Cybersecurity 2025

Last Updated March 13, 2025

Mexico

Law and Practice

Authors
Nader Hayaux & Goebel is a market leader in M&A, banking and finance, fintech, securities and capital markets, structured finance, antitrust, digital economy, telecommunications, tax, insurance and reinsurance, project finance, real estate, energy and infrastructure, restructuring and insolvency, and government procurement. The firm consists of 20 partners and more than 45 associates and is one of the largest groups of corporate finance experts in the Mexican market, working together for more than 30 years. The only Mexican law firm with an office in London, Nader Hayaux & Goebel enjoys excellent working relationships with law firms in all major cities internationally, thanks to its strong focus on developing and pursuing business opportunities in Mexico, the UK and other European countries.

In Mexico, there is no specific cybersecurity law; however, various legal provisions regulate aspects of cybersecurity indirectly, involving multiple regulatory bodies. By way of example, there are regulations concerning banking, personal data protection, criminal conduct, and telecommunications. These laws help shape the cybersecurity landscape by providing legal frameworks that institutions and businesses must follow to protect digital assets and personal information.

Additionally, several government agencies have issued their own cybersecurity guidelines. By way of example, the Central Bank of Mexico (Banxico), the country’s central bank, released its cybersecurity strategy for 2024–27 (Estrategia de Ciberseguridad del Banco de México 2024–27), outlining its guiding principles and defining the responsibilities of an internal cybersecurity directorate. This initiative highlights the importance of financial cybersecurity and the role of regulatory bodies in ensuring a secure banking environment. Moreover, financial institutions are required to adhere to strict cybersecurity protocols to prevent fraud, data breaches, and cyber-attacks that could compromise national financial stability.

In the past, the Mexican government conducted a multi-stakeholder process to develop a national cybersecurity strategy, which was published in 2017. This initiative aimed to promote concrete actions with social, economic and political impacts by establishing key principles and objectives. However, the administration that took office in 2018 did not continue this strategy and it remains to be seen whether the current administration, which began in 2024, will implement a concrete cybersecurity strategy. The absence of a dedicated national strategy has left a regulatory gap, leading businesses and government agencies to develop their own cybersecurity frameworks to mitigate risks.

A notable recent development is the creation of the Digital Transformation and Telecommunications Agency (Agencia de Transformación Digital y Telecomunicaciones) in November 2024. This agency was granted the status of a Secretariat of State, giving it significant institutional weight in governmental digital policy. The agency includes a General Directorate of Cybersecurity, responsible for designing and executing cybersecurity strategies for the federal government and developing policies to standardise cybersecurity measures across government entities, among other duties. This new agency is expected to play a critical role in shaping the country’s cybersecurity landscape by establishing nationwide policies and ensuring co-ordination among different regulatory bodies. Although the agency has been legally established, its implementation and execution of cybersecurity responsibilities remain to be seen, and its success will depend on its ability to enforce policies and collaborate with industry stakeholders.

There have been several cybersecurity law proposals submitted to Congress for discussion. However, none have been enacted into law, remaining as proposals that could serve as a foundation for future legislative discussions. These proposals generally aim to address cybercrimes related to financial assets, personal freedoms, IP, the financial system, and information systems, among other things. Given the increasing frequency and sophistication of cybersecurity threats, there is a growing need for a comprehensive cybersecurity law that establishes clear regulations and penalties for cyber-related offences. Legislative progress in this area will be crucial for strengthening Mexico’s cybersecurity posture and ensuring that individuals and businesses are adequately protected from cybersecurity threats.

Finally, considering Mexico’s current legal framework, personal data protection regulations (DPRs) are the most directly relevant laws to cybersecurity. The protection of personal data remains a central concern, given that unauthorised access, data breaches, and identity theft continue to pose significant risks. Strengthening data protection regulations and enforcing compliance will be essential in fostering a more secure digital environment and building public trust in cybersecurity measures.

The following legal instruments, albeit not an exhaustive list (see 3.1 Scope of Financial Sector Operational Resilience Regulation for additional regulations in the financial sector), contain provisions relevant to cybersecurity in Mexico.

