Cybersecurity - El Salvador

Approved 12 November 2024, published in the Official Gazette 15 November 2024, and in force from 23 November 2024. It is the first comprehensive cybersecurity statute in Central America and applies to both public entities and private operators of critical infrastructure.

The law creates the Agencia de Ciberseguridad del Estado (ACE) as an autonomous national body responsible for developing the National Cybersecurity and Information Security Policy (NCISP), issuing binding standards, qualifying critical-infrastructure operators, and imposing sanctions for non-compliance.

All government bodies, autonomous institutions, municipal authorities, and any public or private entity that manages public resources or plays a role in national critical infrastructure must implement permanent cybersecurity management systems aligned with the NCISP and international best practices, including operational-continuity plans.

Regulated entities must notify ACE, the Attorney General's Office, and affected data subjects of any security breach within a maximum of 72 hours of discovery, mirroring the notification model in the companion personal-data-protection law (Decreto No. 144).

Enacted simultaneously, Decreto No. 144 is El Salvador's first dedicated data-protection statute, applying to both public and private sectors. It reinforces the cybersecurity framework by requiring data controllers to maintain appropriate security measures and observe the 72-hour breach-notification obligation.

Before the 2024 law, Executive Order No. 163 of 13 May 2022 established guidelines for cybersecurity risk prevention and management, called for creation of a coordinating cybersecurity entity, and promoted international cooperation — laying the institutional groundwork that ACE now fulfils.