The main players in Mexico's telecommunications market comprises main players are Telcel (América Móvil), AT&T, and Telefónica. 

Other important players include Megacable, Totalplay (Grupo Salinas), and Grupo Televisa, which offer fixed phone, internet, and Pay TV services.

Telcel leads the mobile segment with an estimated 55% market share, followed by AT&T with 15%, Movistar with 14.2%, and various Mobile Virtual Network Operators ("MVNOs") collectively holding 15.9%. In the fixed broadband segment, Telmex has seen a decline in market share, while Megacable, Totalplay, and Izzi  (Grupo Televisa) have gained ground, driven by aggressive promotions and substantial investments in fiber-optic infrastructure. Fiber broadband is experiencing strong growth, with Mexico emerging as a regional leader in expanding access through this technology.

On the mobile front, Mexico continues to show steady growth in mobile broadband penetration and the deployment of 4G and 5G networks, with a strong focus on smartphone-based internet access.

Mexico has begun the rollout of 5G networks, primarily in major urban areas. While progress has been made, full nationwide coverage remains a long-term goal. The deployment has been driven by private operators, and regulatory efforts are underway to support spectrum availability and infrastructure sharing including:

• Fiber-Optic Expansion: There has been significant growth in fiber-optic deployment, particularly in the fixed broadband segment. Operators such as Totalplay, Megacable, and Izzi have aggressively expanded their fiber networks, challenging Telmex's traditional dominance. This expansion has led to faster internet speeds and improved service quality.
• Mobile Penetration and Broadband: Mobile broadband penetration continues to increase steadily. 4G remains the dominant technology nationwide, though 5G is gaining ground. Smartphone usage is the primary means of accessing the internet for a majority of the population, particularly in lower-income segments.
• Satellite Services and IoT: Satellite connectivity is gaining relevance in rural and hard-to-reach areas, particularly through public initiatives and international partnerships. In parallel, the Internet of Things (IoT) is emerging in sectors such as manufacturing, logistics, agriculture, and smart cities, though widespread adoption is still in early stages.
• Infrastructure Investment and Market Consolidation: Continued investment in digital infrastructure is essential, especially in underserved regions. While major players dominate, there is increasing interest from smaller operators and MVNOs, creating a more competitive landscape. However, market consolidation remains a possibility, especially as companies seek economies of scale and improved efficiency.
• Regulatory Challenges: The sector faces challenges in terms of regulatory certainty, spectrum management, and infrastructure deployment permits. Efforts are ongoing to reduce red tape and encourage investment, especially in rural and low-income areas.

In summary, the Mexican ICT sector is advancing in areas like fiber-optic deployment, mobile broadband, and early 5G and IoT implementation. Nonetheless, ensuring equitable access and fostering innovation remain key priorities for both the private and public sectors.

The main bodies of law that regulate telecommunications in Mexico are the Federal Telecommunications and Broadcasting Law, the Federal Constitution, as well as privacy laws.

Additionally, technical regulations are in place to regulate conformity assessments, satellite services, cooperation with law enforcement, and other sector-specific issues.

The main regulators are the Agency for Telecommunications and Digital Transformation, which sets broad public policy, and the Telecommunications Regulatory Commission, which serves as the technical regulator, although it also participates in certain policy initiatives. Both the Agency and the Commission form part of the federal executive branch. In addition, the National Antitrust Commission oversees competition matters in the telecommunications sector.

To obtain a license (concession) for the commercial use of any telecommunications and/or broadcasting service, it is necessary to submit a request to the Telecommunications Regulatory Commission (“TRG”). This request must include: the general information of the interested party (e.g., incorporation deed, legal representative information, tax ID, address, among others); a description of the project to be developed (including the individuals involved); the means of transmission (indicating whether they are owned or leased); documentation evidencing the applicant’s financial, administrative, legal, and technical capacity; a description of any foreign investment involved; and the initial coverage program, among other requirements.

MVNOs require a Reseller Authorization, which is substantially similar to the concession but more limited in scope. 

Note: For the authority to review the request and its supporting documentation, an initial fee must be paid.

To address this question, it is important to draw a distinction. Foreign investment is allowed up to 100% in activities related to telecommunications services, including the use of authorized frequencies. However, in broadcasting activities, foreign ownership is limited to a maximum of 49%. Additionally, within this limit, a reciprocity requirement applies: the investor’s country of incorporation—or that of the ultimate controlling economic agent, whether direct or indirect—must grant Mexican investors equivalent rights.

Telecommunications service concessionaires for commercial or social use shall freely set the rates for users of the services they provide, except for the dominant economic agent. However, the rates must be registered before the relevant authority.

Correct. Any intended change of control to be made by the permit, authorization or concession holders must be notified before the TRG.

The notice before TRG must be signed by a legal representative (attorney-in-fact) duly authorized to act on behalf of the holder company. It must include corporate reports, a detailed explanation of the transaction involved pertaining to the change in the corporate structure and supporting documentation, and proof of payment of the applicable government fees.

Each license holder must contribute to the universal service. Each license will contain the specific contributions to be fulfilled. 

These obligations will be determined each year by the Ministry of Communications and Transportation. The main obligations consist of obligation to provide telecommunications and broadcasting services continuously, efficiently, and with quality, as well as to make the necessary investments to expand geographical, population, and social coverage.

All telecommunications concessionaires are obligated to interconnect their networks with those of other concessionaires. Interconnection and access must be provided under non-discriminatory, transparent, and cost-oriented terms. Operators must negotiate in good faith and respond to interconnection requests within statutory deadlines. The dominant operator (America Movil-Telmex-Telcel) is obligated to provide zero-termination rates. 

No, concessionaires and authorized providers offering Internet access services must comply with the general guidelines issued by the TRG for this purpose, which follows the following principles: Free choice, non-discrimination, privacy, transparency and information, traffic management, and quality.

