Cybersecurity regulation in Mexico (2026)
As of mid-2026 Mexico lacks an enacted, economy-wide cybersecurity law; cyber obligations arise from sector-specific regulation (notably banking/fintech rules from the CNBV and Banxico), the 2025 data-protection law's security and breach-notification duties, and a 2025–2030 National Cybersecurity Plan that binds federal agencies. A General Cybersecurity Law creating a national cybersecurity agency and a critical-infrastructure registry was introduced in the Senate in April 2025 and remains under legislative consideration.
Key points
Mexico has no single, in-force comprehensive cybersecurity statute; requirements are spread across sectoral rules, data-protection law and a federal-government policy. The only standalone national strategy (Estrategia Nacional de Ciberseguridad) dates to 2017 and, for the federal government, has been superseded by the 2025 policy.
The CNBV's general provisions for credit institutions include a dedicated information-security section (arts. 168 Bis 11–17) and Anexo 72 information-security indicators, requiring a CISO, risk monitoring, remediation plans and reporting of security incidents; parallel rules apply to fintech (ITF) entities.
The new Federal Law on Protection of Personal Data Held by Private Parties was published in the DOF on 20 March 2025 and entered into force on 21 March 2025; it mandates risk-based security measures and requires data controllers to immediately notify affected data subjects of security breaches that materially harm their rights.
The 2025–2030 National Cybersecurity Plan (Política General), published in late 2025 by the Agencia de Transformación Digital y Telecomunicaciones (ATDT), is the first specialized federal cyber policy. It binds the Federal Public Administration across eight strategic axes, creates a national cyber operations center (CSOC) and a CSIRT, and gives the ATDT 180 days (to roughly mid-June 2026) to issue technical guidelines and compliance criteria.
On 30 April 2025, Senators Luis Donaldo Colosio Riojas and Lucía Trasviña Waldenrath introduced a cybersecurity bill (64 articles) that would create a National Cybersecurity Agency and a Critical Information Infrastructure Registry (RICI) and require regulated operators to appoint a formal cybersecurity officer; it remains a pending initiative, not enacted law.
Absent a dedicated cyber-offenses statute, conduct such as unauthorized access, system damage and data interference is prosecuted under the Federal Criminal Code (Código Penal Federal) chapter on illicit access to computer systems and equipment (arts. 211 bis 1 to 211 bis 7).
Timeline - major decisions & events
Late 2025
The Agencia de Transformación Digital y Telecomunicaciones (ATDT) published Mexico's first legally enforceable national cybersecurity policy in the Diario Oficial de la Federación, requiring all federal agencies to appoint an Institutional Cybersecurity Officer within 60 days and establishing a national CSOC and CSIRT under ATDT direction. The policy supersedes the non-binding 2017 strategy and creates audit obligations for the entire Federal Public Administration.
Source: InfoChannel (reporting DOF/ATDT publication)

20 March 2025
A wholly revised Federal Law on Protection of Personal Data Held by Private Parties was published in the DOF, repealing the 2010 statute and transferring data-protection enforcement from the dissolved INAI to the Secretariat of Anti-Corruption and Good Governance. The reform expands who counts as a "data controller," imposes direct obligations on processors, and mandates security-incident notification; critics warn that the loss of an independent enforcement authority undermines effective oversight.
Source: Diario Oficial de la Federación

20 December 2024
The constitutional decree extinguishing INAI and six other autonomous bodies was published in the DOF, ending 14 years of independent data-protection supervision and concentrating all enforcement within the executive branch. Privacy advocates warned that the reform eliminated the structural independence required to effectively sanction government entities for cybersecurity and data breaches.
Source: BASHAM (reporting DOF decree of 20 Dec 2024)

2024
In its final full year of operation, INAI reported imposing nearly MXN 47 million in aggregate fines against private-sector entities for data-protection violations, with financial and insurance firms accounting for the largest share (MXN 22 million). These were the highest enforcement totals under the 2010 LFPDPPP and came just before the authority's budget was slashed ahead of its abolition.
Source: ICLG Data Protection Laws and Regulations — Mexico 2025–2026

September 2022
The hacktivist collective Guacamaya exploited a ProxyShell vulnerability to exfiltrate more than 6 TB of classified documents from Mexico's Ministry of National Defence (SEDENA), the largest military data breach in Mexican history. Leaked files revealed army surveillance of journalists, opposition politicians and activists; a military IT commander was arrested in March 2023 in connection with the breach.
Source: National Security Archive, George Washington University

2019
Following the Ley Fintech, Banco de México issued Circular 4/2019, establishing binding operational-security and cybersecurity requirements for financial technology institutions (ITFs) that cover virtual-asset custody controls, access management, audit trails and cyber-incident reporting to Banxico. It was Mexico's first sector-specific cybersecurity rulebook for digital financial services.
Source: Banco de México

April–May 2018
Attackers compromised the internal SPEI-gateway software of at least five Mexican banks, injecting fraudulent transfer orders that diverted approximately MXN 300–400 million (about USD 15–20 million) to mule accounts; accomplices immediately withdrew cash at branches before the transfers could be reversed. The incident was Mexico's first large-scale cyber-enabled bank heist and directly prompted Banxico to issue emergency security circulars and tighten SPEI participant access controls.
Source: Hogan Lovells / BSTL

9 March 2018
The Law to Regulate Financial Technology Institutions (Ley Fintech) was published in the DOF, creating a regulatory framework for fintechs under joint CNBV/Banxico supervision and expressly requiring ITF operators to maintain security standards for electronic-money operations and virtual-asset custody. It was the first Mexican statute to impose technology-specific cybersecurity duties on a non-bank financial sector.
Source: Cámara de Diputados — Diario Oficial

November 2017
Mexico published its first National Cybersecurity Strategy (ENCS), organised around five pillars (Society & Rights, Economy & Innovation, Public Institutions, Public Security, National Security), formally designating CERT-MX as the national cyber-incident response body and adopting a multi-stakeholder governance model. The ENCS was the foundational policy document underpinning subsequent cybersecurity regulation for nearly eight years, until superseded by the 2025 Política General.
Source: Gobierno de México

26 January 2017
The General Law on Protection of Personal Data Held by Obligated Subjects (LGPDPPSO) extended data-protection and minimum-security requirements to all government bodies, requiring agencies to implement technical and administrative safeguards, appoint data-protection officers and report security incidents to INAI. It created a unified framework with the private-sector LFPDPPP, closing a major gap that had left government-held data unprotected.
Source: Cámara de Diputados

5 July 2010
The Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) was published in the DOF, establishing Mexico's first comprehensive data-protection regime: consent requirements, ARCO rights, mandatory security-breach notification, and minimum technical and administrative security measures for private entities processing personal data. For 15 years it was the primary legal basis for cybersecurity obligations on private-sector organisations and the statute enforced by INAI.
Source: Cámara de Diputados
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources cited above.