Cybersecurity · Argentina
Cybersecurity - Argentina
Argentina has no NIS2-style comprehensive cybersecurity law passed by Congress; its obligations are layered across executive instruments and sectoral regulators. Key pillars are the National Cybersecurity Center created by Decree 941/2025, the Second National Cybersecurity Strategy and the 2025-2027 Federal Cybercrime Plan, plus binding incident-reporting duties for the national public sector (via CERT.ar) and for the financial system (BCRA). Breach notification for the private sector at large is not yet mandatory but is a central feature of pending data-protection reform bills before Congress.
Decree 941/2025 created the Centro Nacional de Ciberseguridad as a decentralized body under the Secretariat of Innovation, Science and Technology (Chief of Cabinet), tasked with planning, executing and supervising national cybersecurity policy, protecting the cyberspace of national interest, critical information infrastructure and the National Public Sector's strategic digital assets.
A Second National Cybersecurity Strategy (8 principles, 8 objectives, 42 actions) was approved following public consultation, and the Ministry of Security's Resolution 72/2025 established the Federal Plan for Cybercrime Prevention and Strategic Cybersecurity Management (2025-2027). These are strategic/policy instruments rather than binding cross-sector obligations.
National Public Sector entities and operators of critical information infrastructure must report security incidents to the National Cybersecurity Directorate / CERT.ar, generally within 48 hours of becoming aware, under provisions of the Directorate (e.g., Disposición 1/2021) and related normativa.
Resolution 580/2011 created the National Program on Critical Information Infrastructure and Cybersecurity, and Resolution 1523/2019 defines critical infrastructure; operators are expected to assess cyber risks and implement protective measures, with the new National Cybersecurity Center now assuming the rector role.
The Central Bank (BCRA) imposes sector-specific cyber-resilience and incident-reporting rules on banks, payment service providers and financial market infrastructures; under Comunicación 'A' 8280/2025, critical incidents must be reported within one hour and a final report submitted within five calendar days, with incidents classified as critical, important or non-relevant.
Personal data is governed by Law 25.326 (2000), enforced by the Agencia de Acceso a la Información Pública (AAIP); it lacks a general mandatory breach-notification duty. Reform bills before Congress (inspired by an AAIP draft, aligning with GDPR/Brazil's LGPD) would require notifying AAIP within 72 hours of high-risk breaches and informing affected individuals.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice. English version →