
DORA and Bank Al-Maghrib: Convergence of Operational Resilience Requirements

DORA Atlas Editorial

A Dual Regulatory Reality

Morocco's financial sector occupies a unique position in the global regulatory landscape. Domestically, Bank Al-Maghrib (BAM) has built a comprehensive supervisory framework for IT risk management and business continuity that predates DORA by nearly a decade. Internationally, Moroccan banks with European subsidiaries, correspondent banking relationships, or cross-border operations increasingly encounter DORA requirements — either directly through their EU-regulated entities or indirectly through the expectations of European counterparties and clients.

This dual reality creates both a challenge and an opportunity. The challenge is navigating two regulatory frameworks simultaneously. The opportunity is that BAM and DORA, despite originating from different regulatory traditions, converge substantially on core operational resilience principles. Institutions that recognise this convergence can build a unified compliance programme that satisfies both regulators with a single set of capabilities.

This analysis maps the two frameworks against each other, identifies areas of convergence and divergence, and provides practical guidance for Moroccan institutions managing both sets of requirements.

Bank Al-Maghrib's Supervisory Framework

BAM's approach to IT risk and operational resilience is codified across several directives and circulars:

Directive on IT Risk Management establishes requirements for IT governance, risk assessment, security controls, and incident management. It mandates a formal IT risk management framework, regular risk assessments, security policies, access controls, and change management procedures. The directive requires the governing body to approve the IT risk management strategy and receive regular reporting on IT risk posture.

Directive on Business Continuity (Plan de Continuité d'Activité — PCA) requires institutions to maintain formal business continuity plans covering critical activities. The PCA must include business impact analysis, recovery strategies, recovery plans (Plan de Reprise d'Activité — PRA), and regular testing. BAM expects documented PCA/PRA that are tested at least annually and updated following significant changes.

Directive on Outsourcing governs the use of external service providers, requiring risk assessment, contractual safeguards, monitoring, and exit planning. BAM retains the right to access outsourced operations and requires prior notification for the outsourcing of significant activities.

Circular on Cybersecurity establishes expectations for cyber threat management, including security operations, incident detection and response, vulnerability management, and security awareness.

Together, these directives create a supervisory framework that is comprehensive, principle-based, and deliberately aligned with international standards — particularly Basel Committee guidance on operational risk and IT risk.

Framework Convergence Map

The convergence between BAM directives and DORA is substantial. Both frameworks share the same fundamental premise: financial institutions must govern, test, and prove their operational resilience through structured, evidence-backed programmes.

Governance and Management Body Accountability

| Requirement | BAM | DORA |
| --- | --- | --- |
| Board-level oversight of IT risk | Required (IT Risk Directive) | Required (Art. 5(2)) |
| Approved IT risk management framework | Required | Required (Art. 6(1)) |
| Regular board reporting on IT risk | Required (quarterly minimum) | Required (Art. 5(6)) |
| Management body training on ICT risk | Expected | Mandatory (Art. 5(4)) |
| Dedicated IT risk management function | Required | Required (Art. 6(4)) |

Convergence: High. Both frameworks place unambiguous accountability on the management body. BAM's approach is principle-based, while DORA's is prescriptive with specific article references, but the substantive requirement is identical.

ICT Asset Management and Risk Assessment

| Requirement | BAM | DORA |
| --- | --- | --- |
| ICT asset inventory | Required | Required (Art. 8(1)) |
| Criticality classification | Required (based on BIA) | Required (Art. 8(1), Art. 3(22)) |
| Dependency mapping | Expected | Required (Art. 8(4)) |
| Regular risk assessments | Required (annual minimum) | Required (Art. 9(1)) |
| Risk treatment and monitoring | Required | Required (Art. 9(4)) |

Convergence: High. The core asset management and risk assessment requirements are substantively equivalent. DORA is more specific about dependency mapping and the frequency of risk reassessment, but institutions compliant with BAM's IT Risk Directive will have the foundational capabilities in place.

