
Cybersecurity · Ecuador


Comprehensive law: Ley Orgánica para el Fortalecimiento de la Ciberseguridad (Registro Oficial, Quinto Suplemento No. 290, 22 May 2026); supplemented by the Ley Orgánica de Protección de Datos Personales (LOPDP, 2021) and the National Cybersecurity Strategy (2022). Primary regulator: Ministerio de Telecomunicaciones y de la Sociedad de la Información (MINTEL) / CSIRT Ecuador.

Ecuador has enacted its first standalone comprehensive cybersecurity law, the Ley Orgánica para el Fortalecimiento de la Ciberseguridad. The National Assembly approved it with 82 votes on 10 February 2026, it cleared a partial executive objection in March 2026, and it entered into force upon publication in the Official Registry on 22 May 2026. The law imposes cybersecurity obligations on public entities, digital service providers, and private operators of critical digital infrastructure, establishes a 78-hour incident-reporting duty, and sets tiered financial sanctions up to 1.5% of annual turnover. It complements Ecuador's 2021 personal data protection law (LOPDP) and the 2022 National Cybersecurity Strategy developed with OAS and EU Cyber4Dev support.

Comprehensive law in force (May 2026)

The Ley Orgánica para el Fortalecimiento de la Ciberseguridad was published in the fifth supplement of Registro Oficial No. 290 on 22 May 2026 and entered into force immediately, concluding a legislative process that began with the National Assembly's approval on 10 February 2026 and survived a partial presidential objection.

Scope of obligations

The law applies to public sector entities, digital service providers, and private legal entities responsible for critical digital infrastructure; natural persons are expressly excluded. It covers both domestic operations and cross-border digital services affecting Ecuador.

Incident-reporting duty (78 hours)

Covered entities must report cybersecurity incidents or attacks to competent authorities within 78 hours of becoming aware of them, a timeline broadly comparable to EU NIS2 obligations and significantly shorter than those of most Latin American peers.

Tiered sanctions regime

Infractions are graded minor (0.1–0.7% of turnover for companies; 1–10 SBU for public officials), serious (0.7–1%; 10–20 SBU), and very serious (1–1.5%; 20–40 SBU), with penalties applicable to both public and private entities.

CSIRT and governance framework

The law formalises the national CSIRT (Equipo de Respuesta a Incidentes de Seguridad Informática) under MINTEL oversight and aligns Ecuador's framework with ISO 27000 standards and the NIST Cybersecurity Framework, building on U.S.–Ecuador cyber-defence cooperation exercises (CIBEREC 2025).

LOPDP personal-data breach notification (pre-existing, complementary)

Separately, the Organic Law for Personal Data Protection (LOPDP, 2021) requires data controllers to notify the Personal Data Protection Authority of a breach within five days of awareness; processors must alert controllers within two days. This data-protection channel operates in parallel with the new cybersecurity incident-reporting regime.

Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.