Mexico Mandates Zero Trust Across Federal Agencies


Mexico’s Digital Transformation and Telecommunications Agency (ATDT) has formalized the General Cybersecurity Policy for the Federal Public Administration, mandating the adoption of a Zero Trust architecture across federal entities. The new regulatory framework systematizes the protection of critical infrastructure following the registration of 324 billion attempted cyberattacks in 2024.

The shift toward continuous verification reflects the need to mitigate vulnerabilities across essential public services. “The General Cybersecurity Policy establishes the foundations to protect critical infrastructure, ensure the continuity of public services, and safeguard citizens’ digital rights and personal data,” the policy states in the agreement published in the Official Journal of the Federation (DOF).

Mexico’s accelerating digitalization of government processes has significantly expanded the attack surface for advanced persistent threats and ransomware. Past incidents affecting institutions such as Petróleos Mexicanos and the Ministry of Economy underscored the urgency of moving beyond traditional perimeter-based security models in favor of defense-in-depth approaches. The scale of threats recorded in 2024 positions Mexico as a primary target for malicious cyber activity in the region.

The legal framework for the policy is grounded in Articles 6 and 42 Ter of the Organic Law of the Federal Public Administration. Under the regulation, José Antonio Peña Merino, head of the Digital Transformation and Telecommunications Agency, is vested with the authority to define information and communications security protocols. The policy seeks to standardize technical and administrative responses to incidents that threaten technological sovereignty.

Implementation is structured around eight strategic pillars, with a strong emphasis on risk management, supply-chain security, and the principle of cybersecurity by design. This approach requires that all new government technology projects integrate security controls from the planning stage, reducing reliance on reactive measures after deployment.

To execute the policy, the government consolidated two specialized entities:

  • National CSIRT-APF: A coordination center responsible for technical response and recovery from strategic cyber incidents. Federal entities must report critical incidents within 24 hours.

  • Federated National CSOC: A 24/7 security operations center tasked with continuous monitoring and real-time threat detection across federal systems.
     

The policy also introduces a Cyber Maturity Model comprising five levels, designed as an audit and diagnostic tool to progressively strengthen institutional capabilities. Each federal entity must designate an institutional cybersecurity lead (titular institucional en materia de ciberseguridad), responsible for developing and overseeing an annual cybersecurity plan.

In addition, the regulation extends its scope to third parties and cloud service providers, requiring audit clauses and minimum security standards in software procurement and contracting. Compliance is mandatory across the federal public administration, with specific exemptions for the Ministry of Defense, the Ministry of the Navy, and the National Intelligence Center in matters related to national security.

Following the policy’s entry into force, the ATDT has 180 days to issue the technical guidelines and official formats governing the implementation of this national cybersecurity framework.




