The newly created Digital Transformation and Telecommunications Agency (ATDT) unveiled the National Cybersecurity Plan 2025–2030 this week, an 85-page document that, at least on paper, promises to make Mexico a regional benchmark in digital protection. It talks about a “secure ecosystem,” advanced governance, and even boasts technical support from the Inter-American Development Bank (IDB). The presentation was polished: well-delivered speeches, a sleek institutional cover, and a narrative tailored for optimistic headlines.
But a closer read reveals something very different: an ambitious yet hollow plan, full of good intentions but missing the basic elements to make it actionable. In a country facing more than 40 billion attempted cyberattacks this year alone, falling short is not just a mistake—it’s a national risk.
The most striking thing is the plan’s timeline, projecting goals out to 2030. It may sound reasonable from a bureaucratic standpoint, but it's utterly inadequate considering the speed of threat evolution in Mexico.
We’re facing four cyberattacks per second. Every month, new Mexican victims are posted on the dark web. Every week, a different sector becomes a target. Every day, there’s another breach in a federal agency.
Talking about results by 2030 without urgent immediate actions is like telling the country:
“Yes, it’s on fire—but we’ll come back with water in five years.”
The document itself acknowledges alarming facts:
The diagnosis is brutal. The response? Weak and out of sync with reality.
The plan’s biggest flaw is also the most glaring: it has no budget.
Not a single figure. Not even an estimate. Yet the goals require real investment:
For a government that is pursuing extreme austerity and that cut tech budgets again in 2025, launching a plan with zero allocated resources is a confession: there’s no real intent to implement it.
The document vaguely refers to “quarterly goals” and some first steps for late 2025, but that’s it.
What’s missing?
A plan without a roadmap is like a plan without a destination.
It also fails to address who is responsible during a breach in a specific agency.
Who leads the response if an attack hits:
Without a clear chain of command, responses will remain slow, chaotic, and improvised.
Perhaps the most alarming omission is the absence of any mention of organized crime, which now dominates much of Mexico’s cybercriminal landscape.
The plan mentions:
But it completely ignores the link between cybercrime and national criminal organizations.
Today, cartels like CJNG and Sinaloa:
None of this is mentioned across 85 pages.
There’s also no mention of:
The plan outlines the threats, but ignores who’s actually behind them in Mexico.
Over half of Mexico’s serious incidents last year were attacks on private critical infrastructure, especially in:
Yet the plan fails to propose:
In a country where the economy depends heavily on the private sector, ignoring it is a costly mistake.
While Mexico faces:
The plan does not include:
It’s like writing a city’s security plan without ever mentioning street crime.
Ironically, the document does a great job of diagnosing the problem. The issue isn’t the analysis.
The problem is that the proposed solutions are:
It’s a plan that sounds good, but won’t work.
Technically competent, but strategically hollow.
Ambitious on the outside, empty on the inside.
Spreading it as a “great step forward” creates false confidence—something Mexico simply cannot afford.
The National Cybersecurity Plan 2025–2030 could have been a turning point. A real foundation for national digital defense.
But without:
The plan is just decorative.
Unless it’s rebuilt from scratch, it will remain a shiny illusion in a country that’s losing ground in the digital battle every day.
We can’t afford to keep improvising when we’re the target of thousands of attacks every second.