
Cybersecurity Law in Mexico: Learn about the new Law


It's increasingly common to hear about cyberattacks targeting government institutions, private companies, and individuals alike. In Mexico, this situation is becoming more critical, as our country lacked clear cybersecurity legislation until 2022.

Against this backdrop, a draft law has emerged that seeks to establish unified and clear cybersecurity criteria. Below, we explain everything you need to know about this new law and its implications.

New cybersecurity law in Mexico

Currently, Mexico lacks cybersecurity legislation. This has led to numerous government institutions, private companies, and individuals falling victim to cyberattacks. Although 11 cybersecurity bill initiatives have been proposed since 2018, none have been finalized.

The recent hack of the Ministry of National Defense (Sedena) prompted the creation of the "zero version" of a Federal Cybersecurity Law, prepared by the Senate of the Republic and the Science, Technology, and Innovation Commission of the Chamber of Deputies. To this end, they have researched and analyzed national and international studies to better understand the legal vacuum the country currently faces.


Publication Date

The new Federal Cybersecurity Law was expected to be published in December 2022. However, to date, it is not available for public download.

What does the new law entail?

This proposed law consists of 11 titles, divided into 71 articles. These include at least four central proposals:

  • Ensure national security through the defense of digital space.
  • Create a legal framework that allows for the sanctioning or classification of cyberattacks.
  • Conduct annual penetration tests (pentesting) for public and private institutions.
  • Establish a National Cybersecurity Agency controlled by the Executive Branch, similar to models adopted by the European Union, the United States, and Brazil.

Inter-Secretariat Commission for ICT and Information Security

Recently, the federal government announced the creation of an Inter-Secretariat Commission for Information and Communication Technologies (ICT), and Information Security to replace the Commission for the Development of Electronic Government created in 2005.

Its purpose is to establish how federal policies regarding ICT and information security should be coordinated and implemented, promoting activities and strategies for their effective use. Therefore, its decisions are likely to impact the precise content of the new cybersecurity law.

New law update in 2026

The new General Cybersecurity Policy for the Federal Public Administration, promoted by Mexico's digital transformation and telecommunications agency, has been announced.

This new policy includes 8 strategic pillars, which are:

  1. Governance, regulatory framework, and compliance
  2. Risk management and operational resilience
  3. Protection of critical infrastructure and technological assets
  4. Incident prevention, detection, and response
  5. Identity, access, and zero trust
  6. Supply chain and trusted third parties
  7. Technical capabilities, human talent, and cybersecurity culture
  8. Innovation, evidence, and continuous improvement

Cybersecurity Laws in Mexico: Background to the New Policy

Before the creation of this new Federal Cybersecurity Law, there was no law in Mexico specifically dedicated to regulating the preventive, corrective, and punitive measures that could be taken against a cyberattack. Some laws and regulations mention security of information technology (IT), but they leave many legal loopholes and gray areas.

Some of the laws, regulations, and norms currently in force in Mexico that mention cybersecurity are the following:

  • Political Constitution of the United Mexican States.
  • Federal Law on Telecommunications and Broadcasting.
  • Federal Law on Transparency and Access to Public Information.
  • Federal Copyright Law.
  • Federal Law on the Protection of Personal Data Held by Private Parties.
  • General Law on Negotiable Instruments and Credit Operations.
  • Federal Criminal Code.
  • National Cybersecurity Strategy 2017.
  • National Security Program 2014-2018.


It is likely that, in order to implement the new Law, these laws and regulations will need to be modified to maintain legislative coherence.

Who is responsible for cybersecurity in Mexico?

Currently, there are three bodies in Mexico with competencies in cybersecurity matters: CERT-MX, the Federal Police, and INAI.

CERT-MX

The Cyber Incident Response Center of the Scientific General Directorate of the National Guard is responsible for "providing support services in response to cyber incidents affecting institutions in the country with critical information infrastructure." 

They also ensure that government institutions comply with the General Administrative Manual for the Application of Information and Communication Technologies and Information Security (MAAGTICSI), which was developed based on international standards such as ISO 27001.

Federal Police

The Scientific Division of Mexico's Federal Police is responsible for investigating and tracking criminal activities committed via the internet. They work in collaboration with CERT-MX.  

INAI

The National Institute for Transparency, Access to Information and Personal Data Protection (INAI) is tasked with ensuring access to public information and the protection of personal data.


Cybercrime in Mexico

Mexico is the Latin American country that recorded the most cyberattack attempts in the first six months of 2022. According to a Fortinet report, Latin America experienced 137 billion cyberattack attempts during the aforementioned period, of which 85 billion were directed at Mexico. This represents a 40% increase compared to the same period last year.

Over the past 4 years, multiple Mexican government institutions have been attacked by cybercriminals. These include the Mexican Social Security Institute (IMSS), Pemex, Bancomext, the National Lottery, the Federal Electricity Commission (CFE), and most recently, the Ministry of National Defense on October 25 of this year.

Meanwhile, reports from the Scientific Division of the Federal Police indicate an increase in the proportion of more sophisticated and targeted attacks (such as phishing and ransomware), and a decrease in DDoS attacks.

How to comply with the new law?

To follow the guidelines of the new Federal Cybersecurity Law, government institutions and private companies are obligated to improve their cybersecurity management.

This can be achieved through the use of pentesting services, which allow for efficient detection of IT vulnerabilities and would need to be contracted periodically (at least once a year) to keep systems secure.

Adhering to standards like SOC 2 can also facilitate compliance, especially if done through expert consultancy.

Cybersecurity providers or cybersecurity consultancies can also help you comply with this law.

Another more comprehensive strategy is to hire one of the most useful services for cybersecurity compliance: CISO as a Service, which helps oversee the preventive aspects and response capabilities of systems against cyberattacks, as well as the planning and establishment of strategies that safeguard the security of organizations that use it.

At Delta Protect, we are the AI-Powered Security Command Center your business needs. If you want more information about the implications of the new Law and how we can help you comply with it, contact us today.

Written by:
Santiago Fuentes Rivera
Co-Founder & CEO

Santiago Fuentes is co-founder of Delta Protect and the Mexico & Israel Tech Hub. In 2021, he was selected as a cybersecurity mentor at Endeavor Mexico. He has had the opportunity to live in and understand emerging technology markets such as Shanghai, Tel Aviv, and South Korea, where he developed expertise in Data Science and Corporate Finance.