A global overview of legal frameworks for new cyber challenges

Members of the Lexing® network provide an overview of the current state of national cybersecurity regulations. As this issue becomes increasingly critical worldwide, we are witnessing a surge in new laws and regulations across the globe.
The following countries have contributed to this issue: Brazil, Greece, India, Mexico, Portugal, South Africa, Singapore, Sweden.
FREDERIC FORSTER
Executive VP of Lexing® network and Head of Telecommunications and Digital Communications at Lexing
South Africa’s cybersecurity framework is not built around a single consolidated statute. Obligations arise from a layered model in which several Acts address different slices of digital risk: personal-data security and breach notification under the Protection of Personal Information Act, 2013 (POPIA); cyber-offence reporting under the Cybercrimes Act 19 of 2020; communications and interception duties under RICA and the Electronic Communications Act; and heightened controls for entities designated as critical infrastructure under the Critical Infrastructure Protection Act 8 of 2019. (1) For international groups assessing compliance exposure, South Africa is converging toward an accountability-oriented jurisdiction, but it does so through this layered regulatory approach: each statute imposes its own duties, timelines and enforcement track, rather than a single consolidated code. The result is a framework in which a SaaS or cloud provider may simultaneously have to navigate a data-privacy regulator, a police-reporting obligation and an emerging data-sovereignty policy.
1) POPIA sets the baseline
The foundation of South Africa’s cybersecurity regime for most private-sector organisations is POPIA section 19, which requires every responsible party to take ‘appropriate, reasonable technical and organisational measures’ to protect personal information from loss, damage or unauthorised access. (2) The standard is deliberately flexible. There is no prescribed minimum control set, and organisations commonly align their measures with recognised information security frameworks such as ISO 27001 or NIST. Section 19(2) goes further, however, explicitly requiring organisations to identify risks, establish safeguards, verify their implementation and update them continuously.
When a breach occurs, POPIA section 22 activates a dual notification duty. The responsible party must inform both the Information Regulator (via its online portal) and the affected data subjects in writing, (3) once it has reasonable grounds to believe that an unauthorised person has accessed or acquired the personal information. The trigger is a reasonable belief of compromise, not a confirmed forensic finding, and the timeline is ‘as soon as reasonably possible’ after discovery. Notification may be delayed only if a law-enforcement agency or the Regulator itself determines that disclosure would impede a criminal investigation. In practice, organisations that lack a pre-tested incident response plan will struggle to meet this standard. The Information Regulator has since 2023 issued enforcement notices for failures to notify, and the first large-scale administrative fines are anticipated in the near term.
Every organisation must also appoint and register an Information Officer with the Information Regulator under POPIA section 55 before that person takes up their duties. (4) Typically the CEO or equivalent, the Information Officer is responsible for overseeing the compliance programme, conducting risk assessments and serving as the formal channel to the Regulator. This is not a voluntary role. Failing to register the Information Officer constitutes a breach of POPIA section 55.
2) The Cybercrimes Act adds a second reporting track: 72 hours to the police
Separately from POPIA’s privacy-focused notification regime, the Cybercrimes Act 19 of 2020 imposes a distinct reporting obligation on two categories of entity. Under section 54, which is not yet fully in force pending ministerial regulations specifying the categories of reportable offence, any electronic communications service provider (ECSP) or financial institution that becomes aware its network or service has been used to commit a cyber offence must report to the South African Police Service (SAPS) within 72 hours of becoming aware. The provider must contemporaneously preserve any evidence that could assist an investigation. (5) Failure to report in time is itself a criminal offence, carrying a fine of up to R 50 000. The reputational and government-contracting consequences of a conviction are likely to far outweigh the financial penalty for most providers.
The offences that will trigger the reporting duty are those to be specified by the Minister of Police by regulation. Part I offences under the Act, including unlawful access, ransomware, cyber-fraud and cyber-extortion, are the most likely candidates. Once commencement regulations are published, the dual-track structure will become a routine operational consideration for any provider that qualifies as an ECSP or financial institution.
A single incident, for example a ransomware attack that also compromises personal information, may trigger both a POPIA notification to the Information Regulator and affected persons (‘as soon as reasonably possible’) and a Cybercrimes Act report to SAPS (within 72 hours). The two reports go to different recipients and serve different purposes. Managing them in parallel requires care, particularly to avoid disclosures that could prejudice a criminal investigation. Organisations should build a single incident-response workflow that evaluates both tracks simultaneously and involves legal counsel from the outset.
3) Sector-specific and critical-infrastructure obligations layer on top
Entities designated as critical infrastructure under the Critical Infrastructure Protection Act 8 of 2019 (CIPA) face materially heavier duties. Designated persons in control of such infrastructure must register with the Critical Infrastructure Council, implement a government-approved security plan covering both physical and cybersecurity controls, and submit to regular inspections and audits. (6) Most SaaS and cloud providers sit outside this regime unless specifically designated. Designation risk is increasing as cloud and data-centre services become more central to national infrastructure, however, and organisations should assess their exposure on a periodic basis.
Telecommunications and internet service providers face an additional layer under RICA (Regulation of Interception of Communications Act 70 of 2002). Section 30 of RICA requires telecommunication service providers to ensure that their services have interception capability and to store communication-related information for three to five years, as specified by directive. (7) Where a lawful interception warrant is served, the provider must assist in real-time at its own cost. Breaching ICASA licence conditions can attract fines of up to R 5 million or 10 per cent of annual turnover, whichever is higher, and repeated RICA offences can result in licence revocation.
