Cybersecurity in Focus: Uruguay Sets Clear Rules for Public Agencies and Strategic Sectors
By Manuel Pittaluga, partner specializing in Data Privacy, Pittaluga Abogados, manuel@pittaluga.com

Decree No. 66/025, approved on February 20, 2025, formally defines the role of the Information Security Directorate within AGESIC and establishes new cybersecurity requirements for both public entities and certain private companies.
The goal is clear: to strengthen the preparedness of the State and key sectors in the face of increasingly complex digital threats.
What does the decree establish?
A central provision is the mandatory adoption of AGESIC’s Cybersecurity Framework, which requires:
- Implementing security measures based on each organization’s specific risk profile.
- Appointing a person responsible for ensuring compliance with cybersecurity policies.
- Conducting regular assessments of the organization’s security level and pursuing continuous improvement.
- Reporting significant cybersecurity incidents.
- Providing ongoing training for staff.
Who is subject to the regulation?
- All public sector entities, including ministries, municipal governments, autonomous agencies, and state-owned enterprises.
- Private companies that provide essential services such as healthcare, energy, water, transportation, finance, telecommunications, or major digital platforms.
What are the consequences of non-compliance?
While the decree does not specify exact penalties, it does outline potential consequences:
- Public agencies may face administrative sanctions in the event of incidents or data breaches.
- AGESIC may request reports, issue formal observations, or escalate serious cases to oversight bodies.
- If third parties are affected, civil or criminal liability may apply, including fines under data protection laws.
In summary, Uruguay seeks to ensure that both the public sector and key private operators adopt a more responsible and proactive stance in an increasingly demanding digital environment.