MEXICO Law and Practice Contributed by: Alejandro Mendiola Diaz and Gunter Schwandt, Nader Hayaux & Goebel
6.2 Cybersecurity and AI As of early 2025, Mexico does not have dedi - cated cybersecurity regulations specifically tar - geting AI. Despite AI technologies significantly transforming a wide range of sectors, from healthcare to finance, the country’s legal frame - work has not yet fully addressed the unique cybersecurity challenges posed by AI systems. However, AI systems that process personal data must still comply with existing data pro - tection regulations – particularly the Mexican DPRs, which primarily focus on safeguarding personal information. This intersection between data protection and AI represents a crucial but limited area of AI governance and cybersecurity in Mexico. To address these emerging challenges, Mexi - co could look to international frameworks and guidelines for AI governance and cybersecurity. By way of example, organisations such as the EU have regulated AI – with the Artificial Intel - ligence Regulations, which includes provisions on high-risk AI systems, specifically address - ing cybersecurity measures. Additionally, global cybersecurity bodies such as the Global Forum on Cyber Expertise (GFCE) are working to devel - op international norms and best practices for securing AI systems, which is a critical compo - nent of their governance. By aligning with such international efforts, Mex - ico could adopt best practices and standards in AI cybersecurity, fostering a stronger regulatory environment for emerging technologies. Partici - pation in international forums would also allow Mexico to collaborate with other nations and share knowledge, risks, and solutions related to securing AI systems – thereby ensuring that the field remains competitive while effectively addressing the cybersecurity challenges inher - ent in AI.
the INAI was responsible for compliance with national data privacy regulations, local authori - ties may also play a role in cybersecurity, par - ticularly when it comes to sector-specific data protection practices. Need for a More Comprehensive Legal Framework The absence of an explicit and comprehensive legal framework addressing cybersecurity within the Mexican DPRs suggests a need for future reforms. Given the increasing frequency and sophistication of cybersecurity threats, it is cru - cial for the legal framework to evolve in tandem with emerging risks. A more detailed and clear articulation of specific cybersecurity obliga - tions would help organisations implement more robust and consistent cybersecurity practices, improving overall data protection and reducing vulnerability to cyber-attacks. In conclusion, even though Mexico’s data pri - vacy regulations provide essential safeguards for personal data protection, they lack clear, specific provisions on cybersecurity obligations. The regulations generally require data controllers to implement security measures but fail to offer detailed guidance on what constitutes adequate cybersecurity. This gap leaves organisations with significant room for interpretation, poten - tially leading to inconsistent practices. As Mexico continues to address the challenges posed by an increasingly digital society, the inte - gration of more specific cybersecurity require - ments into the data privacy regulations will be crucial. Strengthening these provisions will help mitigate the growing risks associated with cybersecurity threats and improve the country’s overall ability to safeguard personal data in an interconnected world.
195 CHAMBERS.COM
Powered by FlippingBook