Business Continuity and Recovery

| Requirement | BAM | DORA |
| --- | --- | --- |
| Business impact analysis | Required (PCA Directive) | Required (Art. 11(1)) |
| Business continuity plans | Required (PCA) | Required (Art. 11(1)) |
| Recovery plans (PRA) | Required | Required (Art. 11(2)) |
| RTO/RPO definition | Required | Required (Art. 11(1)) |
| Annual testing of BC/DR plans | Required | Required (Art. 25(1)) |
| Crisis communication procedures | Required | Required (Art. 14) |

Convergence: High. BAM's PCA/PRA framework maps almost directly to DORA's business continuity requirements under Articles 11-13. Institutions with mature PCA programmes will find DORA's continuity requirements largely satisfied.

Incident Management

| Requirement | BAM | DORA |
| --- | --- | --- |
| Incident classification framework | Required | Required (Art. 18) |
| Incident detection and response | Required | Required (Art. 17) |
| Regulatory notification of major incidents | Required (to BAM) | Required (Art. 19, to NCA) |
| Post-incident review | Expected | Required (Art. 13) |
| Root cause analysis | Expected | Required (Art. 13(2)) |
| Specific reporting timelines | General expectation | Prescriptive (4h/72h/1 month) |

Convergence: Moderate-High. BAM requires incident management and regulatory notification, but DORA's three-phase reporting timeline (initial notification within 4 hours, intermediate report within 72 hours, final report within 1 month) is more prescriptive than BAM's current expectations. Institutions will need to adapt their incident workflows to meet the more demanding DORA timelines if they have EU-regulated entities.

Third-Party Risk Management

| Requirement | BAM | DORA |
| --- | --- | --- |
| Outsourcing risk assessment | Required | Required (Art. 28) |
| Contractual safeguards | Required | Required (Art. 30, 15 provisions) |
| Prior notification for significant outsourcing | Required | Not required (but register must be maintained) |
| Exit strategies | Expected | Required (Art. 30(2)(f)) |
| Concentration risk analysis | Limited | Required (Art. 29) |
| Sub-outsourcing chain visibility | Expected | Required (Art. 29(2)) |
| Register of outsourced arrangements | Required | Required (Art. 28(3)) |

Convergence: Moderate. BAM's outsourcing directive covers the core requirements but with less prescriptive detail than DORA's Pillar IV. The most significant gap is concentration risk analysis — BAM expects diversification but does not require the systematic, quantitative assessment that DORA Art. 29 demands.

Resilience Testing

| Requirement | BAM | DORA |
| --- | --- | --- |
| BC/DR testing programme | Required (annual) | Required (Art. 25(1)) |
| Vulnerability assessments | Required | Required (Art. 25(1)) |
| Penetration testing | Expected | Required (Art. 25(1)) |
| Threat-led penetration testing (TLPT) | Not required | Required for designated entities (Art. 26) |
| Testing evidence retention | Expected | Required |
| NCA involvement in testing | Not structured | Required for TLPT (Art. 26(4)) |

Convergence: Moderate. BAM requires testing, but DORA's testing requirements are broader (Art. 25 lists nine types of tests) and deeper (Art. 26 introduces TLPT, which has no BAM equivalent). This is the area where DORA goes most significantly beyond current BAM expectations.

Where DORA Goes Further

Four areas represent material gaps between BAM's current framework and DORA's requirements:

1. Threat-Led Penetration Testing (TLPT). BAM does not require TLPT. DORA Art. 26 introduces a testing methodology that is substantially more demanding, expensive, and regulated than any testing currently required by BAM. Moroccan institutions with EU subsidiaries designated for TLPT will need to build this capability from scratch.

2. Prescriptive Incident Reporting Timelines. DORA's 4-hour/72-hour/1-month reporting timeline is more demanding than BAM's general expectation of timely notification. The four-hour window for initial notification (Art. 19(4)(a)) requires near-real-time incident classification and automated regulatory reporting capabilities.

