Morocco’s ‘Digital X.0’ Law: North Africa’s Most Ambitious AI and Data Governance Framework Explained

By Policy & Regulation Reporter | 11 March 2026 | 8-minute read

Morocco has introduced a draft law that goes further than any African state has yet attempted: a single comprehensive framework governing artificial intelligence, data governance, and digital identity simultaneously. For fintechs, healthtech companies, and AI startups operating in North Africa, the clock on compliance is already ticking.

Presented by Amal El Fallah Seghrouchni, Morocco’s Minister Delegate for Digital Transition and Administrative Reform, the Digital X.0 framework law is the legal centrepiece of the Maroc Digital 2030 strategy — the country’s five-year plan to position itself as a technology hub for Africa and the Arab world. The draft is currently under review by the General Secretariat of the Government and is expected to be submitted to Parliament in the first half of 2026.

It is, in scope and ambition, unlike anything else on the continent.

What Digital X.0 Actually Does

The law is built on three interlocking pillars, each addressing a gap in Morocco’s existing digital regulatory landscape.

1. Data Governance

Morocco’s existing data protection law, Law 09-08, was enacted in 2009 — before cloud computing, algorithmic systems, and large-scale data brokers were features of the economy. Digital X.0 does not replace Law 09-08 but updates and operationalises it for the AI era. The framework introduces:

• A traceable consent mechanism requiring explicit user authorisation for all data exchanges between government agencies and between public and private actors
• Standards for cross-border data transfers, bringing Morocco into alignment with GDPR adequacy criteria — a priority given Morocco’s deep trade and technology ties with the European Union
• Mandatory data impact assessments for organisations processing personal data at scale

The Bank Al-Maghrib and Morocco’s capital markets authority (AMMC) are developing complementary frameworks for AI use in fintech and algorithmic trading, focusing on operational resilience and market manipulation prevention. Those sectoral rules will sit beneath Digital X.0’s overarching data governance provisions.

2. Digital Identity

The law establishes a national digital identity system designed to give citizens granular control over their personal information across both public administration and private-sector interactions. The system would enable citizens to authenticate their identity digitally, grant or withdraw consent for specific data uses, and receive notifications when their data is accessed by third parties.

Morocco signed eight interoperability agreements in February 2026 — including with French digital identity providers and Gulf state government technology platforms — to support the parallel launch of the Idarati X.0 super-app, an AI-powered government services platform that will use the Digital X.0 identity infrastructure as its authentication backbone.

3. AI Governance

This is the section that will most directly affect technology businesses. Digital X.0 establishes ethical and accountability principles for algorithmic systems in both public administration and the private sector. Key provisions include:

• Algorithmic impact assessments for AI systems used in high-stakes decisions (credit scoring, hiring, healthcare triage, facial recognition)
• Accountability requirements obliging organisations to designate responsible officers for AI system oversight — analogous to a data protection officer but for algorithmic decisions
• Prohibition of certain high-risk AI applications, though the specific categories are still being defined in technical rulemaking
• Content moderation standards for AI-generated content, including labelling requirements
• Copyright provisions for AI-generated intellectual property — a globally contested area where Morocco would be among the first African nations to legislate

A National Agency for AI Governance is expected to be formally established by late 2026 to supervise compliance across these provisions.

The Implementation Timeline Businesses Need to Track

Digital X.0 is not yet in force, but the compliance clock is already running for companies that want to avoid rushed retrofits. The official rollout schedule is:

• 2025 (complete): Parliamentary proposal + public stakeholder consultation
• 2025–2026 (ongoing): Technical rulemaking — standards bodies developing certification schemes, data impact assessment templates, and AI governance audit frameworks
• 2026 (planned): Pilot deployments of shared government platforms + voluntary compliance certifications open
• 2027–2028: Mandatory compliance deadlines for key provisions

Companies operating in Morocco now have a window of roughly 12 to 18 months to begin aligning their data architectures and AI governance practices before enforcement becomes mandatory. Those that treat the 2026 pilot phase as a rehearsal — rather than waiting for the 2027–2028 deadlines — will be better positioned.

Where Morocco Sits in the Continental AI Regulation Race

Africa’s AI regulation landscape is fracturing into three tiers, and Morocco is clearly in the first.

Tier 1 — Active legislative frameworks: Morocco (Digital X.0, under parliamentary review), Nigeria (National Digital Economy and E-Governance Bill, expected Q1 2026 passage), South Africa (Draft National AI Policy, public consultation open). These three economies account for approximately 40% of Africa’s GDP and are shaping what continental AI governance will look like in practice.

