MEXICO Law and Practice Contributed by: Alejandro Mendiola Diaz and Gunter Schwandt, Nader Hayaux & Goebel
to cybersecurity efforts. By way of example, the Ministry of Infrastructure, Communications and Transportation ( Secretaría de Infraestructura, Comunicaciones y Transporte , or SICT) has a role in regulating digital infrastructure and over - seeing the integrity of communication networks. As the nation continues its efforts to improve institutional and regulatory frameworks, atten - tion must be paid to how changes in governance and legal reforms will influence the overall cyber - security landscape. These shifts will likely have a profound impact on Mexico’s ability to respond to evolving cybersecurity threats and safeguard its critical infrastructure, financial systems, and personal data. 2. Critical Infrastructure Cybersecurity 2.1 Scope of Critical Infrastructure Cybersecurity Regulation As mentioned in 1.1 Cybersecurity Regulation Strategy , there is no specific cybersecurity law that regulates critical infrastructure in Mexico. However, the National Security Law ( Ley de Seg- uridad Nacional ) contains provisions related to the importance of protecting critical infrastruc - ture – although it does not define in detail what constitutes such infrastructure. Additionally, during the previous administration, a National Standardised Protocol for Manag - ing Cybersecurity Incidents ( Protocolo Nacional Homologado de Gestión de Incidentes Ciberné- ticos ) was implemented. Although this protocol is not a legal document, it serves as a reference for establishing the terms and procedures that enable the strengthening of cybersecurity across government entities as well as the private sec - tor. This initiative aims to ensure the continuous,
co-ordinated management of cybersecurity inci - dents, improving overall resilience and response to emerging threats. 2.2 Critical Infrastructure Cybersecurity Requirements In Mexico, there are no specific obligations related to cybersecurity for the protection of critical infrastructure. While various regulatory frameworks address cybersecurity issues, there is no detailed legislation that comprehensively regulates the measures that entities managing essential infrastructures – such as energy, tel - ecommunications, and transportation – must adopt. The absence of a clear legal framework for the protection of critical infrastructure against cybersecurity threats leaves those institutions responsible for these key sectors with some flexibility but also creates a regulatory gap that could jeopardise the country’s resilience in the face of cyber-incidents. 2.3 Incident Response and Notification Obligations There are no specific reporting obligations for cybersecurity incidents related to critical infra - structure in Mexico. However, the National Standardised Protocol for Managing Cybersecu - rity Incidents mentioned in 2.1 Scope of Critical Infrastructure Cybersecurity Regulation does include a series of recommendations on how high-level, critical and impactful cybersecurity incidents should be reported to the National Guard. By way of example, the protocol outlines mechanisms for incident notification, speci - fying how incidents should be classified and how government entities should carry out the reporting process. Strengthening this protocol through new regulations that grant it mandatory status could significantly enhance the ability to respond to cybersecurity incidents, offering bet -
189 CHAMBERS.COM
Powered by FlippingBook