In Mexico, the administration and management of the radio spectrum is the responsibility of the TRG, which is in charge of its planning, regulation, and allocation through public tenders or direct assignment, always seeking efficient use, competition, and the public interest, in accordance with the law and international treaties.

In Mexico, high-demand mobile frequencies are allocated through public tenders conducted by the TRG. The process consists of several stages, beginning with expressions of interest, followed by the evaluation of interested parties, the submission of bids and auction, and finally the issuance of certificates, payment of consideration, and granting of concession titles.

Yes, the applicable law regulates the leasing and assignment of frequency spectrum held under concessions. Please note that prior authorization from the TRG is required for such transactions.

In Mexico, the installation of telecommunications infrastructure requires authorizations and registration at both the national level, which are granted by the TRG and other federal agencies, and at the municipal level, specifically for land use and construction permits. The process can be complex, involving authorization for network use, service concessions, and specific permits from each municipality for the physical installation of structures, as well as compliance with federal and local environmental laws. 

The Federal Telecommunications and Broadcasting Law, in addition to specific rulings issued by the TRG, and specific technical and municipal regulations for each type of structure, addresses urban planning, land use, and building permits.

It is important to mention that if a company intends to make real estate available to concessionaires for the installation of infrastructure, it must request registration in the National Infrastructure Information System before the TRG. 

Regulations include the Federal Telecommunications and Broadcasting Law and the Guidelines for the Deployment, Access, and Shared Use of Telecommunications and Broadcasting Infrastructure issued by the TRG.

These guidelines seek to encourage the efficient sharing of existing infrastructure, such as towers, ducts, and cabling, to promote competition and the deployment of new services in the country.

Yes. In addition to the usual telecommunications concession, submarine cable projects require landing permits issued by the Federal Environment Ministry, in addition to the beachside construction permit required by applicable state and municipal law.

To obtain a satellite services license, you must be a Mexican citizen or company, apply to the TRG in accordance with the requirements of the law, and obtain a concession from the TRG to occupy orbital positions or exploit frequency bands. The specific licensing requirements vary depending on the type of constellation (geostationary or other orbits), the type of service to be offered, such as fixed, mobile, or broadband, and satellite operators only work with those who already have a public network concession or a corresponding permit.

Yes, authorizations from the TRG are required to install and operate transmitting and some receiving ground stations in Mexico. However, there are exceptions, such as receiving stations operating only in the 3.7-4.2 GHz band, which can be voluntarily registered without prior authorization to operate.

Yes, direct satellite communication with devices is regulated through the Federal Telecommunications and Broadcasting Law and the Satellite Communication Regulations, which establish the use and operation of satellite systems through the TRG, which grants the necessary concessions.

Yes, under local telecommunications jurisdiction, certain devices must carry out the Homologation procedure before the TRG prior to any use of the bandwidth. 

As a result of the said homologation process, TRG will issue a Homologation Certificate with the relevant power and bandwidth restrictions.

The Mexican audiovisual market is experiencing an economic and production boom, driven by growing investment, especially in content for streaming platforms. It has established itself as a production hub in Latin America, attracting investment due to its infrastructure, talent, and strategic location. However, traditional broadcast television consumption has declined, while consumption of content on internet platforms continues to rise.

The main players include the following: 

Free-to-air TV: 

• Televisa
• Tv Azteca 
• Streaming platforms: 
• Netflix
• Youtube
• Amazon Prime Video 

Pay TV: 

• Sky 
• Cablevision

Please find below an approximate market share to date: 

• Traditional broadcasting (free-to-air television/broadcast): this remains the dominant mode in terms of viewing hours. Examples: ~32-38% of the television audience in certain months.
• OTT/streaming platforms: these already have a significant share, estimated at around 20-25% of viewing time in the latest data.
• Pay TV: has a smaller share in terms of viewing time (e.g., ~9-11% in certain reports), although in terms of subscription or penetration—such as 62% of households—adoption is higher.
• Media ownership and concentration rules: Mexico maintains restrictions to prevent excessive concentration of media ownership. The Federal Telecommunications and Broadcasting Law ("LFTR") establishes limits on cross-ownership between broadcasting and telecommunications companies, and empowers the TRG to monitor and regulate dominant market players.
• Updates to traditional broadcasting frameworks: Traditional radio and free-to-air television services continue to be regulated under licensing and concession frameworks. Recent reforms have focused on digital transition, spectrum efficiency, and measures to ensure pluralism and competition in content distribution.
  
• Competition and market asymmetries: The TRG continues to address asymmetrical regulation in markets with preponderant agents (e.g., Televisa in broadcasting and América Móvil in telecommunications), imposing obligations related to access, interconnection, and advertising sales to promote fair competition.
• Taxation and local content obligations: Since 2020, foreign digital service providers (including streaming platforms) have been subject to VAT in Mexico. There are ongoing policy discussions about further aligning fiscal and regulatory treatment between digital and traditional services.

The main applicable law is the Law on Telecommunications and Broadcasting. However, secondary laws include the Federal Law on Protection of Personal Data Held by Private Parties, the Official Mexican Standards and the Mexican Constitution. 

The Telecommunications Regulatory Commission (“TRG”) and General Directorate of Radio, Television, and Film ("DGRTC") regulate the sector. 

In Mexico, audiovisual services are regulated under the Federal Telecommunications and Broadcasting Law ("LFTR"). The law establishes two main types of concessions (licenses) for broadcasting services:

• Commercial use concession: granted to private entities for profit-oriented audiovisual broadcasting.
• Public use concession: granted to federal, state, or municipal entities for public communication purposes.
• Social use concession: granted to non-profit organizations, communities, or indigenous groups for cultural, educational, or social objectives.
• Private use concession: granted for internal or restricted purposes (e.g., closed networks).
• Over-the-top (OTT) audiovisual services (such as streaming platforms): do not currently require a license, as they are not considered broadcasting services under Mexican law. However, they are subject to intellectual property limitations. 

