CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

The main data protection legislation is the Federal Law on the Protection of Personal Data held by Private Parties (the “Data Protection Law”) and its supplementary regulation (the “Data Protection Regulations”), together the “Data Protection Legislation”. The Data Protection Law came into force in July 2010 and the Data Protection Regulation came into force in December 2011. Other relevant legislation containing data protection provisions includes:

  • Articles 6 to 16 of the Mexican Constitution;
  • The Privacy Notice Guidelines, which govern the content of data privacy notices and obtaining consent for processing personal data;
  • The General Law for the Protection of Personal Data in Possession of Obligated Subjects governs personal data held by public bodies; and
  • The Federal Consumer Protection Law governs certain aspects concerning marketing activities.    

Additionally, Mexico is a signatory of international agreements on Data Protection, like the Convention for the Protection of the People Regarding the Automated Treatment of Personal Information. Mexico is also a member or the Inter American Network of Data Protection.

The law Nr 18-07 dated on 10 June 2018 related to the protection of private persons in the processing of personal data (hereafter the “Law”) has set out the conditions of the collection, recording, organisation, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, as well as locking, encryption, erasure or destruction of any information, whatever its support, concerning an identified or identifiable person, directly or indirectly, in particular by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, biometric, psychic, economic, cultural or social identity.

Despite its publication on 2018, the entry in force of this Law is subject to the actual installation of the authority in charge of protection of personal data which is until now (February 2021) not installed yet.

2. Data protection authority

The Federal Institute for Access to Information and Data Protection (Instituto Nacional de Acceso a la Información y Protección de Datos Personales or "INAI"), is responsible for overseeing the Data Protection Legislation. Its aim is to encourage access to all public information about governmental activities, and budgets, as well as seeking the protection of personal data and the right to privacy.
The INAI, if requested by a data subject, may carry out an investigation to ensure compliance with the Data Protection Legislation of a specific undertaking and sanction those found to be in breach the Data Protection Legislation.

The National Authority for the Protection of Personal Data (hereafter the “Authority”) is an independent and autonomous authority composed by magistrates, representatives of parliament, senate, human right council, administrations and other persons designated by the President.

It is in charge of receiving declarations and deliver authorisations, put in place rules for the protection of personal data and to settle litigations.

The National Authority for the Protection of Personal Data is not formally established yet.

3. Anticipated changes to local laws

There are no anticipated changes. Notwithstanding, the President of Mexico suggested in January that the INAI would be replaced by a State-controlled body. No additional details or timelines have been provided.

Notwithstanding the installation of the Authority, it is expected that executive decrees will be published for the entry into force of the Law.

4. Sanctions & non-compliance

The INAI has the has the authority to impose the following administrative fines:

  • 100 to 160,000 units of measure 1 1 unit of measure = MXN 86.88 (Mexican Pesos)  for:
    • Acting negligently or fraudulently in processing and responding to requests for personal data access, rectification, cancellation or objection;
    • Fraudulently declaring the inexistence of personal data where such exists in whole or in part in the databases of the Data Controller;
    • Processing personal data in violation of the principles established in the Data Protection Law;
    • Omitting from the Privacy Notice any or all of the information it requires;
    • Maintaining inaccurate personal data when such action is attributable to the Data Controller, or failing to perform legally due rectifications or cancellations where the data subject’s rights are affected; and
    • Failure to comply with the notice warnings issued by the INAI.
  • 200 to 320,000 units of measure 2 1 unit of measure = MXN 86.88 (Mexican Pesos) for:
    • Breaching the duty of confidentiality set out in the Data Protection Law;
    • Materially changing the original data processing purpose in contravention of the Data Protection Law;
    • Transferring data to third parties without providing them with the Privacy Notice containing the limitations to which the data subject has conditioned data disclosure;
    • Compromising the security of databases, sites, programmes or equipment;
    • Carrying out the transfer or assignment of personal data outside of the cases where it is permitted under the Data Protection Law;
    • Collecting or transferring personal data without the express consent of the data subject where required;
    • Obstructing verification actions of the INAI;
    • Collecting data in a deceptive and fraudulent manner;
    • Continuing with the illegitimate use of personal data when the INAI or the data subjects have requested such use be ended;
    • Processing personal data in a way that affects or impedes the exercise of the rights of access, rectification, cancellation and objection set;
    • Creating special data databases in violation of the Data Protection Law.   