  • The Federal Criminal Code (Código Penal Federal) and state criminal codes – these establish legal consequences for cyber-related crimes, including fraud, identity theft, illicit interception of communications, and unauthorised access to systems. They also criminalise hacking, data breaches, and cyber-enabled financial crimes.
  • The Personal Data Protection Law (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) ‒ this governs the collection, processing, and storage of personal data, ensuring organisations implement adequate security measures to protect sensitive information. Until 20 December 2024, this law was enforced by the National Institute for Transparency, Access to Information, and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, or INAI) – see 1.3 Cybersecurity Regulators (Data Protection) for details of its replacement.
  • The Transparency Law (Ley Federal de Transparencia y Acceso a la Información Pública) ‒ this law includes provisions on information security in public institutions, ensuring that government entities handle and protect sensitive data responsibly while maintaining accountability in cybersecurity-related incidents.
  • The Fintech Law (Ley para Regular las Instituciones de Tecnología Financiera) ‒ this law establishes compliance requirements for fintech companies and mandatory measures for secure financial transactions, among other things. Given the rapid growth of digital financial services, this law plays a crucial role in mitigating cyber-risks in the financial sector.
  • General Provisions Applicable to Credit Institutions (Disposiciones de Carácter General Aplicables a las Instituciones de Crédito) ‒ these impose strict standards on banks, requiring financial institutions to implement risk management frameworks, security controls, and incident response mechanisms to safeguard customer data and financial transactions.
  • Circular 8/2019 ‒ issued for participants in the Interbank Electronic Payments System, Mexico’s real-time payment system, this regulation enhances cybersecurity by requiring financial entities to adopt encryption, authentication measures, and real-time monitoring to prevent cyberfraud.
  • Principles for Strengthening Cybersecurity to Ensure Financial System Stability (Principios para Reforzar la Seguridad de la Información en el Sistema Financiero) ‒ this is a set of best practices and regulatory guidelines aimed at reinforcing cybersecurity resilience within the financial sector, ensuring institutions implement risk-based approaches to counter cybersecurity threats.
  • Mexican Official Standards (Normas Oficiales Mexicanas, or NOMs) ‒ several NOMs provide additional mandatory cybersecurity and information protection requirements. Notable among them are:
    1. NOM-151-SCFI-2016 ‒ regulates the conservation of digital data messages, ensuring electronic documents remain authentic, reliable, and unaltered over time, which is essential for cybersecurity, e-commerce, and legal compliance; and
    2. NOM-004-SSA3-2012 ‒ establishes criteria for the creation, management and conservation of medical records in Mexico, reinforcing data protection and ensuring confidentiality in healthcare services (see 6.3 Cybersecurity in the Healthcare Sector for further details).

Given the ongoing legal changes, it will be crucial to monitor how these regulations evolve and their impact on Mexico’s cybersecurity landscape. The Mexican government’s current reforms, including the dissolution of certain regulatory agencies and the creation of new entities, may reshape the enforcement and implementation of cybersecurity policies in the coming years.

Cybersecurity regulation in Mexico is fragmented across various government agencies, primarily owing to the absence of a comprehensive legal framework and a central authority with broad oversight responsibilities. As a result, multiple entities assume roles in cybersecurity matters, each focusing on distinct areas such as law enforcement, the financial sector, and data protection. The landscape is continually evolving.

Law Enforcement and Cybercrime Investigation

The Attorney General’s Office (Fiscalía General de la República, or FGR) and local prosecutors’ offices play a central role in investigating cybercrimes. The Federal Criminal Code defines various offences, including unauthorised access to information systems, data breaches, and the illegal disclosure of sensitive information. Cybercrime investigations often involve co-ordination between various state and federal authorities.

In Mexico City, the Cybercrime Investigation Unit within the local prosecutor’s office specialises in investigating digital offences. These include crimes against sexual privacy, such as the unauthorised sharing of intimate content on social media – something that is a growing concern in the digital age.

