Cybersecurity 2026

Last Updated March 17, 2026

Mexico

Law and Practice

Authors



Nader Hayaux & Goebel is a market leader in M&A, banking and finance, fintech, securities and capital markets, structured finance, antitrust, digital economy, telecommunications, tax, insurance and reinsurance, project finance, real estate, energy and infrastructure, restructuring and insolvency and government procurement. The firm consists of 22 partners and more than 60 associates and represents one of the largest groups of corporate finance experts in the Mexican market, which has worked together for more than 30 years. It is the only Mexican law firm with an office in London; it has a strong focus on developing and pursuing business opportunities in Mexico, the UK and other European countries and enjoys excellent working relationships with law firms in all major cities internationally.

Mexico lacks a specific cybersecurity law, but various legal provisions indirectly regulate the area, involving multiple regulatory bodies. For instance, there are regulations concerning banking, personal data protection, criminal conduct, and telecommunications. These laws shape the cybersecurity landscape by providing frameworks that institutions and businesses must follow to protect digital assets and personal information.

Additionally, several government agencies have issued their own cybersecurity guidelines. For example, the Central Bank of Mexico (Banxico) released its cybersecurity strategy for 2024–2027 (Estrategia de Ciberseguridad del Banco de México 2024–2027), outlining its guiding principles and defining the responsibilities of an internal cybersecurity directorate. This initiative highlights the importance of financial cybersecurity and the role of regulatory bodies in ensuring a secure banking environment. Moreover, financial institutions are required to adhere to strict cybersecurity protocols to prevent fraud, data breaches and cyber-attacks that could compromise national financial stability.

Several cybersecurity law proposals have been submitted to Congress for discussion. However, none have been enacted into law, remaining as proposals that could serve as a foundation for future legislative discussions. These proposals generally aim to address cyber crimes related to financial assets, personal freedoms, intellectual property, the financial system and information systems, among others. Given the increasing frequency and sophistication of cyber threats, there is a growing need for a comprehensive cybersecurity law that establishes clear regulations and penalties for cyber-related offences. Legislative progress in this area will be crucial for strengthening Mexico’s cybersecurity posture and ensuring that individuals and businesses are adequately protected from cyber threats.

Finally, considering Mexico’s current legal framework, personal data protection regulations are the most directly relevant laws to cybersecurity. The protection of personal data remains a central concern, as unauthorised access, data breaches and identity theft continue to pose significant risks. Strengthening data protection regulations and enforcing compliance will be essential in fostering a more secure digital environment and building public trust in cybersecurity measures.

The following legal instruments, though not an exhaustive list (see 3.1 Scope of Financial Sector Operational Resilience Regulation for additional regulations in the financial sector), contain provisions relevant to cybersecurity in Mexico as of early 2026.

  • Federal Criminal Code (Código Penal Federal) and state criminal codes. These establish legal consequences for cyber-related crimes, including unauthorised access to systems, fraud, identity theft, illicit interception of communications, hacking, data breaches and cyber-enabled financial crimes.
  • Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, DPR). This law, reformed in 2025, governs the collection, processing, storage and protection of personal data by private entities. It mandates adequate security measures to safeguard sensitive information, including risk-based approaches and breach notification obligations. Enforcement has shifted from the now-abolished National Institute for Transparency, Access to Information and Personal Data Protection (dissolved in late as part of broader administrative reforms) to sector-specific bodies.
  • General Law on Transparency and Access to Public Information (Ley General de Transparencia y Acceso a la Información Pública) and related reforms (also amended in 2025). These include provisions on information security in public institutions, requiring government entities to handle and protect sensitive data responsibly and to ensure accountability for cybersecurity-related incidents.
  • Fintech Law (Ley para Regular las Instituciones de Tecnología Financiera). It establishes compliance requirements for fintech companies, mandating measures to secure financial transactions and mitigate risks in the rapidly growing digital financial services sector.
  • General Provisions Applicable to Credit Institutions (Disposiciones de Carácter General Aplicables a las Instituciones de Crédito). Issued by Banxico and the National Banking and Securities Commission (CNBV), these impose strict standards on banks and financial institutions, requiring risk management frameworks, security controls, incident response mechanisms, and safeguards for customer data and transactions.
  • Circular 8/2019 (and related updates). Issued for participants in Mexico’s Interbank Electronic Payments System (SPEI), this regulation enhances cybersecurity through requirements for encryption, strong authentication, real-time monitoring and fraud prevention in real-time payments.
  • Principles for Strengthening Cybersecurity to Ensure Financial System Stability (Principios para reforzar la seguridad de la información en el sistema financiero). These represent best practices and regulatory guidelines from financial authorities (eg, Banxico and CNBV) to promote risk-based cybersecurity resilience in the financial sector.
  • Mexican Official Standards (Normas Oficiales Mexicanas, NOMs). Several NOMs provide mandatory requirements for cybersecurity and information protection, including:
    1. NOM-151-SCFI-2016 (Requisitos que deben observarse para la conservación de mensajes de datos y digitalización de documentos). This standard remains in force (with a proposed modification discussed in 2021 but no major repeal or full replacement noted as of 2026) and regulates the preservation of digital data messages and digitisation to ensure electronic documents remain authentic, reliable and unaltered, which is critical for cybersecurity, e-commerce and legal compliance; and
    2. NOM-004-SSA3-2012. This establishes criteria for the creation, management, and conservation of medical records, reinforcing data protection, confidentiality and security in healthcare services.

