Mexico City Proposes Cybersecurity, Data Law
By Diego Valverde | Journalist & Industry Analyst
Wed, 04/02/2025 - 12:30
Mexico City presented an initiative for a Cybersecurity and Personal Data Protection Law, establishing mandatory requirements for digital security, risk management, and transparency in the handling of information for companies and public entities.
"The purpose of this regulation is to be a benchmark in the care of personal data and to mark a precedent in cybersecurity regulation," says Laura Enriquez, President Commissioner, Info CDMX. This initiative responds to an increase of 200,000 cyber incidents reported in 2024, according to data from the local Congress.
Mexico faces a complex cybersecurity scenario in both the public and private sectors. As previously reported by MBN, cyberattacks on government institutions could grow by 260% in 2025, facilitated by obsolete technological systems and budget cuts.
Seventy percent of government agencies operate with critical vulnerabilities within their existing infrastructure. Meanwhile, the 2025 economic package reduced national spending by 1.6%, prioritizing austerity over technology investments. According to Victor Ruiz, Founder, SILIKN, the combination of these aspects has created an environment for cybercriminals to expand and strengthen their operations.
"In 2024, 65% of the 5,500 weekly attacks managed to compromise highly sensitive information, and this situation could escalate to unprecedented levels, leaving the Mexican state in a position of extreme vulnerability to increasingly sophisticated malicious actors," says Ruiz.
As Check Point points out, these attacks, which range from ransomware to state-sponsored espionage, seek to steal sensitive data, destabilize operations, or demand ransoms. In Mexico, 32% of medium-sized companies lack robust protocols, according to the Mexican Cybersecurity Association (AMECI), and without adequate defenses, the country could see essential services being compromised and the erosion of public confidence.
Mexican businesses saw 31 million cyberattack attempts in 2024, representing 55% of the total in Latin America, as MBN previously reported. Mexico’s cybersecurity market is valued at US$2.80 billion and growing at an annual rate of 11.59%, as reported by MBN. However, the adoption of cybersecurity and productivity management solutions is in its early stages.
The Urgency of a Legal Framework
The Global Cybersecurity Outlook 2025 reveals that 47% of Mexican public institutions lack technical capabilities to mitigate threats, a critical vulnerability that Mexico City's cybersecurity initiative seeks to address. However, federal law has stagnated. The last regulatory update was in 2017 and the 2024 proposal by Green Party Senator Alejandra Lagunes, which included the creation of a National Cybersecurity System and a specialized institute, stalled due to legal loopholes and lack of operational clarity.
As Observatorio Ciber warns, countries now need a robust legal framework that combines protection standards, clear sanctions, and international cooperation, following the example of countries such as Brazil and Colombia.
Mexico City’s initiative, which includes concrete measures such as the designation of responsible parties and mandatory incident reporting, represents a first step, but its real impact will depend on its ability to scale nationally.
Details of the Initiative
The regulation, driven by the autonomous body Info CDMX, will apply to private companies, government agencies, and service providers within Mexico City. Key requirements include the implementation of Information Security Management Systems (ISMS), mandatory data protection training for personnel, and notification of security breaches within 72 hours of detection.
The proposal takes elements from global regulations such as the European Union's General Data Protection Regulation (GDPR), particularly in its focus on transparency and data subjects' rights, as well as from the California Consumer Privacy Act (CCPA) regarding penalties for not reporting incidents, according to Expansión. According to the R3D report (2023), Mexico is among the few countries in the Organization for Economic Cooperation and Development (OECD) that lack a mandatory breach reporting law, a situation that increases the risks for both users and companies.
If approved, Mexico City would become the first state in the country with an autonomous law on cybersecurity and data protection.









