CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

The main data protection legislation is the Federal Law on the Protection of Personal Data held by Private Parties (the “Data Protection Law”) and its supplementary regulation (the “Data Protection Regulations”), together the “Data Protection Legislation”. The Data Protection Law came into force in July 2010 and the Data Protection Regulation came into force in December 2011. Other relevant legislation containing data protection provisions includes:

  • Articles 6 to 16 of the Mexican Constitution;
  • The Privacy Notice Guidelines, which govern the content of data privacy notices and obtaining consent for processing personal data;
  • The General Law for the Protection of Personal Data in Possession of Obligated Subjects governs personal data held by public bodies; and
  • The Federal Consumer Protection Law governs certain aspects concerning marketing activities.    

Additionally, Mexico is a signatory of international agreements on data protection, such as the Convention for the Protection of the People Regarding the Automated Treatment of Personal Information. Mexico is also a member of the Inter American Network of Data Protection.

Law on Personal Data Protection ("RS Official Gazette", No. 87/2018) (the “PDP Law”)

  • Data Protection and Privacy Act No. 78/17 dated 6 January 1978 as amended:
    •  by the Parliament by the Law n°2018-493 of 20 June 2018 implementing the EU General Data Protection Regulation 2016/679 (GDPR) and EU Data Protection Law Enforcement Directive 2016/680,
    • By Ordinance No. 2018-1125 dated 12 December 2018 adopted pursuant to article 32 of Act No. 2018-493 of 20 June 2018 on the protection of personal data (the “DPA”).
  • Application decree 2005-1309 dated 20 October 2005 as modified by Decree 2018-687 dated 1 August 2018  and Decree n° 2019-536 dated 29 May 2019 (the “decree”)
  • Application Decree n° 2019-341 dated 19 April 2019 about processing including social security number and its purposes
  • Law No. 2016/1321 for a Digital Republic of 7 October 2016 (“Law for a Digital Republic”)
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) covers requirements for electronic communications networks and services, including cookies and direct marketing by electronic means. PECR implemented the EU Privacy and Electronic Communications Directive (ePrivacy Directive) in France.

2. Data protection authority

The Federal Institute for Access to Information and Data Protection (Instituto Nacional de Acceso a la Información y Protección de Datos Personales or "INAI") is responsible for overseeing the Data Protection Legislation. Its aim is to encourage access to all public information about governmental activities and budgets, as well as to seek the protection of personal data and the right to privacy.
The INAI, if requested by a data subject, may carry out an investigation to ensure compliance with the Data Protection Legislation of a specific undertaking and sanction those found to be in breach of the Data Protection Legislation.

Commissioner for Information of Public Importance and Personal Data Protection (the “Commissioner”)

Commission Nationale de l’Informatique et des Libertés – CNIL

3. Anticipated changes to local laws

There are no anticipated changes. Notwithstanding, the President of Mexico suggested in January that the INAI would be replaced by a State-controlled body. No additional details or timelines have been provided.

There are no anticipated changes.

Proposal for a regulation of the European Parliament and Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (regulation on privacy and electronic communications, “ePrivacy”).

4. Sanctions & non-compliance

The INAI has the authority to impose the following administrative fines:

