What is AI regulation in Mexico?
Global AI regulation
Mexico does not yet have a single omnibus AI law. As of 4 June 2026, AI in Mexico is governed mainly through existing data protection, public administration and sector specific rules, plus emerging policy documents and non binding ethics guidance. The clearest current direction is a public sector guidance path: privacy duties, impact assessment for government uses involving significant personal data, and principle based governance, while broader AI bills and national planning work are still being developed.
What this means
When people ask about AI regulation in Mexico, they often expect one dedicated AI Act. That is not the present position. Mexico currently regulates AI through laws that already apply to data, government systems and regulated activity, together with ethics declarations, public strategy work and draft legislation.
That does not mean AI is unregulated. It means the rules are spread across several instruments. Some are binding now, especially personal data rules and public sector controls. Others, such as the January 2026 ethics declaration and the different draft AI bills, are directional rather than compulsory.
A second complication is institutional change. Older technical guidance still often comes from INAI, but INAI itself was extinguished in 2025 and key data protection functions were transferred into the new federal transparency and good government structure.
Why it matters
For founders, operators, buyers and advisers, the practical issue in Mexico is usually not a missing AI licence. It is whether an AI use case already triggers duties under data protection, confidentiality, public administration, procurement, consumer, labour or intellectual property rules. If you handle customer data, employee data, biometric data or public sector records, you may already have compliance work to do even without a dedicated AI Act.
This matters even more for government and government facing systems. Mexico's policy direction is increasingly tied to digital public infrastructure, public cloud, state capacity and documented human responsibility. That means organisations selling into the public sector, or building tools for public use, should expect scrutiny on privacy, explainability, data handling, security and who remains accountable when automation is used.
How it works
Mexico does not yet have a single AI act
As of 4 June 2026, Mexico has not enacted a federal omnibus AI law comparable to a cross sector AI Act. The current model is layered. The binding parts come mainly from personal data, transparency and administrative law. AI specific policy is being shaped through ethics declarations, Senate and congressional proposals, and digital government planning. In practice, the first legal questions are usually about existing law, not about a standalone AI statute.
Existing data protection law does most of the hard law work
The main binding hooks are the federal data protection laws reissued in March 2025. They apply to personal data in physical and electronic form and require lawful treatment, purpose limitation, data minimisation, accuracy, privacy notices, security measures and confidentiality. In the private sector, people must be able to exercise ARCO rights, meaning access, rectification, cancellation and opposition. Sensitive personal data generally requires express written consent. Material security incidents must be notified to affected people. If cloud services, external processors or other third parties are used, the original controller still carries responsibility and must ensure equivalent protections.
Public bodies face stronger ex ante controls
Mexico's public sector rules go further where government systems process personal data intensively or in a relevant way. If a public body plans to launch or materially change a policy, platform, application or other technology of that kind, it must submit a data protection impact assessment 30 days before operation, so the authority can issue non binding recommendations. Public bodies must also design and run systems so that data protection duties are met by default, maintain security documentation, supervise compliance internally and integrate privacy controls into services and platforms from the start.
Institutions changed after INAI
The institutional map changed in 2025. Following constitutional and legislative reform, the former INAI was extinguished and its functions were redistributed. Within the federal executive, the Secretaria Anticorrupcion y Buen Gobierno now has a Unidad de Proteccion de Datos Personales, supported by directorates for the public and private sectors, with powers over rights protection procedures, verification, conciliation and sanctions. Transparencia para el Pueblo now forms part of the wider federal transparency architecture. Older INAI materials still matter as technical guidance, but the institutional home is now different.
Policy is advancing through strategy and non binding guidance
Mexico's AI path is not only about restrictions. It is also about public digital infrastructure, state capacity and ethics. That can be seen in the June 2025 interinstitutional forum on AI and supercomputing and in the January 2026 Declaration of ethics and good practices for the use and development of AI in Mexico, issued by Secihti and ATDT. The declaration is expressly non binding, but it is politically important because it frames AI around rights, accountable human responsibility, explainability, collective governance, social benefit, impact awareness, national needs, education, cultural and linguistic diversity, and responsible handling of data.
Public sector digital governance is part of the regulatory picture
Mexico is also building AI governance through digital government machinery. Federal planning and reporting now tie AI to public cloud infrastructure, government data platforms, cybersecurity, training for civil servants and technology review before procurement. This means operational governance is emerging through how the state builds, buys and hosts technology, not only through draft legislation.
Near term change is likely, but the law is still unsettled
Congress and the Senate are actively working on AI related texts, including draft framework laws, a possible national AI strategy or plan, and reforms touching deepfakes, image and voice cloning, authors' and performers' rights, and other harms linked to generative AI. Senate work in 2025 and 2026 has openly discussed a future General Law on AI, a possible national AI authority and algorithmic impact assessments in the public sector. But as of 4 June 2026, this remains a moving legislative agenda, not a settled code.
