Cybersecurity · Costa Rica
Costa Rica currently lacks a comprehensive, enacted cybersecurity law; the primary statutory instrument is the 2012 cybercrime law (Law 9048), supplemented by a non-binding National Cybersecurity Strategy 2023–2027 and sector-level obligations. A dedicated Ley de Ciberseguridad (Exp. 23292) has been under Legislative Assembly debate since 2022 and was under active plenary consideration in 2024–2025, but had not been enacted as of early 2026. The 2022 Conti ransomware emergency—the largest cyberattack in Central American history—catalysed both the strategy and the legislative push.
Law 9048 (Ley de Delitos Informáticos y Conexos, 2012) is the foundational instrument, criminalising unauthorised access, data interference, system interference, and fraud. It aligns broadly with Council of Europe Budapest Convention principles but does not establish proactive security obligations or a regulatory authority.
Issued by MICITT in 2023, the National Cybersecurity Strategy 2023–2027 sets five pillars (governance, legal framework, risk management, cybersecurity culture, and international cooperation) and created the National Cybersecurity Directorate with CSIRT-CR and SOC-CR. It is a policy document, not a binding legislative instrument, and explicitly acknowledges that a legal framework upgrade is still needed.
A standalone Ley de Ciberseguridad (Legislative File 23292) was introduced in 2022 and was advancing through the Legislative Assembly in 2024–2025, including a first plenary debate. It would create a National Cybersecurity Agency within MICITT, mandate incident reporting for operators of critical information infrastructure, and establish administrative sanctions. Critics noted it was limited in scope regarding the judiciary's independence.
Under the data protection framework, data controllers must notify affected individuals within five business days of any irregularity in the processing or storage of personal data (loss, destruction, or theft). Controllers must also notify PRODHAB (the data protection authority), though no explicit deadline applies to that notification.
CSIRT-CR, operating under MICITT's National Cybersecurity Directorate, is the national computer security incident response team. Its RFC 2350 document (updated July 2024) defines its constituency as all Costa Rican internet users, with a focus on government and critical infrastructure. Operators of critical information infrastructure are directed under the 2023–2027 strategy to report cyber incidents to CSIRT-CR.
Following the Conti ransomware attack on ~27 government institutions in April–May 2022, President Chaves issued Executive Decree 43542-MP-MICITT declaring a national cyber emergency. The US subsequently committed over $25 million to bolster Costa Rica's cybersecurity capacity, including equipment, training, and support for CSIRT-CR.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.