  • 100 to 160,000 units of measure (1 unit of measure = MXN 86.88 (Mexican Pesos)) for:
    • Acting negligently or fraudulently in processing and responding to requests for personal data access, rectification, cancellation or objection;
    • Fraudulently declaring the inexistence of personal data where such exists in whole or in part in the databases of the Data Controller;
    • Processing personal data in violation of the principles established in the Data Protection Law;
    • Omitting from the Privacy Notice any or all of the information it requires;
    • Maintaining inaccurate personal data when such action is attributable to the Data Controller, or failing to perform legally due rectifications or cancellations where the data subject’s rights are affected; and
    • Failure to comply with the notice warnings issued by the INAI.
  • 200 to 320,000 units of measure (1 unit of measure = MXN 86.88 (Mexican Pesos)) for:
    • Breaching the duty of confidentiality set out in the Data Protection Law;
    • Materially changing the original data processing purpose in contravention of the Data Protection Law;
    • Transferring data to third parties without providing them with the Privacy Notice containing the limitations to which the data subject has conditioned data disclosure;
    • Compromising the security of databases, sites, programmes or equipment;
    • Carrying out the transfer or assignment of personal data outside of the cases where it is permitted under the Data Protection Law;
    • Collecting or transferring personal data without the express consent of the data subject where required;
    • Obstructing verification actions of the INAI;
    • Collecting data in a deceptive and fraudulent manner;
    • Continuing with the illegitimate use of personal data when the INAI or the data subjects have requested such use be ended;
    • Processing personal data in a way that affects or impedes the exercise of the rights of access, rectification, cancellation and objection set;
    • Creating special data databases in violation of the Data Protection Law.   

In the event that the infractions mentioned in the preceding paragraphs persist, an additional fine of 100 to 320,000 units of measure (1 unit of measure = MXN 86.88 (Mexican Pesos)) can be imposed.

Sanctions may be doubled for any of the above infractions committed in the treatment of sensitive data.

Monetary fines:

The PDP Law introduces penalties for legal entities and responsible persons in legal entities in case of acting contrary to the provisions of the PDP Law.

It imposes monetary fines for the violations of the legal entity in the range between RSD 50,000 and RSD 2m (EUR 450 to 16,000) and for the responsible person in legal entity in the range between RSD 5,000 and RSD 150,000 (EUR 40 to EUR 1,200).

The legal entity may also have to pay a fine of up to 10% of an undertaking’s income realised in Serbia in the previous year, in case of not applying or infringing the data protection authority’s order of limitation on processing or suspension of data flows.

Criminal liability:

The Serbian Criminal Act prescribes the unauthorised collection of personal data as a felony. Therefore, it cannot be excluded that a natural person who acts contrary to the provisions of the PDP Law would be subject to potential criminal liability.

  • Reputational risk;
  • Reimbursement of potential damages (material and non-material)

Administrative sanctions:

In case of non-compliance with the DPA, the CNIL may:

  • issue a warning to the data controller;
  • order a financial sanction proportional to the severity of the violation, up to EUR 20m or in the case of a company up to 4% of the worldwide annual turnover (the higher amount being taken into account);
  • seek an injunction to temporarily or permanently cease the processing or withdraw its authorisation to process data;
  • order to comply with requests to exercise the rights of persons;
  • order to bring the processing in compliance;
  • conduct onsite and online inspections (notably by using fake identities);
  • issue public non-compliance warnings.

Criminal sanctions:

Failure to comply with the DPA is punishable by five years’ imprisonment and a fine of up to EUR 300,000 (EUR 1.5m if the data controller is a legal person).

5. Registration / notification / authorisation

The Data Protection Legislation does not require prior notification or registration for any data processing activities.


Specific types of data are subject to authorisation:

  • Social security numbers (RNIPP registration numbers): French Law maintains a prior authorisation regime except for the categories of data controllers listed in the Council of State’s (Conseil d’Etat) Decree dated 19 April 2019. However, no authorisation is required for the processing of social security numbers performed solely for public interest related purposes, for scientific or historical research purposes or statistical purposes, or for supplying users with one or more online government services, under certain conditions. These purposes do not in fact require such strict regulation, provided that additional safeguards are in place.
  • Biometric and Health Data: the CNIL, in collaboration with the INDS (French National Health Data Institute) has issued standard rules and reference documents for the processing of health data. The processing may take place if it complies with these requirements, provided however that the data controllers first submit a declaration of compliance to the CNIL. Any non-compliant processing still requires prior authorisation.
  • These same principles apply to automated processing for the purposes of health-related research or studies and for evaluating or analysing healthcare or prevention practices or activities. 