Applications for broadcasting concessions must be submitted before the TRG. The general process includes:

• Submission of a formal application detailing technical, financial, and programming information.
• Evaluation by the TRG of technical feasibility, spectrum availability, and compliance with legal requirements.
• In some cases (mainly for commercial concessions), a public bidding process is conducted.
• Once approved, the TRG issues the concession title specifying the terms, conditions, and obligations of the license holder.

Under the LFTR, broadcasting concessions are generally granted for a term of up to 20 years, renewable for additional periods of the same duration, provided that the concessionaire complies with legal and regulatory obligations and requests renewal in a timely manner.

Yes. A notice to be filed with the TRG must be signed by a legal representative (attorney-in-fact) duly authorized to act on behalf of the holder company. It must include corporate reports, a detailed explanation of the changes in the corporate structure, and proof of payment of the applicable government fees.

Foreign investment may participate in broadcasting activities up to a maximum of 49%. Within this limit, a reciprocity requirement applies: the country of incorporation of the investor—or of the ultimate controlling economic agent, whether directly or indirectly—must grant equivalent rights to Mexican investors.

In Mexico, there are incompatibilities and restrictions on cross-ownership of media outlets to promote competition and prevent undue concentration, which is regulated by new legislation effective from 2025.

For radio and television services, a concession is required; the same must be granted by the authority. In this regard, the authority conducts public bidding processes to grant new concessions for the commercial use of radio and television frequencies. The number of concessions available depends on the radio spectrum being auctioned.

In Mexico, the need for registration for audiovisual signals, production companies, and advertising agencies varies depending on the type of activity, its scope, and the applicable legislation. There is no single centralized registry that covers all these aspects in a general way.

The content regulation will depend on the type of services provided. In this regard:

• Restricted television: Must include channels that guarantee access to diverse and timely information, including at least three channels with independent national production financed mainly by Mexican capital.
• Public broadcasting: Concessions for the Mexican State Public Broadcasting System must promote and include the dissemination of national, regional, and local content.
• OTT: In 2020, the Mexican Senate approved a decree to reform the LFTR that would require platforms to offer a minimum of 30% national content. Although the measure is not yet fully implemented, it reflects a political interest in regulation.

In Mexico, there are no specific content requirements directly imposed on audiovisual content service providers such as OTT platforms.

Traditional broadcasters, however, are subject to certain content obligations established under the Federal Telecommunications and Broadcasting Law ("LFTR"), including:

• National content quotas: Free-to-air and pay television licensees must include a minimum percentage of national content in their programming.
• Children’s programming and advertising restrictions: Broadcasters are required to provide educational and cultural programming suitable for children and must comply with restrictions on advertising directed at minors.
• News and public interest content: Broadcasters must guarantee that news and informational programs comply with principles of veracity, impartiality, and pluralism.
• Accessibility requirements: Television broadcasters must include closed captioning, sign language interpretation, or subtitling to ensure accessibility for people with disabilities.

Yes, pursuant to new amendments of the law, there is now the existence of screen quotas for certain sectors.

Yes, in Mexico, Pay TV operators are required to retransmit certain free-to-air television channels free of charge.

Scope: Pay TV licensees must include free-to-air television signals in their channel packages.

Conditions: Retransmission must be free of charge, non-discriminatory, and carried out in full, simultaneously, and without modifications, including original advertising.

Cost: Pay TV operators may not pass on any additional costs for this retransmission to subscribers.

There are no specific requirements mandating that advertising be produced domestically or by Mexican entities. Both domestic and foreign advertising productions are permitted. However, advertisers must comply with Mexican advertising standards, including language requirements (Spanish must be used when directed to the general public) and the obligation to respect consumer protection, intellectual property, and fair competition regulations.

Yes. Mexican regulations impose restrictions on advertising aimed at minors and prohibitions on certain products, such as:

• Tobacco and electronic cigarettes: advertising is strictly prohibited in all media.
• Alcoholic beverages: advertising is limited to certain hours and must include health warnings.
• Food and beverages high in sugar, fat, or sodium: subject to scheduling and content restrictions in children’s programming.
• Children’s advertising: must comply with the principles of truthfulness, non-manipulation, and suitability for minors, as established by the Federal Consumer Protection Law and the General Health Law.

There is no general registry for advertisers and no reciprocity obligations for foreign advertising companies.

However, certain sectors (e.g., political advertising or public service announcements) are subject to registration and authorization procedures before the TRG or the National Electoral Institute ("INE"), depending on the nature of the content.

Taxation and local content obligations: Since 2020, foreign digital service providers (including streaming platforms) have been subject to VAT in Mexico. There are ongoing policy discussions about further aligning fiscal and regulatory treatment between digital and traditional services.

Over-the-top (OTT) platforms such as Netflix, Disney+, and Amazon Prime Video are not yet subject to a specific regulatory framework equivalent to that applicable to traditional broadcasting or Pay TV services.

However, there is ongoing discussion regarding the potential extension of certain obligations—such as local content quotas, tax compliance, and consumer protection standards—to these digital services.

There are no obligations for OTTs to register locally or appoint a legal representative.

Since 2020, foreign digital service providers (including streaming platforms) have been subject to VAT in Mexico. There are ongoing policy discussions about further aligning fiscal and regulatory treatment between digital and traditional services.

No — there is no comprehensive, standalone regulatory framework in Mexico that specifically governs artificial intelligence in all its uses. However, a number of bills have been introduced to establish such a law (for example, a federal AI law was submitted to the Senate in 2024). 

