Cybersecurity · Cuba
Cybersecurity - Cuba
Cuba's cybersecurity regime is built on a state-centric, sector-focused architecture anchored in Decreto 360/2019 and Decreto-Ley 35/2021, which together regulate ICT security, national cyberspace defence, and critical infrastructure protection. The Ministry of Communications (MINCOM) and its subordinate Office of Computer Network Security (OSRI) serve as primary authorities, with mandatory incident-reporting obligations for legal persons. No comprehensive horizontal law comparable to NIS2 is in force; the framework prioritises national security and state information control alongside technical cybersecurity obligations.
Enacted 31 March 2019 by the Council of Ministers, Decreto 360 establishes the legal basis for securing ICT systems, protecting Critical ICT Infrastructure, and defending the national cyberspace. It tasks MINCOM, in coordination with the Ministries of Interior and the Revolutionary Armed Forces, with maintaining a National Catalogue of Critical ICT Infrastructure and a corresponding protection plan.
Published in Official Gazette No. 92 on 17 August 2021, Decreto-Ley 35 is the first superior-rank legislative instrument to expressly address cybersecurity. It obliges telecommunications and internet service providers to investigate and shut down malicious activity, restricts the import and sale of networking devices without MINCOM authorisation, and authorises internet and mobile-data service suspensions for security or public-order grounds.
Resolution 105 (complementing Decreto-Ley 35) defines the National Action Model for Cybersecurity Incident Response. It classifies incidents on a four-tier danger scale (low, medium, high, very high) and requires all legal persons to notify OSRI of cybersecurity incidents regardless of whether the entity can resolve the incident internally. Reports are submitted via www.osri.gob.cu or the dedicated hotline/email.
Critical ICT Infrastructure is defined to cover systems underpinning strategic economic sectors, national security and defence, and public administration services, including industry, health, energy, and transportation. MINCOM maintains and updates the National Catalogue of Critical ICT Infrastructure in coordination with security and defence ministries.
OSRI (Oficina de Seguridad para las Redes Informáticas), a body within MINCOM, is Cuba's primary cybersecurity authority. Within OSRI, the CuCERT functions as the national Computer Emergency Response Team, receiving and analysing incident reports and developing threat intelligence, though Cuba's exclusion from certain international CERT cooperation frameworks limits cross-border information sharing.
Cuba submitted a formal National Position on the application of international law in cyberspace to the UN Open-Ended Working Group on ICT security on 28 June 2024, reaffirming state sovereignty over national cyberspace and support for a binding UN cyber convention, consistent with the domestic regulatory emphasis on state control.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice. English version →