In the event that the infractions mentioned in the preceding paragraphs persist, an additional fine of 100 to 320,000 units of measure 3 1 unit of measure = MXN 86.88 (Mexican Pesos)  can be imposed.

Sanctions may be doubled for any of the above infractions committed in the treatment of sensitive data.

There are several types of sanctions for each kind of infringement to the rules related to protection of personal data.

Administrative sanctions:

In case of non-respect of the rules related to data protection, the abovementioned authority can decide the following administrative sanctions:

  • the warning;
  • the notice;
  • provisional withdrawal for a period that may not exceed one year, or the definitive withdrawal of the declaration receipt or authorisation;
  • an administrative fine up to DZD 500,000 (EUR 3,100).
Criminal sanctions:

There are various criminal offences under the law among others:

  • unlawful obtaining of personal data;
  • misuse of the collected personal data;
  • transfer of personal data without authorisation;
  • destroying or falsifying information and documents;
  • making false statements in response to an information notice or obstruction to the work of the authority; and
  • altering personal data to prevent disclosure to the data subject.

Sanctions may vary between two months to five years imprisonment and from DZD 20,000 to DZD 500,000 (EUR 120 to EUR 3,100).

In addition to the organisation, individual company directors can face criminal liability (fines and custodial sentences).


The above-mentioned Authority has the following enforcement powers:

  • to impose information notices and publish them;
  • to impose the destruction of the data and/or its removal or closing;
  • to impose encryption of the data;
  • entry and inspection.

A data subject may (in addition to making a complaint to the Authority) also make a claim to the courts for compensation for material or non-material damage (which may include distress).

5. Registration / notification / authorisation

The Data Protection Legislation does not require prior notification or registration for any data processing activities.

There are two kinds of regimes:

  • The declaration, which is related to data processing that is not likely to infringe the rights and freedoms of the data subjects and their privacy;
  • The authorisation, when the processing can endanger or may disrespect privacy and freedoms and fundamental rights of individuals.

In case the collected data is used to keep a register, which is accessible to the public or to any person proving a legitimate interest, a simple notification of the identity of the data controller is needed.

6. Main obligations and processing requirements

The Data Protection Law recognises two parties who deal with personal data:

  1. Data Processors: the subject or legal entity that processes personal data on behalf of the Data Controller.
  2. Data Controller: the subject or legal entity that decides on the processing of personal data.

Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of such relationship.

According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:

  1. Legitimacy: Personal data must be collected and processed in a lawful manner;
  2. Consent: The data subject must give its consent for the processing of its personal data;
  3. Information: Through a Privacy Notice, the Data Controller must inform the data subject about the existence and the characteristics of their personal data processing;
  4. Quality: This principle is given when the personal data is provided directly by the data subject; if not, the Data Controller must take the measurements to meet the quality principle and adopt mechanisms that are considered necessary to ensure that the data is accurate, complete, updated and correct;
  5. Purpose: Personal data can only be processed for the purposes established in the Privacy Note.
  6. Loyalty: Personal data must be processed safeguarding the protection of the data subjects’ interests and the reasonable expectation of privacy;
  7. Responsibility: Data Controllers must ensure the processing of personal data in their custody, as well as the data transferred to a Data Processor.

Additionally, the following legal requirements should be taken into account when processing personal data:

  1. Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
  2. Personal data must not be obtained through deceptive or fraudulent means;
  3. In all processing of personal data, it is presumed that there is a reasonable expectation of privacy, understood as the trust any one person places in another for personal data provided to be treated pursuant to any agreement of the parties in the terms established by the Law;
  4. Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.   

Any personal data processing is subject to a prior declaration to the national Authority or its authorisation.

The controller must implement the appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised dissemination or access, in particular when the processing involves data transmission in a network, as well as against any other form of unlawful processing.

The controller as well as the persons who, in the performance of their duties, have knowledge of personal data, are required to respect professional secrecy even after having ceased to exercise their functions, under criminal sanctions.

Any person acting under the authority of the controller or that of the subcontractor who has access to personal data may only process them on the instruction of the controller, except in the case of execution of a legal obligation.

When the controller is not established on Algerian territory, he or she must notify the national authority of the identity of his or her representative installed in Algeria who, without prejudice to his personal responsibility, replaces him in all his rights and obligations resulting from the provisions of the law.

Interconnection of files containing personal data must obtain prior authorisation of the Authority.

The processing of personal data with a purpose of public interest research, study or evaluation in the field of health is authorised by the national authority, in compliance with

principles defined by this law and according to the public interest that the research, study or evaluation presents.