Cryptography providers are separately regulated under ECTA sections 29–30. Any person or company providing encryption services or products in South Africa must register with the DCDT before doing so. (8) Failure to register is a criminal offence carrying up to two years’ imprisonment. A single registration for the entity suffices. The law does not require disclosure of encryption keys or algorithms, and there are no export-control-style restrictions on encryption strength.
4) Cross-border hosting and a data-sovereignty turn
There is no blanket prohibition on offshore hosting of personal information, but POPIA section 72 restricts cross-border personal-data transfers unless the recipient country’s laws or the contractual arrangements provide an adequate level of protection comparable to POPIA. (9) Permissible transfer bases include adequacy, data-subject consent, contractual necessity and the data subject’s benefit. Organisations exporting personal data must document the applicable basis. The absence of documentation is a POPIA violation in its own right, not merely an evidentiary gap.
A significant new policy dimension is the 2024 National Policy on Data and Cloud. It is not yet binding legislation, but it explicitly requires that government data involving national security or sovereignty be stored only in cloud infrastructure located within South Africa. (10) The policy also signals a prospective cloud-service-provider registry and minimum-security-standard certification scheme under the DCDT. Organisations tendering for government cloud services or hosting government data should factor localisation obligations into their infrastructure strategy now, ahead of formal enactment.
For IoT and edge-computing deployments, no dedicated IoT cybersecurity law yet exists. IoT devices that use radio frequency must obtain type-approval from ICASA. Any personal information collected by an IoT solution brings the full weight of POPIA’s security and breach-notification duties. International best practices, including the ETSI EN 303 645 standard for consumer IoT security, are encouraged. In the event of a breach, the absence of secure-by-design controls would weigh heavily in any POPIA enforcement or civil-liability assessment under section 99 of the Act.
Conclusion
In our view, South Africa should be approached as a layered-obligation jurisdiction rather than a single-statute one. The centre of compliance gravity sits with POPIA’s baseline security duty and its open-ended breach-notification timeline. A growing number of organisations will also need to manage the Cybercrimes Act’s 72-hour police-reporting obligation once section 54 comes fully into force. Sector-specific duties under RICA, CIPA and ECTA add further controls that are not always apparent from a POPIA-only analysis.
Three near-term developments warrant particular attention. First, the commencement of section 54 regulations, which will create a hard 72-hour police deadline for ECSPs and financial institutions. Second, the finalisation of the National Cybersecurity Strategy, expected to introduce clearer public-private incident-coordination protocols. Third, the potential enactment of cloud-provider registration requirements under the 2024 Data and Cloud Policy. For compliance teams, the practical recommendation is straightforward: treat incident readiness, evidence preservation and documented transfer bases as governance priorities. In South Africa, as the enforcement picture sharpens, organisations that have tested their response workflows are increasingly the ones that keep a cyber event as a contained compliance matter, rather than allowing it to escalate into compounding regulatory and criminal-law exposure.
*****
(2) POPIA section 19 – Security measures on integrity and confidentiality of personal information
(3) POPIA section 22 – Notification of security compromises
(4) Information Regulator – Information Officer registration portal; POPIA section 55
(6) Critical Infrastructure Protection Act 8 of 2019
(7) Regulation of Interception of Communications Act 70 of 2002 (RICA) – section 30
(9) POPIA section 72 – Transfers of personal information outside the Republic
(10) National Policy on Data and Cloud (2024) – Department of Communications and Digital Technologies
(11) South African cybersecurity laws overview – Michalsons
(12) Information Regulator – Fact Sheet: Handling of Security Compromises (August 2025)
DAVID LUYT
southafrica@lexing.network
Brazil’s cybersecurity framework is not built around a single consolidated statute. Obligations arise from a layered model in which national governance instruments set strategic priorities, the data protection regime imposes enforceable security and incident-response duties when personal data is involved, and sector regulators increasingly translate cyber risk into resilience expectations for essential services. For international groups comparing regulatory approaches, Brazil is converging with accountability and resilience-oriented jurisdictions, but it is doing so through regulatory accumulation, concrete deadlines, and sector supervision rather than a single codification effort.
1) Incident response is now deadline-driven and documentation-centred
The baseline duty stems from the Brazilian General Data Protection Law, which requires controllers and processors to adopt technical and administrative measures to protect personal data and establishes the framework for notifying incidents that may create relevant risk or damage to data subjects. The most consequential operational development is ANPD Resolution CD/ANPD No. 15/2024, which sets a three-business-day deadline to notify ANPD and affected data subjects when an incident meets the reporting threshold.
The regime is designed for real-world incidents, including cases where the initial assessment is incomplete. It requires timely notification while allowing relevant details to be supplemented as investigations progress. At the same time, it makes incident documentation a core compliance output. Controllers must keep an incident register, including incidents that are not notified, for at least five years, and the register must cover core elements such as relevant dates, a general description of the circumstances, categories of data, the number of affected individuals, the risk assessment, mitigation measures, and the reasons for not notifying when that decision is taken. In practice, this embeds cybersecurity into governance, because legal exposure is shaped not only by what occurred, but also by whether the organization can demonstrate how it assessed the incident, what it decided, and what it implemented within a short timeframe.
2) National governance is reinforcing a resilience narrative for essential services
Brazil has strengthened the governance layer that informs how public actors and sector regulators frame cybersecurity priorities. Decree No. 11,856/2023 instituted the National Cybersecurity Policy and created the National Cybersecurity Committee, explicitly linking cybersecurity to fundamental rights, prevention of incidents affecting critical infrastructure and essential services, and organizational resilience across public and private entities.
