Cybersecurity and data protection in Mexico

Mexico is considered as the 15th largest economy in the world1. Foreign direct investment in 2022 reached over $35bn, the highest since 20152. Even though the current public policies from the President Andres Manuel Lopez Obrador and its legal system has different windows of opportunity, Mexico is an attractive investment destination. Business in Mexico imply an enormous amount of data processing, specifically international data transfers, including millions of data subjects’ personal data. Those data mean an asset for criminals which has turned Mexico into an attractive target for illicit cyber activities. Cyberattacks are considered crimes under federal criminal law, and, depending on the characteristics of the attack, it may be also considered a menace to national security. According to the American Chamber, from the total of cyberattacks in Latin America in the period between 2021 and 2022, 66% targeted Mexico, which caused losses from $3bn to $5bn per year 3. In the first half of 2022, 85 billion cyberattacks were attempted in the country, an increase of 40% over the same period in 20214. Mexico had the region’s highest ransomware distribution activity in the first semester of 2022, with more than 18,000 detections5.

Mexico does not have a specific cybersecurity law, but there are diverse legal provisions on the matter scattered across sectorial laws, eg, financial, telecommunications, industrial property, and labour legislations. The country has yet a huge gap to fill: National Cybersecurity Index 2022 evaluated Mexico with 37.66 points of 100, the position 88 of 160 countries6. Mexican legislators have issued proposals to draft a specific cybersecurity law. The following are the most relevant provisions of the proposals:

  1. Private enterprises related to cybersecurity must collaborate with the government to address cybersecurity matters.
  2. The creation of a cybersecurity command and control centre with the following attributions: a) monitor constantly the network to avoid threats; b) resolve cybersecurity incidents; c) verify if the systems or data have been compromised and propose countermeasures.
  3. The Directorate General of cyber investigation and technological operations can request the takedown of information, websites that are considered threatful for the citizenship and create databases that identify person, organisations or groups that could be suspicious of committing a felony.
  4. Cybersecurity enterprises can operate in Mexico only when registered in the directory of cybersecurity providers and certified by the Directorate General of cyber investigation and technological operations.

However, to this day, no initiative is currently being discussed for approval. Moreover, in 2017 the Mexican government presented a new national cybersecurity strategy in collaboration with the Organisation of American States (OAS). The strategy aimed to improve Mexico’s cybersecurity capacity, promoting the responsible use of technologies among private and public organisations.

Artificial intelligence (AI) may be useful in defending against cyberattacks. For example, by detecting unusual behavior patterns, but they may be used to develop malware with stronger capabilities. More than half of the Mexican companies are beginning to explore the use of AI to facilitate their procedures7, however, the use of AI tools is not oriented to protect them.

Not everything is that dark. Under Mexican Political Constitution, privacy and personal data protection are fundamental rights and there are also specific laws on protection of personal data held by private parties. Cyberattacks to companies attempt to steal, expose, alter, disable, or destroy information through unauthorised access to computer systems. Attackers seek financial benefits through money theft, data theft or business disruption8. The referred personal data protection laws, as well as specific sectorial laws, consider security and personal data protection measures to avoid such pernicious attempts, eg, that all data controllers must establish and maintain administrative, physical and technical security measures designed to protect personal data from damage, loss, alteration, destruction or unauthorised use, access or processing. The following would be the definition of technical security measures: the combination of activities, controls, and mechanisms with measurable results that use technology to ensure that access to logical databases or to information in logical format is by identified and authorised users; actions to acquire, operate, develop, and maintain secure systems are included, and the management of communications and computerised resources used in the processing of personal data is carried out. To establish and maintain the security of personal data, the data controller must prepare an inventory of personal data and processing systems; determine the duties and obligations of those who process personal data; have a risk analysis of personal data consisting of identifying dangers and estimating the risks to the personal data; analyse the gap between existing security measures and those missing that are necessary for the protection of personal data; prepare a work plan for the implementation of the missing security measures arising from the gap analysis; carry out reviews and audits; train personnel who process personal data, and keep a record of personal data storage media.

Companies have alternatives for securely developing their activities in Mexico. At this point in time, the keys to protect their databases and computational systems from cyberattacks are to develop safety procedures with strict internal controls focusing on complying with Mexican data protection laws, and sectorial laws depending on its line of business.


  1. Taken from Date of consultation 24 March 2023.
  2. Available at Date of consultation 26 March 2023.
  3. Available at Date of consultation 26 March 2023.
  4. Available at Date of consultation 24 March 2023.
  5. Available at Date of consultation 26 March 2023.
  6. Taken from Date of consultation 26 March 2023.
  7. Available at: Date of consultation 26 March 2023.
  8. Available at Date of consultation 24 March 2023.