Financial Sector Cybersecurity Regulation

The National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores, or CNBV) is responsible for overseeing incidents within the financial sector. The CNBV ensures that financial institutions mitigate risks that could compromise the confidentiality, integrity or availability of banking systems. It monitors and supervises the response to security breaches, data loss, and other violations of financial security regulations.

Banxico, as the central bank, also plays a critical role in securing the financial sector against cyberthreats. In response to the growing number of cyber-attacks targeting financial systems globally, Banxico works closely with financial institutions, sector regulators, and law enforcement. In 2018, Banxico spearheaded the formation of a Cybersecurity Incident Response Group, which collaborates with the Attorney General’s Office and other stakeholders to enhance co-ordinated responses to major security incidents.

Data Protection

The INAI has historically been the primary authority in charge of ensuring data protection and the public’s right to access information. Given that the protection of personal data is closely tied to cybersecurity, the INAI has played a crucial role in safeguarding digital information. Recent government actions saw the INAI abolished and its functions transferred to the Ministry for Anti-Corruption and Good Governance (Secretaría Anticorrupción y Buen Gobierno). This shift has raised concerns about the future of data protection policies and how Mexico will address privacy in the face of evolving cybersecurity threats. The long-term implications of this transition on cybersecurity governance and enforcement remain to be seen.

Cybersecurity in Critical Infrastructure

The National Guard (Guardia Nacional) has a specialised cybersecurity unit dedicated to supporting agencies managing critical infrastructure. This unit’s responsibilities include:

  • identifying and assessing cybersecurity threats;
  • managing cybersecurity incidents;
  • acting as a national point of contact for cybersecurity threats; and
  • conducting digital forensics to assist law enforcement agencies in investigating cybercrimes.

In addition, the National Guard provides cybersecurity assistance to state authorities, reinforcing the protection of both federal and regional infrastructure. This co-ordination aims to create a unified response to protect national security and critical systems from cyber-attacks.

Other Governmental Involvement

Although the agencies outlined earlier in this section are among the most prominent players in Mexico’s cybersecurity regulatory environment, other governmental bodies indirectly contribute to cybersecurity efforts. By way of example, the Ministry of Infrastructure, Communications and Transportation (Secretaría de Infraestructura, Comunicaciones y Transportes, or SICT) has a role in regulating digital infrastructure and overseeing the integrity of communication networks.

As the nation continues its efforts to improve institutional and regulatory frameworks, attention must be paid to how changes in governance and legal reforms will influence the overall cybersecurity landscape. These shifts will likely have a profound impact on Mexico’s ability to respond to evolving cybersecurity threats and safeguard its critical infrastructure, financial systems, and personal data.

As mentioned in 1.1 Cybersecurity Regulation Strategy, there is no specific cybersecurity law that regulates critical infrastructure in Mexico. However, the National Security Law (Ley de Seguridad Nacional) contains provisions related to the importance of protecting critical infrastructure – although it does not define in detail what constitutes such infrastructure.

Additionally, during the previous administration, a National Standardised Protocol for Managing Cybersecurity Incidents (Protocolo Nacional Homologado de Gestión de Incidentes Cibernéticos) was implemented. Although this protocol is not a legal document, it serves as a reference for establishing the terms and procedures that enable the strengthening of cybersecurity across government entities as well as the private sector. This initiative aims to ensure the continuous, co-ordinated management of cybersecurity incidents, improving overall resilience and response to emerging threats.

In Mexico, there are no specific obligations related to cybersecurity for the protection of critical infrastructure. While various regulatory frameworks address cybersecurity issues, there is no detailed legislation that comprehensively regulates the measures that entities managing essential infrastructures – such as energy, telecommunications, and transportation – must adopt. The absence of a clear legal framework for the protection of critical infrastructure against cybersecurity threats leaves those institutions responsible for these key sectors with some flexibility but also creates a regulatory gap that could jeopardise the country’s resilience in the face of cyber-incidents.