In 2025, Decree No. 12,573/2025 instituted the updated National Cybersecurity Strategy and organized it around thematic axes that include the security and resilience of essential services and critical infrastructure, alongside citizen protection and awareness, public-private cooperation, and governance and sovereignty. For regulated industries, this matters because it reinforces a policy trajectory in which cybersecurity is increasingly framed as service continuity and resilience, rather than solely as the confidentiality of information.
3) The most demanding requirements are sectoral, with finance as the leading indicator
Brazil’s most technical and stringent cybersecurity expectations often arise in regulated sectors, particularly within the financial system and payments infrastructure. A central primary source for this direction is CMN Vote No. 88/2025, published by the Central Bank in December 2025. The document sets out the rationale for tightening requirements considering the growing criticality of digital infrastructures and communication networks supporting the financial system and details minimum expectations aligned with supervision and audit.
The compliance direction is clear. Controls are expected to be demonstrable rather than merely described, and resilience mechanisms are positioned as necessary to protect essential financial services. For global compliance teams, the executive implication is that the highest Brazilian bar is frequently sectoral, and finance often acts as a reference point that influences vendor governance and assurance practices beyond the regulated perimeter, including for organizations that are not directly supervised by the Central Bank.
4) Civil claims are becoming more evidentiary and context-specific
Brazil’s Superior Court of Justice has continued to refine how data exposure disputes translate into moral damages. In 2023, the Second Panel held that the leak of nonsensitive personal data does not, by itself, generate compensable moral damages, and that effective harm must be demonstrated. In February 2026, the Fourth Panel held that the unauthorized availability of non-sensitive personal data in the positive credit registry (cadastro positivo) context does not automatically generate presumed moral damages, requiring proof of a significant impairment to personality rights, and it highlighted the limits on re-examining evidence at the special appeal stage.
For organizations, the key takeaway is that civil exposure will often be decided by the factual record. Where courts require proof of harm and context, incident scope, timing, and documentation become decisive, and they align directly with ANPD’s deadline-driven compliance model.
Conclusion
In our view, Brazil should be treated as a deadline-driven and evidence-driven cybersecurity jurisdiction. The centre of regulatory gravity is shifting away from policy formalism and toward operational credibility. A three-business-day notification requirement, combined with multi-year incident recordkeeping, means that preparedness is no longer a technical preference. It is a legal risk control that must operate under pressure and remain defensible in hindsight.
Brazil is also building resilience expectations through supervision and sectoral instruments rather than waiting for a single codification event, and recent STJ decisions confirm that civil liability outcomes are not uniform and depend on context and proof. This combination makes readiness more, not less, valuable, because incident documentation becomes the core asset for regulatory engagement and dispute strategy. For executives, the recommendation is straightforward: treat incident readiness, traceability, and third-party governance as governance priorities, since in Brazil they increasingly determine whether a cyber event remains a contained compliance matter or escalates into compounding regulatory and litigation exposure.
*****
(1) Brazil, Law No. 13,709 of August 14, 2018, General Data Protection Law (LGPD); Brazil, Presidency of the Republic, Planalto Legislation Portal, accessed at: https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm
(2) Brazil, Resolution CD/ANPD No. 15 of April 24, 2024, Security Incident Communication Regulation; Brazil, Ministry of Justice and Public Security, DSpace Normative Repository, accessed at: https://dspace.mj.gov.br/handle/1/12879
(3) Brazil, Decree No. 11,856 of December 26, 2023, instituting the National Cybersecurity Policy (PNCiber) and the National Cybersecurity Committee (CNCiber); Brazil, Presidency of the Republic, Planalto Legislation Portal, accessed at: https://www.planalto.gov.br/ccivil_03/_ato2023-2026/2023/decreto/d11856.htm
(4) Brazil, Decree No. 12,573 of August 4, 2025, instituting the National Cybersecurity Strategy (E-Ciber); Brazil, Presidency of the Republic, Planalto Legislation Portal, accessed at: https://www.planalto.gov.br/ccivil_03/_ato2023-2026/2025/decreto/d12573.htm
(5) Brazil, National Monetary Council, Vote (Voto) No. 88/2025–CMN of December 18, 2025, proposal on cybersecurity and cloud requirements linked to RSFN/Pix/STR; Central Bank of Brazil, Normativos Repository, accessed at: https://normativos.bcb.gov.br/Votos/CMN/202588/Voto_do_CMN_88_2025.pdf
(6) Brazil, Superior Court of Justice (STJ), News Release of March 17, 2023, “Data subject whose data was leaked must prove actual harm to claim damages” (Second Panel); STJ News Portal, accessed at: https://www.stj.jus.br/sites/portalp/Paginas/Comunicacao/Noticias/2023/17032023Titular-de-dados-vazados-deve-comprovar-dano-efetivo-ao-buscar-indenizacao-decide-Segunda-Turma.aspx
(7) Brazil, Superior Court of Justice (STJ), News Release of February 13, 2026, “Unauthorized availability of non-sensitive personal data in ‘positive credit registry’ does not generate presumed moral damages” (Fourth Panel); STJ News Portal, accessed at: https://www.stj.jus.br/sites/portalp/paginas/comunicacao/noticias/2026/13022026disponibilizacao-nao-autorizada-de-dados-pessoais-nao-sensiveis-em-cadastropositivo-nao-gera-dano-moral-presumido.aspx
FLAVIA M. MURAD SCHAAL
&
DEYSE ALCANTARA DE LIMA
Cybersecurity regulation in Greece is largely shaped by European Union legislation, most notably Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive) (1). Greece implemented the Directive through Law 5160/2024 (2), which establishes a comprehensive national framework for cybersecurity risk management, incident reporting, and supervisory oversight.