The Agency for Digital Transformation and Telecommunications (ATDT), established in 2024, leads federal cybersecurity policy through its General Directorate of Cybersecurity, as provided in its organic structure and regulatory framework.

In 2025, the ATDT published the National Cybersecurity Plan 2025–2030, Mexico’s first unified national cybersecurity policy framework. The Plan aims to strengthen national cyber resilience, coordinate federal incident response, and position Mexico as a regional leader in cybersecurity.

The Plan contemplates, among its strategic components, promoting the presentation of a General Cybersecurity Law to Congress as part of the national framework.

Given these ongoing developments, it will be crucial to monitor how these regulations evolve, particularly the potential enactment of a dedicated cybersecurity law and the full implementation of the 2025–2030 Plan. The government’s reforms and new entities may significantly reshape enforcement, coordination, and sector-wide cybersecurity policies in the coming years.

Cybersecurity regulation in Mexico is fragmented across various government agencies, primarily due to the absence of a comprehensive legal framework and a central authority with broad oversight responsibilities. As a result, multiple entities assume roles in cybersecurity, each focusing on distinct areas such as law enforcement, the financial sector and data protection. The landscape is continually evolving.

Law Enforcement and Cybercrime Investigation

The Attorney General’s Office (Fiscalía General de la República, FGR) and local prosecutors’ offices play a central role in investigating cybercrimes. The Federal Criminal Code defines various offences, including unauthorised access to information systems, data breaches, and the illegal disclosure of sensitive information. Cybercrime investigations often involve coordination between various state and federal authorities.

In Mexico City, the Cybercrime Investigation Unit within the local prosecutor’s office specialises in investigating digital offences. These include crimes against sexual privacy, such as the unauthorised sharing of intimate content on social media, a growing concern in the digital age.

Financial Sector Cybersecurity Regulation

The CNBV is responsible for overseeing incidents within the financial sector. CNBV ensures that financial institutions mitigate risks that could compromise the confidentiality, integrity, or availability of banking systems. It monitors and supervises the response to security breaches, data loss and other violations of financial security regulations.

Banxico, as the central bank, also plays a critical role in securing the financial sector against cyber threats. In response to the growing number of cyber-attacks targeting financial systems globally, Banxico works closely with financial institutions, sector regulators and law enforcement. In 2018, Banxico spearheaded the formation of a Cybersecurity Incident Response Group, which collaborates with the Attorney General’s Office and other stakeholders to enhance coordinated responses to major security incidents.

Data Protection

The National Institute for Transparency, Access to Information, and Personal Data Protection (INAI) historically served as Mexico’s primary autonomous authority responsible for personal data protection and the public’s right of access to information. Because the protection of personal data is closely linked with broader cybersecurity objectives, INAI played a key role in shaping digital privacy safeguards and transparency practices under its autonomous mandate until 2025.