There is no age limit regarding the data subject. The law has mentioned however that a “child” needs the prior consent of his or her legal guardian or the judge.

Processing of personal data that reveals the racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of the data subject or which relates to his health including his genetic data is forbidden except when:

  • the processing is necessary for the safeguard of vital interests of the data subject or of another person and if the data subject is physically or legally unable to give consent;
  • the processing is carried out, with the consent of the data subject, by a foundation, association or non-profit organisation of a political, philosophical, religious or trade union nature, within the framework of its legitimate activities, provided that the processing concerns only the members of this body or the persons who maintain regular contact with it related to its purpose that the data are not communicated to third parties without the consent of the persons concerned.
  • the processing relates to data clearly made public by the data subject, as long as his or her consent to the processing of the data can be inferred from his or her statements;
  • the processing is necessary for the recognition, exercise or defence of legal claims and is carried out exclusively for this purpose;
  • the processing of genetic data, excluding those carried out by doctors or biologists and which are necessary for the practice of preventive medicine, medical diagnostics and the administration of care or treatment.
  • Personal data relating to offences, penalties and security measures can only be processed by the judicial authority, public authorities, legal persons who manage a public service and court officials within the framework of their legal powers.

7. Data subject rights

All data subjects are entitled to exercise rights of access, rectification, cancellation and objection regarding their personal data (collectively known as ARCO rights). These rights are not mutually exclusive.

Right of Access

The data subject is entitled to access its personal data held by the Data Controller, as well as information regarding the conditions and generalities of the processing.

Right of Rectification

Data subjects may request, at any time, that Data Controllers rectify personal data if it is inaccurate or incomplete.

Right of Cancellation

Data subjects have the right to cancel (i.e. seek erasure of) its personal data. There are certain situations where Data Controllers have the right to object to such erasure (e.g. if required by applicable law or public interest).

Right of Objection

Data Subjects may, at any time, oppose the processing of their personal data for legitimate purposes.

The data subject must be expressly and unequivocally informed in advance by the person responsible for the data processing or his or her representative of the following elements :

  • the identity of the controller and, where applicable, his or her representative;
  • the purposes of the processing;
  • the identity of the recipient of the data;
  • the information about the transfer of data abroad;
  • any additional useful information including the obligation to respond and its consequences as well as the rights of the data subject.

The data subject has an access right to his or her data and is entitled to obtain:

  • confirmation of whether his or her personal data is processed or not, the purposes of the processing, the categories of data to which it relates and the recipients;
  • communication, in an intelligible form, of his or her data which is the subject of processing, as well as any available information on the origin of the data.

The data subject has the right of rectification and to obtain:

  • updating, rectification, erasure or blocking of personal data whose processing does not comply with this law, in particular because of the incomplete or inaccurate nature of such data or whose processing is prohibited by the law. The controller is required to make the necessary corrections at no cost to the requester, within ten days of referral.
  • notification to third parties to whom the personal data has been communicated of any updating, rectification, erasure or blocking of personal data carried out in accordance with point above.

The data subject has the objection right, for legitimate reasons, to the processing of his personal data.

He or she has the right to object to use his or her data for prospecting purposes, in particular commercial purposes.

8. Processing by third parties

According to the Data Protection Law, if the Data Controllers intend to transfer personal data to third parties, it must provide them with a Privacy Notice and the purposes to which the data subject has limited data processing. The data subject must consent to such transfer via the Privacy Notice.


Data Processors must obtain permission from Data Controllers if subcontracting may involve the subcontractor processing personal data. Once consent is obtained, the Data Processor must enter into a contract with the subcontractor.

The subcontractor will assume the same obligations required for Data Processors under the Data Protection Legislation and other applicable law.

The Data Processor’s right to subcontract processing activities should be outlined in the contract between the Data Controller and Data Processor. If this right is not covered in that contract, the Data Processor must seek specific consent from the Data Controller in order to subcontract processing activities.

Any third-party subcontractor must provide sufficient guarantees on the technical security and organisational measures relating to the processing to be carried out and must ensure compliance with these measures.

Any subcontracting must be governed by a contract or a legal act (in writing or under another equivalent form) that binds the subcontractor to the controller and which provides in particular that the subcontractor acts only under the sole instruction of the controller and in compliance with the obligations provided for in the law (mainly those related to confidentiality and security of the data).

