Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

Mexico does not have a dedicated cybersecurity statute. Instead, it handles cyber-risk through a collection of rules written for other purposes. Knowing where each requirement lives — and which authority enforces it — is the first step to an effective compliance playbook. At the moment, four fundamental pillars carry the majority of organizations' day-to-day operational obligations.

The Federal Penal Code (Articles 210-211 Bis 7, 254 Bis 1 and 424 Bis II) criminalizes unauthorized access, system interference, fraud and data theft, while the National Code of Criminal Procedure authorizes warrants, preservation orders and search powers for electronic evidence.

The data-protection regime comprises two omnibus statutes, the Federal Law on the Protection of Personal Data Held by Private Parties and the General Law on the Protection of Personal Data Held by Obliged Entities, which impose risk-based safeguards and breach-notification duties. Following the December 2024 reform that dissolved the National Institute for Transparency, Access to Information and Personal Data Protection, enforcement is migrating to the new Secretariat of Anti-Corruption and Good Governance and, in some cases, the federal courts.

Sector rules introduce additional layers for organizations. Banks must immediately notify the National Banking and Securities Commission — Comisión Nacional Bancaria y de Valores — of any qualifying information-security incident. The chief information security officer must submit a monthly information-security management report to the CEO and, whenever so required, to the board of directors or the relevant committees (Article 168 Bis 14).

Finally, public-security statutes, specifically the National Guard Law, National Security Law and Federal Telecommunications and Broadcasting Law, authorize investigators to obtain stored telecom data and, with judicial approval, real-time geolocation, and bring law-enforcement demands into many private-sector response plans.

Stalled legislation: 10 years of proposals and still no law

Since 2015, Mexico's Congress has floated a steady stream of stand-alone cybersecurity bills, but none has passed. This year, National Action Party Senator Mauricio Vila Dosal and Citizens' Movement Senator Luis Donaldo Colosio Riojas each introduced competing general-law proposals. Despite their different labels, each draft aims to unify criminal, incident-response and critical-infrastructure rules under a single "Ley de Ciberseguridad."

Nearly all of the bills proposed over the past decade share three features. Foremost, they dedicate an entire chapter to safeguarding critical infrastructure — typically energy, finance, telecoms and health care. They also call for the creation of a single national cybersecurity agency to handle incident response and policy coordination. Finally, they mirror international models by adopting Budapest-style definitions and, in later drafts, the 2024 U.N. Cybercrime Convention's evidence-preservation timelines.

None of the proposed legislation has reached the finish line largely due to committee turnover, disputes over the scope of surveillance powers, and questions about how a new agency would mesh with Mexico's existing regulator network. For practitioners, these recurring elements act as useful signposts for future legislative developments.

Meanwhile, a separate trio of security bills, which cleared the Chamber of Deputies in June 2025 and is now under Senate review, could reshape data governance. Together, they would simplify National Guard requests for telecom metadata and real-time geolocation, create a National System of Investigation and Intelligence that links public- and private-sector databases, and introduce a biometric Clave Única de Registro de Población, or Unique Population Registry Code, that would combine fingerprints and facial images with Mexico's existing population-registry number.

The precise scope and schedule for these bills will depend on Senate amendments and secondary regulations. However, any organization holding large identity datasets should already be planning updates to privacy notices, retention periods and encryption regimes.

International anchors

Mexico's international anchor points are threefold. First, Chapter 19 of the United States-Mexico-Canada Agreement obliges Mexico, Canada and the U.S. to adopt risk-based cybersecurity controls, coordinate incident-response efforts and protect cross-border data flows.

Second, Mexico remains only an observer to the Budapest Convention on Cybercrime. Nevertheless, national criminal law already punishes unauthorized access and data-or-system interference, leaving computer-related fraud to the general fraud provisions; Mexico's procedural tools still fall short of full alignment with the convention.

Third, the U.N. Cybercrime Convention, adopted in December 2024 and expected to open for signature in Hanoi in late 2025, has been welcomed by Mexico's Foreign Ministry, which signaled an intention to sign once the instrument is formally opened. Designing internal data governance programs around ISO 27001, the National Institute of Standards and Technology Cybersecurity Framework and the Budapest preservation model gives organizations a defensible baseline should cross-border cooperation requests arise.

Practical considerations for compliance teams

When a ransomware incident occurs, several statutory clocks start at once. Investigators may issue immediate evidence-preservation orders. The privacy laws require notification within 72 hours; some sector rules — those for banks, for example — mandate a 48-hour report to the supervisor.

Setting aside the investigative and law-enforcement powers exercised by security bodies, such as the Fiscalía General de la República or the National Guard, Mexico still lacks a cross-sector cybersecurity regulator. This remains true even after the creation of a Cybersecurity Directorate within the new Digital Transformation and Telecommunications Agency on 24 Jan. 2025. Because the National Institute for Transparency, Access to Information and Personal Data Protection was abolished on 19 March 2025, enforcement is handled by sector-specific bodies: the National Banking and Securities Commission in finance and the Federal Consumer Protection Agency in consumer matters. Until the Telecommunications Regulatory Commission is fully constituted under the 16 July 2025 Telecommunications and Broadcasting Law, regulatory authority remains with the Federal Telecommunications Institute.

On the identity front, current bills would turn the biometric CURP into the de facto credential for many public and private transactions. Any system ingesting CURP data should be reviewed for strong encryption, clear segregation of duties and supplier clauses that address biometric processing.

Should the National Guard's disclosure rules be streamlined, telecom and platform teams can expect shorter turnaround times for lawful-access requests. In any case, entities should prepare a validation checklist covering legal basis, scope and judicial review requirements.

Finally, courts and regulators continue to gauge "reasonable security measures" against recognized baselines, such as ISO 27001, the NIST Cybersecurity Framework, and System and Organization Controls 2. Documenting risk assessments, control testing and board-level oversight remains the best way to demonstrate compliance.

Outlook

Mexico's cyber rulebook will remain a patchwork until Congress adopts a dedicated law. In the meantime, effective compliance hinges on three disciplines: maintaining an up-to-date map of requirements by data type and regulator, tracking dormant bills that could suddenly revive, and benchmarking controls against recognized international standards to demonstrate "reasonable security."

Organizations that keep those three lenses in focus will be ready for the next breach and for the day Mexico finally turns a decade of draft bills into a unified cybersecurity statute.

Jersain Llamas Covarrubias, CIPP/E, is the co-founder and CEO of OBEX Cybersecurity.