This Privacy Regulation Roundup summarizes the latest major global privacy regulatory developments, announcements, and changes. This report is updated monthly. For each relevant regulatory activity, you can find actionable Info-Tech analyst insights and links to useful Info-Tech research that can assist you with becoming compliant.

Author(s): Safayat Moahamad , John Donovan , Carlos Rivera

Mexico’s Cybersecurity Framework in 2025

Type: Article

Published: August 2025

Affected Region: Mexico

Summary: Mexico relies on a scattered set of laws originally designed for other purposes to address cybersecurity risks, rather than a single dedicated statute. Key requirements are spread across four main pillars that guide daily operations for organizations. The Federal Penal Code criminalizes acts like unauthorized access, system interference, fraud, and data theft, while the National Code of Criminal Procedure enables warrants and evidence preservation for digital investigations.

Data protection is governed by two primary laws – 1) the Federal Law on the Protection of Personal Data Held by Private Parties and 2) the General Law on the Protection of Personal Data Held by Obliged Entities – that mandate risk-based safeguards and breach notifications. Following the dissolution of the National Institute for Transparency in December 2024, enforcement has shifted to the new Secretariat of Anticorruption and Good Governance, with some cases handled by federal courts.

Sector-specific rules add further obligations, such as banks needing to report incidents immediately to the National Banking and Securities Commission and requiring their CISOs to submit monthly reports to executives. Public-security laws, including the National Guard Law and Federal Telecommunications and Broadcasting Law, allow access to telecom data and real-time geolocation under judicial oversight, integrating law enforcement into private-sector incident plans.

Legislative efforts to consolidate these elements have stalled for a decade, with multiple standalone cybersecurity bills proposed since 2015 failing to pass due to committee changes, surveillance disputes, and agency integration concerns. Recent drafts from senators in 2025 aim to create a unified "ley de ciberseguridad" (cybersecurity law) focusing on critical infrastructure protection in sectors like energy, finance, telecoms, and healthcare; establishing a national cybersecurity agency for coordination; and aligning with international standards like the Budapest Convention.

Meanwhile, a separate package of security bills, approved by the Chamber of Deputies in June 2025 and now in the Senate, could expand data governance by easing the National Guard’s access to metadata and geolocation, linking public and private databases, and introducing a biometric Unique Population Registry Code combining fingerprints and facial data with existing identifiers.

Internationally, Mexico is bound by the US-Mexico-Canada Agreement's Chapter 19 for risk-based controls and cross-border cooperation; observes the Budapest Convention without full alignment; and plans to sign the UN Cybercrime Convention opening in late 2025. Compliance involves managing overlapping timelines during incidents (such as 72-hour privacy notifications or 48-hour sector reports), while navigating the lack of a central regulator, with enforcement falling to bodies like the Federal Telecommunications Institute until new structures solidify.

Analyst Perspective: For organizations operating in Mexico, aligning internal programs with standards like ISO 27001, the NIST Cybersecurity Framework, and Budapest evidence models provides a solid foundation amid this patchwork of laws and regulations. Teams should prioritize mapping requirements by data type and regulator, monitoring evolving bills for sudden advancements, and documenting assessments to prove reasonable security measures. Biometric and access rules will likely tighten, and reviewing encryption, retention, and supplier contracts will become essential to handle increased lawful requests efficiently.

Analyst: Carlos Rivera, Principal Advisory Director – Security & Privacy

More Reading:

• Source Material: IAPP
• Related Info-Tech Research:

o Build an Information Security Strategy

o Build a Security Compliance Program

o Build a Data Privacy Program

What the EU AI Act Means for General-Purpose AI Providers

Type: Legislation

Enforced: August 2025

Affected Region: All Regions

Summary: The European Commission has confirmed that the EU Artificial Intelligence Act will apply to general-purpose AI (GPAI) models starting August 2, 2025, following the release of the General-Purpose AI Code of Practice on July 10. This code provides long-awaited clarity for providers, including a computational threshold of 10²³ FLOPs to define GPAI models and guidance on distinguishing them from narrower-use AI systems.

GPAI models are trained on large datasets and can perform diverse tasks across a variety of downstream applications. A further classification – GPAI models with systemic risk – includes more powerful models that may significantly impact public health, safety, security, or fundamental rights. These models face stricter requirements under Articles 53-55, including incident reporting, evaluations, and cybersecurity obligations.