6. Main obligations and processing requirements

The Data Protection Law recognises two parties who deal with personal data:

  1. Data Processors: the subject or legal entity that processes personal data on behalf of the Data Controller.
  2. Data Controller: the subject or legal entity that decides on the processing of personal data.

Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of such relationship.

According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:

  1. Legitimacy: Personal data must be collected and processed in a lawful manner;
  2. Consent: The data subject must give its consent for the processing of its personal data;
  3. Information: Through a Privacy Notice, the Data Controller must inform the data subject about the existence and the characteristics of their personal data processing;
  4. Quality: This principle is deemed met when the personal data is provided directly by the data subject; if not, the Data Controller must take measures to meet the quality principle and adopt the mechanisms considered necessary to ensure that the data is accurate, complete, updated and correct;
  5. Purpose: Personal data can only be processed for the purposes established in the Privacy Notice;
  6. Loyalty: Personal data must be processed safeguarding the protection of the data subjects’ interests and the reasonable expectation of privacy;
  7. Responsibility: Data Controllers must ensure the processing of personal data in their custody, as well as the data transferred to a Data Processor.

Additionally, the following legal requirements should be taken into account when processing personal data:

  1. Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
  2. Personal data must not be obtained through deceptive or fraudulent means;
  3. In all processing of personal data, it is presumed that there is a reasonable expectation of privacy, understood as the trust any one person places in another for personal data provided to be treated pursuant to any agreement of the parties in the terms established by the Law;
  4. Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.

  • Maintaining records of processing activities;
  • Implementing appropriate technical, organisational and human resources measures;
  • Cooperating with the Commissioner;
  • Information requirement;
  • Appropriate legal grounds for processing;
  • Complying with restrictions on transfers of personal data;
  • Appointing a Data Protection Officer, where applicable;
  • Notifying personal data breaches to Data Subject and Commissioner, in accordance with PDP Law;
  • Conducting Data Protection Impact Assessment, where applicable;
  • To enable the Data Subject’s rights in accordance with PDP Law

There are no major derogations from the GDPR.

However, it is important to note:


Except in limited cases, the CNIL does not recognise the employee’s consent as given freely to the employer acting as a data controller in the context of an employment relationship. Therefore, the employer cannot generally rely on employees’ consent as a basis for the processing or transfer of personal data.

Data subjects’ information

The information to be provided to data subjects is the same as that required under GDPR. Additional information on the data subject's right to set out guidelines relating to the fate of data after death must also be provided.

Information required under French law includes all data subjects’ rights and must be provided whether the processing operation is based on consent or not. 

Records of processing

The CNIL has released a template document detailing the fulfilment process to establish the record of processing obligation. This document is an example and is not binding. 

Data Protection Impact Assessment 

The CNIL has released the lists of treatments for which a DPIA is and is not required. 

7. Data subject rights

All data subjects are entitled to exercise rights of access, rectification, cancellation and objection regarding their personal data (collectively known as ARCO rights). These rights are not mutually exclusive.

Right of Access

The data subject is entitled to access its personal data held by the Data Controller, as well as information regarding the conditions and generalities of the processing.

Right of Rectification

Data subjects may request, at any time, that Data Controllers rectify personal data if it is inaccurate or incomplete.

Right of Cancellation

Data subjects have the right to cancel (i.e. seek erasure of) their personal data. There are certain situations where Data Controllers have the right to object to such erasure (e.g. if required by applicable law or public interest).

Right of Objection

Data Subjects may, at any time, oppose the processing of their personal data for legitimate purposes.

The data subject has the following rights:

  • to be informed; 
  • to access; 
  • to rectification and supplement;
  • to erasure of personal data;
  • to restriction of processing;
  • to personal data portability; and
  • to object

Post Mortem right to Privacy (Articles 84 and seq. DPA)

Article 84 DPA provides the data subject with an additional right, that is the possibility for that data subject to define guidelines for the storage, erasure and communication of personal data after his or her death.

