Regulation · CNDP · July 2026

The CNDP and Microsoft: how Morocco’s data regulator shapes your cloud — and what remains your job

Microsoft says it works closely with the CNDP. True — and still, the regulator’s file with your name on it is yours to complete. Here’s how the pieces fit.


Morocco’s data protection authority is the CNDP — the Commission Nationale de contrôle de la protection des Données à caractère Personnel. Established under Law 09-08, it registers processing operations, issues binding guidance, maintains the list of countries considered adequately protective for transfers, investigates, and sanctions. Its president has framed data protection as nothing less than a sovereignty issue for the country — and enforcement attention has grown accordingly.

Where Microsoft fits

Microsoft’s own Trusted Cloud material for Morocco states that it works closely with the CNDP and intends to continue doing so, and it addresses the Law 09-08 framework directly: written agreements with cloud providers, technical and organizational safeguards, certified encryption under Morocco’s e-exchange rules, and transfer mechanisms such as binding agreements and standard contractual protections. In other words, the platform side of the compliance equation is well developed — Microsoft can evidence its safeguards, and its contracts are built for regulators like the CNDP.

What stays on your desk

Here is the part that surprises many teams: under Law 09-08, your organization is the data controller, and the controller’s duties cannot be outsourced to a hyperscaler. The declaration or authorization filed with the CNDP is yours. The purpose limitation, the retention schedule, the consent and information duties toward data subjects — yours. The transfer authorization for data hosted abroad — yours to obtain, even when the destination is a Microsoft datacenter with world-class security. Microsoft is your processor; the CNDP’s counterpart is you.

Practically, a CNDP-ready Microsoft cloud file contains: a data inventory and classification; the processing declarations or authorizations covering each purpose; the transfer analysis (which regions, which adequacy status, which safeguards); the processor agreement with Microsoft; and evidence of your security measures (access control, encryption, logging, incident response) that you can produce within a reasonable time during an inspection.

One naming note we hear often: the regulator is the CNDP — not CNAP — and it operates alongside, not instead of, the DGSSI, which handles national cybersecurity requirements. Getting the institutions straight is step zero of a credible compliance program.

FutureRoc builds these files with clients as part of our Data Security and AI Governance & Security engagements — including the AI-era questions the CNDP is increasingly focused on. General information, not legal advice; engage Moroccan counsel for filings.