Tier 2 — Strategy documents without binding legislation: Kenya (Draft National AI Strategy 2025–2030, consultation complete), Egypt (National AI Strategy 2022, no enforcement framework yet), Rwanda (AI mentioned in Digital Plan, no dedicated legislation). These markets have signal intent but not yet legal teeth.

Tier 3 — No formal AI policy: The majority of African nations, where AI governance happens, if at all, through existing data protection or sector-specific financial regulation.

Morocco’s distinction from Nigeria and South Africa — the other Tier 1 players — lies in the breadth of Digital X.0. Nigeria’s AI bill is primarily a licensing and enforcement mechanism for high-risk AI systems, modelled loosely on the EU AI Act’s risk-based approach. South Africa’s consultation is still gathering input and has no timetable for binding legislation. Morocco’s framework is the only one that combines AI governance, data governance, and digital identity into a single statutory instrument, with a companion government service delivery platform (Idarati X.0) that will stress-test the framework at scale from day one.

The EU Angle: Why This Matters for Trade

Morocco’s most significant trading partner is the European Union — the country handles over 60% of its trade with EU member states, and tens of thousands of Moroccan firms participate in EU supply chains or provide services to EU-based companies. The EU AI Act entered force in August 2024, with obligations for high-risk AI systems taking effect progressively through 2025–2027.

Digital X.0 is partly a strategic alignment play. If Morocco’s AI governance framework achieves de facto adequacy with EU AI Act requirements — as Law 09-08 is already partially aligned with GDPR — Moroccan technology companies could gain a material advantage in EU procurement and partnership processes. EU customers will increasingly require their AI vendors and data processors to operate under auditable AI governance frameworks; Morocco is building one.

“This is about trade infrastructure, not just national policy,” said one European technology law practitioner who advises Moroccan firms. “Morocco is trying to ensure its tech sector doesn’t face the same access barriers that unregulated AI vendors from other emerging markets are starting to encounter in European contracts.”

What Fintechs and AI Startups Need to Do Now

The compliance posture for Morocco-operating businesses depends on where they are in the product lifecycle.

Fintechs using credit scoring or risk-assessment algorithms: Begin documenting AI model governance now. Algorithmic impact assessments will be required — building the internal processes before the templates are mandated is significantly cheaper than retrofitting. The Bank Al-Maghrib and AMMC’s forthcoming sectoral rules will add specificity to these requirements.

Healthtech and insurtech companies: High-stakes AI applications in health and insurance are likely to fall in any prohibited or heavily regulated category. Engage with the National Agency for AI Governance once it launches (expected late 2026) and monitor the technical rulemaking process closely.

Data brokers and aggregators: The consent framework is the most disruptive provision for data-intensive businesses. Traceable, user-controlled consent for cross-entity data sharing will require significant changes to current data architectures. 2026 is the time to redesign — not 2027.

AI content platforms: The combination of AI content labelling requirements and IP provisions for AI-generated work is unprecedented in Africa. If Morocco’s approach mirrors the EU’s AI Act labelling rules, all AI-generated content published in Morocco will need to be disclosed as such. Content businesses should assess their Morocco exposure now.

The Mistral Partnership: A Signal About Sovereignty

One strategic indicator of Morocco’s direction sits beneath the legal text: the country has partnered with French AI startup Mistral AI to build multilingual AI models in Arabic, Amazigh (Tamazight), and other languages — a direct investment in AI sovereignty. The models will be built under the Digital X.0 governance framework and trained on Moroccan public data, not scraped from global datasets.

This is not incidental. Morocco is making a bet that the most durable form of AI competitiveness is linguistic and cultural specificity — AI systems that serve Moroccan users better than generic global models because they understand Darija, classical Arabic, and Amazigh. Digital X.0 is the legal container for that bet.

Outlook

Digital X.0’s parliamentary passage is the next major milestone to watch. El Fallah Seghrouchni has positioned the law as urgent national infrastructure — comparable, in her framing, to building motorways or ports in the twentieth century. That framing suggests political will for rapid passage.

If enacted on the current schedule, Morocco will have a comprehensive AI and data governance law in force before the end of 2026 — ahead of every other African nation and ahead of most developing-world peers globally. For companies operating in or considering entry to North Africa’s largest technology market, that regulatory clarity is worth mapping now.

Policy & Regulation Reporter covers digital governance, fintech law, and technology regulation across Africa’s 54 nations. Coverage of BETA-448.