Cybersecurity market in Morocco

Economic context

Lying in Northwest Africa, a mere 15 km from Europe, the Kingdom of Morocco ranks as an emerging economy. Morocco’s economy grew at a rate of 2.5 % in 2019 ^{Footnote 1}. Morocco is home to a population of 36 million. The two main drivers of GDP per capita are agricultural sector performance and value added from nonagricultural activities. It grew from $2,000 in 2001 to over $3,400 in 2019.

Morocco maintains free trade agreements with some countries including the European Union, its largest trading partner. Morocco and the European Union signed an association agreement in 1996. Morocco also has free trade agreements (FTAs) with the United States, European Free Trade Association states, Turkey and the United Arab Emirates. Morocco is also a member of the Agadir Group, an Arab free trade area comprising Egypt, Jordan and Tunisia. Canada and Morocco enjoy well-established trade relations. Bilateral trade amounted to CAD 916 million in 2019. In the context of South-South cooperation as heralded by Morocco, some Moroccan firms have successfully established operations in Africa over the past decade. Telecommunications ranks just behind banking and insurance in terms of African investment, with a presence in 10 sub-Saharan countries.

2019 Foreign Direct Investment (FDI) stock to Morocco reached USD 66 billion, a USD 20 billion increase over 2010 levels. Manufacturing accounts for the largest share of FDI flows, along with real estate, telecommunications, tourism, and energy ^{Footnote 2}. In 2018, Quantum Global's research laboratory ranked Morocco as Africa's most attractive country for foreign investment ^{Footnote 3}. In terms of business environment, Morocco ranks 53rd out of 190 countries on the World Bank's Doing Business 2020 report, up seven spots from the previous year.

Information and Communication Technology (ICT) sector overview

With an internet user penetration rate of 74% in 2019, Morocco is the most connected country in Africa. This is according to the International Telecommunication Union's report on global telecommunications development ^{Footnote 4}. Morocco has also embarked on its fourth industrial revolution. It‘s one of only five countries in Africa to host over half of Africa's technology centers, namely South Africa, Kenya, Nigeria and Egypt.

In December 2019, Morocco joined the Smart Africa Alliance, comprising some 30 member-countries, accounting for over 750 million people. The Alliance has a vision of creating a single digital market in Africa by 2030. It brings together heads of state seeking to speed up Africa’s digitalization and to create a common market.

With an estimated CAD 4.6 billion in market size and 60,000 employees, the ICT sector is growing rapidly. Morocco's goal is to increase ICT sector contribution from 3% to 11% of GDP, creating 125,000 new jobs ^{Footnote 5}.

In December 2017, Morocco created the Agency for Digital Development (ADD) to carry out the government's digital development strategy. The ADD introduced the General Guidelines Note for Digital Development by 2025, replacing the Digital Morocco 2020 plan. The new Note defines three main objectives:

improve interaction between citizens and public authorities through end-to-end digitalization of administrative procedures
establish Morocco as Africa's leading digital and technological hub through the creation of 2,500 start-ups
harness digital technology for a more inclusive and egalitarian society by building a "digital generation"

The World Bank (WB) granted Morocco a USD 700 million loan in February 2019 to speed up Morocco's digital transformation. In July 2020, WB approved USD 500 million in funding in support of policy reforms needed to create an enabling environment for digital transformation ^{Footnote 6}.

Morocco's cybersecurity sector

A Kaspersky study ranks Morocco 34th worldwide in terms of countries targeted by cyber threats. The study also ranked Morocco 3rd on attacks against industrial control systems ^{Footnote 7}.

General trends and legal framework

Cybersecurity Maturity Levels in Morocco

The 2018 International Telecommunication Union (ITU) Cybersecurity Index ranks Morocco 97th out of 197 countries. This ranking is based on five key cybersecurity criteria:

legal aspects
technology
governance
capacity building
international cooperation

Morocco's cybersecurity dashboard

Key cybersecurity criteria	Criteria level
Legal	High
Cybercrime legislation	High
Cybersecurity legislation	High
Cybersecurity training	High
Technical	High
CERT/CIRT/CIRT National	High
CERT/CIRT/CIRT Governmental	High
CERT/CIRT/CIRT Sectoral	Low
Standards for organizations	High
Standards for Professionals	High
Online Child Protection	Low
Organizational	Medium
Strategy	Low
Organizational responsibility	High
Cybersecurity indicators	Low
Capacity building	Medium
Standards Development	Medium
Cybersecurity best practices	High
Research and development program	Medium
Public awareness campaigns	High
Vocational Training Courses	Medium
Educational Programs	Medium
Incentive mechanisms	Low
Domestic industry	Low
Cooperation	Medium
Bilateral agreements	Medium
Multilateral agreements	High
International Commitment	High
Public-private partnerships	Low
Inter-organizational partnerships	Low
Global index	Medium