In the meantime, AI systems are regulated indirectly via existing statutes (for example, the 2025 Protection Law) and sector-specific rules.

While Mexico lacks a unified AI law, sector-specific regulations indirectly govern the use of artificial intelligence across several industries:

• Financial Sector: The Fintech Law (Ley para Regular las Instituciones de Tecnología Financiera) and its secondary provisions issued by the National Banking and Securities Commission ("CNBV") require that financial institutions document and manage any algorithmic or automated models used for credit scoring, fraud detection, or trading. The “regulatory sandbox” for modelos novedosos allows the controlled testing of AI-based financial innovations under CNBV supervision.
• Health Sector: The Federal Commission for the Protection against Sanitary Risks ("COFEPRIS") recognizes Software as a Medical Device ("SaMD") under the Mexican Pharmacopoeia Supplement 5.0. AI-driven diagnostic or monitoring software must therefore undergo registration and risk-based evaluation similar to other medical devices, including documentation of functionality, accuracy, and validation.
• Education Sector: There are no binding AI-specific rules yet. However, public education programs and the Ministry of Education’s digital transformation policies encourage ethical and transparent use of AI-based tools for assessment and administration, consistent with UNESCO’s 2021 Recommendation on the Ethics of Artificial Intelligence, which Mexico endorsed.
• Public Administration: A 2018 Guide for the Use of Artificial Intelligence in the Federal Public Administration sets principles and procedures for evaluating algorithmic systems, requiring risk assessments and human oversight for government use of AI.

Oversight of artificial intelligence in Mexico is fragmented among several competent authorities, each depending on the sector or legal dimension involved:

• Data Protection and Digital Rights: Following the 2025 institutional reform, the Secretaría Anticorrupción y de Buen Gobierno assumed the responsibilities previously held by the INAI regarding the Federal Law on the Protection of Personal Data Held by Private Parties ("LFPDPPP 2025"). This authority now supervises data-processing activities, including AI systems that collect, analyze, or infer personal information.
• Financial and Fintech Sector: The National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores – CNBV) oversees AI use in regulated financial institutions under the Fintech Law and related provisions. It supervises algorithmic trading, automated credit scoring, and “innovative models” tested through the regulatory sandbox.
• Health Sector: The Federal Commission for the Protection against Sanitary Risks ("COFEPRIS") regulates AI-based medical software and diagnostic systems recognized as Software as a Medical Device ("SaMD"). Developers must comply with safety, efficacy, and validation standards before commercialization.
• Competition and Consumer Protection: The Comisión Nacional Antimonopolio ("CNA") and the Federal Consumer Protection Agency ("PROFECO") may intervene when algorithmic practices distort markets, mislead consumers, or generate discriminatory outcomes.
• Forthcoming Coordination: Draft bills currently before Congress propose the creation of a National Artificial Intelligence Agency or Council, intended to coordinate AI policy and standard-setting across sectors, though such a body has not yet been established.

Yes — there are several draft bills and ongoing consultation processes in Mexico concerning artificial intelligence regulation:

• One of the principal proposals is the Draft Federal Law for the Ethical, Sovereign and Inclusive Development of Artificial Intelligence, introduced in April 2025. It aims to create a comprehensive legal framework for AI development, deployment and oversight. 
• Another is the Federal Law Regulating Artificial Intelligence, introduced on 28 February 2024, which proposes risk-based classification of AI systems (including “unacceptable risk”) and designates a regulatory authority. 
• There is a noted count of over 60 bills introduced in the Mexican Congress between 2020 and mid-2024 that address AI in some form (governance, ethics, IP, rights of data subjects, etc.). 
• Some of these drafts include public consultation or stakeholder engagement components as part of the legislative process (industry, civil society, academia).

There is no specific or mandatory licensing regime in Mexico that applies exclusively to the provision of AI-based services. In other words, companies do not require prior governmental authorization solely because they develop or deploy artificial intelligence systems. However, AI activities are subject to general and sectoral compliance obligations, depending on the type of service and data involved:

• Data Protection ("LFPDPPP 2025"): Any AI service involving the collection or processing of personal data must comply with the LFPDPPP 2025 and its principles of legality, purpose limitation, proportionality, and accountability. Controllers must issue privacy notices, establish a lawful basis for processing, implement security measures, and—where automated decision-making significantly affects individuals—ensure human oversight and mechanisms for data-subject rights.
• Consumer Protection ("Federal Consumer Protection Law"): AI-driven digital services must comply with the Ley Federal de Protección al Consumidor, prohibiting deceptive or discriminatory automated practices and requiring transparent communication of terms, pricing, and algorithmic decisions that may affect consumers.
• Financial and Health Sectors: Entities using AI within regulated industries (such as financial services or medical devices) must comply with existing authorization and disclosure regimes. For example, Fintech institutions using automated models may need CNBV approval through the “innovative model” framework, while AI-based diagnostic software must be authorized by COFEPRIS as Software as a Medical Device ("SaMD").
• Public-Sector Systems: Under the 2018 Guide for the Use of Artificial Intelligence in the Federal Public Administration, agencies are required to conduct an impact analysis and maintain human oversight for AI systems deployed in governmental operations.

