Cybersecurity regulation in Paraguay (2026)

Cybersecurity obligations are currently spread across multiple instruments: Law 4439/2011 (criminal offences for unauthorized access, data interception, computer sabotage), Law 6207/2018 (creating MITIC as national digital authority), and Law 6822 (trust services/electronic transactions). No single cybersecurity statute governs the field.

Paraguay ratified the Council of Europe Convention on Cybercrime and its Additional Protocol via Law 5994, aligning its cybercrime criminal framework with international standards and enabling mutual legal assistance on cybercrime investigations.

Executive Decree 3900, signed 22 May 2025, formalizes the National Cybersecurity Strategy 2025-2028. MITIC is the lead implementation authority; the strategy prioritizes critical-infrastructure protection, CERT-PY operational capacity, inter-institutional governance, and international cooperation (backed by OAS/CICTE).

Two bills introduced in the Chamber of Deputies in May 2025 — File D-2584479 ('Cybersecurity, Data Protection and Cybercrime Prevention') and File D-2584815 ('Cybersecurity and Protection of Paraguayan Cyberspace') — are under legislative study and not yet enacted. Both would create new regulatory structures including a National Cybersecurity Directorate.

Promulgated November 2025, Law 7593/2025 imposes security, confidentiality, and transparency obligations on any entity processing personal data and creates the Agencia Nacional de Protección de Datos Personales under MITIC. It enters into force 24 months after approval (approximately November 2027), replacing the interim Law 6534/2020.

Under current Law 6534/2020, controllers must notify enforcement authorities (BCP and SEDECO) of personal-data security breaches in a 'complete and timely' manner, but no specific timeframe or format is prescribed and there is no mandatory individual notification requirement. Law 7593/2025 will introduce updated obligations when it takes effect in 2027.