9. Transfers out of country

International transfers of personal data must be consented to by the data subject and the purposes of such transfers must be included in the Privacy Notice. Such consent is not required where the transfer is:

  1. pursuant to a Law or Treaty to which Mexico is party;
  2. necessary for medical diagnosis or prevention, healthcare delivery, medical treatment or health services management;
  3. made to holding companies, subsidiaries or affiliates under common control of the Data Controller, or to a parent company or any company of the same group as the Data Controller, operating under the same internal processes and policies;
  4. necessary by virtue of a contract executed or to be executed in the interest of the data subject between the Data Controller and a third party;
  5. necessary or legally required to safeguard public interest or for the administration of justice;
  6. necessary for the recognition, exercise or defence of a right in a judicial proceeding; or
  7. necessary to maintain or fulfil a legal relationship between the Data Controller and the data subject.

The controller may transfer personal data to a foreign state with the authorisation of the national authority, only if that state provides a sufficient level of legal protection. It is prohibited, in any case, to communicate or transfer personal data to a foreign country, when such transfer is likely to endanger public security or the vital interests of the State.

It is possible to transfer data abroad when authorised by the data subject, or deemed necessary:

  • to safeguard the life of that person;
  • to preserve the public interest;
  • to comply with obligations to ensure the establishment, exercise or defence of legal claims;
  • to perform a contract between the controller and the data subject;
  • to conclude or perform a contract concluded or to be concluded, in the interest of the data subject, between the controller and a third party;
  • to execute an international legal assistance measure;
  • to prevent, diagnose or treat medical conditions.

10. Data Protection Officer

Data Controllers must appoint a Data Protection Officer (or equivalent role) to deal with data subjects’ requests and promote data protection compliance within the Data Controller’s organisation.

Any natural or legal person, public or private or any other entity which, alone or jointly with others, determines the purposes and means of data processing is the designated data controller.

Data controller is responsible to the data subject regarding all the commitments related to the rights of the latter. He or she is also liable towards the Authority regarding general commitments before and during processing of data.

11. Security

Data Controllers and Data Processors are required to establish and maintain administrative and physical, security and, if applicable, technical measures for the protection of personal data.

In developing security measures, the data controller should take at least the following into account:

  1. the inherent risk given the type of personal data;
  2. the sensitivity of the personal data;
  3. technological developments;
  4. the potential consequences of a breach for data subjects;
  5. the number of data subjects;
  6. prior vulnerabilities in the processing systems;
  7. value of the data for an unauthorised third party; and
  8. other factors that may impact the level of risk or that result from other applicable laws and regulations.

The Data Protection Regulation also sets out actions that Data Controllers can take in order to comply with the security requirements:

  1. prepare an inventory of personal data;
  2. determine the functions and obligations of the person(s) who will process personal data;
  3. conduct a risk analysis of personal data consisting of identifying dangers and estimating the risks;
  4. establish the necessary security measures;
  5. identify gaps between existing security measures and those required for each type of data and each processing system;
  6. prepare a work plan based on the gap analysis in (v) above;
  7. carry out revisions and/or audits;
  8. train personnel who process personal data; and
  9. keep a record of the methods of processing personal data.

The data controller must guarantee that any person working for him or her or on his or her behalf, any subcontractor, any representative and any participant in the data processing will respect the general commitments of confidentiality and security of the data notwithstanding the respect of the rights of the data subject.

12. Breach notification

There are no requirements for Data Controllers to notify the INAI in the event of a data breach (other than Data Controllers which are government entities). However, Data Controllers must notify data subjects if their personal data is subject to a breach with at least the following information:

  1. nature of the breach;
  2. the personal data compromised;
  3. recommendations of actions that may be taken by the data subject to protect its interests;
  4. immediate measures being taken by the data controller; and
  5. any means by which the individual can find further information regarding the matter.

The Law has not defined the conditions for introducing a claim, appeal or complaint relating to the implementation of the processing of personal data. The Law specified that the Authority is in charge of informing the plaintiff about the consequences for a breach notification

13. Direct marketing

Personal data can be processed for advertising and marketing purposes in accordance with the Data Protection Legislation, provided that these purposes are made clear in the Privacy Notice and in any other medium required for communicating the processing purposes.

Direct prospecting is forbidden except by email under certain conditions.

14. Cookies and adtech

When the Data Controller uses remote or local mechanisms for electronic, optical or other forms of technological communication which allow collection of personal data automatically and simultaneously to the time the data subject has contact with such communications mechanisms, the data subject must be informed about the use of these technologies, at the time the data subject makes contact with the technology and must be informed of the obtention of personal data as well as the way in which the cookies can be disabled.

