DORA and Morocco's Bank Al-Maghrib: Building a Cross-Mediterranean Resilience Bridge

The Mediterranean Nexus
Fourteen kilometers of water separate the EU from Africa at the Strait of Gibraltar. In financial services, the distance is even shorter. Morocco's banking sector — anchored by institutions like Attijariwafa Bank, BMCE Bank of Africa, and Banque Centrale Populaire — maintains deep structural connections with Europe through subsidiary networks, correspondent banking relationships, trade finance corridors, and the cross-border flow of remittances that ranks among the largest in the world.
These connections create a regulatory reality that few compliance frameworks address directly: Moroccan financial institutions with EU subsidiaries fall squarely within DORA's scope under Art. 2. Simultaneously, Bank Al-Maghrib (BAM) — Morocco's central bank and prudential supervisor — has developed its own operational resilience framework through the Plan de Continuité d'Activité (PCA) and Plan de Reprise d'Activité (PRA) directives, supplemented by circulars on ICT governance, outsourcing, and cyber risk management.
For the Moroccan banks that operate in both jurisdictions, this creates a dual compliance obligation. But it also creates an opportunity: where BAM and DORA requirements overlap, a unified compliance approach can satisfy both frameworks with a single implementation effort.
The BAM Framework: PCA/PRA and ICT Governance
Bank Al-Maghrib's operational resilience framework has evolved through several regulatory cycles, reflecting both Morocco's own financial sector development and the influence of international standards (Basel Committee, FSB, ISO 22301).
PCA — Plan de Continuité d'Activité
The PCA directive requires Moroccan financial institutions to maintain documented business continuity plans that cover:
- Identification of critical functions and business processes
- Business Impact Analysis (BIA) with RTO and RPO targets
- Continuity strategies for critical functions
- Crisis management and escalation procedures
- Testing and exercise programmes
- Regular review and update cycles
PRA — Plan de Reprise d'Activité
The PRA directive focuses specifically on ICT recovery capabilities:
- IT disaster recovery planning for critical systems
- Backup and restoration procedures
- Recovery testing with documented results
- Secondary site capabilities and failover procedures
ICT Governance Circulars
BAM has issued specific circulars addressing:
- ICT risk governance and management frameworks
- Cybersecurity requirements for financial institutions
- Outsourcing governance, including ICT service providers
- Incident reporting to the central bank
DORA vs. BAM: The Side-by-Side Comparison
| Requirement domain | DORA (EU 2022/2554) | BAM (PCA/PRA/Circulars) | Alignment level |
|---|---|---|---|
| ICT Risk Framework | Art. 5-16: Comprehensive, board-approved, annually reviewed | PCA directive + ICT governance circulars | High — BAM covers core requirements; DORA adds specificity |
| Business Continuity | Art. 11: ICT business continuity policy, tested regularly | PCA: Detailed BCP requirements | High — strongest alignment area |
| Disaster Recovery | Art. 12: Backup policies, recovery methods, tested | PRA: IT recovery planning and testing | High — PRA directly maps to Art. 12 |
| Incident Management | Art. 17-23: Classification, reporting timelines (4h/72h/1m), NCA notification | BAM circular: Incident reporting to central bank | Medium — BAM requires reporting but with less prescriptive timelines |
| Resilience Testing | Art. 24-27: Testing programme, TLPT, advanced testing | PCA: Testing required, no TLPT equivalent | Medium — DORA testing requirements are more extensive |
| Third-Party Risk | Art. 28-44: Register, contractual provisions, exit strategies, concentration risk, CTPP oversight | BAM outsourcing circular: Due diligence, contractual requirements | Medium-Low — DORA's Pillar IV is significantly more detailed |
| Information Sharing | Art. 45-49: Voluntary sharing, TLP framework | Limited — no formal information sharing framework | Low — gap area requiring DORA-specific implementation |
| Board Governance | Art. 5: Direct management body obligations, training | BAM governance standards: Board oversight of risk | Medium — BAM addresses governance but DORA is more prescriptive on ICT |
| Penalties | Art. 50-64: National penalty regimes | BAM enforcement powers: Sanctions, administrative measures | N/A — different jurisdictional regimes |
Where the Frameworks Converge
Business continuity is the strongest alignment zone. BAM's PCA directive and DORA's Art. 11-12 share a common foundation in ISO 22301. Both require BIA, critical function identification, documented continuity plans, recovery procedures, and testing. An institution with a mature PCA implementation has a significant head start on DORA Pillar I compliance.