The objective of the framework is to enhance the resilience of critical infrastructure and essential services, while strengthening cooperation between public authorities and private operators in preventing and responding to cybersecurity incidents. Cybersecurity obligations in Greece also interact with other areas of regulation, including data protection, digital governance, and sector-specific EU legislation.
The cornerstone of cybersecurity regulation in Greece is Law 5160/2024, which transposes the Directive (EU) 2022/2555 into national law. The law expands the scope of regulated entities and applies to both “essential” and “important” entities operating in sectors such as energy, transport, health, digital infrastructure, and public administration (3).
Entities falling within the scope of the law are required to implement appropriate technical and organisational measures to manage cybersecurity risks affecting their network and information systems (4). These measures include, among others, incident handling procedures, business continuity arrangements such as backup management and disaster recovery, and supply-chain security measures (5).
The law also establishes incident notification obligations, requiring entities to report significant cybersecurity incidents to the competent authorities within specific timelines (6). In addition, management bodies are responsible for approving cybersecurity risk-management measures and overseeing their implementation, and must ensure that adequate cybersecurity governance mechanisms are in place (7).
Non-compliance with these obligations may result in administrative sanctions and supervisory measures imposed by the competent authorities (8).
Further technical and organisational requirements are specified through secondary legislation and implementing acts issued under Law 5160/2024 (9), which define minimum security measures and compliance procedures for regulated entities.
Cybersecurity policy and supervision in Greece are coordinated by the National Cybersecurity Authority (NCSA), operating under the Ministry of Digital Governance. The Authority supervises entities falling within the scope of cybersecurity legislation, coordinates national incident response mechanisms, and participates in European cooperation structures established under the NIS2 framework.
The NCSA also contributes to the development and implementation of the National Cybersecurity Strategy, which sets the strategic priorities for strengthening cyber resilience and protecting critical infrastructure in Greece.
*****
(1) Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive)
(2) Greek Law 5160/2024 implementing Directive (EU) 2022/2555
(3) Art. 3–4 of Law 5160/2024 defining the scope of application and categories of essential and important entities.
(4) Art. 21 of Law 5160/2024 establishing cybersecurity risk-management obligations.
(5) Art. 21(2) of Law 5160/2024 listing indicative cybersecurity risk-management measures.
(6) Art. 23–24 of Law 5160/2024 on incident reporting obligations.
(7) Art. 20 of Law 5160/2024 regarding management body responsibilities for cybersecurity risk management.
(8) Art. 34–36 of Law 5160/2024 on supervisory measures and administrative sanctions.
(9) Implementing acts and ministerial decisions adopted under Law 5160/2024 establishing minimum cybersecurity requirements
GEORGE BALLAS
&
NIKOLAOS PAPADOPOULOS
Cybersecurity in India is governed by a combination of primary legislation, subordinate rules, executive directions, and policy instruments, collectively administered by the Ministry of Electronics and Information Technology, India. The principal obligations arise under the Information Technology Act, 2000 (the “IT Act”). Obligations also arise under India’s newly notified data protection laws, the Digital Personal Data Protection Act, 2023 (“DPDP Act”), and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”).
National Cyber Security Policy, 2013
India’s National Cyber Security Policy, 2013 provides the overarching strategic framework for cybersecurity. Although not legally binding, it guides government initiatives and sector-specific regulations. The key objectives of this policy include protection of critical information infrastructure, development of incident response capabilities, promotion of public-private collaboration, and creation of a secure cyber ecosystem.
Cybersecurity Safeguards to be Instituted
Controllers that process personal data (or delegate such processing to processors) must protect personal data in their possession or under their control by taking reasonable security safeguards to prevent personal data breaches. The measures to be taken include encryption, obfuscation or masking, and maintenance of logs as prescribed. (1) The DPDP Act requires strict compliance with security safeguards, and violations could expose data fiduciaries (controllers) and processors to penalties of up to USD 27 million (approximately). (2)
Criminal and Civil Penalties for Cyber Offences
Under the IT Act, carrying out actions impacting computers and computer systems (such as unauthorised access, copying or extraction of data, introduction of malware, denial-of-service attacks, etc.) renders the persons involved liable to pay damages to those affected by such actions. Such persons may also face criminal liability under the IT Act. (3)
Breach of Confidentiality
Section 72-A of the IT Act creates criminal liability for disclosure of information obtained under lawful contract without consent and with intent to cause wrongful loss or gain.
CERT-In as National Agency
Section 70-B establishes the Indian Computer Emergency Response Team (“CERT-In”) as the national nodal agency for cyber security incident response and authorises it to issue directions. CERT-In issues various guidelines and advisories on cybersecurity, from time to time.
Incident Reporting and Other Requirements
CERT-In has, under its directions dated April 28, 2022, mandated a six (6) hour reporting requirement in respect of certain identified cybersecurity incidents. Failure to comply may attract penalties extending up to Rupees One Crore (INR 1,00,00,000/-, or approximately 1,08,200 USD), under the IT Act. (4)
Organisations are also mandatorily required to enable logs of all their information and communications technology systems and maintain them securely for a rolling period of 180 days within India. These should be provided to CERT-In along with reporting of any incident or when ordered/directed by CERT-In.
Sectoral Regulators
The Reserve Bank of India, which regulates the banking sector, has issued a cybersecurity framework (5) mandating banking institutions to adopt a board-approved cybersecurity policy, establish a security operations centre (SOC) for threat monitoring, and to implement a board-approved cyber crisis management plan in addition to CERT-In requirements and BCP/DR requirements.
