In recent months, you’ve probably heard about Mexico’s biometric CURP, a government project aiming to modernize citizen identification. The idea is to integrate biometric data like facial recognition, fingerprints, iris scans, and signatures into a single ID key—promising faster, more secure identity verification for millions.
But what seemed like a decisive step toward national digitalization has just hit a major bump: the first public tender to hire the cloud services that would support the system has been declared void.
At TecnetOne, we break down what this failure means, the risks involved, and the potential scenarios going forward.
What Happened with the Tender?
The Ministry of the Interior (Segob) issued a call for comprehensive cloud computing services to support Renapo (National Population Registry), a key component of the biometric CURP infrastructure.
The budget wasn’t small—up to 520 million pesos over multiple years to ensure computing power, storage, networking, and above all, high cybersecurity standards.
Two consortiums submitted bids:
- Triara.Com, Uninet, and Scitum
- B Drive IT, S.A. de C.V.
The problem: neither met the technical requirements.
The consequence: the tender was declared void on September 3, 2025.
This delays cloud infrastructure consolidation and puts the project timeline at risk. A pilot program is already running voluntarily in Mexico City, but mass rollout was set for January 2026, with mandatory adoption in February.
Consequences of the Failure
This isn’t a minor delay—CURP biométrica is on a tight schedule. If the next bidding process fails again, Segob could face:
- Significant delays in Renapo modernization
- Additional costs to rework requirements and processes
- Political and administrative scrutiny
A third failed attempt could lead to audits by the Federal Audit Office (ASF) and discourage vendors from participating in future tenders.
Learn nore: Ransomware in Mexico: Cyberattacks Cause Major IT Sector Losses
What Are the Government’s Alternatives?
If public bidding continues to fail, Mexican law offers a few fallback options:
- Direct awarding: Legally valid in urgent or public interest cases—but prone to legal challenges and concerns about transparency, especially when dealing with biometric data.
- Public-private partnerships: Potentially flexible, but involve long processes that may not fit the project’s current deadlines.
- International vendors: Technologically strong, but raise sovereignty and data control concerns.
- Temporary use of existing infrastructure: A short-term fix with likely compromises in privacy and security.
Transparency and Conflicts of Interest
Beyond technicalities, the greatest risk lies in lack of transparency. Experts warn that any prior relationships between officials and bidding companies could result in serious conflicts of interest.
Mexico’s track record with tech projects shows that direct awards often lead to public distrust, especially when managing sensitive data from millions of citizens.
Cybersecurity and Technology Risks
Concentrating biometric data in one system makes it an attractive target for cybercriminals. Recent cyberattacks on utilities and federal agencies show how exposed the government can be.
What’s more, the dismantling of INAI, Mexico’s independent data watchdog, raises the question: who will oversee data protection?
The government has hinted at using blockchain for transparency, but even that carries its own risks:
- Smart contract vulnerabilities
- Advanced persistent threats (APT)
- Limited scalability
- Privacy issues with public networks
The Monterrey Precedent: Digital ID by Direct Award
One relevant example is the digital ID project in Monterrey, implemented via direct award. While it addressed urgent needs, it also revealed flaws:
- Lack of oversight
- Data leaks
- Public backlash
This reinforces that transparency isn’t optional—it’s essential for national ID systems.
Similar titles: Mexican Water Infrastructure Under Fire: Rising Cyberattacks
Recommendations to Secure the Biometric CURP
Experts like SILIKN suggest several steps to restore trust:
- Publicly share all information (contracts, technical reports, selection criteria) in the Official Gazette and transparency portals
- Conduct independent audits with cybersecurity firms
- Involve academic institutions in infrastructure reviews
- Create clear regulations for data protection and informed consent
- Strengthen third-party oversight to prevent political misuse or mass surveillance
What’s at Stake?
The biometric CURP isn’t just a tech project—it’s a national identity system that will affect millions.
If done right, it could streamline public services. If done poorly, it could become a tool for cyberattacks, fraud, and privacy violations.
At TecnetOne, we believe the challenge is not just technical—it’s ethical, legal, and political. Security, transparency, and inclusion must guide every decision moving forward.