There are no specific reporting obligations for cybersecurity incidents related to critical infrastructure in Mexico. However, the National Standardised Protocol for Managing Cybersecurity Incidents mentioned in 2.1 Scope of Critical Infrastructure Cybersecurity Regulation does include a series of recommendations on how high-level, critical and impactful cybersecurity incidents should be reported to the National Guard. By way of example, the protocol outlines mechanisms for incident notification, specifying how incidents should be classified and how government entities should carry out the reporting process. Strengthening this protocol through new regulations that grant it mandatory status could significantly enhance the ability to respond to cybersecurity incidents, offering better protection for critical infrastructure sectors in Mexico.

As mentioned in 1.3 Cybersecurity Regulators (Cybersecurity in Critical Infrastructure), there are obligations on the part of the government regarding resilience responsibilities and threat identification, which are contained in protocols or guidelines, such as the protocol mentioned in 2.1 Scope of Critical Infrastructure Cybersecurity Regulation and 2.3 Incident Response and Notification Obligations. However, these obligations are not specifically outlined in a particular law. This fragmented approach can make it difficult to implement effective security measures, as authorities and private entities may interpret the guidelines differently or may not be legally required to adopt them uniformly.

To improve the situation, it would be advisable for Mexico to move towards creating laws that establish obligations related to cybersecurity resilience and threat identification in critical infrastructure. This would enable more coherent and co-ordinated management of cyber-risks, ensuring that all parties involved follow a common set of rules that strengthen protection and response to cybersecurity incidents. The implementation of more formal legislation could also improve co-operation between the public and private sectors, enhancing the ability to respond to cybersecurity challenges.

Operational resilience in Mexico’s financial sector is primarily regulated by:

  • the CNBV;
  • Banxico; and
  • the National Commission for the Protection and Defence of Financial Services Users (Comisión Nacional para la Protección y Defensa de los Usuarios de Servicios Financieros, or CONDUSEF).

Mexico does not have a standalone operational resilience regulation. Nevertheless, financial institutions such as banks, fintechs, insurance companies and other market participants are required to comply with a combination of laws, regulations and supervisory guidelines aimed at ensuring business continuity, cybersecurity and risk management. These regulatory norms and provisions include:

  • the General Provisions Applicable to Credit Institutions issued by the CNBV (see 1.2 Cybersecurity Laws);
  • CNBV Guidelines on Cybersecurity and Information Security;
  • the Fintech Law (Ley para Regular las Instituciones de Tecnología Financiera);
  • the Payment Systems Law (Ley de Sistemas de Pagos);
  • Circular 8/2019 ‒ directed at participants of the Interbank Electronic Payments System and issued by Banxico (see 1.2 Cybersecurity Laws);
  • Principles for Strengthening Cybersecurity to Ensure Financial System Stability ‒ issued by Banxico (see 1.2 Cybersecurity Laws);
  • Coordinating Bases for Information Security (Bases de Coordinación en Materia de Seguridad de la Información) – established by the Ministry of Finance (Secretaría de Hacienda y Crédito Público, or SHCP), Banxico, the CNBV, the CONDUSEF and other governmental agencies and market participants; and
  • the Cybersecurity Strategy of Banxico 2024–27 (see 1.1 Cybersecurity Regulation Strategy).

Additionally, Mexico is an active participant in several international treaties, agreements, and frameworks that focus on cybersecurity, financial sector resilience, and digital crime prevention. Mexico has not formally ratified the Budapest Convention on Cybercrime, but it has aligned its financial cybersecurity regulations with international standards through frameworks such as those of the Financial Action Task Force (FATF) (Grupo de Acción Financiera Internacional, or GAFI), of which Mexico is a member, the Basel III guidelines on operational risk and cyber-resilience, and G20 initiatives. Furthermore, regional and bilateral co-operation ‒ particularly with the USA, the Organization of American States, and the Pacific Alliance ‒ enhances its financial sector’s operational and cyber-resilience.