8. Processing by third parties

According to the Data Protection Law, if a Data Controller intends to transfer personal data to third parties, it must provide them with a Privacy Notice and the purposes to which the data subject has limited data processing. The data subject must consent to such transfer via the Privacy Notice.


Data Processors must obtain permission from Data Controllers if subcontracting may involve the subcontractor processing personal data. Once consent is obtained, the Data Processor must enter into a contract with the subcontractor.

The subcontractor will assume the same obligations required for Data Processors under the Data Protection Legislation and other applicable law.

The Data Processor’s right to subcontract processing activities should be outlined in the contract between the Data Controller and Data Processor. If this right is not covered in that contract, the Data Processor must seek specific consent from the Data Controller in order to subcontract processing activities.

Where the processor engages another sub-processor, the same data protection obligations as set out in the PDP Law or the Data Protection Agreement signed between the controller and the processor are imposed on that sub-processor by way of an agreement or other legal act signed between the processor and the sub-processor, in particular providing sufficient guarantees to implement appropriate technical, organisational and human resources measures in such a manner that the processing will meet the requirements of the PDP Law. Where the sub-processor fails to fulfil its personal data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that sub-processor’s obligations.

There are no derogations from the GDPR.

9. Transfers out of country

International transfers of personal data must be consented to by the data subject and the purposes of such transfers must be included in the Privacy Notice. Such consent is not required where the transfer is:

  1. pursuant to a Law or Treaty to which Mexico is party;
  2. necessary for medical diagnosis or prevention, healthcare delivery, medical treatment or health services management;
  3. made to holding companies, subsidiaries or affiliates under common control of the Data Controller, or to a parent company or any company of the same group as the Data Controller, operating under the same internal processes and policies;
  4. necessary by virtue of a contract executed or to be executed in the interest of the data subject between the Data Controller and a third party;
  5. necessary or legally required to safeguard public interest or for the administration of justice;
  6. necessary for the recognition, exercise or defence of a right in a judicial proceeding; or
  7. necessary to maintain or fulfil a legal relationship between the Data Controller and the data subject.

Data transfer to countries not specified in the PDP Law or in the “white list” is allowed only if the controller/processor has ensured appropriate safeguards, prescribed by the PDP Law, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

The following are considered to be appropriate safeguards under the PDP Law: 

  • A legally binding and enforceable instrument between public authorities or bodies;
  • Standard Data Protection clauses adopted by the Commissioner that regulate the legal relationship of the Controller and the Processor;
  • Binding corporate rules approved by the Commissioner; 
  • An approved code of conduct with binding and enforceable commitments of the controller/processor in the third country to apply the appropriate safeguards, or an approved certification mechanism.

There are no derogations from the GDPR.

Pursuant to Article 39 DPA if the CNIL believes that a data subject’s allegations concerning a personal data breach are founded, it may now ask the Council of State (Conseil d’Etat) to suspend the transfer of data, imposing a fine if necessary, and refer to the ECJ for a preliminary ruling to assess the validity of the European Commission’s decision authorising or approving the necessary appropriate safeguards (adequacy decision or other).

10. Data Protection Officer

Data Controllers must appoint a Data Protection Officer (or equivalent role) to deal with data subjects’ requests and promote data protection compliance within the Data Controller’s organisation.

The controllers and processors are required to designate a data protection officer (“DPO”), if: (a) the processing is carried out by a public authority, (b) the core activities of the controller/processor require the regular and systematic monitoring of data subjects on a large scale, or the large scale processing of special categories of personal data – e.g. health data or trade union memberships, or criminal convictions/offences data.

There are no derogations from the GDPR.

The appointment of a DPO must be notified via the CNIL website.

The CNIL has adopted a certification referential and an accreditation referential for the DPO’s certifications issued by certification bodies.

11. Security

Data Controllers and Data Processors are required to establish and maintain administrative, physical and, if applicable, technical security measures for the protection of personal data.

