Cybersecurity regulation in Colombia (2026)

MinTIC published the Estrategia Nacional de Seguridad Digital 2025–2027, responding to Colombia's position as Latin America's second-most-attacked country (36 billion attempted intrusions in 2024, ~17 % of regional total). The strategy establishes a National Security Operations Centre, reinforces the ColCERT coordination model, and sets sector-specific resilience targets for finance, health, and energy.

Resolution 2239 replaced Resolution 448 of 2022 and updated the General Policy on Information Security, Privacy, Digital Security, and Operational Continuity for all MinTIC systems. It aligned Colombia's public-sector security baseline with ISO/IEC 27001:2022 and embedded the refreshed Information Security and Privacy Model (MSPI).

A ransomware attack on cloud-hosting provider IFX Networks disrupted more than 762 client organisations across Latin America, including Colombia's Ministries of Justice, Health, and Culture; approximately 2 million judicial proceedings were paralysed and a Ministry of Health database with 50 million records was encrypted. The presidential technology adviser called it the largest cyber-attack on Colombian infrastructure in recent years, and the government announced legal action against the provider.

MinTIC introduced a draft law before Congress to create a specialised Agencia Nacional de Seguridad Digital y Asuntos Especiales, which would centralise national-level cybersecurity planning, risk coordination, and incident response—filling the institutional gap exposed by the IFX Networks and Keralty attacks.

The RansomHouse ransomware group attacked Keralty (operating as EPS Sanitas), one of Colombia's largest private health insurers, encrypting clinical systems and exfiltrating data affecting millions of patients. The incident, alongside a contemporaneous attack on Audifarma, triggered public debate about mandatory cybersecurity standards for critical health infrastructure.

Decree 338 added a new title to the Regulatory Decree 1078 of 2015, establishing the national Digital Security Governance Model, formalising ColCERT's coordinating role, requiring public entities to identify critical cyber infrastructure and essential services, and mandating structured incident response via five governance bodies including a Unified Digital Security Command. This is the principal instrument governing public-sector cybersecurity obligations today.

CONPES 3854 superseded CONPES 3701 and reframed cybersecurity as a socio-economic risk-management challenge rather than purely a defence and criminal-justice matter. It introduced a multi-stakeholder governance structure, embedded risk management in government operations, and aligned Colombia with international frameworks including the NIST Cybersecurity Framework.

Acting on CONPES 3701 mandates, Colombia stood up ColCERT (Grupo de Respuesta a Emergencias Cibernéticas de Colombia) under the Ministry of Defence/Armed Forces and the Centro Cibernético Policial under the National Police. These two institutions became the operational backbone of national incident response and cybercrime investigation.

CONPES 3701 was Colombia's first comprehensive national cybersecurity strategy, defining the concepts of ciberseguridad and ciberdefensa and directing the creation of specialist institutions (ColCERT, CCP) and a regulatory framework. It established the doctrinal and institutional architecture that all subsequent cybersecurity policy has built upon.