Mexico's cybersecurity framework in 2025: A practitioner's guide


Contributors:
Jersain Llamas Covarrubias
Mexico does not have a dedicated cybersecurity statute. Instead, it handles cyber-risk through a collection of rules written for other purposes. Knowing where each requirement lives — and which authority enforces it — is the first step to an effective compliance playbook. At present, four pillars carry most of an organization's day-to-day operational obligations.
The Federal Penal Code (Articles 210-211 Bis 7, 254 Bis 1 and 424 Bis II) criminalizes unauthorized access, system interference, fraud and data theft, while the National Code of Criminal Procedure authorizes warrants, preservation orders and search powers for electronic evidence.
The data-protection regime comprises two omnibus statutes, the Federal Law on the Protection of Personal Data Held by Private Parties and the General Law on the Protection of Personal Data Held by Obliged Entities, which impose risk-based safeguards and breach-notification duties. Following the December 2024 reform that dissolved the National Institute for Transparency, Access to Information and Personal Data Protection, enforcement is migrating to the new Secretariat of Anti-Corruption and Good Governance and, in some cases, the federal courts.
Sector rules introduce additional layers for organizations. Banks must immediately notify the National Banking and Securities Commission — Comisión Nacional Bancaria y de Valores — of any qualifying information-security incident. The chief information security officer must submit a monthly information-security management report to the CEO and, whenever so required, to the board of directors or the relevant committees (Article 168 Bis 14).