Cybersecurity · Mexico

Sectoral rules

No single comprehensive cybersecurity statute. Obligations are distributed across sectoral and cross-cutting rules: financial-sector information-security/cyber requirements issued by the CNBV and Banco de México; breach/security-vulnerability duties under the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP, 2025); the Penal Code's computer-crime provisions; and the binding National Cybersecurity Plan 2025–2030 / General Cybersecurity Policy for the Federal Public Administration (ATDT). A comprehensive 'Ley General/Federal de Ciberseguridad' is proposed but not yet enacted.

As of mid-2026 Mexico lacks an enacted, economy-wide cybersecurity law; cyber obligations arise from sector-specific regulation (notably banking/fintech rules from the CNBV and Banxico), the 2025 data-protection law's security and breach-notification duties, and a 2025–2030 National Cybersecurity Plan that binds federal agencies. A General Cybersecurity Law creating a national cybersecurity agency and a critical-infrastructure registry was introduced in the Senate in April 2025 and remains under legislative consideration.

No comprehensive law yet

Mexico has no single, in-force comprehensive cybersecurity statute; requirements are spread across sectoral and data-protection rules and a federal-government policy. The last standalone strategy (Estrategia Nacional de Ciberseguridad) dates to 2017.

Financial-sector cyber rules (CNBV/Banxico)

The CNBV's general provisions for credit institutions include a dedicated information-security section (arts. 168 Bis 11–17) and Anexo 72 information-security indicators, requiring a CISO, risk monitoring, remediation plans and reporting of security incidents; parallel rules apply to fintech (ITF) entities.

Data-protection security & breach duties (LFPDPPP 2025)

The new Federal Law on Protection of Personal Data Held by Private Parties was published in the DOF on 20 March 2025 and entered into force on 21 March 2025; it mandates risk-based security measures and requires data controllers to immediately notify affected data subjects of security breaches that materially harm their rights.

National Cybersecurity Plan 2025–2030 (federal government)

Published in late 2025 by the Agencia de Transformación Digital y Telecomunicaciones (ATDT), this first specialized federal cyber policy binds the Federal Public Administration across eight strategic axes, creates a national cyber operations center (CSOC) and CSIRT, and gives the ATDT 180 days (to ~mid-June 2026) to issue technical guidelines and compliance criteria.

Proposed General Cybersecurity Law

On 30 April 2025, Senators Luis Donaldo Colosio Riojas and Lucía Trasviña Waldenrath introduced a cybersecurity bill (64 articles) that would create a National Cybersecurity Agency and a Critical Information Infrastructure Registry (RICI) and require regulated operators to appoint a formal cybersecurity officer; it remains a pending initiative, not enacted law.

Computer crime via Penal Code

Absent a dedicated cyber-offenses statute, conduct such as unauthorized access, system damage and data interference is prosecuted under the Federal Criminal Code (Código Penal Federal) provisions on illicit access to computer systems.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.