Cybersecurity regulation in Peru (2026)

Emergency Decree 007-2020 established the Marco de Confianza Digital and created the National Center for Digital Security. It obliges public entities and private operators of financial digital services, basic utilities (electricity, water, gas), health, transport, internet, and education to notify the Center of any digital-security incident.

Law 30999 (Ley de Ciberdefensa, 2019) authorises military cyber operations to protect national sovereignty and critical assets. Its implementing Regulation, Decreto Supremo 017-2024-PCM (published February 14, 2024), assigns the Ministry of Defense responsibility for planning and conducting operations in and through cyberspace.

Supreme Decree 016-2024-JUS (effective March 30, 2025) implements Law 29733 and introduces an obligation to notify the National Authority for Personal Data Protection (ANPDP) within 48 hours of becoming aware of a security incident that causes significant harm or exposes large volumes of personal data.

The Computer Security Incident Response Team (CSIRT-PeCERT), established in 2009 and attached to the Prime Minister's Office, coordinates incident management, prevention, and information sharing across public-administration entities and supports the private sector on cybersecurity matters.

Under DS 016-2024-JUS, organisations processing personal data must appoint a Data Protection Officer on a staggered timeline: large companies (revenue above ~USD 3.28 M) by November 2025, medium companies by November 2026, and small companies by November 2027.

As of mid-2026, Peru has no enacted NIS2-equivalent law covering all critical-infrastructure sectors under one instrument. Cybersecurity obligations are distributed across the 2020 digital-trust decree, the cyberdefense law, the personal-data regulation, and sector-specific rules (e.g. SBS guidelines for banking), leaving gaps in coverage and enforcement uniformity.