Similarly, cybersecurity and cyber resilience frameworks have been prescribed by the Securities and Exchange Board of India (“SEBI”) for listed entities (6) and by the Insurance Regulatory and Development Authority of India (“IRDAI”) for insurers. (7) They generally require regulated entities to establish a board-approved cybersecurity policy and to designate an information security officer, or a similar role, responsible for implementing the cybersecurity framework.
Conclusion
Cybersecurity in India is governed by a layered regulatory framework combining statutory acts, rules, executive directions, and policies. The IT Act establishes baseline liability and enforcement powers; the SPDI Rules impose privacy-linked security requirements; the DPDP Act will soon enforce a regime for protection of digital personal data with significant penalties for non-compliance; and the CERT-In Directions mandate rapid incident reporting and operational controls.
*****
(1) Rule 6 of the DPDP Rules. Further, under Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), which remain in force until May 2027, when the DPDP Rules will come into full effect, implementation of documented information security programmes incorporating managerial, technical, operational, and physical safeguards is mandatory when processing sensitive personal data or information. Compliance with IS/ISO/IEC 27001 or equivalent standards is recognised as satisfying this requirement.
(2) Schedule to the DPDP Act.
(3) Sections 44 to 66 of the IT Act.
(4) Section 70-B (7) of the IT Act.
(5) RBI Cyber Security Framework in Banks dated June 2, 2016.
(6) Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) dated August 20, 2024.
(7) IRDAI guidelines on Information and Cyber Security for Insurers vide circular no. IRDAI/IT/GDL/MISC/082/04/2017 dated April 7, 2017.
SIDDHARTHA GEORGE
&
HARINI SUDERSAN
&
VIBHUTI TYAGI
Mexico has established itself as one of the main targets of cyberthreats in Latin America, ranking third in the region in terms of impact from the Lumma Stealer. The current landscape reveals significant vulnerability to credential theft, phishing, and nation-state espionage, particularly from China-linked actors.
At the regulatory level, the country is going through a critical transition: from a fragmented legal framework lacking a “Framework Law” on cybersecurity, to a strategic institutionalization projected for 2026. The institutional strengthening, led by the maturation of the CERT-MX and the imminent creation of a National Cybersecurity Agency (ANC), seeks to align Mexico with international standards (USMCA, NIS2) and establish severe sanctions for negligent entities. Cryptography already plays a mature role in tax and judicial sectors, laying the groundwork for a more robust digital modernization.
Mexico aims to become a regional leader in cybersecurity through the implementation of the National Cybersecurity Plan 2025–2030 (1). This strategic roadmap focuses on protecting digital assets, strengthening federal institutions, and fostering international cooperation to transform the country into a reference for digital governance in Latin America and the Caribbean.
Threat Landscape and Risk Actors
The Mexican digital ecosystem faces constant challenges due to its strategic position and level of digitalization. The threats are mainly divided into common criminality and state intelligence activities.
Prevailing Threats
- Malware and Infostealers: Mexico is the tenth most affected country worldwide by Lumma Stealer (LummaC2) malware. Between March and May 2025, 9,634 Windows devices were impacted (2).
- Credential Theft: Considered one of today’s biggest concerns, driven by data breaches and specialized malware.
- Ransomware and Phishing: Recurring tactics aimed at both citizens and public and private organizations.
Nation-State Activity: Mexico is on the intelligence radar of foreign state actors, with nine confirmed activity events. Of note are operations by Chinese actors, focused on:
- Espionage.
- Collection of proprietary information.
- Pursuit of economic competitive advantage.
- Legal and Regulatory Framework
Currently, Mexico does not have a single law specialized in cybersecurity. However, the legal structure is supported by various existing legal systems and ongoing reforms.
Related Legislation:
- Mexican Constitution (Art. 6 and 16): the basis of the rights to privacy and data protection.
- Advanced Electronic Signature Act (2012): grants the advanced electronic signature the same legal validity as a handwritten signature.
- LFPDPPP (3) / LGPDPPSO (4): regulate data protection in the private and public sectors, respectively.
- Commercial Code: validates electronic transactions and regulates digital certificates.
- Federal Tax Code: rules for digital seals and tax collection administered by the SAT.
The Road to a General Law: Approval of a federal cybersecurity law is considered imminent, driven by pressure from the USMCA and European directives.
- Colosio-Trasviña Initiative: Proposes the creation of the National Cybersecurity Agency (ANC) as an autonomous coordinating body.
- 2025 Updates: Data protection laws now impose stricter technical duties and mandatory breach notification within short timeframes.
- Talent and Culture Development: To address the specialist shortage, the plan creates the Federal Virtual Academy and the “APF Cibersegura” program to provide mandatory training and awareness for public servants. It also recommends a National Cybersecurity Scholarship Program and standardizing academic offerings in coordination with the Ministry of Education.
- Critical Infrastructure Protection: Mexico will develop a National Catalog of Critical Infrastructure and Essential Services. This allows the government to assign differentiated protection resources and perform periodic cyber drills to ensure the resilience of vital sectors like electricity, water, and health.
- Applications of Cryptography in Strategic Sectors
Cryptography is the technological tool with the most robust and widespread regulation in the country.
- Tax Sector (SAT): Pioneer in the use of digital signatures for the Internet Digital Tax Receipt (CFDI, the electronic invoice) and digital seals.
- Judicial Sector: Use of the Certified Electronic Signature (FIREL) in Federal Courts.
- Social Security: The IMSS and INFONAVIT use the digital signature for benefit procedures and social security actions.
- Advanced Research: Institutions such as CINVESTAV, IPN and INAOE develop lines in quantum and post-quantum cryptography.
