On November 15, 2024, Legislative Decree number 113 was published in the Official Gazette, which contains the Cybersecurity and Information Security Law. 

The purpose of the law is to establish the guiding principles and the legal framework to structure, regulate, and supervise the cybersecurity and information security measures of the information systems of the entities obliged to comply with it: public institutions, any entity that administers public resources or entities that execute acts of the public administration. Among the most relevant points of the law, the following stand out: 

  • Art. 4 of the law conceptualizes the most relevant terms for the adequate development of cybersecurity and information security in the Salvadoran legal framework, determining which acts or circumstances should be considered threats, incidents, vulnerabilities, and cybernetic or computer risks. 
  • Art. 6 of the regulation contains the obligations of the entities to whom the law applies. The main obligations are: i) to implement cybersecurity and information security management systems; ii) to develop IT and information security strategies under international standards; iii) to keep an updated record of all the actions carried out that make up the management system; and iv) to implement operational continuity and cybersecurity plans. 

One of the most relevant novelties of the Cybersecurity and Information Security Law is the creation of the State Cybersecurity Agency. The main attributions of the agency are: 

  • Set forth the nation’s cybersecurity and information security policy; 
  • Issue regulations, protocols, and technical guidelines on cybersecurity and information security; and 
  • Implement the necessary action programs to respond to cybersecurity and information security threats or incidents. 

Chapter III of the regulation establishes administrative sanctions for obligated parties that fail to comply with the obligations contemplated therein. Violations will be classified as minor, serious, or very serious. Fines for minor violations are between one to ten minimum monthly salaries of the commercial sector, for serious violations the range is between eleven and fifty minimum monthly salaries and for very serious violations the range is between fifty-one to one hundred minimum monthly salaries. For offenders belonging to the public sector, in addition to the pecuniary sanction, infractions entail warnings, dismissal, or removal from office depending on the infraction or re-offense. 

The law is effective as of November 28, 2024.  

For more information, contact us at [email protected]