ICT risk governance requirements align at the principle level. Both frameworks require board oversight, documented risk management frameworks, and regular review cycles. The differences are in specificity: DORA prescribes more detailed requirements for asset identification (Art. 8), protection and prevention (Art. 9), and detection (Art. 10).
Incident management frameworks are compatible. BAM's incident reporting requirements and DORA's Art. 17-23 share the same lifecycle concept (detection, classification, response, reporting, root cause analysis). DORA adds prescriptive timelines (4-hour initial notification, 72-hour intermediate, one-month final) that BAM does not specify at the same granularity.
Where the Gaps Exist
Third-party risk management is the largest gap. DORA's Pillar IV — covering the Register of Information (Art. 28(3)), mandatory contractual provisions (Art. 30), exit strategies (Art. 28(8)), concentration risk assessment (Art. 29), and the CTPP oversight regime (Art. 31-44) — goes significantly beyond BAM's outsourcing requirements. Moroccan institutions with EU operations will need to build Pillar IV capabilities largely from scratch for their EU entities.
TLPT and advanced testing have no BAM equivalent. DORA Art. 26 introduces Threat-Led Penetration Testing for systemically important institutions, a testing methodology that BAM has not adopted. Moroccan banks whose EU entities are identified for TLPT will need to develop this capability.
Information sharing is a DORA-specific requirement. DORA Art. 45-49 establish a framework for voluntary threat intelligence sharing between financial entities. BAM's framework does not include an equivalent, meaning this is an area of new implementation for cross-Mediterranean institutions.
Moroccan Banks in DORA's Scope
The scope question for Moroccan financial institutions is answered by Art. 2 and the entity's EU presence:
Direct scope. A Moroccan bank operating an EU-licensed presence (a branch, or a subsidiary with its own banking licence) is directly in DORA's scope for that entity. The EU entity must comply with all DORA requirements as an EU-regulated financial entity.
Indirect scope via third-party chain. A Moroccan ICT service provider serving EU financial entities may fall within the third-party risk management provisions of Art. 28-30. If the Moroccan provider is designated as a CTPP under Art. 31, it falls under direct ESA oversight.
Indirect scope via group-level requirements. DORA's third-party risk management provisions require EU entities to assess intra-group ICT dependencies. A Moroccan parent bank providing shared ICT services to its EU subsidiary creates a third-party relationship that must be documented in the subsidiary's Register of Information.
| Moroccan entity type | DORA scope | Compliance obligation |
|---|---|---|
| Moroccan bank with EU banking subsidiary | Direct (for the EU entity) | Full DORA compliance for EU subsidiary |
| Moroccan bank with EU branch | Direct (for the branch) | Full DORA compliance for EU branch |
| Moroccan ICT provider to EU financial entities | Indirect (Art. 28-30) | Contractual compliance, potential CTPP designation |
| Moroccan parent providing group ICT services | Indirect (via EU subsidiary's register) | Documented in Register of Information, exit strategy required |
| Moroccan bank with EU correspondent relationships | Limited | Art. 28 applies to the contractual relationship |
The Unified Compliance Framework
For Moroccan financial groups navigating both BAM and DORA, the most efficient approach is a unified compliance framework that satisfies both sets of requirements through a single implementation. The framework leverages BAM compliance as a baseline and adds DORA-specific enhancements where gaps exist.
