Mexico Unveils the National Cybersecurity Plan 2025–2030

Mexico’s Digital Transformation and Telecommunications Agency (ATDT) has introduced the National Cybersecurity Plan 2025–2030, a strategic framework designed to establish the first transversal state policy for digital defense in the country. This initiative aims to standardize critical infrastructure protection and position the country as a regional leader in cyber resilience through a centralized, prevention-focused model.

The plan aims to address the urgent need to transition from fragmented defense mechanisms to a unified operational structure, driven by increasingly sophisticated digital threats and high-profile geopolitical events, such as the upcoming World Cup.

"We are not talking about if we are going to be attacked; we all know perfectly well that it is only a matter of when we are going to be attacked," says Heidy Rocha, Director General of Cybersecurity, ATDT. "The global context forces Mexico to stop thinking about cybersecurity as an isolated problem for technical teams and assume it as a structural axis of the state."

The urgency of this initiative stems from a severe technical diagnosis regarding the security posture of the region. According to data presented by the ATDT, cybersecurity incidents in Latin America increased by about 25% compared to the previous year. Mexico ranks as the second most attacked country in the region, surpassed only by Brazil.

Between 2019 and 2025, authorities documented 155 Mexican victims in specialized digital extortion forums. The LockBit ransomware family has been identified as the predominant threat and is responsible for one-quarter of the identified attacks. This attack vector has exerted significant pressure on strategic sectors, with the government and the financial system concentrating a significant proportion of malicious events.

Regarding human capital, the diagnosis acknowledges a global cybersecurity skills gap that limits response capabilities across both the public sector and the general industry. Furthermore, the historical absence of a homogeneous regulatory framework for the Federal Public Administration has led to isolated efforts. The new plan seeks to rectify this situation to face risks associated with geopolitical tensions and the massive adoption of AI.

Institutional Architecture and Implementation Phases

The National Cybersecurity Plan 2025–2030 proposes a complete reengineering of the digital ecosystem of the country. It articulates the 68 existing incident response teams — CSIRTs and CERTs — under a new centralized coordination architecture. Of those, 26 of these teams belong to the international FIRST network. The majority are concentrated in Mexico City and distributed among the academic, financial, energy, telecommunications, and government sectors, to name a few.

To eliminate operations in "islands," the ATDT will establish governing bodies that centralize intelligence and response. These include:

• National Cybersecurity Operations Center (CNSOC): A federated entity responsible for continuous monitoring and operation.

• National Incident Response Center (CSIRT/SESIR-APF): A specialized team for crisis management within the Federal Administration.

• Critical Infrastructure Inventory: A detailed registry to prioritize the defense of strategic national assets.

• Vulnerability Assessment Program: An active alert and notification system to identify and remedy security gaps in public institutions.

"What we seek is to perform a homologation and generally elevate all dependencies, so that we have a constant and growing level of maturity in cybersecurity," says Mario Cortés, Director of Strategy and Cybersecurity Government, ATDT.

Strategic Timeline and Maturity Phases

 The deployment of the plan follows a structure divided into three stages defined by technical objectives. The first stage, named the Foundation Phase, centers on knowing the ecosystem, mapping actors and threats, and designing regulatory instruments. Deployed during 2025, it includes the imminent publication of the General Cybersecurity Policy for the Federal Public Administration in the Official Gazette. This phase will establish mandatory guidelines, required maturity levels, and standardized incident reporting mechanisms for all federal agencies. In parallel, the ATDT already operates a vulnerability alert and notification system to identify specific security gaps.

The second stage, the Strategy Phase, will take place in 2026. During which, the government plans to present a new National Cybersecurity Strategy, updating the last version created in 2017. Cortés indicates that the challenge is to renew this guiding document every two years to maintain technological currency.

Finally, the Consolidation and Leadership Phase, which will take place between 2027 and 2030, projects the creation of a national "cyber range" for advanced training and annual attack simulation exercises. It will integrate machine learning models and AI for automated preventive detection, with the goal of operating 24/7 cyber defense services and exporting technical capabilities to other countries in the region.

General Cybersecurity Law and International Collaboration

A critical component of the plan is the promulgation of the first General Cybersecurity Law. Unlike previous approaches centered on penal typology, this legislation will prioritize risk management, prevention, and coordinated response. The regulatory framework seeks to professionalize public servants, legally define the concept of critical infrastructure, establish a mandatory incident reporting system, and articulate sanctions that incentivize good practices without criminalizing human operational error.

The plan emphasizes that cybersecurity is a shared responsibility that requires the alignment of the government, academia, and private industry. To this end, the administration has constituted a National Cybersecurity Council.

The initiative relies on strategic alliances with international organizations. Ariel Nowersztern, Consultant, Inter-American Development Bank (IDB), and Jorge Mora, Consultant, Inter-American Development Bank (IDB), call this initiative a holistic plan suitable for existing challenges.

The project is backed by representatives from the Organization of American States (OAS), the  Universidad Nacional Autónoma de México (UNAM), the Instituto Politécnico Nacional (IPN), and the National Council of the Maquiladora and Export Manufacturing Industry (Index).

"Cybersecurity is not about competing, about seeing who is more protected or who is less, but about collaborating," says Cortés. "Any plan, law, or strategy that does not go through collaboration is destined for failure."