@Qnadia
Contributor

@Qnadia Qnadia commented Nov 1, 2025

  • Complete framework with 53 structured articles
  • Compliant with Bulletin Officiel n°6906
  • Covers entities, IIV and operators
  • Includes the sanctions regime in accordance with the law

Summary by CodeRabbit

  • New Features
    • Added the Moroccan cybersecurity law (Loi n°05‑20) as a French-language risk library with full scoring, chapter/section/article hierarchy, and detailed article texts for compliance assessment.
    • Added a mapping set linking the law to ISO 27001:2022 for alignment and traceability.
    • Added a mapping from DNSSI 2023 to ISO 27001:2022 to support cross-framework comparisons.

@coderabbitai
Contributor

coderabbitai bot commented Nov 1, 2025

Walkthrough

Adds three new YAML library/mapping files: a Moroccan cybersecurity law risk library (loi-05-20), a DNSSI 2023 → ISO 27001:2022 mapping, and a loi-05-20 → ISO 27001:2022 mapping. All changes are data additions (frameworks, requirement nodes, and mapping relationships), no runtime code modified.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Moroccan Cybersecurity Law (loi-05-20): backend/library/libraries/loi05-20-06082020.yml | New YAML risk/library defining "Loi n° 05-20 relative à la cybersécurité" (fr). Includes metadata, framework scoring (0–5 with labels), and a hierarchical requirement_nodes tree covering Chapters I–VI, Sections and Articles 1–53 with French descriptions, URNs, depths, and parent relationships. |
| DNSSI → ISO 27001 Mapping: backend/library/libraries/map-DNSSI_2023-iso27001_2022.yml | New mapping YAML linking DNSSI 2023 requirements to ISO 27001:2022 controls. Contains mapping metadata, dependencies, and a large set of requirement_mappings with relationship/rationale/annotation entries (French). |
| Loi‑05‑20 → ISO 27001 Mapping: backend/library/libraries/map_loi05-20_iso27001-2022_.yaml | New mapping YAML associating loi-05-20 requirement URNs to ISO 27001:2022 controls. Includes metadata, dependencies on iso27001-2022 and loi-05-20, and many requirement_mapping entries with intersect relationships, rationales, and annotations. |

Sequence Diagram(s)

(Skipped — changes are data additions; no new runtime/control-flow behavior to diagram.)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

  • Large, heterogeneous YAMLs with dense mappings and hierarchical nodes require careful schema/URIs verification.
  • Areas needing extra attention:
    • Consistency of URNs, parent_urn and depth across requirement_nodes and mapping sources.
    • Mapping correctness (source ↔ target URNs) and dependency declarations (iso27001-2022, dnssi-2023-2, loi-05-20).
    • YAML syntax, escaping of multiline French text, and version/publication metadata.

Suggested labels

Mapping

Suggested reviewers

  • ab-smith
  • eric-intuitem

Poem

🐇
I have sorted the laws into branches and nodes,
Mappings, articles, a feast for my paws;
I hop, I sign, a gentle little verse,
So that cyber-watch may dance and never hesitate. 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The PR title "feat(lib): Loi n° 05-20 relative à la cybersécurité (Maroc)" directly and specifically describes the main change in the pull request, which is the addition of a comprehensive library/framework for the Moroccan cybersecurity law (Loi n° 05-20). The title follows the conventional format with a clear feature type (feat), scope (lib), and explicit subject matter identifying both the law number and jurisdiction. The title is concise, specific, and avoids vague terminology—a teammate reviewing the git history would immediately understand that this PR introduces a new Moroccan legal framework for cybersecurity compliance. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b35c80d and e37a339.

⛔ Files ignored due to path filters (1)
  • backend/library/libraries/Loi 05-20-Maroc.xlsx is excluded by !**/*.xlsx
📒 Files selected for processing (3)
  • backend/library/libraries/loi-05-20-06082020.yml (1 hunks)
  • backend/library/libraries/map-DNSSI_2023-iso27001_2022.yml (1 hunks)
  • backend/library/libraries/map_loi05-20_iso27001-2022_.yaml (1 hunks)
🔇 Additional comments (10)
backend/library/libraries/map_loi05-20_iso27001-2022_.yaml (3)

1-5: Fix filename formatting inconsistency.

The filename map_loi05-20_iso27001-2022_.yaml contains a trailing underscore before the extension, which does not match the URN/ref_id pattern (map-loi-05-20-iso27001-2022). Additionally, the file uses .yaml extension while the other framework files in the PR use .yml. Standardize the filename to map_loi05-20_iso27001-2022.yaml or .yml to align with naming conventions and remove the trailing underscore.


23-27: Verify intentional omission of Article 1 and 2 from mapping.

The mapping in file map_loi05-20_iso27001-2022_.yaml begins with Article 3 and ends with Article 52, excluding Articles 1 and 2. While these articles define the law's scope and terminology (which may not map directly to ISO 27001 controls), this omission should be explicitly documented or confirmed to be intentional.


16-21: Mapping structure and metadata are well-formed.

The requirement mapping set is properly structured with consistent relationship types (intersect), rationale (semantic), and French annotations. All URNs follow the expected pattern for loi-05-20 articles and ISO 27001:2022 controls. Dependencies on both frameworks are correctly declared.

backend/library/libraries/map-DNSSI_2023-iso27001_2022.yml (1)

1-20: Mapping structure and metadata are properly formatted.

The DNSSI 2023-2 to ISO 27001:2022 mapping file follows the same well-structured pattern as the loi-05-20 mapping, with consistent URN formatting, dependency declarations, and chapter-based organization. The use of .yml extension aligns with the loi-05-20 risk library file. All requirement mappings maintain consistent relationship (intersect), rationale (semantic), and annotation structure.

backend/library/libraries/loi-05-20-06082020.yml (6)

1-11: Library metadata is accurate and properly formatted.

The metadata correctly reflects the Moroccan cybersecurity law (Loi n° 05-20) with the official publication date (2020-08-06) and Moroccan state as provider. Single packager attribution ("Nadia QOUDHADH") maintains author consistency per PR objectives.


18-38: Clarify empty score descriptions.

The framework defines six score levels (0–5) with names in French but leaves all descriptions empty. Verify whether empty descriptions align with the library schema and project requirements, or if brief descriptions should be added (e.g., for score 3 "Défini" and score 4 "Maîtrisé").


40-102: Chapter I structure and articles are properly defined.

Chapter I (Dispositions générales) is correctly structured with two articles (Art. 1: Objet de la loi, Art. 2: Définitions). Article descriptions are comprehensive and in French, capturing the full legal requirements. Assessability flags and URN hierarchy are correct.


109-445: Chapter II is properly structured with all three entity types (entities, IIV, operators).

The chapter correctly organizes the security apparatus into three sections: entities (Articles 3–13), critical infrastructure / IIV (Articles 14–25), and operators (Articles 26–34). All 32 articles in Chapter II are present with comprehensive descriptions covering governance, audit, incident management, and compliance obligations consistent with the PR objectives.


447-692: Chapters III–VI are complete and properly structured.

The remaining chapters comprehensively cover governance (8 articles on strategic committees and national authority), training/cooperation (5 articles), sanctions regime with tiered penalties (5 articles including 200k–400k DH and 100k–200k DH fines, confiscation, and recidivism provisions), and final provisions. All 53 articles from the Moroccan law are present and properly organized. The sanctions structure aligns with the PR description of the "régime de sanctions."


1-15: URN reference to loi-05-20 framework is correctly declared as dependency.

The file properly declares dependency on urn:intuitem:risk:library:loi-05-20 (lines 2-14), which references the loi-05-20 framework defined in loi-05-20-06082020.yml. This establishes the correct cross-file relationship. However, the library must exist in the system before this mapping file can be loaded.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c105c6d and 60563bd.

📒 Files selected for processing (1)
  • backend/library/libraries/loi05-20-06082020.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
backend/library/libraries/loi05-20-06082020.yml

[error] 81-81: syntax error: found character '\t' that cannot start any token

(syntax)

🔇 Additional comments (1)
backend/library/libraries/loi05-20-06082020.yml (1)

1-644: YAML file parses successfully; all 53 articles verified and properly nested.

The file has been fixed and validated:

  • Tab characters converted to spaces (YAML compliance)
  • ART-6/ART-7 indentation boundary corrected
  • All 53 articles (ART-1 through ART-53) present and assessable
  • Document structure valid and hierarchical
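
An added example (not part of this thread or of the project's code): a standard-library-only check for the points the two reviews raise, namely tab-indented YAML lines, urn/parent_urn/depth consistency across requirement_nodes, and missing ART-n entries. It works on already-parsed node dictionaries; the rule that root nodes have depth 1 and all sample URN values are assumptions.

```python
# Constructed sample. Field names (urn, parent_urn, depth, ref_id) are the ones
# the reviews mention; the URN values are invented placeholders.
P = "urn:example:req_node:loi-05-20:"
SAMPLE_NODES = [
    {"urn": P + "chap-1", "ref_id": "CHAP-I", "depth": 1},
    {"urn": P + "art-1", "ref_id": "ART-1", "parent_urn": P + "chap-1", "depth": 2},
    {"urn": P + "art-3", "ref_id": "ART-3", "parent_urn": P + "chap-9", "depth": 2},
    {"urn": P + "art-4", "ref_id": "ART-4", "parent_urn": P + "chap-1", "depth": 3},
]
SAMPLE_TEXT = "requirement_nodes:\n  - urn: a\n\t  depth: 1\n"  # line 3 has a tab


def find_tab_lines(text):
    """1-based numbers of lines whose leading whitespace contains a tab
    (YAML does not allow tabs for indentation)."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        leading = line[: len(line) - len(line.lstrip())]
        if "\t" in leading:
            hits.append(number)
    return hits


def check_hierarchy(nodes):
    """Return (urn, problem) pairs: duplicate URNs, dangling parents, bad depth."""
    problems, by_urn = [], {}
    for node in nodes:
        if node["urn"] in by_urn:
            problems.append((node["urn"], "duplicate urn"))
        by_urn[node["urn"]] = node
    for node in nodes:
        parent = node.get("parent_urn")
        if parent is None:
            if node["depth"] != 1:  # assumption: roots sit at depth 1
                problems.append((node["urn"], "root node must have depth 1"))
        elif parent not in by_urn:
            problems.append((node["urn"], "parent_urn not defined"))
        elif node["depth"] != by_urn[parent]["depth"] + 1:
            problems.append((node["urn"], "depth is not parent depth + 1"))
    return problems


def missing_articles(nodes, total=53):
    """ref_ids ART-1..ART-<total> that no node carries."""
    seen = {node.get("ref_id") for node in nodes}
    return [f"ART-{i}" for i in range(1, total + 1) if f"ART-{i}" not in seen]
```
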

@github-actions
Contributor

github-actions bot commented Nov 1, 2025

CLA Assistant Lite bot:
Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request comment in the same format as below.


I have read the CLA Document and I hereby sign the CLA


1 out of 2 committers have signed the CLA.
@Qnadia
@root
root seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You can retrigger this bot by commenting recheck in this Pull Request

@ab-smith
Contributor

ab-smith commented Nov 1, 2025

recheck

@Qnadia Qnadia changed the title "Addition of Loi n°05-20 relative à la cybersécurité (Morocco)" to "Addition of Loi n° 05-20 relative à la cybersécurité (Morocco) to the CISO Assistant library. Details: Addition of the YAML file: backend/library/libraries/loi05-20-06082020.yml → Contains all 53 articles of law 05-20, structured by chapters and sections following the DGSSI model. Addition of the Excel source file: Loi 05-20-Maroc.xlsx → Tabular version for proofreading, verifying and enriching the metadata (articles, descriptions, chapters). Content: Chapters I to VI: General provisions, security framework, governance, training, offences and final provisions. 53 articles integrated and verified with yamllint and yamlfix. Syntax validation performed (no blocking errors)." Nov 1, 2025
@Qnadia Qnadia changed the title from the long title above to "Addition of Loi n° 05-20 relative à la cybersécurité (Morocco) to the CISO Assistant library." Nov 1, 2025
@Qnadia
Contributor Author

Qnadia commented Nov 1, 2025

Addition of Loi n° 05-20 relative à la cybersécurité (Morocco) to the CISO Assistant library.

Details:

Addition of the YAML file: backend/library/libraries/loi05-20-06082020.yml
→ Contains all 53 articles of law 05-20, structured by chapters and sections following the DGSSI model.

Addition of the Excel source file: Loi 05-20-Maroc.xlsx
→ Tabular version for proofreading, verifying and enriching the metadata (articles, descriptions, chapters).

Content:

Chapters I to VI: General provisions, security framework, governance, training, offences and final provisions.

53 articles integrated and verified.

Syntax validation performed (no blocking errors).

@ab-smith ab-smith changed the title "Addition of Loi n° 05-20 relative à la cybersécurité (Morocco) to the CISO Assistant library." to "feat(lib): Loi n° 05-20 relative à la cybersécurité (Maroc)" Nov 1, 2025
@ab-smith
Contributor

ab-smith commented Nov 1, 2025

Thank you @Qnadia,
it looks like there is an issue with your PR, because it's authored by two users. Can you please start a fresh one with just one identity (yours)?

@Qnadia Qnadia force-pushed the loi-05-20-maroc-nadiaQoudhadh branch from 535d9c1 to e37a339 Compare November 2, 2025 17:01
@ab-smith ab-smith closed this Nov 6, 2025
@github-actions github-actions bot locked and limited conversation to collaborators Nov 6, 2025