As of October 2025, Mexico has not yet enacted any binding classification of AI systems as “high-risk” or “prohibited.” There is no statutory list equivalent to that found in the EU AI Act or other mature frameworks. Nonetheless, draft legislation and regulatory discussions in Mexico signal an emerging risk-based approach:

• Draft Federal Law for the Ethical, Sovereign and Inclusive Development of Artificial Intelligence (April 2025): This bill proposes to categorize AI systems according to risk levels—“unacceptable,” “high,” “medium,” and “low”—based on their potential impact on fundamental rights, public safety, and human dignity. Under the draft, unacceptable-risk uses (for example, subliminal manipulation, biometric mass surveillance, or autonomous lethal systems) would be prohibited. High-risk systems (e.g., AI in health, education, employment, or law enforcement) would be subject to prior conformity assessments and human oversight requirements.
  Status: still under congressional review, not yet in force.
• Public-sector guidance ("2018 Federal AI Guide"): Although non-binding, this document instructs public agencies to avoid or mitigate deployments of AI systems that could result in discrimination, violation of privacy, or lack of explainability—effectively treating such applications as “high-risk” for ethical and governance purposes.
• Data-protection and human-rights frameworks: Under the LFPDPPP 2025, any automated processing that significantly affects individuals—particularly in profiling, credit scoring, or biometric identification—is deemed high-impact processing and must comply with reinforced transparency, lawful-basis, and accountability obligations. While not labelled “high-risk AI,” these provisions serve a similar function by elevating the compliance threshold.

In practice, Mexico’s current position is principle-based rather than categorical: AI uses are evaluated through the lens of existing fundamental rights, data protection, and sectoral rules. Once the pending federal AI bill is enacted, a formal list of high-risk or prohibited technologies is expected to be defined through secondary regulations.

Best practices recommended or adopted in Mexico reflect a combination of domestic guidance, data-protection obligations, and international ethical standards, since there is no unified AI act yet. The most relevant pillars are the following:

General Best Practices

Mexico promotes a principle-based and rights-oriented governance model, emphasizing transparency, accountability, human oversight, and non-discrimination.

Key references include:

• Federal AI Guide (2018): Principles and Impact Analysis Guide for the Development and Use of Systems Based on Artificial Intelligence in the Federal Public Administration (Government of Mexico, 2018). It establishes best practices for explainability, proportionality, data quality, and human intervention in automated decision-making. The Guide also recommends prior impact analyses to identify ethical or societal risks before AI deployment.
• OECD Principles on Artificial Intelligence (2019) and the UNESCO Recommendation on the Ethics of AI (2021)—both formally endorsed by Mexico—serve as the country’s international benchmarks for responsible AI: fairness, transparency, safety, explainability, and accountability.
• Data-Protection Framework ("LFPDPPP 2025"): The 2025 LFPDPPP incorporates stricter accountability and transparency duties, requiring controllers to ensure that automated processing involving personal data is lawful, explainable, and subject to user rights (access, rectification, opposition, etc.).
• Sector-specific guidance:
  
  • Financial Sector (CNBV): requires documentation and model governance for “innovative models.”
  • Health Sector (COFEPRIS): mandates lifecycle traceability and validation for AI-based Software as a Medical Device ("SaMD").

Requirements for Algorithm Traceability or Auditability

There is no single, cross-sector legal obligation mandating algorithm traceability. However:

• Under the data-protection accountability principle, controllers must be able to demonstrate how automated processing decisions are made when personal data is involved.
• Regulated industries (finance, health) must maintain technical documentation and model logs sufficient for supervisory audit or validation by CNBV or COFEPRIS.
• Public-sector entities, under the 2018 AI Guide, must ensure explainability and traceability for every stage of AI system development and operation.
  In practice, traceability and auditability are treated as best-practice obligations—de facto requirements for compliance with data-protection, cybersecurity, and supervisory expectations.

User-Facing Transparency and Disclosure Obligations

Yes. Under Mexican data-protection law, organizations deploying AI that processes personal data must:

• Provide clear and accessible privacy notices, explaining the nature of automated decision-making, its purposes, and potential effects on individuals.
• Offer mechanisms for human review or contestation when automated decisions may significantly affect rights or interests (e.g., credit scoring, hiring).
• Maintain a record of processing activities and ensure individuals can exercise ARCO rights (Access, Rectification, Cancellation, Opposition).

These transparency duties are reinforced by consumer-protection law, which prohibits misleading or discriminatory automated practices and requires truthful algorithmic disclosures in digital services.

No. AI systems are not yet legally required to undergo impact assessments or formal risk classification under Mexican law. There is no binding, cross-sector regulation equivalent to the EU’s AI Act risk framework. That said, several legal and policy instruments encourage or indirectly require such evaluations, depending on the sector and the type of data processed:

• Public Sector (mandatory for government systems): The 2018 “Principles and Impact Analysis Guide for the Development and Use of Systems Based on Artificial Intelligence in the Federal Public Administration” requires federal agencies to:
  
  • Conduct an impact assessment before developing or deploying any AI system.
  • Identify potential risks to fundamental rights, discrimination, privacy, and security.
  • Implement mitigation and accountability mechanisms, including human oversight.

This obligation currently applies only to public administration entities, not private companies.

• Private Sector (recommended but not mandatory): Under the LFPDPPP 2025, controllers must ensure accountability and risk-based governance when processing personal data, particularly in automated or AI-driven contexts.
  
  Although the law does not explicitly require an AI Impact Assessment, it obliges data controllers to:
  
  • Evaluate the risks to privacy and rights resulting from new technologies.
  • Implement preventive and corrective controls, which in practice mirror the logic of a Data Protection Impact Assessment ("DPIA"). This means organizations processing personal data through AI should conduct internal risk analyses to demonstrate compliance.

• Draft AI Legislation (forthcoming): The Draft Federal Law for the Ethical, Sovereign and Inclusive Development of AI (April 2025) would introduce a risk-based classification system:
  
  • Unacceptable-risk AI systems (e.g., social scoring, subliminal manipulation) would be banned.
  • High-risk AI systems (e.g., in health, education, employment, law enforcement) would require ex-ante risk assessments and ongoing monitoring.

This bill remains under legislative discussion and is not yet in force.

