
Organic Law on Strengthening Cybersecurity


The Organic Law on Strengthening Cybersecurity was published on May 22, 2026, in the Fifth Supplement to Official Registry No. 290.

  1. Purpose and Regulatory Scope

Its scope of application encompasses public sector entities that manage essential services or critical digital infrastructure, digital service providers under the principle of shared responsibility, and private legal entities whose activities have a direct impact on the continuity of essential services, in accordance with the criteria established in the applicable technical regulations.

  2. Key General Provisions

The Law incorporates legal definitions for concepts such as cyberattack, cybersecurity incident, digital resilience, critical digital infrastructure, cybersecurity risk, and digital service provider. In addition, it creates the National Catalogue of Essential Services and Critical Digital Infrastructure, which is to be administered by the Ministry of Telecommunications and the Information Society (MINTEL), acting as the governing authority for the telecommunications and information society sector in Ecuador, and must be reviewed at least every two years. The Law also legally authorizes ethical hacking activities and penetration testing, subject to the principles of consent, legitimate purpose, and personal data protection, with the aim of identifying vulnerabilities in technological systems.

  3. New Obligations

Public institutions and operators of critical digital infrastructure are required to immediately notify the competent authority of any cybersecurity incident that compromises the availability, integrity, or confidentiality of systems or sensitive information. Such notification must be submitted within a maximum period of seventy-two (72) hours from the detection of the incident, in accordance with the guidelines and protocols issued by the governing authority.

Article 43 of the Organic Law on Personal Data Protection has been amended to include the obligation to notify personal data security breaches to both the Personal Data Protection Authority and the corresponding regulatory body. For informational and technical coordination purposes, the relevant CSIRT must also be notified within a maximum term of five (5) days from becoming aware of the incident.

  4. Sanctioning Regime

Minor Infringements: Fines ranging from one (1) to ten (10) Unified Basic Salaries (SBU) for public officials and civil servants, and from 0.1% to 0.7% of the previous fiscal year’s gross turnover for private companies or public enterprises. These include delays in updating cybersecurity policies or protocols that do not result in operational impact, as well as the omission of periodic reports or minor notifications to the competent authority.

Serious Infringements: Fines ranging from ten (10) to twenty (20) Unified Basic Salaries (SBU) for public officials and civil servants, and from 0.7% to 1.0% of the previous fiscal year’s gross turnover for private companies or public enterprises. These include failure to implement the national cybersecurity policy, concealment of significant incidents affecting system availability, lack of minimum technical security measures, and failure to adopt actions aimed at preventing, mitigating, or controlling cybersecurity risks and security breaches.

Very Serious Infringements: Fines ranging from twenty (20) to forty (40) Unified Basic Salaries (SBU) for public officials and civil servants, and from 1.0% to 1.5% of the previous fiscal year’s gross turnover for private companies or public enterprises. These encompass the concealment of critical incidents, the deliberate failure to report attacks or breaches affecting third-party rights, the destruction of digital records linked to critical infrastructure, and the intentional refusal to cooperate with the competent authority or the manipulation of technical evidence.


© TobarZVS

This publication contains information of general interest and does not constitute legal opinion on specific issues. Any analysis will require legal advice from the Firm.