Following a constitutional reform published in 2024 and the enactment of new transparency and data protection laws in 2025, the INAI was dissolved, and its statutory powers and functions were transferred to the Ministry for Anti-Corruption and Good Governance (Secretaría Anticorrupción y Buen Gobierno, MAGG). Under the new legal framework, the Ministry now oversees data protection matters, replacing INAI’s autonomous role. Additionally, a new decentralised administrative body, the People’s Transparency Authority (Transparencia para el Pueblo), was created to act as the federal guarantor of the right to access information, while data protection functions remain within the Ministry’s structure.

This institutional shift has raised concerns among civil society, privacy advocates, and legal commentators about the potential impact on institutional independence, enforcement efficacy and the robustness of data protection policies, especially given the close relationship between privacy rights, accountability mechanisms and evolving cybersecurity threats. The long-term effects of transitioning from an autonomous regulator to a ministry-led model on cybersecurity governance and privacy enforcement are unfolding.

Cybersecurity in Critical Infrastructure

The National Guard (Guardia Nacional) has a specialised cybersecurity unit dedicated to supporting agencies managing critical infrastructure. This unit’s responsibilities include:

  • identifying and assessing cybersecurity threats;
  • managing cybersecurity incidents;
  • acting as a national point of contact for cyber threats; and
  • conducting digital forensics to assist law enforcement agencies in investigating cybercrimes.

In addition, the National Guard provides cybersecurity assistance to state authorities, reinforcing the protection of both federal and regional infrastructure. This coordination aims to create a unified response to protect national security and critical systems from cyber-attacks.

Other Governmental Involvement

While the agencies outlined above are among the most prominent players in Mexico’s cybersecurity regulatory environment, other governmental bodies indirectly contribute to cybersecurity efforts. For example, the Ministry of Infrastructure, Communications and Transportation (Secretaría de Infraestructura, Comunicaciones y Transporte) has a role in regulating digital infrastructure and overseeing the integrity of communication networks.

As mentioned, there is no specific cybersecurity law that regulates critical infrastructure in Mexico. However, the National Security Law (Ley de Seguridad Nacional) contains provisions emphasising the importance of protecting critical infrastructure, though it does not define in detail what constitutes such infrastructure. Additionally, during the previous administration, a National Standardised Protocol for Managing Cybersecurity Incidents (Protocolo Nacional Homologado de Gestión de Incidentes Cibernéticos) was implemented. While this protocol is not a legal document, it serves as a reference for establishing the terms and procedures that strengthen cybersecurity across government entities and the private sector. This initiative aims to ensure the continuous, coordinated management of cybersecurity incidents, improving overall resilience and response to emerging threats.

In Mexico, there are no specific cybersecurity obligations for protecting critical infrastructure. While various regulatory frameworks address cybersecurity issues, there is no comprehensive legislation that specifies the measures entities managing essential infrastructure (such as energy, telecommunications, and transportation) must adopt. The absence of a clear legal framework for protecting critical infrastructure against cyber threats leaves institutions responsible for these key sectors with some flexibility but also creates a regulatory gap that could jeopardise the country’s resilience in the face of cyber incidents.

There are no specific reporting obligations for cybersecurity incidents related to critical infrastructure. However, the Protocol, as mentioned in 2.1 Scope of Critical Infrastructure Cybersecurity Regulation, includes a series of recommendations on how high-level, critical, and impactful cybersecurity incidents should be reported to the National Guard (Guardia Nacional). For example, the protocol outlines mechanisms for incident notification, specifying how incidents should be classified and how government entities should carry out the reporting process.

Strengthening this protocol through new regulations that grant it mandatory status could significantly enhance the ability to respond to cybersecurity incidents, offering better protection for critical infrastructure sectors in Mexico.

As mentioned above, the government has obligations regarding resilience and threat identification, which are set out in protocols or guidelines, such as the one mentioned earlier. However, these obligations are not specifically set out in any particular law. This fragmented approach can make it difficult to implement effective security measures, as authorities and private entities may interpret the guidelines differently or may not be legally required to adopt them uniformly.

To improve the situation, it would be advisable for Mexico to move toward enacting laws that establish obligations for cybersecurity resilience and threat identification in critical infrastructure. This would enable more coherent and coordinated management of cyber risks, ensuring that all parties involved follow a common set of rules that strengthen protection and response to cybersecurity incidents. The implementation of more formal legislation could also improve cooperation between the public and private sectors, enhancing the ability to respond to cybersecurity challenges.

