Compliance Alert: Navigating Colombia's Evolving Cybersecurity Mandates and Critical Infrastructure Protection


Colombia stands at a critical juncture in its digital transformation, positioned as one of the most advanced countries in the Latin America and Caribbean (LAC) region in terms of digitalization. However, this rapid advancement has made the nation a prominent target in a constantly evolving cyber threat landscape. Compliance professionals must focus on aligning their strategies with the country’s burgeoning regulatory requirements, particularly concerning the protection of Critical National Cybernetic Infrastructure (ICCN) and enhanced data privacy safeguards.

The Urgent Imperative: A High-Risk Threat Landscape

The need for robust compliance is underscored by the sheer volume of attacks targeting Colombia. Last year, Colombia was subjected to 36 billion cyberattacks, making it the second most attacked country in Latin America. The increasing reliance on digital systems, accelerated by the COVID-19 pandemic, elevates potential vulnerabilities across all sectors.

This risk materialized dramatically with the September 2023 IFX Networks ransomware attack, which was described by government officials as the "largest on infrastructure in Colombia in recent years". This incident severely impacted approximately 78 Colombian state entities and 762 private companies, including the country’s judiciary branch and the Ministry of Health and Social Protection. Such incidents highlight the severe operational, financial, and legal repercussions of inadequate cyber preparedness.

Strengthening Digital Trust: New Governance and Policies

Colombia’s comprehensive digital economy development relies on strengthening the "Trust Environment" pillar, which assesses the presence of a governance framework that balances data enablers and safeguards.

The government manages its digital security policies through a series of National Council on Economic and Social Policy (CONPES) documents. Recent policy efforts have focused on institutionalizing security:

  • Policy Foundation: The National Trust and Digital Security Policy (CONPES 3995) of 2020 established measures to develop digital trust.
  • Governance and Risk Management: Decree 338 of 2022 established general guidelines to strengthen digital security governance, particularly aiming to manage digital security risks for essential services and Critical Cyber Infrastructures (ICCN). This framework defines parameters for MinTIC to establish thresholds for significant damage to the ICCN.
  • Response Mechanisms: Decree 338 of 2022 also modified the organization and operation of Colombia’s internal cyber emergency response working group, ColCERT. Strengthening incident response capabilities and ensuring the new cybersecurity governance structure is operational and coordinated remains a priority.

The Critical Compliance Gap: Private Sector ICCN

A primary focus area for compliance officers, particularly those in critical sectors like financial services, energy, utilities, and telecommunications, must be the forthcoming requirement to protect private assets deemed critical.

The most significant regulatory deficiency currently identified is that the existing ICCN regime excludes private ICCN assets and essential services. Policy recommendations strongly advocate that, given the sizable share of essential digital resources operated by the private sector, these assets must be included under the country’s Critical National Cybernetic Infrastructure regime. Including private ICCN assets under the ICCN regime is designated as a priority policy recommendation requiring a legal change.

Data Protection Refinements

While Colombia boasts a comprehensive data protection framework supporting major rights such as access and rectification, the framework has not been fully harmonized with international best practices. Compliance teams should prepare for future reforms that may make current non-mandatory guidelines legally binding:

  • Missing Core Rights: The framework lacks core elements such as the explicit recognition of the right to data portability.
  • Breach Reporting: There is no explicit obligation within the codified legal framework to mandate the reporting of data breaches to data subjects.
  • Emerging Technologies: The existing framework needs to go further in addressing the challenges posed by emerging technologies such as Artificial Intelligence (AI) and cloud computing. For instance, a bill was submitted to the Senate in July 2025 to regulate AI development on ethical, responsible, competitive, and innovative principles, signaling forthcoming requirements in this area.

Refining the data protection framework is deemed a priority recommendation.

Actionable Compliance Steps

Organizations seeking to enhance their digital resilience and compliance posture in Colombia should take the following steps:

  1. Prepare for Mandatory ICCN Inclusion: Assess whether your organization's assets qualify as critical infrastructure or provide essential services. Proactively implement risk management, security plans, and necessary human resources to manage these risks adequately, anticipating forthcoming legal obligations.
  2. Adopt Risk Management Frameworks (RMFs): Implement a standardized framework to enhance resilience against cyber threats. The majority of professionals surveyed in the region rely on ISO 27001 (39%) or the NIST Cybersecurity Framework (38%). The NIST framework is organized around five core functions: Identify, Protect, Detect, Respond, and Recover.
  3. Invest in Human Capital and Awareness: Institutional resistance and insufficient training and awareness were cited as two of the most common challenges encountered when implementing RMFs. Companies should invest in human capacity building to ensure continuous skill and knowledge updating in cybersecurity risk mitigation.
  4. Engage in New Governance: Monitor the progress of new legislative proposals, including the creation of a specialized digital-security authority (ANSD or ANSDAE). Experts unanimously agree on the need for binding rules and institutional coordination to drive accountability and transparency in both preparation and response.


By Compliance Hub