3. Concentration Risk Quantification. BAM expects prudent management of outsourcing risk but does not require the quantitative concentration risk analysis that DORA Art. 29 demands — including substitutability assessment, service provider dependency mapping, and systematic evaluation of single points of failure across the ICT supply chain.

4. Information Sharing Framework. DORA Pillar V (Art. 45-49) establishes a structured framework for threat intelligence sharing that has no direct BAM equivalent. While the requirements are less onerous than other pillars, they represent a new regulatory expectation.

Implications for Moroccan Banks

Institutions with EU Subsidiaries

Moroccan banking groups with subsidiaries in the EU (particularly in France, Belgium, the Netherlands, and Luxembourg) face direct DORA obligations through those entities. The group-level challenge is ensuring that the parent's BAM-compliant framework extends to meet DORA requirements at the subsidiary level — or that a unified framework satisfies both.

The practical recommendation: build the governance framework to the higher standard (DORA) and map BAM requirements into it. An institution compliant with DORA will inherently satisfy the vast majority of BAM requirements. The reverse is not true — BAM compliance alone leaves material DORA gaps.

Institutions with EU Correspondent Relationships

Even without EU subsidiaries, Moroccan banks maintaining correspondent banking relationships with EU institutions will face indirect DORA pressure. European counterparties increasingly evaluate their correspondents' operational resilience posture as part of their own third-party risk management obligations under DORA Art. 28-30. Demonstrating BAM compliance supplemented with DORA-aligned capabilities strengthens these relationships.

Institutions Preparing for BAM's Evolving Framework

BAM's regulatory framework is not static. The central bank consistently aligns its supervisory expectations with international standards and best practices. The European regulatory trajectory — from EBA Guidelines through DORA — represents the direction that prudential regulation is moving globally. Moroccan institutions that proactively align with DORA position themselves ahead of likely future BAM requirements rather than perpetually catching up.

Building a Unified Compliance Programme

The convergence between BAM and DORA enables a practical unified approach:

1. Single governance framework that satisfies both Art. 5 of DORA and BAM's IT Risk Directive. The management body oversight, risk management function, and reporting structure serve both regulators.

2. Unified asset inventory with metadata that covers both BAM and DORA requirements. DORA's more prescriptive dependency mapping and criticality classification (Art. 8) subsumes BAM's requirements.

3. Integrated testing programme that meets BAM's annual PCA testing requirement and DORA's broader Art. 25 testing obligations. TLPT is an additive requirement for designated entities.

4. Single third-party register enriched with DORA Art. 28(3) fields (concentration risk, contractual clause mapping, exit strategies) beyond BAM's outsourcing requirements.

5. Evidence management platform that captures, versions, and retains compliance evidence for both regulators. Platforms designed for DORA's evidence requirements — such as Valendir, which natively supports both DORA and BAM compliance frameworks — inherently satisfy BAM's documentation expectations while providing the audit-ready evidence chain that DORA demands.

Conclusion

The convergence between BAM and DORA is not coincidental — both frameworks derive from the same international principles of operational resilience. Moroccan financial institutions that recognise this convergence can avoid the trap of building parallel compliance programmes and instead invest in a unified capability that satisfies both regulators, strengthens operational resilience, and positions the institution for the next evolution of prudential supervision.

The institutions that act now — building DORA-grade capabilities while satisfying BAM requirements — will be the ones that thrive in an increasingly interconnected and regulated financial landscape. Those that treat each regulatory framework as a separate project will pay twice for capabilities they need only once.


This analysis is based on publicly available BAM directives and DORA text as published. See also our framework comparison for a broader regulatory landscape view. Moroccan institutions should consult with their BAM supervisory contacts and qualified legal counsel for institution-specific guidance on dual regulatory compliance.