Operational resilience in Mexico’s financial sector is primarily regulated by:

  • CNBV;
  • Banxico; and
  • the National Commission for the Protection and Defence of Financial Services Users (CONDUSEF).

Mexico does not have a standalone operational resilience regulation. Nevertheless, financial institutions such as banks, fintechs, insurance companies and other market participants are required to comply with a combination of laws, regulations and supervisory guidelines aimed at ensuring business continuity, cybersecurity and risk management. These regulatory norms and provisions include:

  • the General Provisions Applicable to Credit Institutions (Disposiciones de Carácter General Aplicables a las Instituciones de Crédito) issued by CNBV;
  • CNBV Guidelines on Cybersecurity and Information Security;
  • the Fintech Law (Ley para Regular las Instituciones de Tecnología Financiera);
  • the Payment Systems Law (Ley de Sistemas de Pagos);
  • Circular 8/2019 directed to participants of the Interbank Electronic Payments System issued by Banxico;
  • Principles to reinforce information security within the financial system (Principios para reforzar la seguridad de la información en el sistema financiero) issued by Banxico;
  • Coordinating Bases for Information Security (Bases de Coordinación en Materia de Seguridad de la Información) established by the Ministry of Finance (SHCP), Banxico, CNBV, CONDUSEF and other governmental agencies and market participants; and
  • the 2024–2027 Cybersecurity Strategy of Banxico (Estrategia de Ciberseguridad del Banco de México 2024-2027).

Additionally, Mexico is an active participant in several international treaties, agreements, and frameworks that focus on cybersecurity, financial sector resilience and digital crime prevention. Mexico has not formally ratified the Budapest Convention on Cybercrime, but it has aligned its financial cybersecurity regulations with international standards through frameworks such as the Financial Action Task Force (FATF, or GAFI in Spanish), of which it is a member, Basel III guidelines on operational risk and cyber resilience, and G20 initiatives. Furthermore, regional and bilateral cooperation, particularly with the United States, the Organisation of American States and the Pacific Alliance, enhances its financial sector’s operational and cyber-resilience.

ICT service providers in Mexico are obligated to meet specific contractual and regulatory requirements when working with financial institutions. Such requirements focus on cybersecurity, data protection, operational resilience, third-party risk management and the ability to afford regulatory supervision. Please note that the authority and functions of these two last agencies are in the process of being transferred to other agencies within the Federal Government as a result of recent constitutional reforms.

ICT service providers working with financial institutions must adhere to outsourcing and cybersecurity regulations issued by CNBV and Banxico, which include cybersecurity requirements for ICT providers handling:

  • banking systems;
  • data encryption;
  • access controls and authentication measures;
  • service level agreements;
  • audit rights; and
  • incident response obligations.

Such providers must also comply with Banxico’s cybersecurity and operational resilience standards and grant Banxico regulatory oversight and audit access.

Under Mexico’s Data Protection Law, ICT contracts must establish data protection obligations, and providers must implement technical and organisational security measures. If an ICT provider processes personal data on behalf of a financial institution, the contract must specify processing purposes and permitted activities, data retention policies and obligations to notify data breaches.

Mexico is expected to introduce enhanced outsourcing regulations for ICT providers, similar to those set forth in the EU’s Digital Operational Resilience Act (DORA).

As previously pointed out, Mexico does not currently have a dedicated digital operational resilience regulation like the EU, but it has multiple regulatory frameworks that collectively govern operational resilience, cybersecurity, and incident reporting for financial institutions and ICT providers. The main objectives of such regulation include:

  • ensuring business continuity and system availability;
  • bolstering cybersecurity and IT risk management;
  • mitigating risks related to third-party providers and cloud computing;
  • improving crisis management and incident response;
  • safeguarding personal data and financial information, while enhancing consumer protection and data security; and
  • following international standards.

Additionally, financial institutions and other participants, such as ICT service providers, payment processors, and cloud providers, in Mexico must comply with incident reporting obligations. Such reporting obligations include cybersecurity breaches, operational disruptions, financial fraud and phishing attacks and third-party ICT failures. Financial institutions must also keep logs and forensic reports for potential regulatory audits.