Yes. In Mexico, several general regulations already apply to artificial intelligence, even though there is no dedicated AI statute yet. These laws and instruments impose binding obligations on how AI systems are designed, deployed, and monitored—particularly when they involve personal data, consumer interactions, or regulated sectors. The most relevant are:

• LFPDPPP 2025
  
  • Scope: Applies to any processing of personal data by private entities, including data used to train or operate AI systems.
    
  • Key obligations:
    
    • Controllers must ensure lawfulness, transparency, proportionality, purpose limitation, and accountability in all automated processing.
    • When automated decision-making significantly affects individuals (e.g., profiling, credit scoring, biometric identification), organizations must provide clear notices, enable human review, and ensure technical and organizational safeguards.
  • Status: In force since 21 March 2025, replacing the 2010 version.
• General Law on the Protection of Personal Data in Possession of Obligated Subjects ("LGPDPPSO 2025")
  
  • Scope: Applies to public-sector entities processing personal data, including AI systems used by government agencies.
  • Key elements: Emphasizes impact assessments, transparency, and security controls for AI deployments within the public administration.
• Federal Consumer Protection Law ("LFPC")
  
  • Scope: Governs consumer relations, including online and automated services.
  • Relevance to AI: Prohibits deceptive or discriminatory algorithmic practices, obliges suppliers to disclose automated decision criteria when relevant to pricing or service conditions, and requires truthful digital advertising.
• Fintech Law (Ley para Regular las Instituciones de Tecnología Financiera) and CNBV Provisions
  
  • Scope: Applies to institutions using automated or algorithmic systems in financial services.
  • Relevance to AI: Requires proper governance, traceability, and supervisory access for models used in credit scoring, fraud detection, or risk assessment.
• Health Regulations ("COFEPRIS")
  
  • Scope: AI-powered medical software is regulated as Software as a Medical Device ("SaMD") under the Mexican Pharmacopoeia Supplement 5.0.
  • Relevance: Requires validation, safety documentation, and risk classification similar to other medical devices.
• Cybersecurity and Civil Liability Frameworks
  
  • Federal Criminal Code and Cybercrime Provisions apply where AI systems are used to commit or facilitate unlawful acts (e.g., data breaches, identity theft, fraud).
  • Civil Code and Federal Civil Liability Law govern damages caused by defective or negligent operation of AI systems.
• Ethical and Policy Instruments
  
  • 2018 Federal AI Guide (mandatory for the public sector, voluntary reference for private actors).
  • UNESCO Recommendation on the Ethics of Artificial Intelligence (2021) and OECD AI Principles (2019)—both endorsed by Mexico—serve as benchmarks for responsible development, transparency, and human oversight.

Mexico’s cybersecurity legal framework is fragmented but evolving, composed of constitutional mandates, general federal laws, sector-specific regulations, and policy instruments rather than a single “Cybersecurity Act”.

Below is the current legal structure as of October 2025:

1. Constitutional Basis

• Political Constitution of the United Mexican States, Articles 6 and 16
  Establish the rights to privacy, data protection, and inviolability of private communications. These provisions ground all cybersecurity duties related to safeguarding personal data, networks, and digital communications.

2. General and Cross-Sector Laws

• Federal Criminal Code (Código Penal Federal)
  Articles 211 bis 1–211 bis 7 criminalize:
  
  • Unauthorized access, interference, or alteration of IT systems, networks, or data.
  • Theft or misuse of information obtained through cyber intrusions.
  • Production or distribution of malware or devices designed for cyber offenses.

These provisions are Mexico’s de facto cybercrime law, aligning with the Budapest Convention on Cybercrime, which Mexico has signed (ratification pending implementation law).

• LFPDPPP 2025
  
  • Imposes security and breach-notification obligations on private entities handling personal data.
  • Requires controllers to adopt technical, administrative, and physical measures to prevent unauthorized access, loss, or alteration of data.
  • Mandates prompt notification to the data-protection authority and affected individuals in case of security incidents.
• General Law on the Protection of Personal Data in Possession of Obligated Subjects ("LGPDPPSO 2025")
  
  • Mirrors the same security principles for public-sector entities, requiring information-security risk assessments, incident-response procedures, and staff training.
• Telecommunications and Broadcasting Law (2025)
  
  • Requires network and service operators to implement security and integrity mechanisms in telecommunications infrastructure.

3. Sector-Specific Cybersecurity Rules:

• Financial Services: CNBV supervises; Circular Única & Fintech rules require ISO 27001-style governance, incident reporting, and business-continuity plans.
• Fintech & Payments: Banco de México and CNBV enforce the 2018 Fintech Law; mandate secure infrastructure, encryption, authentication, and immediate regulator notification of incidents.
• Health: COFEPRIS and the Ministry of Health oversee compliance; health-data guidelines and SaMD rules demand protection of sensitive data and cybersecurity testing of connected devices.
• Critical Infrastructure / Energy: CENACE, CRE, and SENER issue reliability guidelines; operators must secure industrial control systems and report cyber incidents.

4. National Strategies and Institutional Coordination

• National Cybersecurity Strategy (Estrategia Nacional de Ciberseguridad, 2017)
  Published by the Secretaría de Seguridad y Protección Ciudadana ("SSPC"), it sets out principles of risk management, cooperation, capacity-building, and protection of critical infrastructure.
  (The SSPC is currently drafting an updated version aligned with Mexico’s forthcoming Digital Security Law, expected to be debated in 2026.)
• National Guard – Policía Cibernética
  Handles cyber-incident response, public alerts, and coordination with international CERTs.
• CSIRT-MX (Computer Security Incident Response Team)
  Operated by the Secretariat of National Defense and the National Guard, serves as the national CERT coordinating vulnerability disclosure and threat intelligence.

