National Cybersecurity Plan 2025–2030: Ambition Without Direction

The newly created Digital Transformation and Telecommunications Agency (ATDT) unveiled the National Cybersecurity Plan 2025–2030 this week, an 85-page document that, at least on paper, promises to make Mexico a regional benchmark in digital protection. It talks about a “secure ecosystem,” advanced governance, and even boasts technical support from the Inter-American Development Bank (IDB). The presentation was polished: well-delivered speeches, a sleek institutional cover, and a narrative tailored for optimistic headlines.

But a closer read reveals something very different: an ambitious yet hollow plan, full of good intentions but missing the basic elements to make it actionable. In a country facing more than 40 billion attempted cyberattacks this year alone, falling short is not just a mistake—it’s a national risk.

A Five-Year Plan for a Problem That Needs Answers Now

The most striking thing is the plan’s timeline, projecting goals out to 2030. It may sound reasonable from a bureaucratic standpoint, but it's utterly inadequate considering the speed of threat evolution in Mexico.

We’re facing four cyberattacks per second. Every month, new Mexican victims are posted on the dark web. Every week, a different sector becomes a target. Every day, there’s another breach in a federal agency.

Talking about results by 2030 without urgent immediate actions is like telling the country:

“Yes, it’s on fire—but we’ll come back with water in five years.”

The document itself acknowledges alarming facts:

1. Mexico ranks second in Latin America for ransomware victims published on the dark web.
   
   
2. Attacks surged by 78% in 2024 alone.
   
   
3. 70% of federal agencies have critical vulnerabilities.
   
   
4. Between 2024 and 2025, there were 237,000 ransomware attempts against public infrastructure.

The diagnosis is brutal. The response? Weak and out of sync with reality.

A Plan With No Budget Is Just a Wish List

The plan’s biggest flaw is also the most glaring: it has no budget.

Not a single figure. Not even an estimate. Yet the goals require real investment:

1. Building a new National Cybersecurity Operations Center (CSOC)
   
   
2. Training thousands of government officials
   
   
3. Implementing a National Risk Management Framework
   
   
4. Modernizing federal platforms
   
   
5. Raising baseline security standards for states and municipalities

In a government pursuing extreme austerity, and that cut tech budgets again in 2025, launching a plan with zero allocated resources is a confession: there’s no real intent to implement it.

Learn more: Mexico at a Crossroads: Build a Strong Cybersecurity Strategy

Goals With No Roadmap, Deadlines, or Ownership

The document vaguely refers to “quarterly goals” and some first steps for late 2025, but that’s it.

What’s missing?

1. Concrete timelines
   
   
2. Intermediate milestones
   
   
3. Clear success indicators
   
   
4. Mandatory deadlines
   
   
5. Remediation mechanisms

A plan without a roadmap is like a plan without a destination.

It also fails to address who is responsible during a breach in a specific agency.

Who leads the response if an attack hits:

1. The Ministry of Health?
   
   
2. Pemex?
   
   
3. A state government?
   
   
4. A small town with no IT team?

Without a clear command chain, responses will remain slow, chaotic, and improvised.

The Real Enemy Doesn’t Appear in the Document

Perhaps the most alarming omission is the absence of organized crime, which now dominates much of Mexico’s cybercriminal landscape.

The plan mentions:

1. Ransomware
   
   
2. Generative AI
   
   
3. Global threats

But it completely ignores the link between cybercrime and national criminal organizations.

Today, cartels like CJNG and Sinaloa:

1. Launder money via crypto
   
   
2. Hire hackers for extortion
   
   
3. Distribute malware
   
   
4. Use deepfakes in scams
   
   
5. Buy initial access on the dark web
   
   
6. Infiltrate insiders in companies

None of this is mentioned across 85 pages.

There’s also no mention of:

1. Forensic financial analysis for blockchain
   
   
2. Mandatory collaboration with the Financial Intelligence Unit
   
   
3. Detection of local Conti or LockBit nodes

The plan outlines the threats, but ignores who’s actually behind them in Mexico.

The Private Supply Chain: A Huge Blind Spot

Over half of Mexico’s serious incidents last year were attacks on private critical infrastructure, especially in:

1. Manufacturing
   
   
2. Healthcare
   
   
3. Retail
   
   
4. Energy
   
   
5. Logistics
   
   
6. Transportation

Yet the plan fails to propose:

1. Minimum security standards for vendors
   
   
2. Regulation for essential private services
   
   
3. Obligations for hospitals or industrial plants
   
   
4. Third-party audits
   
   
5. Hardware/software supply chain controls

In a country where the economy depends heavily on the private sector, ignoring it is a costly mistake.

Similar titles: Is the Mexican Government Being Hacked by Its Own Employees?

Deepfakes, Scams, and Massive Fraud: Completely Ignored

While Mexico faces:

1. Waves of WhatsApp scams
   
   
2. AI-generated impersonations
   
   
3. Automated extortion
   
   
4. Large-scale social engineering
   
   
5. Massive identity theft
   
   
6. Constant data leaks

The plan does not include:

1. Deepfake mitigation strategies
   
   
2. National systems to combat digital scams
   
   
3. Identity verification mechanisms
   
   
4. Standard protocols for data breaches

It’s like writing a city’s security plan without ever mentioning street crime.

A Solid Diagnosis… With Zero Execution Capacity

Ironically, the document does a great job at diagnosing the problem. The issue isn’t the analysis.

The problem is that the proposed solutions are:

1. Generic
   
   
2. Bureaucratic
   
   
3. Operationally weak

It’s a plan that sounds good, but won’t work.

Technically competent, but strategically hollow.

Ambitious on the outside, empty on the inside.

Spreading it as a “great step forward” creates false confidence—something Mexico simply cannot afford.

Conclusion: Mexico Doesn’t Need Another Pretty PDF. It Needs Immediate Action.

The National Cybersecurity Plan 2025–2030 could have been a turning point. A real foundation for national digital defense.

But without:

1. Budget
   
   
2. Clear ownership
   
   
3. Timelines
   
   
4. Real strategies
   
   
5. Acknowledgment of the actual threat actors

The plan is just decorative.

Unless it’s rebuilt from scratch, it will remain a shiny illusion in a country that’s losing ground in the digital battle every day.

We can’t afford to keep improvising when we’re the target of thousands of attacks every second.