a matter of time.

Law 05-20 on Cybersecurity

Adopted in 2020, it creates a framework for information system security. It applies to operators of vital importance. Indirectly, it touches AI infrastructure deployed in sensitive sectors.

I have built a 6-dimension diagnostic framework to help executives assess their AI regulatory exposure. Download the AI Board Pack 2026.

What Other Countries Are Doing: A Useful Reference

The European Union adopted the AI Act in 2024. It is the world’s first comprehensive AI regulatory framework. It classifies systems by risk level: unacceptable, high, limited, minimal. Moroccan companies that export to Europe or process data of European citizens may be affected depending on the nature of their activities and the territorial scope of their operations.

In Africa, Senegal took a position at the GPAI (Global Partnership on Artificial Intelligence) for AI governance that respects national sovereignties. Morocco participates in these discussions but has not yet translated this position into legislation.

Tunisia and Rwanda are advancing on national AI strategies with regulatory components. Morocco has had a National AI Strategy since 2019, but it remains largely non-binding from a legal standpoint.

What This Means Concretely for Your Business

If you are a CEO or CHRO in Morocco, here are the questions you should be asking your legal team right now.

First: which AI tools are your teams using, and on what data? If you do not know, you already have an AI governance problem.

Second: do your AI vendor contracts include clauses on data localization, confidentiality, and accountability in case of algorithmic error? Most standard SaaS contracts do not.

Third: if you use algorithmic recruitment tools, as I analyzed in my article on AI advantages in recruitment, you must ensure these systems do not create indirect discrimination. This is not just an ethical question. It is real legal exposure.

Fourth: if you process data from European clients or partners, the AI Act may apply to you depending on the type of usage and the scope of your activities. Check with your legal counsel.

What Is Coming: Signals to Watch

Morocco is building its AI ecosystem at speed. Kenyan technology distributor Mitsumi chose Morocco to expand its network in digital infrastructure, cloud computing, cybersecurity, and artificial intelligence. Events like AI:Casablanca, which aims to open the debate on the future of work in the AI era, and the GenZ AI Summit 2026 where Orange Morocco brings together experts, companies, and institutions around AI issues, show that collective reflection is taking shape.

Regulatory pressure will follow. It comes from three directions: European partners imposing their standards, investors demanding compliance guarantees, and citizens starting to ask questions about how their data is used.

Companies waiting for a law to get organized will fall behind. Those who anticipate are building an advantage.

For SMEs looking to integrate AI into operations while managing risk, my guide on AI benefits for SMEs lays the groundwork.

If you want to structure your AI regulatory approach before the law forces you to, request a free diagnostic.

FAQ

Does Morocco have a specific AI law?

No. As of 2026, Morocco does not yet have a dedicated artificial intelligence law. The applicable legal framework rests on Law 09-08 (personal data), Law 53-05 (electronic exchange), and Law 05-20 (cybersecurity).

Are Moroccan companies subject to the European AI Act?

It depends on their activities. The AI Act may apply based on territorial impact: a Moroccan company that processes data of European citizens or exports services to the EU may fall within its scope. Each situation warrants specific legal analysis.

What does a company risk by using AI without oversight in Morocco?

Today, sanctions remain limited due to the absence of a specific text. But exposure exists: violation of Law 09-08, contractual risk with foreign partners, and civil liability in case of harm caused by an algorithmic decision.

Does the CNDP oversee AI tools?

The CNDP oversees personal data processing. An AI system that processes such data falls within its jurisdiction. The CNDP has not yet published a specific doctrine on AI, but it has the capacity to intervene on the basis of existing texts.

Share this brief

Next Step

Ready to structure AI governance in your organization?

Start with an AI Governance Sprint – a 2-3 week diagnostic that gives you a clear action plan.