Cybersecurity regulation in Costa Rica (2026)

Proposed · Ley sobre Delitos Informáticos (Law 9048, 2012) + MICITT National Cybersecurity Strategy 2023–2027 + proposed Ley de Ciberseguridad (Expediente 23292, pending) · Country index 66 · B

Costa Rica currently lacks a comprehensive, enacted cybersecurity law; the primary statutory instrument is the 2012 cybercrime law (Law 9048), supplemented by a non-binding National Cybersecurity Strategy 2023–2027 and sector-level obligations. A dedicated Ley de Ciberseguridad (Exp. 23292) has been under Legislative Assembly debate since 2022 and was under active plenary consideration in 2024–2025, but had not been enacted as of early 2026. The 2022 Conti ransomware emergency—the largest cyberattack in Central American history—catalysed both the strategy and the legislative push.

Key points

Cybercrime law (2012)

Law 9048 (Ley de Delitos Informáticos y Conexos, 2012) is the foundational instrument, criminalising unauthorised access, data interference, system interference, and fraud. It aligns broadly with Council of Europe Budapest Convention principles but does not establish proactive security obligations or a regulatory authority.

National Cybersecurity Strategy 2023–2027

Issued by MICITT in 2023, the strategy sets five pillars—governance, legal framework, risk management, cybersecurity culture, and international cooperation—and created the National Cybersecurity Directorate with CSIRT-CR and SOC-CR. It is a policy document, not a binding legislative instrument, and explicitly acknowledges that a legal framework upgrade is still needed.

Proposed comprehensive cybersecurity law (Exp. 23292)

A standalone Ley de Ciberseguridad (Legislative File 23292) was introduced in 2022 and was advancing through the Legislative Assembly in 2024–2025, including first plenary debate. It would create a National Cybersecurity Agency within MICITT, mandate incident reporting for operators of critical information infrastructure, and establish administrative sanctions. Critics noted it was limited in scope regarding the judiciary's independence.

Breach notification obligation

Under the data protection framework, data controllers must notify affected individuals within five business days of any irregularity in the processing or storage of personal data (loss, destruction, or theft). Controllers must also notify PRODHAB (the data protection authority), though no explicit deadline applies to that notification.

CSIRT-CR and incident response

CSIRT-CR, operating under MICITT's National Cybersecurity Directorate, is the national computer security incident response team. Its RFC 2350 document (updated July 2024) defines its constituency as all Costa Rican internet users, with a focus on government and critical infrastructure. Operators of critical information infrastructure are directed under the 2023–2027 strategy to report cyber incidents to CSIRT-CR.

2022 emergency declaration and US assistance

Following the Conti ransomware attack on ~27 government institutions in April–May 2022, President Chaves issued Executive Decree 43542-MP-MICITT declaring a national cyber emergency. The US subsequently committed over $25 million to bolster Costa Rica's cybersecurity capacity, including equipment, training, and support for CSIRT-CR.

Timeline - major decisions & events

Sep 16, 2025 · decision
Second Court Ruling Upholds 5G Cybersecurity Regulation Against Constitutional Challenge

A Costa Rican tribunal issued a second ruling affirming the validity of Decree 44196-MSP-MICITT's 5G cybersecurity requirements, rejecting legal challenges mounted by equipment vendors including Huawei. The rulings cement the government's authority to impose supply-chain security conditions on critical telecom infrastructure providers.

Source: TeleSemana

Nov 1, 2023 · guidance · official
National Cybersecurity Strategy 2023–2027 Formally Launched by MICITT

MICITT published the successor National Cybersecurity Strategy built on five pillars — governance, legal framework, critical infrastructure protection, capacity-building, and international cooperation — directly incorporating lessons from the 2022 ransomware crisis. The strategy mandates creation of a national Security Operations Centre (SOC-CR) and assigns MICITT as the permanent lead-coordinating authority.

Source: MICITT

Aug 1, 2023 · law · official
Decree 44196-MSP-MICITT: 5G Cybersecurity Regulations Enacted

Executive Decree 44196-MSP-MICITT established mandatory cybersecurity requirements for providers of 5G and next-generation telecommunications services, including supply-chain risk controls and equipment-trustworthiness assessments. This is Costa Rica's first sector-specific cybersecurity regulation and triggered extended litigation by affected vendors.

