Cybersecurity 2025

MEXICO Law and Practice Contributed by: Alejandro Mendiola Diaz and Gunter Schwandt, Nader Hayaux & Goebel

4.2 Key Obligations Under Legislation

Resilience obligations in Mexico are primarily related to financial services. Please refer to 3. Financial Sector Operational Resilience Regulation.

5. Security Certification for ICT Products, Services and Processes

5.1 Key Cybersecurity Certification Legislation

In Mexico, there is no law that requires companies or individuals to obtain certification in cybersecurity. Although the country has established some regulations related to data protection, particularly through the Personal Data Protection Law, these do not impose mandatory cybersecurity certification for organisations or professionals. Instead, the regulations generally require businesses to implement appropriate technical security measures to protect personal data from risks such as alteration, destruction, or unauthorised access.

Despite the absence of a legal requirement for certification, many companies in Mexico recognise the importance of cybersecurity and voluntarily pursue various certifications to enhance their security posture. These certifications, such as ISO/IEC 27001, are often seen as best practices to demonstrate companies’ commitment to safeguarding sensitive information and mitigating cybersecurity threats.

Given the growing complexity and frequency of cyber-attacks, Mexico may eventually adopt more stringent regulations that mandate cybersecurity certifications for companies or professionals operating in certain sectors – particularly those responsible for managing critical infrastructure or sensitive data. Until such regulations are enacted, voluntary certification remains an essential tool for organisations aiming to mitigate risks and enhance their cybersecurity measures.

6. Cybersecurity in Other Regulations

6.1 Cybersecurity and Data Protection

Mexico’s data privacy regulations are closely linked to cybersecurity, primarily owing to the increasingly complex landscape of personal data processing in contemporary society. However, the current legal framework does not explicitly address cybersecurity in a dedicated manner. Instead, it outlines general principles and obligations that require organisations to implement security practices, which implicitly include cybersecurity measures as part of broader data protection strategies.

Security Measures and Obligations Under Mexican DPRs

The Mexican DPRs require data controllers (entities responsible for processing personal data) to adopt technical security measures to safeguard personal data against various threats. These threats include damage, loss, alteration, destruction, and the unauthorised use, access or processing of sensitive information. The regulations specify that these measures should be designed with an understanding of evolving technological developments, reflecting the dynamic nature of cybersecurity challenges.

However, the regulations do not provide clear or specific guidelines on what constitutes “technical security measures” nor do they articulate concrete cybersecurity obligations. The provisions are somewhat vague, leaving room for interpretation, and do not set out explicit requirements or standards for the types of cybersecu-

193 CHAMBERS.COM
