Cybersecurity 2025

MEXICO Law and Practice Contributed by: Alejandro Mendiola Diaz and Gunter Schwandt, Nader Hayaux & Goebel

does not currently have dedicated digital operational resilience regulation such as that of the EU, but it has multiple regulatory frameworks that collectively govern operational resilience, cybersecurity, and incident reporting for financial institutions and ICT providers. The main objectives of such regulation include:

• ensuring business continuity and system availability;
• bolstering cybersecurity and IT risk management;
• mitigating risks related to third-party providers and cloud computing;
• improving crisis management and incident response;
• safeguarding personal data and financial information, while enhancing consumer protection and data security; and
• following international standards.

Additionally, financial institutions and other participants such as ICT service providers, payment processors and cloud providers in Mexico must comply with incident reporting obligations. Such reporting obligations include cybersecurity breaches, operational disruptions, financial fraud, phishing attacks, and third-party ICT failures. Financial institutions must also keep logs and forensic reports for potential regulatory audits.

3.4 Operational Resilience Enforcement

Enforcement of operational resilience obligations by regulators in relation to critical ICT services providers in Mexico is done through supervisory audits, compliance inspections, penalty assessments, and mandatory incident reporting. The primary authorities overseeing enforcement include the CNBV, Banxico and, for certain specific matters related to their mandate, the IFT and the INAI.

3.5 International Data Transfers

Mexico does not impose strict data localisation requirements; however, international data transfers must comply with the provisions of the Personal Data Protection Law, financial sector rules, and trade agreements. These rules apply to financial institutions, ICT providers, and businesses in general that process or store personal or sensitive data outside Mexico. Mexican businesses are obligated to implement contractual safeguards, consent mechanisms and cybersecurity measures to ensure compliance. Note that the United States–Mexico–Canada Agreement (USMCA) contains provisions on cross-border data flows and data localisation.

3.6 Threat-Led Penetration Testing

Mexico does not have a formal threat-led penetration testing (TLPT) regulation; however, financial institutions and ICT providers must conduct penetration tests, cyber-resilience assessments and simulated cyber-attacks (“red teaming”) under Banxico, CNBV and IFT regulations, as part of regulatory compliance. Specifically for fintech platforms and banking infrastructure, as well as financial institutions handling electronic payments, the CNBV and Banxico mandate penetration testing and perform cybersecurity assessments to test resilience against cybersecurity threats.

4. Cyber-Resilience

4.1 Cyber-Resilience Legislation

Resilience obligations in Mexico are primarily related to financial services. Please refer to 3. Financial Sector Operational Resilience Regulation.