There is no provision related to cookies and adtech in the Law.

15. Risk scale




1. Local cybersecurity laws and scope

There is currently no specific federal cybersecurity law in force in Mexico.

Cybersecurity is regulated in the Federal Criminal Code, the Data Protection Legislation and other sector-specific legislation applicable to entities operating within those sectors (e.g. the Fintech Law). Specific cybersecurity measures are normally regulated through tertiary regulatory instruments such as manuals, official operating parameters and guides.

As regard to the security, please note that there is no particular law related to cybersecurity in Algeria. However, there are general provisions of the regulation in force applicable to different areas, which provide for the concept of the electronic privacy and data protection as well as information security and secrecy, etc. These provisions have a preventive and repressive character in order to fight any criminal acts (e.g. corruption, terrorism, attacks on state security, money laundering and terrorism financing, smuggling, fraudulent use of data, technology and communication offences, discrimination and hate speech, etc).

As an indication, these are some of the provisions:

  • The Criminal Code in its Articles 394bis and following protects the right of protection of the integrity of automated data processing systems;
  • The Law n° 09-04 of 5 August 2009 on the specific rules relating to the prevention and the fight against breaches related to technology and communication (Law 09-04);
  • The Law No. 18-04 of 10 May 2018 establishing the general rules relating to the post and electronic communications (Law 18-04);
  • The Decrees related to licences to operate public telecommunication networks;
  • Decision N° 48/SP/PC/ARPT/17 dated 29 November 2017 approving the specifications defining the conditions and modalities for the establishment and operation of hosting and storage services for computerised content for user benefit in the context of cloud computing services (Decision N° 48/SP/PC/ARPT/17);
  • The Decree n° 02-156 of 9 May 2002 setting the conditions for interconnection of networks and telecommunications services (Decree 02-156).

2. Anticipated changes to local laws

A National Cybersecurity Strategy document was published in 2017, but since the change in government in December 2018, there has not been much progress in terms of actual regulation.

In February 2020, a Mexican Senator submitted a bill proposing amendments to the Data Protection Law (the “DP Bill”).

The DP Bill proposed implementing best practices with respect to cybersecurity but made no specific recommendations.

There have been no developments regarding the DP Bill since it was announced in February 2020.

We have no knowledge of the existence of any bills underway that relate to cybersecurity.

3. Application 

There is no indication of when (or if) the DP Bill will be passed into law or if the National Cybersecurity Strategy will be progressed.

  • Criminal law provides for the prohibition of any fraudulent access to any system, or the collection, processing, storage, transfer of personal data for criminal reasons and considers as an offender:
    • anyone who fraudulently introduces data into an automated processing system or fraudulently deletes or modifies the data it contains;
    • anyone who willfully and fraudulently: designs, researches, collects, makes available, disseminates or markets data that is stored, processed or transmitted by a computer system;
    • anyone who holds, reveals, discloses, or makes any use whatsoever of the data obtained by the above mentioned means.
  • The Law n° 09-04 provides for the measures and rules for offences related to technology and communication, the obligation for service providers to cooperate with judicial police and authorities for this purpose. The principle of access and its details will be described in the request or order of access. It might be the order to provide readable data or more information such as access to a computer system including its encryption codes.
  • The above-mentioned surveillance operations may only be carried out with the written authorisation of the competent judicial authority.It may, in some circumstances, be issued to judicial police officers by the General Attorney at the Court of Algiers, for a period of six months renewable, on the basis of a report indicating the nature of the technical process used and its objectives.In the latter case, the technical devices put in place must focus, exclusively, on the collection and the recording of data relating to the prevention and combating of terrorist acts and attacks on the security of the State.
  • The Law 18-04 consecrates the principle of protection of the privacy and personal data of subscribers and users of internet networks, defines among other provisions the “cybersecurity” and measures to implement in this regard, and also provides for the obligations of electronic communications operators.
  • The Law 18-04 defines cybersecurity as the set of tools, policies, security concepts, security mechanisms, guidelines, risk management methods, actions, training, good practices, guarantees and technologies that can be used to protect electronic communications against any event that could compromise availability, integrity or confidentiality of data stored, processed or transmitted.The authority in charge of the regulation of electronic communications scrutinises and verifies that electronic communications operators respect their commitments to cybersecurity. It is worth mentioning that there are no more details regarding cybersecurity conditions nor sanction in case of infringement.
  • The Decrees related to licences to operate public telecommunication networks provide for some provisions applicable to the contractor holding thd telecom licence on the confidentiality of information and protection of users and personal information, as well as provisions required for national defence and cooperation with governmental authorities, including the applicable sanctions.
  • Decision N° 48/SP/PC/ARPT/17, provides for some rules in connection with data protection and security such as the commitment to:
    • establish infrastructure on the national territory and ensure that this uses equipment integrating the most recent and proven technologies;
    • guarantee that customer data is hosted and stored on national territory;
    • ensure the integrity and confidentiality of customer data except in the cases provided for by the texts in force;
    • guarantee a backup solution for hosted or stored data;
    • establish a customer identification file;
    • do not disclose or use customer data;
    • put in place the necessary mechanisms to ensure the security of data, applications and infrastructure associated with cloud computing, in particular regarding the integrity and confidentiality of data, through the implementation of information security mechanisms against various threats and intrusions;
    • the physical and environmental security of the premises housing the infrastructure, particularly against fires and water damage.  
  • The Decree n° 02-156 states the obligation for operators and service providers to take all necessary measures to ensure compliance, including: network security; maintenance of network integrity; data protection, including personal, protection of privacy and confidentiality of information processed, transmitted and stored.