- Emerging Trends: Security research on outsourced databases (DaaS) and vehicular ad hoc networks (VANETs).
- Punitive Strengthening and Sectoral Regulation
The Mexican State has launched a “punitive vanguard” through reforms to the Federal Criminal Code to deter cybercrime.
Key Penal Reforms
- Sabotage: Illicit access to or modification of State systems is treated as a threat to national security, with penalties of 5 to 10 years in prison.
- Identity Usurpation: The new Article 430 of the Federal Criminal Code punishes digital impersonation with 3 to 10 years in prison, aggravated if artificial intelligence (deepfakes) is used or if the victims are minors or older adults.
Sectoral Progress
- Financial Sector (CNBV, the National Banking and Securities Commission): From June 2024, banks must implement two-factor authentication (2FA) and fraud management plans. Non-compliance creates direct financial liability for the institution.
- Telecommunications: Implementation of a General Cybersecurity Policy with mandatory standards for critical infrastructures.
- International Cooperation and Foresight 2026
Mexico has strengthened its international position by adopting the UN Convention against Cybercrime (2024-2025), facilitating mutual legal assistance.
Operational Milestones
- CERT-MX: In September 2025, the National Guard response team certified its maturity under the SIM3 model, attesting to its capacity to support the protection of critical infrastructure.
- Coordinated Defense: Joint actions between Microsoft and local agencies to dismantle malicious infrastructure such as botnets and cracked copies of Cobalt Strike.
The primary foreign entities and international organizations with which Mexico will collaborate are:
Regional Organizations (Latin America and the Caribbean)
- LAC4 (Latin American and Caribbean Cyber Competence Centre): Mexico formalized its accession in February 2026 to access advanced technical training and digital forensics laboratories. This centre serves as a primary regional forum for knowledge exchange and includes a specialized cyber range.
- CSIRT Américas (OAS/CICTE): Through the Inter-American Committee against Terrorism of the OAS, Mexico plans to fully integrate in 2026 for the 24/7 exchange of alerts regarding cyber threats and exposed credentials.
- Red Ciberlac: A network promoted by the Inter-American Development Bank (IDB) aimed at strengthening regional excellence and cybersecurity capacity.
- EU-LAC Digital Alliance: Participation in high-level policy dialogues and technical cooperation funded by the European Union under the “Global Gateway” strategy, covering areas such as cyber diplomacy and critical infrastructure protection.
Global and Technical Entities
- FIRST (Forum of Incident Response and Security Teams): Mexico aims to join this premier global incident response network in 2027. This will allow the adoption of international standards like the Traffic Light Protocol (TLP) for handling sensitive information and the Common Vulnerability Scoring System (CVSS).
- ITU (International Telecommunication Union): Close collaboration to align with the technical implementation guides and the five pillars of the Global Cybersecurity Index (GCI).
- EU CyberNet: A European Union initiative that provides technical support and financing for regional initiatives such as LAC4.
Multilateral Organizations (Technical and Financial Support)
- Inter-American Development Bank (IDB): The IDB provided direct technical support in creating the National Cybersecurity Plan. It remains a source for technical assistance and regional strengthening.
- World Bank Group (WBG): A source of technical assistance and economic studies regarding the impact of cybersecurity on emerging markets.
Projection to 2026
It is anticipated that by 2026 the grace periods of the new regulations will end, marking the start of real sanctions, linked to a percentage of global turnover, for companies that prove negligent in protecting their digital assets.
FIFA World Cup 2026: Because the tournament is hosted by Canada, the United States, and Mexico, the Digital Transformation and Telecommunications Agency (ATDT) will coordinate cybersecurity protocols with these countries to protect critical infrastructure, hotel services, and digital platforms associated with the event.
*****
(1) National Cybersecurity Plan 2025–2030, Published Dec. 2025. https://www.portal.atdt.gob.mx/wp-content/uploads/2026/01/Plan_Nacional_de_Ciberseguridad-2.pdf
(2) Microsoft Digital Defense Report 2025: Government-Executive-Summary (Oct. 2025)
(3) LFPDPPP: (Ley Federal de Protección de Datos Personales en Posesión de Particulares), Federal Law on the Protection of Personal Data in Possession of Private Parties (2025)
(4) LGPDPPSO: (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados), General Law on the Protection of Personal Data in Possession of Obligated Subjects (2025)
RUBÉN G. SOTELO PANIAGUA
Portugal has recently transposed Directive (EU) 2022/2555 (NIS2 Directive) into national law, thus modernizing its cybersecurity regulatory framework (Decree-Law No. 125/2025 of 4 December). This forms part of the broader European effort to ensure a high common level of cybersecurity across the EU in response to the increasing sophistication of cyber threats and the growing dependence of modern economies on digital infrastructures and information systems.
The Portuguese framework reflects the European shift toward a risk-based and governance-driven cybersecurity model. By expanding the number of entities subject to cybersecurity obligations and strengthening institutional oversight, the framework aims to reinforce the resilience of critical services and promote a more structured approach to cybersecurity risk management across both the public and private sectors.
A broader cybersecurity framework
The newly introduced regime, in force from April 2026, represents a structural evolution in the regulation of cybersecurity in Portugal. The previous legal framework focused primarily on operators of essential services and digital service providers. The new regime significantly expands its scope to include a broader set of entities whose activities are considered relevant to the functioning of society and the economy.
The legislation adopts a preventive approach centered on cybersecurity risk management. Organizations are required to implement appropriate technical, operational and organizational measures designed to protect their information systems, prevent cybersecurity incidents and ensure effective response mechanisms when incidents occur. In practice, cybersecurity is increasingly framed not merely as a technical issue but as an integral component of organizational governance and operational resilience.
