Cybersecurity regulation in El Salvador (2026)

El Salvador's Agencia Estatal de Ciberseguridad (ACE) published its inaugural policy on data security measures, setting mandatory technical and organizational standards for public entities and regulated private actors obligated under the November 2024 cybersecurity law. This was the first binding regulatory guidance issued by the new agency.

El Salvador's Legislative Assembly reformed the 2025 General State Budget to transfer $12 million to the Justice and Security portfolio to fund the newly created State Cybersecurity Agency (ACE), with $11.28M designated for national cybersecurity regulation and $714K for agency administration. Without this appropriation ACE could not begin operating.

El Salvador's Legislative Assembly approved its first comprehensive cybersecurity statute, creating the Agencia Estatal de Ciberseguridad (ACE) as the national regulator; both laws were published in the Official Gazette on 15 November and entered into force on 23 November 2024, making El Salvador the first Central American country to enact a dedicated cybersecurity law paired with sector-wide data protection rules.

The Legislative Assembly amended the 2016 Special Computer Crimes Law to raise penalties for computer fraud from 6–10 to 10–12 years imprisonment and added formal legal definitions for Data Owner, Data Controller, Data Processor, and Metadata — signalling a shift toward data-centric criminal liability in advance of the November 2024 framework legislation.

The Salvadoran threat actor group CiberInteligenciaSV published more than ten separate police database dumps on BreachForums — exposing records on disappearances, vehicles, extortions, and weapons — revealing systemic weaknesses in government network security and law-enforcement data handling months before the new cybersecurity law was passed.

CiberInteligenciaSV released source code and VPN access credentials for the state-owned Chivo Bitcoin wallet's ATM network on BreachForums, exposing critical payments infrastructure to potential unauthorized access; the government denied any compromise of user funds but issued no formal investigation statement.

CiberInteligenciaSV published a 144 GB trove containing full names, DUI identity numbers, dates of birth, addresses, phone numbers, and high-definition headshots of approximately 5.1 million Salvadorans — roughly 80% of the population — creating acute identity-theft and biometric-misuse risks and directly accelerating the legislative push for data-protection law.

President Bukele issued Executive Decree 1633 establishing the Política de Ciberseguridad de El Salvador — the country's first formal national cybersecurity policy — mandating cybersecurity goals across the executive branch and encouraging adoption by critical-infrastructure operators, and tasking the government to create a dedicated coordinating body, laying the administrative groundwork for the 2024 legislation.

El Salvador became the world's first country to adopt Bitcoin as legal tender; implementing regulations required all bitcoin service providers to maintain a cybersecurity program tailored to the scale of their services, a physical security program, and a disaster recovery plan — creating the first mandatory sectoral cybersecurity obligations in Salvadoran law.

El Salvador's Legislative Assembly enacted Legislative Decree 260, the Special Law Against Computer and Related Crimes, criminalising unauthorised system access, computer fraud, data manipulation, identity theft, and digital espionage with penalties of 1–12 years imprisonment, and requiring the National Civil Police and Attorney General's Office to maintain specialist cybercrime investigation capacity — the foundational legal framework that remained the sole cybersecurity statute for nearly a decade.