Source: MICITT

Apr 20, 2023 · law
Comprehensive Cybersecurity Bill (Exp. 23292) Advances to Legislative Plenary

The Legislative Assembly approved Expediente 23292 for full plenary debate; the bill would create a National Cybersecurity Agency within MICITT, establish a critical information infrastructure (CII) protection regime, and impose mandatory incident-reporting obligations across public and private sectors. As of 2025 the bill had not yet been finally enacted.

Source: Cámara de Industrias de Costa Rica (Exp. 23292 text)

May 31, 2022 · incident
Hive Ransomware Attack Cripples CCSS National Health System

The Hive ransomware group attacked the Costa Rican Social Security Fund (CCSS), taking down the national digital health-record system and hospital payroll across the country; more than 800 servers and 9,000 end-user computers were affected. Occurring just weeks after the Conti crisis, the attack demonstrated that the cyber emergency extended far beyond the initial wave.

Source: TechCrunch

May 8, 2022 · law
President Chaves Declares National Cyber Emergency — Decree 43542-MP-MICITT

Newly inaugurated President Rodrigo Chaves signed Executive Decree 43542-MP-MICITT, declaring a national state of emergency across the entire public sector due to the Conti ransomware attacks — the first cyber-emergency declaration in Costa Rican history and among the first in Latin America. The decree unlocked emergency procurement authority and mandatory inter-agency coordination under MICITT.

Source: BleepingComputer (reporting on Decree 43542-MP-MICITT)

Apr 21, 2022 · guidance
Directive 133-MP-MICITT: First Binding Cyber Incident-Reporting Mandate

Issued four days after the Conti attack began, Directive 133-MP-MICITT obligated all central public administration entities to report cybersecurity incidents affecting service confidentiality, integrity, availability, or institutional identity to CSIRT-CR — even incidents considered internally under control. It established an e-mail address as the mandatory reporting channel and required preservation of incident evidence.

Source: Lawfare (citing MICITT Directive 133-MP-MICITT)

Apr 17, 2022 · incident
Conti Ransomware Group Attacks ~30 Costa Rican Government Institutions

The Russia-linked Conti group breached the Ministry of Finance, MICITT, the Tax Administration, Customs, RACSA, and approximately 27 other government entities, encrypting systems and exfiltrating taxpayer data; Conti demanded a $10 million ransom and ultimately published 97% of stolen data after Costa Rica refused to pay. The attack paralysed tax and customs services for weeks and catalysed a complete overhaul of Costa Rica's cybersecurity governance.

Source: Wikipedia (citing MICITT, official decrees, and press reporting)

Jul 1, 2012 · law · official
Law 9048: Cybercrime Formally Introduced into the Penal Code

President Laura Chinchilla signed Law 9048, amending the Penal Code to criminalise hacking, unauthorised access to computer systems, data interception, and electronic fraud in alignment with the UN Convention on Cybercrime framework. Law 9135 (2013) followed with additional cybercrime provisions, completing the first generation of substantive cyber-criminal law.

Source: Council of Europe Octopus Cybercrime Community

Mar 9, 2012 · decision · official
CSIRT-CR Established by Executive Decree 37052-MICIT

Decree 37052-MICIT created the Computer Security Incident Response Team of Costa Rica (CSIRT-CR) within MICITT with authority to coordinate incident response across the three branches of government, autonomous institutions, and state-owned banks. CSIRT-CR became Costa Rica's first dedicated national cyber-defence body and the primary point of contact for international incident coordination.

Source: MICITT / CSIRT-CR RFC-2350 Document

Jul 1, 2011 · law · official
Law 8968: Personal Data Protection Act Enacted — Baseline Security Obligation

Law 8968 (Ley de Protección de la Persona frente al Tratamiento de sus Datos Personales) established Costa Rica's foundational personal-data protection regime, created the enforcement agency PRODHAB, and enshrined informational self-determination as a constitutional right under Article 24. The law imposes data-security obligations on all public and private data controllers and remains the primary privacy-security baseline.

Source: Procuraduría General de la República — SCIJ (Sistema Costarricense de Información Jurídica)

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.