4. Authority

The primary authority in charge of responding to any issue regarding cybersecurity is the National Guard (previously Federal Police, now formally though not materially fully integrated into the National Guard) and the Ministry of Public Security. Additional to this, there are other local authorities in some regions, such as the Police for the Prevention of Cybercrimes in Mexico City.

The INAI is responsible for overseeing data security breaches in general.

There are other authorities that could have jurisdiction regarding sector-specific cybersecurity breaches e.g. the Mexican Securities and Exchange Commission or Mexico’s Central Bank in case of cybersecurity breaches in the banking and financial sector. 

Regulatory Authority for Post and Electronic Communications:

5. Key obligations 

Given there is no legislation specifically regulating cybersecurity, companies operating in sectors that do not have their own cybersecurity requirements are not subject to any particular obligations. Similarly, there is no obligation to report cyber incidents to the authorities. However, gaining access or trying to access a protected system is considered a crime in Mexico and therefore the offended party has the capacity to report the crime to Federal Prosecutors. 

With respect to personal data, under the Data Protection Legislation, every organisation must implement corrective and preventive measures to improve security and avoid the violation personal data rights.

There is no defined process or steps to follow in case of a data breach.

6. Sanctions & non-compliance 

Even though there is no definition of “cybercrime”, the Federal Criminal Code sanctions some behaviours that can be identified as cybercrimes, such as hacking, phishing, infections of IT systems with malware, identity theft or fraud. These illegal behaviours can be punished with prison sentences and a range of fines, depending on the severity of the crime. 

In case of any infringement the Regulatory Authority for Post and Electronic Communications may decide administrative sanctions. Criminal sanctions fall within the competence of the judge.

Administrative sanctions:

Withdrawal of any authorisation.

Criminal sanctions:

Sanctions may vary between three months to three years imprisonment, and a fine of DZD 50,000 to DZD 5m (EUR 310 to  EUR 31,000). These penalties are doubled when the offence undermines the national defence of organisations or establishments governed by public rights, without prejudice to the application of more severe penalties. The legal person who has committed the offence is punished by a fine equivalent to five times the maximum of the fine provided for the natural person.


The instruments, programmes and means used in the commission of the offence will be confiscated as well as the closure of sites, subject of one of the offences provided for in this section, and premises and places of operation if the owner is informed.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The authority responsible for the prevention and response of any cybersecurity issue is the National Response Centre for Cyber Incidents of the Federal Police (now formally incorporated to the National Guard) or CERT-MX. This body is in charge of preventing and mitigating any threat to technological infrastructure and operability in Mexico. Additionally, the INAI is responsible for supervising compliance with legislation regarding personal data protection.


8. National cybersecurity incident management structure

The CERT-MX is responsible for dealing with any cybersecurity incidents, but only after a specific request, complaint or demand is submitted. The INAI can also initiate investigations regarding the protection of personal data.

There is no such structure.

9. Other cybersecurity initiatives 

In the private sector, the Mexican Association for Cybersecurity offers services and products regarding cybersecurity and data protection. It also encourages the protection of information and proper information handling. 


Portrait of Héctor González Martínez
Héctor González Martínez
Senior Associate
Mexico City
Amine Sator