Expanded scope
One of the most significant innovations introduced by the new framework is the expansion of the entities covered by cybersecurity obligations, distinguishing between essential entities, important entities, and relevant public entities.
Essential entities include organizations operating in sectors considered critical to the functioning of the economy and society, such as energy, transport, healthcare, banking and financial services, and digital infrastructure. Important entities include organizations operating in sectors such as postal and courier services, waste management, manufacturing industries and various digital services, including online platforms.
The application of the regime generally follows a size-based criterion and therefore primarily targets medium-sized and large companies. However, certain entities may fall within the scope of the regime regardless of their size where the nature of their activities is considered particularly critical. The new framework also extends to a significant portion of the Portuguese public administration, reinforcing cybersecurity obligations across public institutions.
Institutions Responsible for Cybersecurity in Portugal
At the institutional level, the new framework reinforces the national governance structure responsible for cybersecurity oversight. The National Cybersecurity Centre (Centro Nacional de Cibersegurança – CNCS) is confirmed as the national cybersecurity authority and assumes strengthened powers in the areas of regulation, supervision, incident coordination and international cooperation.
Strategic coordination of cybersecurity policy is ensured by the Superior Council for Cyberspace Security (Conselho Superior de Segurança do Ciberespaço – CSSC), which is responsible for coordinating national public policies relating to cyberspace security.
In addition, the Security Assessment Commission (Comissão de Avaliação de Segurança – CAS) plays an important role in assessing equipment and services related to electronic communications networks that may pose risks to national interests. Where technologies are considered to present high security risks, the Government may impose restrictions on their use.
Risk Management and Incident Notification
The new legal framework introduced reinforced cybersecurity obligations for covered entities. Organizations must implement technical, operational and organizational measures proportionate to the risks they face. These measures include incident management procedures, mechanisms to ensure supply chain security, the use of cryptographic solutions where appropriate, access control systems and the adoption of cyber-hygiene practices designed to strengthen organizational resilience against cyber threats.
A particularly important innovation concerns the direct accountability of management bodies. Management and governing bodies are now responsible for approving and overseeing cybersecurity risk management measures within their organizations. Members of these bodies may incur liability for acts or omissions committed with intent or through gross negligence in the performance of their cybersecurity governance responsibilities.
The legislation also establishes a structured incident notification system. Entities must report incidents with significant impact to the CNCS through an initial notification within 24 hours after becoming aware of the incident. This notification must be followed by an update within 72 hours as additional information becomes available. A final report must then be submitted within 30 business days after the end of the incident’s impact, providing a comprehensive description of the incident, its consequences and the measures implemented to mitigate its effects.
Supervisory and Sanctions Regime
The supervisory model follows a dual approach based on the principle of proportionality. Essential entities are subject to a more demanding supervisory regime that may include inspections, audits and preventive oversight measures. Important entities are generally subject to ex post supervision, meaning that supervisory intervention typically occurs following incidents or indications of non-compliance.
To ensure the effectiveness of the regime, the legislation also strengthens the sanctions framework. Failure to comply with cybersecurity obligations, including incident notification requirements or risk management duties, may result in administrative fines. In the case of very serious offences committed by essential entities, penalties may reach up to €10 million or 2% of the entity’s total worldwide annual turnover, whichever is higher.
Conclusions
The adoption of Decree-Law No. 125/2025 represents a decisive step in consolidating the legal framework for cybersecurity in Portugal. The new regime adopts a more comprehensive, preventive, and demanding approach, strengthening the obligations of both public and private entities while promoting greater accountability in the management of digital risks.
For organizations operating in Portugal, cybersecurity compliance increasingly requires structured risk management processes, incident preparedness and oversight at the highest levels of management. More broadly, this legislative development contributes to strengthening the resilience of national critical infrastructures while positioning Portugal as an active participant in the construction of a safer, more reliable and more resilient European digital environment.
*****
JOÃO G. GIL FIGUEIRA
The Cybersecurity Act 2018 (Act) is Singapore’s primary cybersecurity legislation. It establishes the framework for the management of cyber threats, regulates certain cybersecurity services, and designates the Cyber Security Agency of Singapore (CSA) as the national cybersecurity regulator.
Critical Information Infrastructure
The Commissioner of Cybersecurity (i.e., the head of CSA) may designate a computer system as critical information infrastructure (CII) where the system is essential to the continuous delivery of an essential service (such as telecommunications, healthcare, banking and finance, and energy), and its loss or compromise will have a debilitating effect on the availability of such essential service in Singapore. (1)
Importantly, a system can be designated as CII even if it is located outside Singapore, provided it is critical to the delivery of an essential service in Singapore. The designation is effective for 5 years, although it can be withdrawn or extended.
Designated CII systems are subject to heightened cybersecurity oversight. Owners must comply with requirements such as providing technical information to regulators, conducting regular cybersecurity audits and risk assessments, and reporting certain cyber incidents.
Where a CII system is owned by a third party, the provider of the essential service may still be held responsible for ensuring that the system meets regulatory requirements and prescribed cybersecurity standards.
Systems of Temporary Cybersecurity Concern
Where a computer system faces a high but temporary cybersecurity risk, and its loss or compromise would have a serious detrimental impact on Singapore’s national security, defence, foreign relations, economy, public health, public safety, or public order, the Commissioner of Cybersecurity may designate it as a system of temporary cybersecurity concern. Such designation is for 1 year, unless withdrawn or extended. (2)
Systems designated as temporary cybersecurity concerns are subject to similar obligations to those imposed on designated CII systems.
