
Guide · Law 43-20

Qualified electronic signature in Morocco — the Law 43-20 guide.

Soufiane Taouil · Founder, Vouch

Every e-invoice under Article 145-IX of the Moroccan Tax Code must carry a qualified electronic signature. This guide explains what a qualified signature means under Law 43-20, who can issue one, how to integrate it into your invoicing flow, and why it is the most legally sensitive link in your compliance chain.


01

What is a qualified electronic signature?

An electronic signature is a cryptographic mechanism that ties a document to its author's identity, guaranteeing that (a) the document has not been altered since signing, (b) the holder of the key actually signed, and (c) they cannot credibly deny doing so. Together these are three properties: integrity, authenticity, and non-repudiation.

Law 43-20 recognises three levels of electronic signature: simple, advanced, and qualified. The qualified level is the highest: it relies on a certificate issued by a trust service provider (PSCo) approved by the DGSSI, and the private key must be created and used inside a qualified hardware device (QSCD).

Under the Moroccan regime, a qualified signature carries the same legal effect as a handwritten one: it constitutes consent and a binding commitment by its author, and it is admissible in court without case-by-case proof of reliability.

02

The legal framework: Law 43-20 and decree 2-22-687

Law 43-20 on trust services for electronic transactions was promulgated by dahir 1-20-100 of 31 December 2020 and published in Bulletin Officiel n° 6970 of 18 March 2021. It repeals and replaces Law 53-05 on the electronic exchange of legal data, under which ANRT was the certification authority.

Decree 2-22-687 of 21 rabii II 1444 (16 November 2022), issued for the implementation of Law 43-20, was published in Bulletin Officiel n° 7162 of 19 January 2023. It sets the rules for each trust service, the regime for PSCo approval and declaration, and the data that qualified certificates must contain.

Under this new regime, the DGSSI (Direction Générale de la Sécurité des Systèmes d'Information) is designated as the national authority for trust services. It establishes the requirement frameworks, approves PSCos, publishes the list of approved PSCos (article 53 of the law), and may audit their compliance (article 55).

03

The three levels: simple, advanced, qualified

The simple level covers any electronic signature linked to an identifiable signer, created using data the signer keeps under their control, and bound to the document such that any subsequent modification is detectable. It is admissible as evidence, but carries no special probative weight.

The advanced level adds technical requirements: the signature must be created using means the signer can keep under sole control, must rely on a cryptographic certificate, and must be linked to the signed data so that any alteration is detectable. This is the equivalent of the European eIDAS "advanced electronic signature" — the model Law 43-20 is closely inspired by.

The qualified level additionally requires the use of a qualified device (QSCD) and a qualified certificate issued by a PSCo approved by the DGSSI. It is the only level that benefits from a presumed legal effect equivalent to a handwritten signature. For an e-invoice under Article 145-IX of the Moroccan Tax Code, this is the level required: no other is accepted by the national platform.

04

The actors: DGSSI, PSCo, QSCD

The DGSSI plays the role of national authority. It publishes the requirement frameworks applicable to PSCos (the general framework Ref_PSCo_AG, the qualified certificate delivery framework Ref_Deliv_Cert_Qual, the QSCD framework Ref_QSCD, the validation framework Ref_Valid_Qual, the registered envelope framework Ref_Env_reco_Qual). It processes approval requests and publishes the list of approved PSCos.

A PSCo (Prestataire de Services de Confiance) is an entity, typically private and specialised, that obtains DGSSI approval to deliver qualified trust services. As of this guide, Africtrust has been announced as the first PSCo approved by the DGSSI. The official list, updated as approvals are granted, is published on the DGSSI website.

The QSCD (Qualified Signature Creation Device) is the hardware device that holds the private key. Its defining property: the private key never leaves it in plaintext. It comes in several forms: an HSM hosted at a PSCo, a smart card with reader, a signing USB token, or the secure enclave of a phone (Secure Enclave on iOS, TEE on Android) when the PSCo offers a remote qualified mobile signing service.

05

How to choose a PSCo

First, verify that the provider is actually approved by the DGSSI for the trust service you need. Approval is not blanket: a PSCo may be approved to issue qualified signature certificates without being approved for electronic seals, timestamping, or registered delivery. The DGSSI list specifies the scope of each PSCo's approval.

Compare delivery modalities: some PSCos require an in-person identity check (visit to an enrolment centre), others accept remote verification via videoconference with an agent. Qualified mobile signing — where the key is created in your phone's secure element via biometric enrolment — reduces user friction but depends on the PSCo's offering.

Check the annual cost (an individual certificate is around MAD 1,200 per year), the validity period (typically 1 to 3 years), renewal terms, and available technical support. For an accounting firm managing several client portfolios, check whether the PSCo offers organisational certificates (electronic seal of the firm) alongside the individual certificates of signing staff.

06

The QSCD: why a hardware device?

The QSCD is the technical guarantee that only its holder can produce a signature with the key it stores. The founding principle: the private key is generated inside the device, never leaves it, and each signing operation requires authentication (PIN, biometrics). Without that, any copy of the key could produce signatures indistinguishable from the original.

Several form factors coexist. The HSM (Hardware Security Module) is a dedicated certified appliance, typically hosted at a PSCo and accessible remotely for server-side signing — practical for systems issuing many invoices. The smart card with USB reader and the signing USB token are the classic individual formats. The mobile secure enclave, introduced by PSCos offering qualified mobile signing, holds the key in the secure component of your smartphone.

The Ref_QSCD framework published by DGSSI specifies the technical requirements a device must meet to be recognised as qualified. In practice you won't choose the QSCD yourself: your PSCo provides the device compatible with their offering.

07

XAdES: wrapping the signature in a UBL invoice

For UBL 2.1 e-invoicing, the qualified signature is applied to the XML document itself via a signature profile called XAdES (XML Advanced Electronic Signatures), standardised by ETSI. The mechanism: the UBL document is canonicalised, its hash is computed, that hash is signed with the holder's private key, and the result (signature + certificate + validation metadata) is embedded in a dedicated XML node inside or around the UBL document.

Several XAdES profiles coexist: XAdES-B (basic, signature only), XAdES-T (with timestamp), XAdES-LT (long-term, embedding validation evidence), XAdES-LTA (long-term archive, with archive timestamp). The exact profile required for DGI e-invoicing will be specified by the technical reference framework published by the DGI or xHub. As a reasonable hypothesis, an XAdES-LT or XAdES-LTA profile is compatible with the 10-year archival requirement.

In practice, your invoicing software or your dematerialisation operator orchestrates the signing: it prepares the UBL document, requests the signing operation from your PSCo (sending the hash to be signed and receiving the signature), wraps the result in XAdES, and transmits to the DGI platform. You don't write XAdES code yourself.
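
The canonicalise-then-hash step described above, as an added example (not part of the original guide, and not Vouch's or any PSCo's code). It assumes SHA-256 and uses Python's built-in C14N 2.0 as a stand-in for whichever canonicalisation the required profile names; the invoices and the `build_signing_request` shape are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

INV = "urn:oasis:names:specification:ubl:schema:xsd:Invoice-2"
CBC = "urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2"

# Constructed sample data: one simplified invoice serialised two ways
# (XML declaration, quote style, attribute order, empty-element form differ).
INVOICE_A = (
    f'<?xml version="1.0"?><Invoice xmlns="{INV}" xmlns:cbc="{CBC}">'
    '<cbc:ID>INV-0001</cbc:ID><cbc:Note/>'
    '<cbc:PayableAmount currencyID="MAD" currencyCodeListVersionID="2001">'
    '1200.00</cbc:PayableAmount></Invoice>'
)
INVOICE_B = (
    f"<Invoice xmlns='{INV}' xmlns:cbc='{CBC}'>"
    "<cbc:ID>INV-0001</cbc:ID><cbc:Note></cbc:Note>"
    "<cbc:PayableAmount currencyCodeListVersionID='2001' currencyID='MAD'>"
    "1200.00</cbc:PayableAmount></Invoice>"
)
TAMPERED = INVOICE_A.replace("1200.00", "9200.00")  # constructed alteration


def raw_digest(xml_text):
    """SHA-256 over the bytes as serialised: changes with harmless formatting."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def invoice_digest(xml_text):
    """Canonicalise, then hash; returns the base64 form an XML signature carries."""
    canonical = ET.canonicalize(xml_text)  # stdlib C14N 2.0 (assumed algorithm)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_signing_request(xml_text, signer_id):
    """Hypothetical request shape: only the digest leaves, never the invoice."""
    return {"signer": signer_id, "digest_alg": "SHA-256",
            "digest": invoice_digest(xml_text)}


if __name__ == "__main__":
    print("raw bytes equal:      ", raw_digest(INVOICE_A) == raw_digest(INVOICE_B))
    print("canonical digest equal:", invoice_digest(INVOICE_A) == invoice_digest(INVOICE_B))
    print("tampering detected:   ", invoice_digest(TAMPERED) != invoice_digest(INVOICE_A))
    print(build_signing_request(INVOICE_A, "signer-01"))
```

In a complete XML signature this digest is placed in a reference inside the `SignedInfo` element, and it is the canonicalised `SignedInfo` that the key in the QSCD signs.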

08

Frequently asked questions

Is my existing ANRT-era certificate still valid under Law 43-20?
Certificates issued under the previous Law 53-05 regime keep their validity until expiry, but under the new regime new qualified certificates must be issued by a PSCo approved by the DGSSI. Check with your current provider whether they have obtained DGSSI approval for service continuity; otherwise, plan a migration to an approved PSCo.

How long does it take to obtain a qualified certificate?
Allow several weeks between request, identity verification by the PSCo (in-person or remote), and delivery of the QSCD device. The exact timing depends on the PSCo and the enrolment modality. Don't wait until the last minute: delivery cannot be expedited.

Several people in my company sign invoices. One certificate per signer?
Yes for personal signatures by each signer (e.g. an accountant signing their entries). For acts in the company's own name, you can use an organisational electronic seal — a distinct trust service from a natural-person signature, also covered by Law 43-20.

Does the QSCD have to be hardware, or can it be software-only?
For a signature to be qualified under Law 43-20, the device must be qualified per the Ref_QSCD framework published by the DGSSI. In practice this excludes pure software modules: the device must include a secure hardware component (HSM, smart card, mobile secure element). Qualified mobile signing works precisely because the phone's secure component is recognised as a qualified device.

What happens when my certificate expires?
On expiry, you can no longer produce new signatures with that certificate. Signatures already applied remain valid if they were properly timestamped (XAdES-T or higher), because validity at signing time can be established post-hoc. Renew your certificate with your PSCo before expiry.

Which XAdES profile will the DGI require for invoices?
The exact profile has not yet been published as of this guide — it will appear in the national platform's technical reference framework. As a reasonable hypothesis, an XAdES-LT or XAdES-LTA profile is compatible with the 10-year archival requirement. We will update this once the official spec is published.


About this guide


Guide written by Soufiane Taouil, founder of Vouch. Updated whenever a new DGSSI requirement framework or PSCo approval is published. For any question or correction, write to contact@vouch.ma.
