Africa

Morocco Law 09-08 on Personal Data Protection + National AI Strategy 2030: AI Compliance Requirements

Morocco's Law 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data (2009) and its implementing Decree No. 2-09-165 govern automated processing of personal data including AI systems. The Commission Nationale de contrôle de la Protection des Données à caractère Personnel (CNDP) is the enforcement authority. In 2024, Morocco published its National AI Strategy 2030, which includes a regulatory roadmap for AI governance modeled partly on the EU AI Act. Organizations processing personal data of Moroccan residents through AI must obtain CNDP authorisation for automated processing operations. Morocco is a key hub for EMEA operations and data flows under EU adequacy discussions.

Check your compliance — freeDownload checklist

Key Facts

Effective Date

February 18, 2009

Maximum Penalty

MAD 200,000 (~$20,000 USD) + 3 months to 1 year imprisonment for unauthorized processing.

What Your Business Must Do

3 compliance requirements identified. Critical requirements carry the highest risk of enforcement action.

File CNDP Declaration for AI-Powered Automated Processing

High Priority

Morocco Law 09-08 (Article 12) requires organizations to file a declaration with the CNDP before commencing automated processing of personal data, including AI systems. High-risk processing (sensitive data, surveillance, profiling) requires prior CNDP authorization (not just declaration). File at cndp.ma.

Implement AI Transparency for Moroccan Users

Medium Priority

CNDP guidance and Morocco's National AI Strategy 2030 require organizations to disclose when AI is making or significantly influencing decisions affecting individuals. Automated decisions must be explainable and subject to human review on request. Document AI decision pathways for any system affecting Moroccan residents.

Comply with Morocco Cross-Border Transfer Rules

Medium Priority

Morocco Law 09-08 (Articles 43-45) restricts transfers of Moroccan personal data outside Morocco to countries with adequate protection. AI systems that process Moroccan data in cloud infrastructure outside Morocco must document adequacy or obtain CNDP authorization for the transfer. Morocco has bilateral adequacy with EU under EU-Morocco Association Agreement discussions.

Frequently Asked Questions

Does Morocco Law 09-08 on Personal Data Protection + National AI Strategy 2030 apply to my business?

Morocco's Law 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data (2009) and its implementing Decree No. 2-09-165 govern automated processing of personal data including AI systems. The Commission Nationale de contrôl. Use ComplianceIQ's free scanner to get a personalized assessment in under 5 minutes.

What is the penalty for non-compliance?

The maximum penalty under Morocco Law 09-08 on Personal Data Protection + National AI Strategy 2030 is: MAD 200,000 (~$20,000 USD) + 3 months to 1 year imprisonment for unauthorized processing.. Fines are typically scaled by company size, severity of violation, and whether violations were willful or accidental.

How do I comply with Morocco Law 09-08 on Personal Data Protection + National AI Strategy 2030?

The 3 requirements above cover the core obligations. The fastest path to compliance is: (1) conduct an AI risk assessment, (2) document your AI systems, (3) implement transparency disclosures where required. ComplianceIQ generates all required documents automatically.

Official Source

https://www.cndp.ma

Last updated: 2026-04-14 — verify at source before relying on this information.

Don't leave compliance to chance

ComplianceIQ scans your AI tools, tells you exactly which regulations apply, and generates all required documents — in 30 minutes.

Start your free compliance scan