Examples
One clear public sector example is VisitMexico. In 2025 the federal government reported that the portal was launched with an AI based virtual travel assistant. That shows how Mexico is already rolling out AI in public services through digital government and sector policy, even without a dedicated AI licensing regime.
A second example is infrastructure rather than lawmaking. The federal government reported that three federal entities were migrated to the public data centre in Aguascalientes and that high performance GPU capacity was added there for AI and advanced analytics projects. This shows Mexico's governance path as one of centralised public infrastructure, sovereign hosting and internal state capability, not only rule writing.
A third example is the formal pre launch process for a public body that wants to deploy a personal data intensive system. Under the public sector data protection framework, that body must prepare and submit a data protection impact assessment in advance, and legacy INAI guidance on AI also recommends assessing privacy impact before implementation. In other words, public sector AI use in Mexico is increasingly expected to create a paper trail before go live, not only after a problem appears.
Common misunderstandings
Mexico has no AI regulation at all. Incorrect. Mexico already applies existing data protection, transparency, administrative and sector specific law to AI uses.
The January 2026 ethics declaration is a binding rulebook. Incorrect. It is guidance, not a compulsory federal AI statute.
INAI still enforces AI and data protection in the same way as before. Incorrect. Older INAI guidance still matters, but INAI itself was extinguished and functions were transferred in 2025.
Only public bodies need to care about current AI rules. Incorrect. Private sector organisations using AI with personal data still face notice, consent, ARCO, security, verification and sanction exposure.
Mexico's future AI law is already settled. Incorrect. Several initiatives and proposals exist, but the legislative picture is still moving.
Risks and boundaries
The biggest boundary is fragmentation. Mexico is not yet a one statute AI jurisdiction. You need to map different legal layers, especially personal data law, public law and sector specific requirements, instead of searching for one complete AI code.
There is also a boundary between public and private sector governance. Public bodies face stronger ex ante structure, especially where personal data processing is intensive or relevant. Private sector organisations still face real duties, but through a different mix of consent, notice, security, rights handling and sanctions.
Soft law should not be mistaken for safe harbour. The Chapultepec principles and older INAI materials are useful for designing governance, but they do not replace the binding duties in the data protection laws. Nor do they guarantee that a regulator will accept weak controls.
This is a fast dating topic. The federal institutional structure changed in 2025, Senate and congressional work continued into 2026, and some official material now points to a Plan Nacional de IA. Publicly visible policy is clearly emerging, but it is still not finalised as one consolidated instrument. Organisations should therefore treat Mexico as a jurisdiction where the governance direction is clear, but the final statutory shape is still open.
What to do next
Leaders should treat Mexico as a governance now, AI act later jurisdiction. Start with a live inventory of AI uses, data sources, vendors, public interfaces and automated decision points. Then test each use against privacy notice, consent, minimisation, retention, breach response, vendor controls and ARCO handling.
If you build for government or deploy in the public sector, add documented human responsibility, explainability thresholds, procurement discipline and, where personal data processing is intensive or relevant, a formal impact assessment track before launch. Keep older INAI guidance in your control set, but update accountabilities to the current post INAI institutional structure.
Finally, monitor federal legislative activity and institutional guidance from the Senate, ATDT, Secihti and Secretaria Anticorrupcion y Buen Gobierno. In Mexico, the immediate compliance burden is already real, and the explicit AI layer may harden further.
FAQs
Does Mexico already have a dedicated AI Act?
No. As of 4 June 2026, Mexico does not yet have a single federal omnibus AI law in force.
What laws matter most right now?
The most important current hard law hooks are the federal personal data laws, together with public administration, transparency and other sector specific rules that apply to the context in which AI is used.
Is the January 2026 declaration legally binding?
No. It is a non binding ethics and good practice instrument intended to guide policy and institutional behaviour.
Who now handles data protection enforcement at federal level?
After the 2025 institutional reform, key data protection functions were transferred into the federal good government structure, especially the Secretaria Anticorrupcion y Buen Gobierno and related transparency bodies.
Do public bodies need an impact assessment before using AI?
If the planned system, platform or technology involves intensive or relevant personal data processing, public sector data protection rules require a data protection impact assessment before operation.
Do private companies have to wait for a future AI law before acting?
No. Private sector organisations already need to comply with notice, consent, security, ARCO and processor management duties when their AI use involves personal data.
Is Mexico moving towards more explicit AI legislation?
Yes. Senate and congressional work in 2025 and 2026 shows active movement towards more explicit AI regulation, but the final legal model is still unsettled.