5. Forthcoming Legislation
Several congressional committees are reviewing the Draft Federal Cybersecurity Law (initiatives from 2022–2024). The bill would:

• Create a National Cybersecurity Agency.
• Establish mandatory incident-reporting and critical-infrastructure protection regimes.
• Align national law with Budapest Convention standards.

As of October 2025, the bill remains pending in the Chamber of Deputies.

Yes. Mexico’s National Cybersecurity Strategy (Estrategia Nacional de Ciberseguridad, 2017) remains the standing policy instrument. It was issued by the Federal Government in 2017 and has not been formally replaced or superseded.

There is no updated national strategy in force as of 20 October 2025. Independent analyses note that implementation has lagged and that renewal efforts have stalled, even as authorities continue awareness and capacity-building campaigns (e.g., National Cybersecurity Week 2025). 

Separately, Congress has drafted federal cybersecurity bills under discussion that, if enacted, would establish a more comprehensive framework, but these initiatives are still pending. 

Yes — there are several draft laws and public consultations in Mexico pertaining to cybersecurity (because, of course, we have to legislate things like this when it becomes urgent). Key considerations include:

1. Initiative with draft decree issuing the Cybersecurity Law (30 April 2025): A draft at the federal level proposing a full “Law of Cybersecurity” to regulate cyber-attacks, infrastructure, incident reporting and penalties.
   • Cybersecurity Law Initiative (Mexico City) (13 May 2025): A local initiative in the City of Mexico (“CDMX”) for a law on cybersecurity and data-protection in cyberspace, including public participation via a “parlamento abierto”. 
   • Initiative that reforms Articles 211 bis 2, and others of the Federal Criminal Code (7 Oct 2025): A proposed reform to the criminal code to increase penalties for cyber-crimes.

Yes, there are minimum cybersecurity-type requirements for companies and service providers in Mexico — but they’re sector-specific rather than uniform across all industries. 
What obligations exist:

• Under the LFPDPPP 2025 (effective 21 March 2025), private entities must implement technical, administrative and physical security measures to protect personal data. 
• For the financial sector, analysts note that under supervision by CNBV and Banco de México, institutions are required to have “information security, IT risk management, business continuity” obligations. 
• In the telecommunications sector, the new Telecommunications and Broadcasting Law (16 July 2025) introduces new regulatory burdens and digital infrastructure obligations, which implicitly include cybersecurity concerns (though not always technically labelled “cybersecurity minimums”).

Yes. Mexican authorities have sanctioned private entities for security-related infringements arising from inadequate protection of personal data or deficient controls in regulated systems:

1. Data-protection sanctions (private sector).
   The former data-protection authority has repeatedly fined companies where security breaches of databases were established. For example, a published INAI resolution expressly confirms an infringement for “vulnerability of database security” under Article 63, section XI of the Data Protection Law, imposing monetary sanctions on the controller. 
   Aggregate enforcement data show that in 2023, fines for violations of the private-sector data-protection law exceeded MXN 46 million, with the financial services sector among the most-sanctioned. Earlier years reflect similar patterns (e.g., MXN 32 million in 1H-2021). 
2. Financial-sector supervisory sanctions.
   The CNBV maintains a public registry of sanctions against regulated entities. While sanctions are often catalogued under “operational risk” or related headings rather than labeled “cybersecurity,” they include fines connected to failures in systems control, continuity and integrity that are typically part of institutions’ information-security obligations. 
3. Context from major incidents.
   Mexico has recorded high-profile cyber events (e.g., attacks on critical and large public entities). Even when specific penalty amounts are not publicly detailed, the incidents prompted government scrutiny and reinforced the expectation of preventive security controls and incident management across sectors. 

Yes — there are mandatory incident-response and reporting obligations in Mexico, although the scope varies by sector and by the type of incident.

Under the LFPDPPP 2025 and its antecedents, data controllers must implement security measures and document incidents involving personal data. 

For the financial sector, under the supervision of the CNBV and related rules, entities must report “severe” information-security or cyber-incidents to the regulator promptly.
 
The LFPDPPP (private sector) does not require notification to the regulator; however, under specific circumstances, controllers must notify affected individuals.

The threshold for “reportable” incidents in the financial sector is higher: incidents that disrupt services, involve material loss, have a potential systemic effect or affect many clients. 

The laws do not yet apply a uniform incident-response plan requirement across all sectors (e.g., manufacturing, non-financial services) in a single regulation.

Terms like “cyber-incident”, “severe incident”, and “breach” are defined in the sector context rather than uniformly across all of Mexico:

• Finance sector — must report certain incidents to CNBV and have incident-response processes.
• If processing personal data in the private sector, the controller must have security measures and notify affected individuals when rights are materially impacted; regulator notification is more conditional.
• For other sectors (telecommunications, energy, etc.), you should check sector-specific rules: there may be obligations, but they are less uniformly defined.

In Mexico, coordination between private companies and government authorities during a cyberattack is sector-driven and voluntary for most entities, but mandatory for regulated industries (e.g., banking, telecommunications, health). There is no single federal incident-coordination law—yet companies must interact with designated public bodies depending on the nature and impact of the incident:

• Telecom operators: Under the new Telecommunications and Broadcasting Law (LMTR, Jul 16, 2025), operational and security incidents affecting network integrity, continuity or users must be reported to and coordinated with the new regulator, the CRT; the ATDT provides policy support and inter-agency linkage. Follow CRT secondary rules and any emergency directives. 
• National cyber channels: Engage CERT-MX (National Guard) for technical coordination, indicators of compromise, and joint response; it operates 24/7 and is Mexico’s national CSIRT. For criminal conduct (e.g., extortion/ransomware), coordinate with the FGR through the National Guard cyber units. 
• Sector add-ons (if applicable):
  
  • Finance: notify CNBV/Banco de México per sector incident-reporting rules.
  • Health/SaMD: inform COFEPRIS where patient safety or device integrity is implicated.
  • Personal-data breaches: comply with LFPDPPP-2025 transparency/security duties toward affected individuals and, where applicable, the authority. 
• Coordination stack: CRT for telecom incidents, CERT-MX for technical response, FGR for crimes, and the sector regulator when relevant.