Regulators enforce operational resilience obligations on critical ICT service providers in Mexico through supervisory audits, compliance inspections, penalty assessments and mandatory incident reporting. The primary authorities overseeing enforcement include the CNBV, Banxico and the MAGG.

International data transfers must comply with the provisions of the DPR, financial sector rules and trade agreements. These rules apply to financial institutions, ICT providers and businesses in general that process or store personal or sensitive data outside of Mexico. Mexican businesses are obligated to implement contractual safeguards, consent mechanisms and cybersecurity measures to ensure compliance. Note that the United States-Mexico-Canada Agreement (USMCA) contains provisions on cross-border data flows and data localisation.

Mexico does not have a formal threat-led penetration testing (TLPT) regulation; however, financial institutions and ICT providers must conduct penetration tests, cyber resilience assessments and simulated cyber-attacks (red teaming) under Banxico and CNBV regulations, as part of regulatory compliance. Specifically for financial institutions handling electronic payments, fintech platforms and banking infrastructure, CNBV and Banxico mandate penetration testing and cybersecurity assessments to evaluate resilience against cyber threats.

Resilience obligations in Mexico are primarily related to financial services. Please refer to 3. Operational Resilience in the Financial Sector.


In Mexico, there is no law requiring companies or individuals to obtain a cybersecurity certification. While the country has established some data protection regulations, particularly through the DPR, these do not impose mandatory cybersecurity certification for organisations or professionals. Instead, the regulations generally require businesses to implement appropriate technical security measures to protect personal data from risks such as unauthorised access, alteration, or destruction.

Despite the absence of a legal requirement for certification, many companies in Mexico recognise the importance of cybersecurity and voluntarily pursue various certifications to enhance their security posture. These certifications, such as ISO/IEC 27001, are often seen as best practices to demonstrate their commitment to safeguarding sensitive information and mitigating cyber threats.

Given the growing complexity and frequency of cyber-attacks, Mexico may eventually adopt more stringent regulations that mandate cybersecurity certifications for companies or professionals operating in certain sectors, particularly those responsible for managing critical infrastructure or sensitive data. Until such regulations are enacted, voluntary certification remains an essential tool for organisations aiming to mitigate risks and enhance their cybersecurity measures.

Mexico’s data privacy regulations are closely linked to cybersecurity, primarily due to the increasingly complex landscape of personal data processing in contemporary society. However, the current legal framework does not explicitly address cybersecurity in a dedicated manner. Instead, it outlines general principles and obligations that require organisations to implement security practices, which implicitly include cybersecurity measures as part of broader data protection strategies.

Security Measures and Obligations under the Mexican DPRs

The Mexican DPRs require data controllers (entities responsible for processing personal data) to adopt technical security measures to safeguard personal data against various threats. These threats include damage, loss, alteration, destruction and unauthorised use, access or processing of sensitive information. The regulations specify that these measures should be designed with an understanding of evolving technological developments, reflecting the dynamic nature of cybersecurity challenges.

However, the regulations do not provide clear or specific guidelines on what constitutes “technical security measures”, nor do they articulate concrete cybersecurity obligations. The provisions are somewhat vague, leaving room for interpretation, and do not set out explicit requirements or standards for the types of cybersecurity practices that data controllers should adopt. This lack of specificity creates challenges in ensuring comprehensive compliance and uniformity in practices across different sectors and organisations.

Data Breach Notification Requirements

In the event of a data breach, public entities that handle personal data are obligated to notify affected individuals (data subjects) of the incident. This is a crucial step in ensuring transparency and accountability in cases of data breaches.

Private data controllers, on the other hand, have a more limited obligation. They are only required to notify those data subjects directly affected by the breach, rather than making a broader public notification.

When notifying affected individuals, the data controller must provide detailed information, including:

  • a description of the nature of the incident;
  • the personal data that was compromised;
  • recommendations for the data subjects to protect their interests following the breach;
  • an overview of the immediate corrective measures taken upon detecting the breach; and
  • information on how individuals can seek further details about the incident.

Despite these requirements, the Mexican DPRs do not offer a detailed, standardised procedure for data breach notification. The absence of clear guidance on the format, timing, and channels for notification can lead to inconsistencies in how organisations manage and communicate data breaches.