Cybersecurity Service Providers
The provision of managed security operations centre monitoring service and penetration testing service requires a cybersecurity service provider licence (CSP Licence) issued by the Cybersecurity Services Regulation Office. (3)
To obtain a CSP Licence, the applicant must be fit and proper, including having no convictions or adverse civil judgments involving fraud, dishonesty, or breach of fiduciary duty, and not being subject to liquidation or winding up proceedings.
*****
(1) Act, Secs. 7 and 16A.
(2) Act, Sec. 17.
(3) Act, Sec. 24.
WINNIE CHANG
Sweden has taken a decisive step toward strengthening national digital resilience with the Cybersäkerhetslag (2025:1506), in force since 15 January 2026. Rooted in the EU’s NIS2 Directive, the new law reshapes how public authorities and key private operators manage cyber risk. As digital systems increasingly support critical societal functions, the Act sets a modern baseline to protect the availability, integrity, and confidentiality of essential information systems.
Why the Law Matters
The Cybersecurity Act aims to establish a high and uniform level of cybersecurity across Swedish society. Cyber incidents, whether caused by hostile actors, system failures, or supply-chain vulnerabilities, can disrupt public order, erode trust in digital services, and cause economic harm. The law therefore mandates that organizations adopt proactive and strategic security measures rather than relying on reactive responses.
At the core of the Act is the protection of “network and information systems,” defined as electronic communications networks and devices performing automated data processing. The goal is to secure the digital backbone on which both public administration and Sweden’s innovation‑driven economy depend.
A National Implementation of the NIS2 Directive
The new law transposes the EU NIS2 Directive (2022/2555). Like all Member States, Sweden must align its national rules with the EU goal of a “high common level of cybersecurity.” But Sweden has made several distinct national choices that expand obligations beyond the EU minimum:
- All state authorities, municipalities, and regions are explicitly included, broadening NIS2’s baseline scope;
- If an organization performs a regulated activity (e.g., producing medical devices), its entire IT environment must comply, not only the systems linked to the critical service;
- A clear legal process is introduced for banning managers from leadership roles (for one to three years) in cases of gross negligence or intent;
- Private educational providers are also included, although this is not mandatory under NIS2.
These choices reflect Sweden’s ambition to create a more comprehensive national cybersecurity regime.
Who Must Comply?
The Cybersecurity Act applies to a broad group of entities whose failure would affect society or critical services. Covered entities include:
- National authorities making decisions affecting the movement of goods, services, people, or capital;
- Municipalities, regions, and their associations;
- Private companies established in Sweden that meet the size thresholds (medium-sized or larger);
- Certain providers regardless of size, including public electronic communications networks, qualified trust service providers, cloud computing, data centres, content delivery networks and digital infrastructure.
Essential vs. Important Operators
The law distinguishes between Essential Operators, which include all state authorities, municipalities, regions, and large companies in NIS2 Annex I sectors (energy, transport, health, digital infrastructure, etc.), and Important Operators, which are the remaining entities covered by the Act that do not qualify as essential. This classification determines the level of supervision and the potential penalties.
Obligations for Operators
Essential and Important Operators must comply with obligations covering risk management, security measures, management accountability and training. Operators must implement appropriate and proportionate technical, operational, and organizational measures. The Act requires an “all hazards” approach covering cyberattacks, physical incidents, supply-chain risk, cryptography, and continuity planning.
Cybersecurity must also be embedded at leadership level (including board level). Management teams must undergo mandatory training, and in severe breaches caused by negligence or intent, individuals can be temporarily banned from management roles, especially at Essential Operators.
All entities within the scope of the Cybersecurity Act must register with the Myndigheten för civilt försvar (MCF), which opened its central portal on 2 February 2026. Registration includes sector classification and operator status (Essential or Important).
Supervision and Enforcement
A series of sector‑specific Supervisory Authorities enforce compliance, including: Energimyndigheten, for energy; Transportstyrelsen, for transport and vehicle manufacturing; Finansinspektionen, for banking and financial infrastructure; IVO, for healthcare providers; Läkemedelsverket, for medical products and devices; Livsmedelsverket for drinking water, wastewater, food production; Post- och telestyrelsen (PTS), for digital infrastructure, space, postal services; and County Administrative Boards for waste management, research, public administration, manufacturing (chemical, electronics, electrical equipment).
Essential Operators face regular audits, while Important Operators are supervised when there is reason to suspect non-compliance. Authorities may request documents, conduct inspections, and access premises directly linked to the operator’s activities.
Penalties and Sanctions
The Act introduces substantial administrative fines:
- Essential Operators – up to 2% of global annual turnover or €10M (whichever is higher)
- Important Operators – up to 1.4% of global annual turnover or €7M (whichever is higher)
- Public authorities – capped at 10 million SEK
Severe cases may result in management prohibitions.
Interaction with DORA
For financial-sector entities governed by the Digital Operational Resilience Act (DORA), the principle of lex specialis applies: DORA takes precedence for operational resilience, incident reporting, and security measures. Financial entities covered by DORA are therefore exempt from the security and reporting obligations of the Cybersecurity Act, but must still register with the MCF so that sector-wide oversight is preserved. This prevents dual regulation while maintaining national situational awareness.
Conclusion
Sweden’s Cybersecurity Act marks a significant evolution in national cyber governance. By combining EU‑level harmonization with ambitious national extensions, it strengthens the resilience of both public institutions and private operators. The message is clear: in a digital society, cybersecurity is a fundamental prerequisite for stability, trust, and continued economic growth.
*****
KATARINA BOHM HALLKVIST
&
ANDRES ALMA