Yes. Mexico has specific criminal provisions addressing cyber-related offenses, codified primarily in the Federal Criminal Code (Código Penal Federal) and complemented by certain sectoral statutes. The framework targets unauthorized access, data manipulation, and the use of information systems to commit crimes, aligning partially with the Budapest Convention on Cybercrime, which Mexico signed in 2018.

1. Federal Criminal Code (Código Penal Federal) — Chapter IX Bis: “Crimes Committed through Information Systems” Articles 211 bis 1 to 211 bis 7 specifically criminalize cyber offenses. These provisions are the legal backbone of Mexico’s cybercrime regime. These articles collectively establish the criminalization of hacking, phishing, ransomware deployment, system sabotage, and data theft.
2. Complementary Provisions in Other Laws:
   • LFPDPPP 2025: Article 63 classifies negligent or intentional data breaches as administrative infractions. When breaches involve malicious access or disclosure, they may also constitute criminal offenses under the Federal Criminal Code.
   • The LMTR 2025 (effective 16 July 2025): replaces the 2014 law and grants the new technical regulator Comisión Reguladora de Telecomunicaciones ("CRT") and the policy agency Agencia de Transformación Digital y Telecomunicaciones ("ATDT") the authority to punish unauthorized access or interception of communications, impose metadata and geolocation retention obligations, and require telecom operators to cooperate with law enforcement, safeguard network integrity, deploy security controls, and report major cyber incidents
   • General Law of the National Guard and Police Powers: Empowers the Policía Cibernética (Cyber Police) to investigate and support the prosecution of cyber offenses, gather digital evidence, and coordinate with international agencies.
3. Institutional Enforcement:
   • Federal Prosecutor’s Office (Fiscalía General de la República – FGR): Through its Cybercrime Unit (Unidad de Investigaciones Cibernéticas y Operaciones Tecnológicas), investigates and prosecutes offenses under Article 211 bis.
   • National Guard Cyber Unit: Provides incident-response assistance and coordinates with CSIRT-MX for digital forensics and early warnings.
4. Legislative Developments:
   • Pending initiatives in 2025 propose:
     • Expanding Articles 211 bis 1–7 to include ransomware, identity theft, cyber extortion, and use of AI for cybercrime.
     • A Federal Cybersecurity Law (draft dated April 2025) that would create a National Cybersecurity Agency and strengthen criminal cooperation and reporting obligations.

Yes. Mexico is formally engaged in multiple international cybersecurity and digital-security cooperation frameworks, though implementation has sometimes lagged behind its diplomatic commitments. As of October 2025, Mexico participates in the following treaties, regional mechanisms, and multilateral initiatives:

1. Council of Europe – Budapest Convention on Cybercrime
   
   • Status: Signed (2018), ratification in process.
   • Implementation: Mexico has aligned Articles 211 bis 1–7 of its Federal Criminal Code with the Convention’s substantive provisions, but a domestic implementation law and formal ratification instrument remain pending before Congress.
   • Authority in charge: Federal Prosecutor’s Office (FGR), through its Cybercrime Unit, is the liaison with the Council of Europe’s 24/7 network.
2. Organization of American States ("OAS") – Inter-American Cybersecurity Program
   
   • Participation: Active member through the Inter-American Committee against Terrorism ("CICTE") and its Cybersecurity Program.
3. OECD and G20 Digital-Security Fora
   
   • OECD: Mexico adheres to the OECD Recommendation on Digital Security Risk Management for Economic and Social Prosperity (2015) and participates in the OECD Global Forum on Digital Security for Prosperity, sharing policy updates and best practices.
   • G20: Within the G20 Digital Economy Working Group, Mexico supports initiatives on cyber-resilience, ransomware mitigation, and secure cross-border data flows.
4. United Nations Frameworks
   
   • Mexico aligns with the UN Open-Ended Working Group ("OEWG") on security of and in the use of information and communications technologies, advocating responsible state behavior in cyberspace.
   • It has endorsed the UN General Assembly Resolutions promoting norms of responsible cyber conduct and cooperation on incident response.
   • The Ministry of Foreign Affairs ("SRE") represents Mexico in these diplomatic processes.
5. Regional and Bilateral Cooperation
   
   • Latin American Cybersecurity Cooperation: Through OAS and bilateral memoranda with countries such as Spain, Brazil, and Chile, Mexico exchanges threat intelligence and technical assistance for digital forensics investigations.
   • U.S.–Mexico Cooperation:
     Under the High-Level Security Dialogue ("HLD"), both governments coordinate through CERT-to-CERT mechanisms and share best practices for critical-infrastructure protection and ransomware response.
6. Multistakeholder and Private-Sector Engagement
   
   • Mexico participates in FIRST (Forum of Incident Response and Security Teams) via CSIRT-MX, maintaining global interoperability.
   • The National Guard’s Cyber Police engage with INTERPOL’s Cybercrime Directorate on joint investigations.
   • Through LACNIC and LAC-CSIRT, Mexico contributes to Latin-American cybersecurity exercises and knowledge-sharing events.
7. Global Policy Commitments
   Mexico is also a signatory or participant in:
   
   • UNESCO Recommendation on the Ethics of Artificial Intelligence (2021) – including its digital-security components;
   • OECD Principles on Artificial Intelligence (2019) – covering accountability and cybersecurity within AI systems;
   • International Telecommunication Union ("ITU") Global Cybersecurity Index, where Mexico ranks mid-tier but is improving due to capacity-building and institutional development.