Cybersecurity · Uruguay
Cybersecurity regulation in Uruguay (2026)
Uruguay shaded by its cybersecurity status
Uruguay operates a layered cybersecurity regime anchored by Decree 66/025 (enacted February 20, 2025), which mandates compliance with the AGESIC Cybersecurity Framework for all public entities and private operators of critical services, and by Law 20,327 (August 23, 2024), which codified cybercrime offences aligned with the Budapest Convention. The overarching strategic direction is set by the National Cybersecurity Strategy 2024–2030, approved by the Honorary Advisory Council on Information Security (CAHSI) in December 2024. No single comprehensive cybersecurity act equivalent to NIS2 exists; the regime is instead built from a presidential decree, a criminal-law statute, and sector regulators.
Key points
Enacted February 20, 2025, this decree extends the mandatory AGESIC Cybersecurity Framework (MCU) to all public-sector entities and private entities linked to critical sectors (telecoms, energy, water, financial services, digital infrastructure). Obligations include designating a security officer, maintaining audit logs, and reporting cybersecurity incidents to CERTuy within 24 hours.
Enacted August 23, 2024, Law 20,327 on Prevention and Repression of Cybercrime introduced new Penal Code offences including unauthorised access, computer fraud, computer damage, data breach, identity usurpation, telematic harassment, and abuse of devices, carrying up to 24-month custodial sentences. It is explicitly framed as a step toward ratifying the Budapest Convention.
Approved by CAHSI in December 2024 and published by AGESIC, the strategy sets eight pillars covering governance, regulatory frameworks, critical-infrastructure protection, cybercrime capacity, international cooperation, and cybersecurity culture. Implementation is overseen by a National Cybersecurity Strategy Management Committee established under Law 20,212.
Decree 66/025 requires cybersecurity incidents at covered entities to be reported to CERTuy (AGESIC's national CSIRT) within 24 hours. Separately, data controllers must notify the data-protection authority URCDP within 72 hours of becoming aware of a personal-data security incident, with additional notification to affected individuals if the breach poses significant risk to their rights.
The Central Bank of Uruguay (BCU) issues cybersecurity and operational-resilience rules for the financial sector, while the telecoms regulator URSEC imposes sector-specific security requirements on communications operators. These sit alongside, and are coordinated with, the AGESIC/Decree 66/025 framework.
AGESIC (Agencia de Gobierno Electrónico y Sociedad de la Información y del Conocimiento) leads national cybersecurity policy, develops the MCU framework, operates CERTuy for incident coordination, and advises on the National Data Strategy. It works with the inter-institutional CAHSI advisory council.
Uruguay - other topics
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →