Cybersecurity regulation in Nicaragua (2026)

There is no enacted horizontal cybersecurity statute defining 'essential/critical' operators with uniform security and incident-reporting duties. The principal national instruments are a criminal law and a non-binding strategy rather than a regulatory obligations regime.

Law 1042 of 28 Oct 2020 (La Gaceta No. 201, 30 Oct 2020) criminalizes unauthorized system access, illegal interception, malware, e-fraud and spreading of 'false/distorted' information. It is a penal instrument widely criticized as a content-control 'gag law' rather than a corporate security-duties framework.

Law 1219, published in La Gaceta on 12 Sep 2024, reformed and added to Law 1042, increasing maximum imprisonment to up to 15 years for cybercrimes deemed against 'the security of the State'.

The Norma sobre Gestión de Riesgo Tecnológico (Res. CD-SIBOIF-500-1-SEP19-2007) binds all banks and supervised financial entities to minimum standards for IT governance, security and controls, referencing frameworks such as COBIT, ITIL and ISO 17799 — the clearest example of enforceable cyber/IT obligations.

Decree 24-2020 approved a National Cybersecurity Strategy 2020-2025, executed by the Foreign Ministry and telecom regulator TELCOR, with five pillars including resilience of critical infrastructure. It only contemplates creating a future computer-emergency response capability rather than imposing mandatory reporting duties now.

A new General Law on Converged Telecommunications (approved Oct 2024) enters into force on 6 Nov 2025, adding state oversight of telecom networks. There is no general, cross-sector mandatory breach-notification duty toward affected individuals; incident-reporting obligations are confined to supervised sectors.