MEXICO Law and Practice Contributed by: Alejandro Mendiola Diaz and Gunter Schwandt, Nader Hayaux & Goebel
tion security in public institutions, ensuring that government entities handle and protect sensitive data responsibly while maintaining accountability in cybersecurity-related incidents.
• The Fintech Law (Ley para Regular las Instituciones de Tecnología Financiera) – this law establishes compliance requirements for fintech companies and mandatory measures for secure financial transactions, among other things. Given the rapid growth of digital financial services, this law plays a crucial role in mitigating cyber-risks in the financial sector.
• General Provisions Applicable to Credit Institutions (Disposiciones de Carácter General Aplicables a las Instituciones de Crédito) – these impose strict standards on banks, requiring financial institutions to implement risk management frameworks, security controls, and incident response mechanisms to safeguard customer data and financial transactions.
• Circular 8/2019 – issued for participants in the Interbank Electronic Payments System, Mexico’s real-time payment system, this regulation enhances cybersecurity by requiring financial entities to adopt encryption, authentication measures, and real-time monitoring to prevent cyberfraud.
• Principles for Strengthening Cybersecurity to Ensure Financial System Stability (Principios para Reforzar la Seguridad de la Información en el Sistema Financiero) – this is a set of best practices and regulatory guidelines aimed at reinforcing cybersecurity resilience within the financial sector, ensuring institutions implement risk-based approaches to counter cybersecurity threats.
• Mexican Official Standards (Normas Oficiales Mexicanas, or NOMs) – several NOMs provide additional mandatory cybersecurity and information protection requirements. Notable among them are:
(a) NOM-151-SCFI-2016 – regulates the conservation of digital data messages, ensuring electronic documents remain authentic, reliable, and unaltered over time, which is essential for cybersecurity, e-commerce, and legal compliance; and
(b) NOM-004-SSA3-2012 – establishes criteria for the creation, management and conservation of medical records in Mexico, reinforcing data protection and ensuring confidentiality in healthcare services (see 6.3 Cybersecurity in the Healthcare Sector for further details).

Given the ongoing legal changes, it will be crucial to monitor how these regulations evolve and their impact on Mexico’s cybersecurity landscape. The Mexican government’s current reforms, including the dissolution of certain regulatory agencies and the creation of new entities, may reshape the enforcement and implementation of cybersecurity policies in the coming years.

1.3 Cybersecurity Regulators
Cybersecurity regulation in Mexico is fragmented across various government agencies, primarily owing to the absence of a comprehensive legal framework and a central authority with broad oversight responsibilities. As a result, multiple entities assume roles in cybersecurity matters, each focusing on distinct areas such as law enforcement, the financial sector, and data protection. The landscape is continually evolving.

Law Enforcement and Cybercrime Investigation
The Attorney General’s Office (Fiscalía General de la República, or FGR) and local prosecutors’ offices play a central role in investigating
CHAMBERS.COM