The regulation has a broad extraterritorial scope: Any provider whose model outputs are used within the EU – even indirectly – may be subject to the Act. Non-EU providers must designate an authorized representative responsible for ensuring compliance and maintaining documentation, similar to requirements under the GDPR but with added enforcement duties. Although registration is not mandatory, failure to do so limits the ability of EU authorities to track and communicate with the representative.

The release of the Code just weeks before the compliance deadline underscores the EU’s intent to enforce its AI strategy on schedule, though it raises practical challenges for providers preparing for enforcement. Ongoing refinement and support will be critical to ensure effective implementation across the global AI ecosystem.

Analyst Perspective: While the EU’s ambition to lead on AI governance is clear, the timing and substance of its GPAI enforcement raise some valid concerns. Dropping the General-Purpose AI Code of Practice just weeks before the August 2 enforcement date leaves little room for organizations to adapt – especially for global developers now facing extraterritorial obligations they may not have anticipated or fully understood.

The computational thresholds are neat on paper but don’t meaningfully address the nuanced ways risk manifests in real-world deployments. There's a sense that the EU is racing to codify control over foundational models without offering the operational clarity that providers need – especially smaller players navigating systemic risk rules meant for Big Tech.

Until the guidance becomes more consistent and implementation is better supported, there’s a risk this turns into a compliance-heavy exercise with limited impact on actual safety or trust outcomes. For now, it feels like the EU is enforcing ambition before it has truly built alignment – or a practical enforcement model to match.

Analyst: John Donovan, Principal Research Director – Infrastructure & Operations

More Reading:

• Source Material: IAPP
• Related Info-Tech Research:

o Prepare for AI Regulation

o Develop an AI Compliance Strategy

o Conduct an AI Privacy Risk Assessment

Agentic AI and the Future of Accountability

Type: Article

Published: August 2025

Affected Region: All Regions

Summary: Whether agentic AI becomes a threat or a safeguard may depend on design and oversight. AI systems capable of perceiving, reasoning, and acting independently are emerging as the next frontier beyond traditional generative AI. Unlike chatbots or copilots, AI agents can execute decisions and actions with minimal or no human input.

The privacy impact of agentic AI is deeply ambivalent. On one side, AI agents risk excessive data collection, unpredictable sharing, and opaque consent models. On the other hand, with the right design, agentic AI can act as a privacy enforcer. By minimizing human touchpoints, enforcing data minimization, masking identifiers, and automating compliance checks, agents can reduce human error.

Security is the most urgent concern. Agentic AI introduces unique risks because it operates autonomously across workflows.

• Shadow AI adoption of agents by business units undermines visibility and governance.
• Overprivileged agents may inherit excessive permissions, risking unauthorized access or data exfiltration.
• Autonomous vulnerabilities such as hallucinations and prompt injection can escalate quickly, leading to malicious exploitation.

Unlike traditional software, these systems can act unpredictably, making continuous monitoring, anomaly detection, and strict least-privilege controls essential. Red teaming and human-on-the-loop oversight are critical too.

It is important to consider who would be responsible if an agent executed a harmful trade, signed a contract, or acted on hallucinated information. Organizations must establish clear policies, involve legal and compliance teams early, and update guidelines as the technology evolves. However, how policies are deployed and operationalized may need to evolve to ensure AI agents can be privacy enablers and operational assets rather than a source of systemic risk.

Analyst Perspective: From a privacy standpoint, agentic AI tests the durability of existing principles like consent, purpose limitation, and proportionality. Nevertheless, it can allow for the automation of strong compliance guardrails. Unlike employees, who can be monitored and disciplined, autonomous agents operate at machine speed and scale, compounding risks before humans can intervene. Therefore, security must shift to continuous behavioral monitoring and anomaly detection, treating agents as unpredictable actors within an organizational ecosystem.

The governance challenge will require organizational accountability for deployment, developer accountability for transparency, and security and privacy by design and default on both sides. Privacy principles of minimization, transparency, and accountability may be stressed by AI agents. However, extending the same rigor of oversight and monitoring as human agents by leveraging policy-as-code coupled with visibility enhancing governance tools may provide a balanced path forward.

Analyst: Safayat Moahamad, Research Director – Security & Privacy

More Reading:

• Source Material: Harrison Pensa LLP, Salesforce, CSO Online, Forbes (1), Forbes (2)
• Related Info-Tech Research:

o Mature Your Privacy Operations

o Develop an AI Compliance Strategy

o Build an Information Security Strategy

If you have a question or would like to receive these monthly briefings via email, submit a request here.