In May 2000, Mexico amended several statutes, including the Code of Commerce, by introducing Title II on electronic commerce, drawing upon the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

In August 2003, Mexico amended its Commercial Code by reforming and expanding Title II on electronic commerce, including the introduction of a chapter on foreign electronic signatures. These amendments draw on the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.

The "Law on the National System of Research and Intelligence in the Field of Public Security" grants the Secretariat for Security and Citizen Protection (SSPC) broad powers to access personal, fiscal, biometric, and geolocation data from public and private sources without prior judicial authorisation, while also establishing a single, centralised database to which federal, state, and municipal authorities may obtain direct access without a warrant. It further establishes a Central Intelligence Platform to integrate and connect public and private databases under the authority of the Digital Transformation Agency and the National Intelligence Centre in Mexico, permitting the use of such information without judicial oversight. The platform will consolidate an extensive range of data, including vehicle and licence plate records, biometric identifiers, telephone information, property and commercial registries, corporate and land records, fiscal data, firearms registries, information from private security service providers, data on detained and sentenced persons, and records relating to financial and banking services, transport, health, telecommunications, maritime activities, and other sectors.

The Federal Copyright Act provides a safe harbour regime for intermediaries concerning copyright infringements. According to the 2020 amendments to Arts. 114 Septies and 114 Octies of the Mexican Federal Copyright Law, Internet Service Providers (ISPs) are not liable for copyright infringements if they:
- 'Promptly and readily' remove any copyrighted works that infringe copyright, regardless of whether they are notified of the infringement or discover it themselves.
- Do not initiate the transmission of the works, performances, or productions, do not select them, and do not receive financial compensation for their transmission, making available, or reproduction.
These safe harbour provisions limit ISP liability, ensuring they are not directly liable for damages when they adhere to appropriate compliance measures. However, it is reported that these provisions lack the detail and clarity found in other similar regulations.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Mexico's law and jurisprudence.

Under Art. 183.II of the Telecommunications and Broadcasting Act, telecommunications licensees and, where applicable, authorised entities must maintain records and controls of all communications made from any type of line, including SIM cards, to ensure the identification of the subscriber's name, designation or business name, address, and other relevant details.

Pursuant to Art. 21 of Mexico’s Foreign Trade Act, the Secretariat of Economy (SE) may subject the importation and exportation of goods to prior permit requirements. Arts. 14–20 of the Regulation to the Act further set out the procedure for applying for these permits.
Annex 2.2.1 of the "Agreement whereby the Secretariat of Economy issues General Rules and Criteria on Foreign Trade" establishes that certain goods are subject to a prior import permit, including digital trade-relevant goods under HS heading 8528 (displays/monitors and reception apparatus), in particular tariff items 8528.59.99, 8528.72.06 and 8528.72.99. However, Section 2.2.3 clarifies that this requirement does not apply as a general rule to all importers, as it operates through the Rule 8a/Sector Promotion Programme (PROSEC) mechanism. Under this scheme, SE authorises the temporary and definitive importation of goods for manufacturing purposes, and such imports may be used only to produce goods covered by the relevant authorised PROSEC sector.

It is reported that Mexico provides insufficient prior notification of procedural changes, inconsistent interpretation of regulatory requirements at different border posts, and uneven border enforcement of Mexican standards and labelling rules. Some imports are still not allowed in all ports of entry. Restricting goods to certain ports has made it difficult for foreign exporters to arrange for transportation and logistics, especially for electronic commerce purchases involving SMEs.

It is reported that Mexico’s telecommunications and broadcasting conformity assessment procedure, published in the Official Gazette (DOF) on 25/02/2020, created administrative frictions for the importation and certification of second-hand, rebuilt, or refurbished ICT products. Reported frictions relate, in particular, to the “Family/Model” approach (Art. 26) and to the non-transferability of conformity documents (Art. 7), which may require the re-issuance of conformity documentation where different economic operators, such as the manufacturer, importer, or distributor, must rely on it.
While the original 2020 procedure effectively excluded non-new products from the main certification schemes, an amendment published in the DOF on 27/12/2021 introduced a pathway to certify “non-new products” under a specific scheme. However, restrictions reportedly remain, as non-new products continue to be confined to that route and are not generally eligible under the broader certification schemes.

Until 2020, product certification in Mexico could be conducted only by certification bodies accredited by the Entidad Mexicana de Acreditación (EMA). For IT equipment and consumer electronics, the Mexican agency issuing certificates is the Underwriters Laboratories of Mexico.
The Law of Quality Infrastructure, which repealed the Federal Law on Metrology and Standardisation, allows for self-declaration of conformity if the standard bodies confirm that the Conformity Assessment Procedure includes the obligation by the goods producers (or services suppliers) to be accountable or if it does not affect the public interest (Arts. 60 and 69).

Mexico has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

In December 2024, Mexico removed the constitutional basis for the Instituto Federal de Telecomunicaciones (IFT) as an autonomous regulator and reassigned its core telecommunications and broadcasting regulatory functions to the Federal Executive. Under the subsequent institutional architecture, the IFT was replaced by the Telecommunications Regulatory Commission (Comisión Reguladora de Telecomunicaciones, CRT), which operates as a deconcentrated technical body attached to the Agency for Digital Transformation and Telecommunications (ATDT). It is reported that the CRT is not independent from the government in its decision-making.

Art. 14 of the Guidelines for Collaboration in the Matter of Security and Justice stipulates that data processing and storage systems employed by authorised telecommunications providers must be located within the national territory, in order to facilitate cooperation with national security authorities.

There are concerns that Art. 50 of the Provisions on Electronic Payment Fund Institutions might force firms to choose only cloud providers based in Mexico, thus indirectly imposing a local data processing requirement. The law requires electronic payment fund institutions to use secondary cloud services provided by a company that is not subject to a different jurisdiction. That would mean that the secondary cloud provider would need to be subject to the Mexican jurisdiction and therefore be located in the country.

The "Federal Law for the Protection of Personal Data in the Possession of Private Parties" applies conditions to transfers of personal data, which apply regardless of whether the data is transferred to national or foreign third parties. For any transfer, the company must inform those third parties of the privacy notice and the purposes for which the data subject has authorised the processing of their data (Art. 35). According to Art. 2, the privacy notice is the document made available to the data subject in physical, electronic, or any other format at the time their personal data are collected, with the purpose of informing them of the intended uses of their data. Art. 35 also requires that the processing of personal data follow the terms set out in the privacy notice, which must specify whether the data subject consents to the transfer, and the receiving third party must assume the same obligations as the transferring controller. Art. 36 further establishes that national or international data transfers may take place without the data subject’s consent when specific conditions are met, including when the transfer is required by law or treaty, necessary for medical prevention, diagnosis, treatment, or healthcare management, carried out within a corporate group under common control, required by a contract concluded or to be concluded in the data subject’s interest, necessary or legally mandated to safeguard the public interest or to pursue or administer justice, required for the recognition, exercise, or defence of a right in judicial proceedings, or necessary for maintaining or fulfilling a legal relationship between the controller and the data subject.
Similar limitations on the transfer of personal data were already contained in the earlier statute of the same name, now repealed, where comparable provisions were set out in Arts. 36 and 37.