Cybersecurity 2025

MEXICO Law and Practice Contributed by: Alejandro Mendiola Diaz and Gunter Schwandt, Nader Hayaux & Goebel

ter protection for critical infrastructure sectors in Mexico.

2.4 State Responsibilities and Obligations

As mentioned in 1.3 Cybersecurity Regulators (Cybersecurity in Critical Infrastructure), there are obligations on the part of the government regarding resilience responsibilities and threat identification, which are contained in protocols or guidelines, such as the protocol mentioned in 2.1 Scope of Critical Infrastructure Cybersecurity Regulation and 2.3 Incident Response and Notification Obligations. However, these obligations are not specifically outlined in a particular law. This fragmented approach can make it difficult to implement effective security measures, as authorities and private entities may interpret the guidelines differently or may not be legally required to adopt them uniformly.

To improve the situation, it would be advisable for Mexico to move towards creating laws that establish obligations related to cybersecurity resilience and threat identification in critical infrastructure. This would enable more coherent and co-ordinated management of cyber-risks, ensuring that all parties involved follow a common set of rules that strengthen protection and response to cybersecurity incidents. The implementation of more formal legislation could also improve co-operation between the public and private sectors, enhancing the ability to respond to cybersecurity challenges.

3. Financial Sector Operational Resilience Regulation

3.1 Scope of Financial Sector Operational Resilience Regulation

Operational resilience in Mexico’s financial sector is primarily regulated by:
• the CNBV;
• Banxico; and
• the National Commission for the Protection and Defence of Financial Services Users (Comisión Nacional para la Protección y Defensa de los Usuarios de Servicios Financieros, or CONDUSEF).

Mexico does not have a standalone operational resilience regulation. Nevertheless, financial institutions such as banks, fintechs, insurance companies and other market participants are required to comply with a combination of laws, regulations and supervisory guidelines aimed at ensuring business continuity, cybersecurity and risk management. These regulatory norms and provisions include:
• the General Provisions Applicable to Credit Institutions issued by the CNBV (see 1.2 Cybersecurity Laws);
• CNBV Guidelines on Cybersecurity and Information Security;
• the Fintech Law (Ley para Regular las Instituciones de Tecnología Financiera);
• the Payment Systems Law (Ley de Sistemas de Pagos);
• Circular 8/2019 – directed at participants of the Interbank Electronic Payments System and issued by Banxico (see 1.2 Cybersecurity Laws);
• Principles for Strengthening Cybersecurity to Ensure Financial System Stability – issued by Banxico (see 1.2 Cybersecurity Laws);