In developing security measures, the data controller should take at least the following into account:

  1. the inherent risk given the type of personal data;
  2. the sensitivity of the personal data;
  3. technological developments;
  4. the potential consequences of a breach for data subjects;
  5. the number of data subjects;
  6. prior vulnerabilities in the processing systems;
  7. value of the data for an unauthorised third party; and
  8. other factors that may impact the level of risk or that result from other applicable laws and regulations.

The Data Protection Regulation also sets out actions that Data Controllers can take in order to comply with the security requirements:

  1. prepare an inventory of personal data;
  2. determine the functions and obligations of the person(s) who will process personal data;
  3. conduct a risk analysis of personal data consisting of identifying dangers and estimating the risks;
  4. establish the necessary security measures;
  5. identify gaps between existing security measures and those required for each type of data and each processing system;
  6. prepare a work plan based on the gap analysis in (5) above;
  7. carry out revisions and/or audits;
  8. train personnel who process personal data; and
  9. keep a record of the methods of processing personal data.

Data controllers and data processors shall take all necessary technical, human resources and organisational measures to protect data in accordance with the established standards and procedures in order to protect data from loss, damage, inadmissible access, modification, publication and any other abuse, as well as to provide for an obligation of keeping data confidentiality for all persons who work on data processing.

The CNIL has issued a specific guide on security measures to be implemented by data controllers and processors in January 2018. 

12. Breach notification

There are no requirements for Data Controllers to notify the INAI in the event of a data breach (other than Data Controllers which are government entities). However, Data Controllers must notify data subjects if their personal data is subject to a breach with at least the following information:

  1. nature of the breach;
  2. the personal data compromised;
  3. recommendations of actions that may be taken by the data subject to protect its interests;
  4. immediate measures being taken by the data controller; and
  5. any means by which the individual can find further information regarding the matter.

If a data breach may create a risk to the rights and freedoms of natural persons, the controller must notify the Commissioner without undue delay and not later than 72 hours after becoming aware of the breach.

If a data breach may create a high risk to the rights and freedoms of a natural person, the controller is obliged to notify the affected data subject without undue delay.

Where the reporting of unauthorised disclosure or access is likely to pose a risk to national security, defence or public security, such notification is not required (DPA, art. 58, III; Decree, art. 91-2-1).

Such exemption only applies where the processing must comply with a legal obligation or where it is necessary to perform a task carried out in the public interest vested in the controller.

13. Direct marketing

Personal data can be processed for advertising and marketing purposes in accordance with the Data Protection Legislation, provided that these purposes are made clear in the Privacy Notice and in any other medium required for communicating the processing purposes.

The prior informed consent of a data subject (a natural person) is required in case of direct marketing (via mail, email, phone, etc.). The data subject must be able to withdraw consent at any time. If the data subject no longer wants to receive advertising messages, the advertiser must stop direct marketing.

These rules do not apply to natural persons who perform business activity in relation to such business activity.

The data controller cannot send unsolicited marketing messages without prior consent from the recipient (article L34-5 of Postal and Electronic Communications Code) unless:

  • the consumer is already a customer of the company, the marketing message concerns similar products and services purchased by the consumer, and such products and services are offered by the same person or company;
  • the marketing messages are non-commercial in nature (e.g. a charity).

In every case, at the time of collection of their email address, the prospect must be:

  • informed that their personal data will be used for marketing purposes;
  • able to easily and freely object to such use at any time at the original point where their details were collected, and in each subsequent marketing communication.

In the B2B context, there is no need for prior consent provided that the recipient has been informed about the fact that its details will be used for marketing purposes and is given the possibility to object to such use. The marketing messages must be relevant to the role or activity of the professional solicited.

14. Cookies and adtech

When the Data Controller uses remote or local mechanisms for electronic, optical or other forms of technological communication that collect personal data automatically at the moment the data subject comes into contact with them, the data subject must be informed, at that moment, of the use of these technologies, of the collection of personal data and of the way in which the cookies can be disabled.

Not regulated, so general personal data protection rules apply.

