The Decree No. 2-24-921 of 18 Rabii II 1446 (22 October 2024) regulates the use of Cloud service providers by entities and critical infrastructures managing sensitive information systems or sensitive data. This text establishes a qualification regime applicable to such providers.

In accordance Article 4 of the said Decree, the qualification regime is based on a framework of requirements set by the present Order. This framework lays down the organizational, technical, legal, and governance criteria that providers must meet in order to obtain the qualification granted by the national authority. Pursuant to Articles 7 and 8 of the Decree, it constitutes the normative basis used by the DGSSI or any designated assessment body to conduct the required evaluations.

The framework is aligned with international best practices and is structured into several chapters covering all dimensions of Cloud services security. It notably addresses information security policies, identity and access management, cryptographic protection of data, physical and environmental security, business continuity, incident management, compliance with applicable regulations, and third-party relations.

The framework also stipulates the obligation to establish service agreements governing the responsibilities between the service provider, and the contracting entity, and third parties, particularly with regard to compliance with national legislation, termination in the event of loss of qualification, data reversibility, and the deletion of client’s data.

Finally, the framework sets out the procedures of the qualification process, from the submission of the application file to the final decision, including an evaluation phase of the provider’s capacities and guarantees.