Tier 1 — Foundation (BAM + DORA aligned requirements)
These areas require minimal additional effort for institutions already compliant with BAM:
- ICT risk governance framework (Art. 5 / BAM governance standards)
- Business continuity planning (Art. 11 / PCA)
- Disaster recovery and backup (Art. 12 / PRA)
- Incident management lifecycle (Art. 17 / BAM incident reporting)
- Asset identification and classification (Art. 8 / BAM ICT governance)
Tier 2 — Enhancement (BAM partially covered, DORA requires additional specificity)
These areas require building on BAM compliance with DORA-specific additions:
- Incident reporting timelines (Art. 19: add 4h/72h/1m notification protocol for EU entity)
- ICT testing programme (Art. 24-25: formalize testing programme beyond BAM requirements)
- Protection and prevention (Art. 9: document specific controls to DORA's prescriptive standard)
- Detection capabilities (Art. 10: enhance monitoring and anomaly detection to meet DORA's requirements)
- Board training (Art. 5(4): implement DORA-specific ICT risk training for management body)
Tier 3 — New Implementation (DORA requirements with no BAM equivalent)
These areas require new capabilities:
- Register of Information (Art. 28(3): build and maintain the full ICT third-party register for EU entities)
- Art. 30 contractual provisions (renegotiate contracts with ICT providers to include all mandatory clauses)
- Exit strategies (Art. 28(8): develop and test exit strategies for critical ICT providers)
- Concentration risk assessment (Art. 29: quantify ICT concentration and manage accordingly)
- Information sharing (Art. 45: establish or join information sharing arrangements)
- TLPT (Art. 26: if designated, build threat-led penetration testing capability)
The Strategic Opportunity
The dual compliance requirement is often framed as a burden. For Moroccan financial groups, it is equally an opportunity.
Competitive differentiation. Moroccan banks that achieve DORA compliance for their EU operations develop operational resilience capabilities that exceed BAM requirements. These capabilities — particularly in third-party risk management, advanced testing, and evidence-based compliance — position them favorably for BAM's own evolving expectations. BAM's framework is likely to move toward greater DORA alignment over time, giving early movers a head start.
Operational resilience beyond compliance. The investments required for DORA — formal testing programmes, concentration risk management, incident reporting automation — produce genuine operational benefits. A Moroccan bank that implements DORA's business continuity requirements across its entire group, not just the EU entity, becomes more resilient globally.
EU market access credibility. DORA compliance signals to EU counterparts, regulators, and potential partners that the Moroccan institution meets the highest operational resilience standard. In a market where financial partnerships are increasingly conditioned on demonstrated resilience, DORA compliance is a market access enabler.
Pan-African influence. Morocco's banks are the largest pan-African banking groups, operating across West and Central Africa. The operational resilience frameworks they develop for DORA compliance can be adapted for other African markets — positioning Moroccan institutions as resilience standard-setters across the continent.
Implementation Roadmap
For Moroccan financial groups initiating DORA compliance alongside existing BAM obligations, a phased approach minimizes disruption while ensuring regulatory timelines are met:
Phase 1 (Months 1-3): Gap Assessment. Map existing BAM compliance against DORA's full requirement set. Identify Tier 1 (aligned), Tier 2 (enhancement needed), and Tier 3 (new implementation) areas. Quantify the resource requirements for each tier.
Phase 2 (Months 3-6): Foundation and Governance. Establish the governance framework for dual compliance. Appoint DORA-responsible individuals within the EU entity. Brief the management body on DORA obligations. Begin Register of Information development.
Phase 3 (Months 6-12): Capability Building. Implement Tier 2 enhancements and begin Tier 3 new capabilities. Prioritize the Register of Information, Art. 30 contractual provisions, and incident reporting automation. Develop exit strategies for critical ICT providers.
Phase 4 (Months 12-18): Testing and Validation. Conduct end-to-end testing of DORA compliance capabilities. Run a mock supervisory examination. Validate incident reporting workflows. Test exit strategies at minimum through tabletop exercises.
Phase 5 (Ongoing): Continuous Improvement. Integrate DORA and BAM compliance into a unified assurance framework. Automate monitoring and reporting. Feed lessons learned into framework updates. Report to the management body on dual compliance posture.
The Cross-Mediterranean Bridge
DORA and BAM are not competing frameworks — they are complementary perspectives on the same fundamental objective: ensuring that financial institutions can withstand, respond to, and recover from ICT disruptions. DORA brings prescription, extraterritorial reach, and a CTPP oversight regime that BAM lacks. BAM brings institutional knowledge of the Moroccan financial sector, established supervisory relationships, and a regulatory culture attuned to the specific risks of the Moroccan market.
For institutions spanning both shores of the Mediterranean, the compliance requirement is to bridge these two frameworks into a coherent operational resilience programme. The institutions that succeed in building this bridge will not merely be compliant with two regulatory regimes — they will be genuinely more resilient.
This analysis reflects DORA Regulation (EU) 2022/2554 and Bank Al-Maghrib's PCA/PRA directives and ICT governance circulars as of Q4 2025. Specific BAM requirements may evolve as the central bank continues to develop its operational resilience framework.