Cybersecurity · Colombia
Cybersecurity - Colombia
Colombia does not yet have a single comprehensive cybersecurity law. Its framework rests on a national policy instrument (CONPES 3995, 2020), a regulatory decree on critical cyber infrastructure and incident management (Decree 338, 2022), and data-protection law (Law 1581, 2012) enforced by the Superintendence of Industry and Commerce (SIC). Draft bills to create a National Digital Security Agency and a standalone cybersecurity statute have been filed in Congress but remain unenacted as of mid-2026, while the government launched a National Digital Security Strategy 2025–2027 as an executive roadmap.
Adopted 1 July 2020, CONPES 3995 sets Colombia's overarching digital-trust and security policy, mandating strengthened capabilities across citizens, the public sector and the private sector, and updating the digital-security governance framework. Implementation is coordinated by MinTIC, the Ministry of National Defence and the National Planning Department.
Decree 338 (8 March 2022) amended Decree 1078/2015 to require public entities and private operators of critical cyber infrastructure or essential services to register with MinTIC through ColCERT, conduct regular risk assessments, and report incidents via the National Platform for Notification and Monitoring of Digital Security Incidents operated by ColCERT.
Under Law 1581 of 2012 and SIC guidelines, data controllers and processors must notify the SIC of any security breach affecting personal data within 15 working days of detection. There is no harm threshold for triggering notification, and the SIC recommends (but does not legally mandate) concurrent notice to affected individuals.
Launched by MinTIC in June 2025 with OAS/CICTE support, the Strategy sets 29 cross-cutting actions to consolidate a resilient digital environment following nearly 36 billion attack attempts against Colombia in 2024 (second most-attacked country in Latin America). It targets the financial, health and energy sectors as priority areas and reports a 48% reduction in cyber incidents during 2025.
Draft bills filed in Congress in 2023 (PL 010-23 Senate; PL 023-2023C House) seek to create a National Digital Security and Space Affairs Agency and enact a standalone cybersecurity statute. As of mid-2026, neither bill has been enacted; the government has indicated intent to re-file legislation in a subsequent congressional period.
The Grupo de Respuesta a Emergencias Cibernéticas de Colombia (ColCERT), under MinTIC, is the national coordination body for cyber incident response. It advises public and private entities, coordinates sectoral CSIRTs, and maintains the national incident notification platform established by Decree 338/2022.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice. English version →