Information and communications technology (ICT) service providers in Mexico are obligated to meet specific contractual and regulatory requirements when working with financial institutions. Such requirements focus on cybersecurity, data protection, operational resilience, third-party risk management, and the ability to accommodate regulatory supervision. These requirements are set by Banxico, the CNBV, the Federal Telecommunications Institute (Instituto Federal de Telecomunicaciones, or IFT) and the INAI. Please note that the authority and functions of the last two of these agencies are in the process of being transferred to other agencies within the federal government as a result of recent constitutional reforms.

ICT service providers working with financial institutions must adhere to outsourcing and cybersecurity regulations issued by Banxico and the CNBV, which include:

  • cybersecurity requirements for ICT providers handling banking systems;
  • data encryption, access controls and authentication measures;
  • service-level agreements;
  • audit rights; and
  • incident response obligations.

Such providers must also comply with Banxico’s cybersecurity and operational resilience standards and grant Banxico regulatory oversight and audit access.

Under Mexico’s Personal Data Protection Law, ICT contracts must establish data protection obligations, and providers must implement technical and organisational security measures. If an ICT provider processes personal data on behalf of a financial institution, the contract must specify processing purposes and permitted activities, data retention policies, and obligations to notify data breaches.

Mexico is expected to introduce enhanced outsourcing regulations for ICT providers, similar to those set forth in the EU’s Digital Operational Resilience Act (DORA).

As pointed out in 3.1 Scope of Financial Sector Operational Resilience Regulation, Mexico does not currently have a dedicated digital operational resilience regulation such as that of the EU, but it has multiple regulatory frameworks that collectively govern operational resilience, cybersecurity, and incident reporting for financial institutions and ICT providers. The main objectives of such regulation include:

  • ensuring business continuity and system availability;
  • bolstering cybersecurity and IT risk management;
  • mitigating risks related to third-party providers and cloud computing;
  • improving crisis management and incident response;
  • safeguarding personal data and financial information, while enhancing consumer protection and data security; and
  • following international standards.

Additionally, financial institutions and other participants such as ICT service providers, payment processors and cloud providers in Mexico must comply with incident reporting obligations. Such reporting obligations include cybersecurity breaches, operational disruptions, financial fraud, phishing attacks, and third-party ICT failures. Financial institutions must also keep logs and forensic reports for potential regulatory audits.

Enforcement of operational resilience obligations by regulators in relation to critical ICT services providers in Mexico is done through supervisory audits, compliance inspections, penalty assessments, and mandatory incident reporting. The primary authorities overseeing enforcement include the CNBV, Banxico and, for certain specific matters related to their mandate, the IFT and the INAI.

Mexico does not impose strict data localisation requirements; however, international data transfers must comply with the provisions of the Personal Data Protection Law, financial sector rules, and trade agreements. These rules apply to financial institutions, ICT providers, and businesses in general that process or store personal or sensitive data outside Mexico. Mexican businesses are obligated to implement contractual safeguards, consent mechanisms and cybersecurity measures to ensure compliance. Note that the United States–Mexico–Canada Agreement (USMCA) contains provisions on cross-border data flows and data localisation.

Mexico does not have a formal threat-led penetration testing (TLPT) regulation; however, financial institutions and ICT providers must conduct penetration tests, cyber-resilience assessments and simulated cyber-attacks (“red teaming”) under Banxico, CNBV and IFT regulations, as part of regulatory compliance. Specifically for fintech platforms and banking infrastructure, as well as financial institutions handling electronic payments, the CNBV and Banxico mandate penetration testing and perform cybersecurity assessments to test resilience against cybersecurity threats.

Resilience obligations in Mexico are primarily related to financial services. Please refer to 3. Financial Sector Operational Resilience Regulation.

In Mexico, there is no law that requires companies or individuals to obtain certification in cybersecurity. Although the country has established some regulations related to data protection, particularly through the Personal Data Protection Law, these do not impose mandatory cybersecurity certification for organisations or professionals. Instead, the regulations generally require businesses to implement appropriate technical security measures to protect personal data from risks such as alteration, destruction, or unauthorised access.