Source: ITU, Global Cybersecurity Index 2017 -

Despite indicators, and while specific vulnerabilities stay at sectoral CERT levels and in online child protection, global experts recognize Morocco's excellence in legal and technical matters. Cognizant of its cyber-attack exposure risks, Morocco has in recent years committed to enhancing its information systems security capacities.

Morocco's goal to improve its cybersecurity performance transpires in the February 2014 approval of the Budapest Convention on Cybercrime. Morocco also took part in the March 2018 CyberSouth initiative. This initiative is a European cooperation project to combat cybercrime on its southern flank.

The legal and regulatory environment

The Moroccan penal code was strengthened in November 2003 by Law 07-03 defining computer piracy. In February 2009, legislators tackled privacy protection with Law 09-08. It established a National Commission for the Protection of Personal Data (CNDP). Since then, companies that collect personal data must inform and secure the consent of those involved.

Furthermore, the National Defense Administration set up a General Directorate of Information Systems Security (DGSSI). The DGSSI would draft the National Directive on Information Systems Security (DNSSI). Published in December 2013, this directive outlines relevant organizational and technical security measures for public administrations and organizations, as well as vital infrastructures ^{Footnote 8}.

In July 2020, the House of Representatives passed Law 05-20 on cyber security. Under this law, the government can exercise, via the National Cybersecurity Agency, the power to control and protect computer systems and data of both public and private institutions. Two institutions will be created to this end:

The Strategic Cybersecurity Commission, whose mission is to outline the State's main cybersecurity guidelines.
The National Cybersecurity Authority, empowered to conduct technical investigations to fight cyber-attacks.

The Act directly impacts companies providing digital services or using computer data. These companies must now follow international cybersecurity best practices (develop a cybersecurity plan, classify information assets, conduct regular audits, etc.). They must also appoint an Information Systems Security Officer (ISSO) as the official interlocutor with the National Cybersecurity Authority. Further, companies exposed to a cyber-attack must immediately notify the Authority, failing which sanctions are applicable.

The State is directly involved in the security effort through the Moroccan Center for Alert and Management of Computer Incidents (maCERT). maCERT is overseen by the DGSSI. It’s developed in cooperation with South Korea and started in January 2011. It’s the center for monitoring, detecting and responding to computer attacks. When a critical infrastructure falls victim to an attack, it must report all critical incident data affecting the security or operation of its information systems to maCERT within 48 hours. These new legal responsibilities imposed on businesses are likely to create increased demand for cyber security goods and services.

Key players

The cybersecurity offering in Morocco features strong international presence including:

US companies (Symantec, Fortinet, Palo Alto Networks etc.)
European players (Bitdefender, Kaspersky)
French companies (Orange Morocco, Orange Cyberdefense, Thales, Devoteam as well as Atos)

Global professional services firms are also present, like Deloitte Morocco and KPMG International, which offer their own cybersecurity services.

The Moroccan market also includes medium-sized players, including:

6cure: French anti DDoS solutions publisher. It’s active in Morocco and enabled local businesses and operators to create secure digital spaces. This ensures both the integrity of communication means and the security and availability of IT infrastructure.
Systancia: French virtualization, cybersecurity and digital trust expert. It operates via one representative and a number of integrators.
Cypriot firm Secmentis serves Morocco on an ad hoc basis from its Limassol head office. Secmentis specializes in penetration testing, threat intelligence and proactive IT infrastructure defense.

Foreign software publishers

IT security is a big market segment for leading software publishers present in Morocco. Some fifteen multinationals, in partnership with local companies, share the market. Arbor Networks is also present alongside already stated players such as Fortinet, Symantec, Bitdefender, Kaspersky Lab, Palo Alto Networks. As is Japanese cybersecurity software firm Trend Micro, present via Config Maroc (in French only), its local IT products and services distributor. Swiss cybersecurity publisher Oxial, also set-up an office in Morocco to service the African market. Its software enables to rapidly identify people-related risks.

Kaspersky Lab, for example, has been present in Morocco for 15 years, servicing the North Africa region from there. Kaspersky Lab also works with IT integrators and companies using cybersecurity solutions.

Telecommunication operators

Telecom operators also offer integrated solutions. Two of the three major telecom operators stand out in particular.

INWI has an advanced cyber defense offer garnered in partnership with global cloud computing leaders including Huawei, Dell/EMC and Vmware. INWI launched a Security Operations Center or SOC (Security Operations Center) in 2018, operated in partnership with Symantec. One year into its activity, the INWI Business SOC set up the first National Cybersecurity Observatory. It published a national bulletin that has become the national reference document. The bulleting lists and analyzes Morocco’s main vulnerabilities and cyber-attacks.
Orange Morocco, a subsidiary of the French telecommunications operator, launched its cybersecurity office in 2018. The initiative aims at making Morocco a hub of expertise for the whole of Africa. Experts based in Morocco will have access to Orange Cyberdefense know-how, methodologies and experience.

Moroccan Cybersecurity Firms

Integrators and consulting firms have emerged in recent years. Some are IT firms that have incorporated a cybersecurity component. Most of these firms are however, still tied to their original industry and can hardly be considered full-fledged cybersecurity players. We shall focus here on those that have invested significantly in cybersecurity and acquired specific expertise.

Dataprotect

Founded in 2009, Dataprotect has 150 employees and provides a full range of services from consulting, information management, integration and training to infrastructure monitoring through its 24/7 SOC. Dataprotect is PCI QSA accredited in Morocco by the Payment Card Industry Security Standards Council consortium for PCI DSS and PA DSS certifications. Dataprotect is active throughout French-speaking Africa and operates an office in Paris.

LMPS Group

Founded in 2007, LMPS Group offers cybersecurity services to the industrial sector and automotive in particular. The company strives to be an ISO27001 certified "One-Stop-Cybersecurity Shop", including a CyberSOC (an Intelligent Cybersecurity Supervision Center). The company is present in some fifteen countries across Africa and Europe.

M-Secure IT

M-SecureIT (in French only) is an IT security and infrastructure and application administration specialist. It offers a 24/7 administration center and experts both in France and Morocco. Official representative and silver partner of Fortinet in Morocco.

Nearsecure

Nearsecure is an Audit Service Provider for the Security of Sensitive Information Systems of Critical Infrastructures (PASSI) certified by the DGSSI. Nearsecure signed an agreement in November 2020 with French software publisher Nucleon Security.

The cybersecurity market

A 2018 study of Morocco’s cybersecurity market, by the Association of Moroccan Information Systems Users (AUSIM), indicates that an overwhelming majority of companies recognize the importance of cybersecurity, but that resources allocated remain inadequate. The same study, focusing on large tertiary sector companies, found that:

84% of these companies had developed a cybersecurity program
86% provided employee training and awareness programs
86% adopted one or more security standards (ISO 27001, DNSSI, etc.)
63% of organizations had two or fewer employees assigned to cybersecurity
62% invested under MAD 1 million (CAD 140,000) per year in cybersecurity
only 45% planned to increase this amount in the short term

While over three-quarters of organizations have conducted a cybersecurity audit, the majority have done so only once. However, to be effective, an audit should be regularly repeated. The same goes for cyber-attack simulations. 63% have already carried out a simulation, but only a minority do so on a regular basis. Almost all organizations deployed security solutions (antivirus, firewall etc.), but 39% still fail to protect their data (encryption, anonymization, etc.).

Moreover, only 31% of organizations report having suffered cyber-attacks, compared to 80% in Europe. This is likely the result of weak intrusion detection means. The two most often detected types of incidents are virus attacks and ransom demands.

Cybersecurity is rarely a priority for senior management. As such, a gap exists between top management and those responsible for cybersecurity. Those responsible for cybersecurity face weak IT risk recognition in their organizations.

