Cybersecurity regulation in Cuba (2026)

The government warned that operating Starlink terminals without MINCOM authorization violates Resolution 272/2015, with penalties including fines, equipment confiscation, and criminal proceedings; Cuban Customs seized over 27 terminals between April and May 2025, some hidden inside televisions. The action reinforces state monopoly over satellite spectrum and blocks unfiltered internet access for citizens.

Cuba submitted its formal position to the UN Open-Ended Working Group on ICT security, arguing existing international law can only be applied to cyberspace 'by analogy' and calling for a dedicated binding international cyber treaty under UN auspices. It is Cuba's first structured multilateral engagement on cyber governance norms.

Gaceta Oficial No. 92/2021 published Decree-Law 35 on Telecommunications, ICT and the Radio Spectrum, plus Decrees 42–43 and Resolutions 105, 107, and 108; for the first time Cuban law formally typified cybersecurity incidents in legal categories and empowered ETECSA to suspend service to any user transmitting 'false,' destabilizing, or morally offensive content. Resolution 105 established the national model for cybersecurity incident response across all sectors.

As unprecedented nationwide demonstrations erupted on 11 July 2021, ETECSA cut national internet connectivity for 30 minutes then imposed rolling blocks on WhatsApp, Signal, Telegram, Facebook, and Instagram lasting up to 72 hours — the first simultaneous deployment of all censorship techniques and Cuba's most extensive digital blackout since mobile internet launched in December 2018. The shutdown, attributed to Chinese-supplied Huawei and ZTE infrastructure, triggered the subsequent legislative response in August 2021.

Signed 31 March 2019 and published in Gaceta Oficial No. 31, Decreto 360 established the overarching legal framework requiring all state bodies, enterprises, cooperatives, and natural persons to meet defined ICT security levels and mandated protection of Critical ICT Infrastructures; it designated MINCOM as principal regulatory authority. The decree is the structural backbone on which all subsequent cybersecurity norms were built.

Decree-Law 370, enacted in 2018 and entering force in July 2019, prohibited dissemination of information 'contrary to social interest, morals, good manners and integrity of people' and barred Cubans from hosting content solely on foreign servers. It became the primary legal tool used against activists and independent journalists for online expression prior to the broader 2021 package.

Cuba's 2019 Constitution, approved by referendum, codified personal data protection as a constitutional guarantee (Article 97) and included an international relations chapter explicitly rejecting cyberwarfare and calling for democratization of cyberspace. It created the constitutional foundation for the subsequent wave of cybersecurity legislation.

Cuba created the Ministerio de la Informática y las Comunicaciones, later reorganized as MINCOM, as the sole regulatory authority over internet and telecommunications, and launched the Programa Rector para la Informatización de la Sociedad. MINCOM has served as the apex cybersecurity regulator for all subsequent legislation and enforcement.

The Council of State promulgated Decree-Law 199 in November 1999, regulating the protection of official information for all state organs, entities, and persons in Cuban territory and establishing Cuba's first systemic legal protections for government-held data. It formed the pre-internet-era pillar of information security on which later ICT legislation was layered.