Differences Between Public and Private Sector Obligations

The Mexican DPRs distinguish between the obligations of public and private-sector entities in the processing of personal data. Public entities face more extensive obligations. In contrast, private-sector entities have less stringent requirements and are only required to notify individuals directly affected by a breach. This differentiation creates a potential imbalance in the level of protection afforded to individuals depending on whether their data is handled by public or private entities.

The Need for a More Comprehensive Legal Framework

The absence of an explicit, comprehensive legal framework for cybersecurity within the Mexican DPRs suggests a need for future reforms. Given the increasing frequency and sophistication of cyber threats, it is crucial for the legal framework to evolve in tandem with emerging risks. A more detailed and clear articulation of specific cybersecurity obligations would help organisations implement more robust and consistent cybersecurity practices, improving overall data protection and reducing vulnerabilities to cyber-attacks.

In conclusion, while Mexico’s data privacy regulations provide essential safeguards for personal data protection, they lack clear, specific provisions on cybersecurity obligations. The regulations generally require data controllers to implement security measures, but fail to offer detailed guidance on what constitutes adequate cybersecurity. This gap leaves organisations with significant room for interpretation, potentially leading to inconsistent practices.

As Mexico continues to address the challenges posed by an increasingly digital society, integrating more specific cybersecurity requirements into data privacy regulations will be crucial. Strengthening these provisions will help mitigate the growing risks associated with cyber threats and improve the country’s overall ability to safeguard personal data in an interconnected world.

As of now, Mexico does not have dedicated cybersecurity regulations specifically targeting artificial intelligence (AI). Despite AI technologies significantly transforming a wide range of sectors, from healthcare to finance, the country’s legal framework has not yet fully addressed the unique cybersecurity challenges posed by AI systems. However, AI systems that process personal data must still comply with existing data protection regulations, particularly the Mexican DPRs, which primarily focus on safeguarding personal information. This intersection between data protection and AI represents a crucial yet limited area of AI governance and cybersecurity in Mexico.

To address these emerging challenges, Mexico could look to international frameworks and guidelines for AI governance and cybersecurity. For instance, organisations such as the European Union have regulated AI through the Artificial Intelligence Regulations, which include provisions on high-risk AI systems and specifically address cybersecurity measures. Additionally, global cybersecurity bodies like the Global Forum on Cyber Expertise (GFCE) are working to develop international norms and best practices for securing AI systems, a critical component of their governance.

By aligning with such international efforts, Mexico could adopt best practices and standards in AI cybersecurity, fostering a stronger regulatory environment for emerging technologies. Participation in international forums would also allow Mexico to collaborate with other nations, sharing knowledge, risks and solutions for securing AI systems, ensuring it remains competitive while effectively addressing the cybersecurity challenges inherent to AI.

Data protection legislation comes into play since sensitive personal data related to individuals’ health is processed. Also, there are additional mandatory regulations contained in official standards. In this case, there is a Mexican Official Standard, NOM-004-SSA3-2012, that establishes criteria for the creation, management and conservation of medical records in Mexico. Its primary objective is to ensure proper documentation, confidentiality and accessibility of medical information while protecting patients’ rights and improving healthcare quality.

  • Scope and application – This standard applies to all healthcare facilities and professionals in public and private sectors. It covers medical records in hospitals, clinics, laboratories, and private practices.
  • Medical record content – Medical records must include personal patient data, medical history, diagnoses, treatment plans, laboratory tests, and progress notes. Specific documentation is required for hospitalisation, surgeries, emergency care, and specialised treatments.
  • Confidentiality and patient rights – Medical records are confidential and can only be accessed by authorised personnel or with patient consent, except in cases required by law. Patients have the right to access their records and request corrections.
  • Retention and storage – Medical records must be kept for at least five years after the last patient interaction. Digital and physical records must follow security and data protection protocols.
  • Legal and ethical responsibilities – Healthcare professionals are responsible for accurate, complete, and timely documentation. Institutions must implement internal policies to ensure compliance with the standard.
Nader, Hayaux & Goebel

Paseo de los Tamarindos
400 B, 7th Floor
Col. Bosques de las Lomas
Mexico City
CP 05120
Mexico

+52 554 170 3000

+52 552 167 3099

info@nhg.com.mx www.nhg.com.mx