Business opportunities

Law 05-20 on cybersecurity aims to make large corporations' information systems, telecommunications networks and sensitive data as secure as possible. The Act provides for fines of up to CAD 57,000, with the possibility of harsher penalties in case of repeat offense ^{Footnote 9}.

The Covid-19 pandemic compelled companies to speed up digitization and dematerialization processes, thereby facing increased exposure to cyber-attacks. Pandemic consequences joint with new legal constraints force companies to get the means needed to ensure information systems security.

Furthermore, Law 05-20 says that "sensitive data must be hosted exclusively on the national territory". Thus fostering the expansion of the so far undeveloped Moroccan cloud computing industry. Offers are quickly multiplying, initially by telecom operators (Cloud inwi Business and Maroc Telecom) as well as IT firms such as N+ONE, Medafrica Systems and Cloud VPS. As cloud platforms increase the need for cybersecurity, new Moroccan law opens up broad expansion opportunities for the cybersecurity industry.

Finally, as noted above, the Moroccan government supports private sector involvement in IT training through public-private partnerships (PPP). Industry associations play a key role in the development of PPPs. This is showed by many initiatives launched by the likes of:

the General Confederation of Moroccan Enterprises (CGEM)
the Moroccan Federation of Information Technology, Telecommunications, and Offshoring (APEBI)
the Association of Moroccan Information Systems Users (AUSIM)

Some multinational companies are involved in projects with universities and other higher education institutions. This includes initiatives by IBM, Huawei, Orange, etc.

The financial sector

The financial sector has become both modern and efficient in just a few years. It’s a major market segment for cybersecurity in Morocco. Improved regulatory framework and compliance with international standards have raised Morocco's financial sector to one of the most efficient in Africa. The banking rate thus improved to 78% ^{Footnote 10}.

The two main characteristics of Morocco's banking sector today are:

The presence of large French banks via local subsidiaries as well as minority equity stakes in top Moroccan banks
Diversifying international activities of major Moroccan banks, particularly in Africa. This is done through acquisitions or equity stakes in local banks.

Three banks lead this International diversification drive:

Attijariwafa Bank Group (AWB)
BMCE-Bank of Africa Group
Banque Centrale Populaire Group (BCP)

The three financial institutions cover some 25 African countries, mainly in West and Central Africa.

Market access strategies

Partnerships or strategic alliances with existing firms form one market access avenue. This may be an IT firm looking to merge its security footprint. It may also be a cybersecurity firm looking to gain international reach. In both cases, it’s important to favor win-win solutions based on complementarity.

An important example is the partnership between Romanian cybersecurity publishing multinational Bitdefender and Moroccan firm Disty Technologies. Disty Technologies is a major IT distributor in Morocco with 2,500 sales outlets. By joining forces with Disty Technologies in January 2020, the Romanian publisher now has access to a first-class distribution network in Morocco. Conversely, Disty Technologies gained enhanced credibility for its cybersecurity offer.

Insufficient qualified human resources and the government's determination to increase the number of IT and cybersecurity experts underscores the importance of training, which presents some opportunities. Canadian companies and educational institutions can offer services either directly or with local partners. These services are in professional development and certification programs, as well as continuing education.

Other business opportunities include accelerating the digitization of business processes and to diversifying the banking sector internationally. It also includes the E-Gov project, which aims to process 50% of administrative applications online.

Events in Morocco

Les Assises de l’AUSIM – AUSIM Sessions (in French only)

A three-day event including roundtables, theme-based workshops and networking.

The Cybersecurity Forum

The Cybersecurity Forum taking place annually in Marrakech brings together African IT security decision-makers with interested publishers and manufacturers. Held in the form of B2B meetings, conferences and workshops. The next edition is scheduled for June 2021.

African Security Exhibition & Conference (ASEC EXPO)

Launched in 2019, the ASEC-EXPO exhibition showcases technological solutions across the security spectrum. It includes a platform for meetings, conferences and workshops. There’s no information on upcoming dates.

Africa IT Expo (Aitex)

Hosted by the Federation of Information Technology, Telecommunications and Offshoring (Apebi), AITEX provides clients with a global platform for IT services and products in Africa. It also promotes sectoral development and innovative solutions on the continental level. There’s no information on upcoming dates.