15. Risk scale





1. Local cybersecurity laws and scope

There is currently no specific federal cybersecurity law in force in Mexico.

Cybersecurity is regulated in the Federal Criminal Code, the Data Protection Legislation and other sector-specific legislation applicable to entities operating within those sectors (e.g. the Fintech Law). Specific cybersecurity measures are normally regulated through tertiary regulatory instruments such as manuals, official operating parameters and guides.

The Law on Information Security ("Official Gazette of RS", Nos. 6/2016, 94/2017 and 77/2019) (the “Law”)

French Post and Electronic Communications Code.

Act No. 2013-1168 of 18 December 2013 (Military Programming Act 2014-2019) on military programming for the years 2014 to 2019 which contains various provisions concerning national defence and security – articles 21 and seq. - (and its implementing decrees);

Act No. 2018-607 of 13 July 2018 (Military Programming Act 2019-2025) on military programming for the years 2019 to 2025 which contains various provisions concerning national defence and security – articles 34 and 35.

Act No. 2018-133 of 26 February 2018 implementing various provisions of European Union law in the field of security and its implementing decrees and orders (“Cybersecurity Act 2018”):

  • Decree No. 2018-384 of 23 May 2018 on the networks and information systems security of essential and digital services providers (“Implementation Decree”);
  • Order (Arrêté) of 13 June 2018 setting the rules of notifications provided in articles 8, 11 and 20 of Decree n° 2018-384 of 23 May 2018 on network and IT system security;
  • Order (Arrêté) of 14 September 2018 setting security rules and deadlines provided in art. 10 of Decree n° 2018-384 of 23 May 2018 on the network and IT system security.

2. Anticipated changes to local laws

A National Cybersecurity Strategy document was published in 2017, but since the change in government in December 2018, there has not been much progress in terms of actual regulation.

In February 2020, a Mexican Senator submitted a bill proposing amendments to the Data Protection Law (the “DP Bill”).

The DP Bill proposed implementing best practices with respect to cybersecurity but made no specific recommendations.

There have been no developments regarding the DP Bill since it was announced in February 2020.

There are no anticipated changes.

There are no changes anticipated at the local level, apart from the adoption at the EU level of the NIS2 Directive.

3. Application 

There is no indication of when (or if) the DP Bill will be passed into law or if the National Cybersecurity Strategy will be progressed.

The Law specifies measures for the protection from security risks in information and communications systems, the liability of legal entities during management and use of information and communications systems and designates competent authorities responsible for the execution of protection measures, coordination between protection factors and monitoring of the proper application of the prescribed protection measures, software and software development tools.

The Military Programming Act 2014-2019 (especially Article 22) sets out several cybersecurity obligations applicable to “vitally important operators” (opérateurs d’importance vitale) – VIOs – as defined in Article L.1332-1 of the French Defence Code.

The Military Programming Act 2019-2025 provides measures to strengthen the protection against cyberattacks through the use of telecommunications operators.

The Cybersecurity Act 2018 has created two new categories of operators subject to cybersecurity obligations:

Operators of essential services (OES)

The OES are defined as any public or private entity providing an essential service for the maintenance of critical societal and/or economic activities relying on networks and information systems and whose service could be seriously affected in the event of a network security incident. Pursuant to the implementing Decree No. 2018-384 of 23 May 2018 on the security of networks and information systems of essential service operators and digital service providers, the OES are designated by the Prime Minister in various sectors, such as energy, transportation, banking, financial markets infrastructure, health, digital infrastructure etc. In this respect, the Prime Minister notifies operators individually of his intention to appoint them as an OES and from this notification, the operator may submit observations within a month.

Digital service providers (DSPs)

The DSPs are defined as any legal entity providing a digital service. The services concerned are the online search engines, online marketplaces and cloud computing services.  

The French National Cybersecurity Agency (Agence nationale de la sécurité des systèmes d’information, ANSSI) and the Prime Minister appointed the first OES on 9 November 2018. 