Despite the absence of a legal requirement for certification, many companies in Mexico recognise the importance of cybersecurity and voluntarily pursue various certifications to enhance their security posture. These certifications, such as ISO/IEC 27001, are often seen as best practices to demonstrate companies’ commitment to safeguarding sensitive information and mitigating cybersecurity threats.

Given the growing complexity and frequency of cyber-attacks, Mexico may eventually adopt more stringent regulations that mandate cybersecurity certifications for companies or professionals operating in certain sectors – particularly those responsible for managing critical infrastructure or sensitive data. Until such regulations are enacted, voluntary certification remains an essential tool for organisations aiming to mitigate risks and enhance their cybersecurity measures.

Mexico’s data privacy regulations are closely linked to cybersecurity, primarily owing to the increasingly complex landscape of personal data processing in contemporary society. However, the current legal framework does not explicitly address cybersecurity in a dedicated manner. Instead, it outlines general principles and obligations that require organisations to implement security practices, which implicitly include cybersecurity measures as part of broader data protection strategies.

Security Measures and Obligations Under Mexican DPRs

The Mexican DPRs require data controllers (entities responsible for processing personal data) to adopt technical security measures to safeguard personal data against various threats. These threats include damage, loss, alteration, destruction, and the unauthorised use, access or processing of sensitive information. The regulations specify that these measures should be designed with an understanding of evolving technological developments, reflecting the dynamic nature of cybersecurity challenges.

However, the regulations do not provide clear or specific guidelines on what constitutes “technical security measures” nor do they articulate concrete cybersecurity obligations. The provisions are somewhat vague, leaving room for interpretation, and do not set out explicit requirements or standards for the types of cybersecurity practices that data controllers should adopt. This lack of specificity creates challenges in ensuring comprehensive compliance and uniformity in practices across different sectors and organisations.

Data Breach Notification Requirements

In the event of a data breach, public entities that handle personal data have an obligation to notify affected individuals (data subjects) about the incident. They are also required to inform the INAI, which plays a central role in monitoring compliance with the Mexican DPRs and enforcing regulations. This is a crucial step in ensuring transparency and accountability in cases of data breaches.

Private data controllers, on the other hand, have a more limited obligation. They are only required to notify those data subjects directly affected by the breach, rather than making a broader public notification.

When notifying affected individuals, the data controller must provide detailed information, including:

  • a description of the nature of the incident;
  • the personal data that was compromised;
  • recommendations for the data subjects to protect their interests following the breach;
  • an overview of the immediate corrective measures taken upon detecting the breach; and
  • information on how individuals can seek further details about the incident.

Despite these requirements, the Mexican DPRs do not offer a detailed, standardised procedure for data breach notification. The absence of clear guidance on the format, timing, and channels for notification can lead to inconsistencies in how organisations manage and communicate data breaches.

INAI’s Role and Best Practices in Data Breach Management

In light of the gaps in the legal framework, the INAI proactively issued recommendations and guidelines to assist organisations in preparing for potential data breaches. These guidelines provide recommendations on how to assess the severity of data incidents, implement appropriate response measures, and manage incidents according to best practices in incident management and data protection.

The INAI’s involvement was critical in guiding organisations through the complex process of breach management and ensuring compliance with Mexico’s data privacy laws. Although the INAI’s recommendations were not legally binding, they helped to establish a more standardised approach to data breach management across sectors.

Differences Between Public and Private Sector Obligations

The Mexican DPRs distinguish between the obligations of public and private sector entities in processing personal data. Public entities face more extensive obligations, including the requirement to report breaches both to affected individuals and the INAI. In contrast, private sector entities have less stringent requirements and are only compelled to notify individuals directly affected by a breach. This differentiation creates a potential imbalance in the level of protection afforded to individuals, depending on whether their data is handled by public or private entities.

Moreover, local legislation may provide additional provisions related to cybersecurity, further complicating the regulatory landscape. Although the INAI was responsible for compliance with national data privacy regulations, local authorities may also play a role in cybersecurity, particularly when it comes to sector-specific data protection practices.

