Cybersecurity as a Human Right: Mexico’s New Legal Framework for the Digital Age
Executive Summary
This new legal framework proposes the creation of a National Cybersecurity Agency and a National Cybersecurity System to orchestrate a cohesive defense strategy among public and private sectors. For operators, the law introduces a risk-based classification system, defining clear obligations for entities based on their criticality to national security and public welfare. By reading this analysis, cybersecurity leaders, legal professionals, and policymakers will gain a detailed understanding of the law's institutional structure, its progressive recognition of digital rights in Mexico, the specific compliance obligations for businesses, and its potential to serve as a model for digital governance across Latin America.
In recent years, Mexico has become more vulnerable. In 2024 alone, Mexico recorded 31 million cyberattack attempts targeting both public and private entities, accounting for 55% of all attacks in Latin America, according to Teramind. Mexico has become a prime target for cybercriminals, with a 78% increase in cyberattack attempts in 2024. This trend not only disrupts business operations but also erodes consumer trust and increases operational costs. Critical sectors, including government (31%), manufacturing and trade (23%), healthcare (9%), finance (6%), and transport (5%), have been particularly affected, exposing significant weaknesses in the protection of essential services.
Despite this situation, Mexico currently lacks a unified legal framework to regulate cybersecurity in a coordinated manner. Existing regulations are fragmented, limiting the ability to respond effectively to incidents and leaving critical gaps in areas such as the protection of key infrastructure and sensitive data. Without a formalized program or centralized leadership, Mexico has struggled to develop effective prevention and mitigation strategies, increasing the exposure to cyberattacks. The challenges highlight the urgent need for a more efficient and coordinated approach to cybersecurity governance in Mexico.
In response, Senator Luis Donaldo Colosio R. proposed a Cybersecurity Law aimed at establishing a robust national system with a human rights focus. The initiative includes the creation of a National Cybersecurity Agency and a National Cybersecurity System to coordinate efforts among government entities, the private sector, academia, and civil society. For Colosio, cybersecurity is not merely a technical issue but a national priority that demands strategic planning, institutional capacity building, and shared responsibility.
Cybersecurity as a Human Right
At the heart of this law is the principle that cybersecurity is not just a technical necessity — it is a mechanism to protect and extend human rights into the digital space. The legislation affirms that rights such as privacy, freedom of expression, access to information, and non-discrimination must be upheld not only in the physical world but also in online environments.
To that end, the law seeks to:
- Guarantee the exercise of digital rights, ensuring dignity, privacy, access, and fairness.
- Preserve essential services and public safety by strengthening the resilience of critical systems.
- Defend national digital sovereignty, empowering the State to mitigate both internal and external cyber threats.
This rights-based foundation sets the law apart as not only regulatory, but also social in scope, emphasizing the protection of people as much as systems.
Recognizing and Protecting Digital Rights
One of the most progressive aspects of the legislation is its formal recognition of digital rights as an extension of traditional human rights. These include:
- The right to privacy, confidentiality, and protection of personal data.
- The right to a free and open Internet, safeguarded by principles like net neutrality and algorithmic transparency.
- Protections for children and adolescents to safely access and participate in digital environments.
- The right to use secure devices and networks with proper cybersecurity safeguards.
- The protection of intellectual property in the digital space.
These provisions signal a growing global trend toward digital constitutionalism, embedding civil liberties into national cybersecurity strategies.
Institutional Structure: A National Cybersecurity Framework
To implement and oversee this ambitious mandate, the law creates a dual structure:
National Cybersecurity Agency
A decentralized public body responsible for coordinating, implementing, and monitoring cybersecurity policies. Its main responsibilities include:
- Maintaining a national registry of critical information infrastructure.
- Handling cybersecurity incidents in coordination with national and sectoral CERTs.
- Notifying affected entities of cyber threats in a timely and proportional manner, as required by the law.
- Promoting a national cybersecurity culture through training, innovation, and international collaboration.
National Cybersecurity System
A multisectoral coordination mechanism that brings together:
- Government agencies at the federal, state, and municipal levels.
- The National Agency.
- The National Cybersecurity Council.
- National and sector-specific CERTs.
- Representatives from critical service operators.
Risk-Based Classification and Operator Obligations
The proposed cybersecurity law outlines specific obligations for various entities whose operations, data handling, or services are considered critical to national security, public well-being, or the protection of fundamental rights. Below is a summarized classification of the obligated parties:
Category | Description
---|---
Operators of Essential Services | Individuals or entities (public or private) whose activities are critical for maintaining social, economic, health, financial, or public security functions. Any disruption could significantly impact national security or societal well-being.
Administrators of Critical Information Infrastructure | Public or private entities that operate or manage strategic systems or networks whose compromise could affect national stability, public order, or environmental and social security.
Relevant Digital Service Providers | Platforms such as cloud services, search engines, social networks, and data hosting providers whose operations significantly affect access to fundamental rights, economic stability, or public security.
Government Agencies at All Levels | Public institutions that operate or safeguard information systems, databases, or essential digital services for public service delivery or human rights protection.
Private Entities Handling Strategic or High-Risk Data | Companies that, while not essential service operators, process or store sensitive personal or strategic information at volumes or risk levels that could impact fundamental rights or critical service continuity.
Based on this classification, the law outlines graduated obligations depending on the level of risk and criticality:
- High Risk Operators must conduct ongoing risk assessments, implement contingency and recovery plans, undergo annual cybersecurity audits, and notify authorities of incidents immediately.
- Medium Risk Operators are expected to maintain internal cybersecurity policies, perform periodic risk assessments, and report significant incidents within a reasonable timeframe.
- Low Risk Operators must adopt basic cybersecurity hygiene measures and follow simplified notification protocols.
This risk-based model is designed to align oversight with impact, reinforcing security where it matters most, without overburdening lower-risk sectors.
Strengthening National Incident Response: The Role of CERTs
The law formalizes the role of CERTs (Computer Emergency Response Teams), established both at the national and sectoral levels, to ensure coordinated responses tailored to different industries. Their responsibilities include:
- Monitoring for threats and vulnerabilities
- Classifying and analyzing cyber incidents
- Coordinating response efforts and recovery strategies
- Issuing advisories, bulletins, and technical recommendations
- Supporting awareness campaigns and simulation exercises
- Training operators in secure incident handling practices
This institutionalization of CERT functions ensures better coordination across sectors and improves the country's ability to detect, contain, and recover from cyber events.
Addressing Emerging Threats: Expanded Criminal Code
Although the cybersecurity law does not directly criminalize offenses, it recommends updating the Federal Penal Code to address emerging threats, such as:
- Cyberbullying in educational or workplace environments
- Attacks on critical infrastructure systems
- Biometric identity theft
- Unauthorized cryptocurrency mining
- Data ransom through encryption (ransomware)
- Unethical use of artificial intelligence
By updating its penal framework, Mexico is enhancing its capacity to prosecute digital threats that impact individuals, businesses, and national security. Mexico's new Cybersecurity Law represents a significant legal and policy milestone, elevating cybersecurity beyond technical concerns to address national resilience, public trust, and human rights. Its comprehensive approach, combining legal enforcement, institutional reform, risk-based obligations, and civic awareness, provides a model for other Latin American nations to follow. For cybersecurity practitioners, risk managers, and policy professionals beyond Mexico's borders, this law demonstrates how to build digital defense frameworks rooted in democratic values, where privacy, resilience, and cybersecurity are considered basic human rights.