4. Authority

The primary authority in charge of responding to any issue regarding cybersecurity is the National Guard (previously Federal Police, now formally though not materially fully integrated into the National Guard) and the Ministry of Public Security. In addition, there are other local authorities in some regions, such as the Police for the Prevention of Cybercrimes in Mexico City.

The INAI is responsible for overseeing data security breaches in general.

There are other authorities that could have jurisdiction regarding sector-specific cybersecurity breaches, e.g. the Mexican Securities and Exchange Commission or Mexico’s Central Bank in case of cybersecurity breaches in the banking and financial sector.

5. Key obligations 

Given there is no legislation specifically regulating cybersecurity, companies operating in sectors that do not have their own cybersecurity requirements are not subject to any particular obligations. Similarly, there is no obligation to report cyber incidents to the authorities. However, gaining access or trying to access a protected system is considered a crime in Mexico and therefore the offended party has the capacity to report the crime to Federal Prosecutors. 

With respect to personal data, under the Data Protection Legislation, every organisation must implement corrective and preventive measures to improve security and avoid the violation of personal data rights.

  • Adopting an internal by-law on security of information and communication system and implementing security measures
  • Need to appoint a person or organisational unit for security supervision of information and communication system
  • Need to provide a report on internal control of information and communication system
  • Mandatory reporting of incidents related to information and communication system

Under the French Defence Code and Article 22 of the Military Programming Act 2014-2019, the state is responsible for ensuring that VIOs are sufficiently secure. To do this, VIOs must:

  • comply with rules set by the Prime Minister for protecting the security of information systems, such as not connecting certain systems to the internet;
  • communicate any cybersecurity incident to the Prime Minister without delay;
  • implement detection systems using government-certified service providers;
  • verify, on the request of the Prime Minister, the security level of critical information systems using an audit system;
  • ensure the ability to impose measures on operators in a major crisis;
  • implement a crisis management procedure in the event of major cyberattacks.

Under Article L33-14 of the French Post and Electronic Communications Code, telecommunications operators:

  • are allowed to use, on the electronic communications networks they operate, after informing the ANSSI in advance, devices using technical identifiers solely for the purpose of detecting events that may affect the security of their subscribers' information systems;
  • may be requested by the ANSSI to use, where appropriate, identifiers that the ANSSI provides them with, if the ANSSI is aware of a threat that could affect the security of information systems;
  • have to notify the ANSSI without delay when they have detected events that could affect the security of information systems;
  • at the request of the ANSSI, have to notify their subscribers of the vulnerability of their information systems or the breaches they have suffered.

Under Article L.2321-2-1 of the French Defence Code, when the ANSSI becomes aware of a threat that could affect the security of public authorities' information systems, the ANSSI may implement devices with information identifiers on the networks of a telecommunications operator, a host or service providers.

Under the Cybersecurity Act 2018, OES essentially have to:

  • comply with security rules set out in the following areas:
    • governance of network and information system security,
    • protecting the security of networks and information systems,
    • defending the security of networks and information systems,
    • resilience of activities;
  • notify any cyber security incident, without delay, to the ANSSI when these incidents have or may have a significant impact on the continuity of services.

Under the Cybersecurity Act 2018 the DSP must:

  • Appoint a representative established on the national territory to the ANSSI if it is established outside the European Union and does not have any representative within the European Union;
  • Guarantee an appropriate level of security according to the existing risks and to do so, identify the risks threatening the security of the information systems and take the technical and organisational measures necessary and proportionate to manage these risks, avoid incidents and minimise their impact so as to guarantee the continuity of their services;
  • Notify any cybersecurity incident, without delay, to the ANSSI when an incident has a significant impact on the provision of these services.

The Cybersecurity Act 2018 implementation decree and orders (arrêtés) have set the rules applicable to the OES and DSP with respect to the notifications and the safety rules of the IT system.