Need for a More Comprehensive Legal Framework

The absence of an explicit and comprehensive legal framework addressing cybersecurity within the Mexican DPRs suggests a need for future reforms. Given the increasing frequency and sophistication of cybersecurity threats, it is crucial for the legal framework to evolve in tandem with emerging risks. A more detailed and clear articulation of specific cybersecurity obligations would help organisations implement more robust and consistent cybersecurity practices, improving overall data protection and reducing vulnerability to cyber-attacks.

In conclusion, even though Mexico’s data privacy regulations provide essential safeguards for personal data protection, they lack clear, specific provisions on cybersecurity obligations. The regulations generally require data controllers to implement security measures but fail to offer detailed guidance on what constitutes adequate cybersecurity. This gap leaves organisations with significant room for interpretation, potentially leading to inconsistent practices.

As Mexico continues to address the challenges posed by an increasingly digital society, the integration of more specific cybersecurity requirements into the data privacy regulations will be crucial. Strengthening these provisions will help mitigate the growing risks associated with cybersecurity threats and improve the country’s overall ability to safeguard personal data in an interconnected world.

As of early 2025, Mexico does not have dedicated cybersecurity regulations specifically targeting AI. Despite AI technologies significantly transforming a wide range of sectors, from healthcare to finance, the country’s legal framework has not yet fully addressed the unique cybersecurity challenges posed by AI systems. However, AI systems that process personal data must still comply with existing data protection regulations ‒ particularly the Mexican DPRs, which primarily focus on safeguarding personal information. This intersection between data protection and AI represents a crucial but limited area of AI governance and cybersecurity in Mexico.

To address these emerging challenges, Mexico could look to international frameworks and guidelines for AI governance and cybersecurity. By way of example, the EU has regulated AI through its Artificial Intelligence Regulations, which include provisions on high-risk AI systems that specifically address cybersecurity measures. Additionally, global cybersecurity bodies such as the Global Forum on Cyber Expertise (GFCE) are working to develop international norms and best practices for securing AI systems, which is a critical component of their governance.

By aligning with such international efforts, Mexico could adopt best practices and standards in AI cybersecurity, fostering a stronger regulatory environment for emerging technologies. Participation in international forums would also allow Mexico to collaborate with other nations and share knowledge, risks, and solutions related to securing AI systems ‒ thereby ensuring that the field remains competitive while effectively addressing the cybersecurity challenges inherent in AI.

Data protection legislation comes into play, given that sensitive personal data related to individuals’ health is processed. Also, there are additional regulations contained in official standards, which are mandatory. In this case, a Mexican Official Standard called NOM-004-SSA3-2012 establishes the criteria for the creation, management and conservation of medical records in Mexico. As mentioned in 1.2 Cybersecurity Laws, the primary objective of NOM-004-SSA3-2012 is to ensure the proper documentation, confidentiality and accessibility of medical information while protecting patients’ rights and improving healthcare quality, as follows.

  • Scope and application ‒ NOM-004-SSA3-2012 applies to all healthcare facilities and professionals in public and private sectors. It covers medical records in hospitals, clinics, laboratories, and private practices.
  • Medical record content ‒ medical records must include personal patient data, medical history, diagnoses, treatment plans, laboratory tests, and progress notes. Specific documentation is required for hospitalisation, surgeries, emergency care, and specialised treatments.
  • Patient rights and confidentiality ‒ medical records are confidential and can only be accessed by authorised personnel or with patient consent, except in cases required by law. Patients have the right to access their records and request corrections.
  • Retention and storage ‒ medical records must be kept for at least five years after the last patient interaction. Digital and physical records must follow security and data protection protocols.
  • Legal and ethical responsibilities ‒ healthcare professionals are responsible for accurate, complete and timely documentation. Institutions must implement internal policies to ensure compliance with NOM-004-SSA3-2012.

Nader, Hayaux & Goebel

Paseo de los Tamarindos
400 B
7th Floor
Colonia Bosques de las Lomas
Mexico City
CP 05120
Mexico

+52 554 170 3000

+52 552 167 3099

info@nhg.com.mx

www.nhg.com.mx