6. Sanctions & non-compliance 

Even though there is no definition of “cybercrime”, the Federal Criminal Code sanctions some behaviours that can be identified as cybercrimes, such as hacking, phishing, infections of IT systems with malware, identity theft or fraud. These illegal behaviours can be punished with prison sentences and a range of fines, depending on the severity of the crime. 

Monetary fines:

Fine of up to RSD 2m (EUR 16,800) for a legal entity and up to RSD 50,000 (approx. EUR 400) for a responsible person within the legal entity.

Criminal sanctions:


  • Reputational risk
  • Reimbursement of the potential damages (material and non-material)

Under the Cybersecurity Act 2018, OES may be subject to the following fines:

  • EUR 100,000 in case of non-compliance with security rules
  • EUR 75,000 in case of failure to communicate a cybersecurity incident 
  • EUR 125,000 in case of obstruction of inspection operations

DSPs may be subject to the following fines:

  • EUR 75,000 in case of non-compliance with security rules
  • EUR 50,000 in case of failure to communicate a cybersecurity incident
  • EUR 100,000 in case of obstruction of inspection operations

The Prime Minister is entitled to control the compliance of the OES and DSPs with their obligations under the Cybersecurity Act 2018. The investigations are carried out by ANSSI or by qualified service providers.

Under Article 22 of the Military Programming Act 2014-2019 and Article L.1332-7 of the French Defence Code, non-compliance by the VIOs with their key obligations listed above incurs a fine of EUR 150,000.

Under Article 34 of the Military Programming Act 2019-2025 and Article L.2321-2-2 of the French Defence Code, telecommunication operators that prevent the implementation of the measures provided for in Article L.2321-2-1 are punishable with a fine of EUR 150,000.

Under Article 226-3 of the French Criminal Code, the use of any technical means or device to intercept and capture data, without ministerial authorisation, is punishable by up to five years of imprisonment and a fine of EUR 300,000 (EUR 1.5m for a legal person – Article 131-38 of the French Criminal Code).

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The authority responsible for the prevention of and response to any cybersecurity issue is the National Response Centre for Cyber Incidents of the Federal Police (now formally incorporated into the National Guard) or CERT-MX. This body is in charge of preventing and mitigating any threat to technological infrastructure and operability in Mexico. Additionally, the INAI is responsible for supervising compliance with legislation regarding personal data protection.

Yes. Tasks of the national CERT are assigned to the Regulatory Agency for Electronic Communications and Postal Services (RATEL).

Yes. CERT-FR (Computer Emergency Response Team) formerly called CERTA (

CERT-FR is the contact team on call to receive alerts from ANSSI at all hours in the event of a cyberattack. CERT-FR deals with cyber incidents occurring in France and involving the administration and VIOs. Its main missions are: detecting threats and vulnerabilities in systems, particularly through a technological survey; leading the resolution of cyber incidents; helping to implement measures to prevent future incidents; organising global coordination with other entities.

8. National cybersecurity incident management structure

The CERT-MX is responsible for dealing with any cybersecurity incidents, but only after a specific request, complaint or demand is submitted. The INAI can also initiate investigations regarding the protection of personal data.

The Serbian Government established a body to coordinate work on information security and adopted a Decree on the procedure for Notifying on Incidents relating to Information and Communication System of Particular Importance.

The French National Cybersecurity Agency (ANSSI) is responsible for replying to cybersecurity incidents targeting strategically important institutions.

The Ministry of Defence and the Ministry of the Interior also assume functions of prevention of all forms of cybercrime.

9. Other cybersecurity initiatives 

In the private sector, the Mexican Association for Cybersecurity offers services and products regarding cybersecurity and data protection. It also encourages the protection of information and proper information handling. 


PRIS (Incident Response Providers)

Cyber Defence Command Unit (COMCYBER) reporting to the Chief of the Defence Staff.

Héctor González Martínez
Senior Associate
Mexico City
Jelena Đorđević
Ksenija Ivetić Marlović
Mina Radonjic
Anne-Laure Villedieu
Maxime Hanriot