A basic legal framework on intermediary liability beyond copyright infringement is absent in Mexico's law and jurisprudence.

Under Art. 183.II of the Telecommunications and Broadcasting Act, telecommunications licensees and, where applicable, authorised entities must maintain records and controls of all communications made from any type of line, including SIM cards, to ensure the identification of the subscriber's name, designation or business name, address, and other relevant details.

Pursuant to Art. 21 of Mexico’s Foreign Trade Act, the Secretariat of Economy (SE) may subject the importation and exportation of goods to prior permit requirements. Arts. 14–20 of the Regulation to the Act further set out the procedure for applying for these permits.
Annex 2.2.1 of the "Agreement whereby the Secretariat of Economy issues General Rules and Criteria on Foreign Trade" establishes that certain goods are subject to a prior import permit, including digital trade-relevant goods under HS heading 8528 (displays/monitors and reception apparatus), in particular tariff items 8528.59.99, 8528.72.06 and 8528.72.99. However, Section 2.2.3 clarifies that this requirement does not apply as a general rule to all importers, as it operates through the Rule 8a/Sector Promotion Programme (PROSEC) mechanism. Under this scheme, SE authorises the temporary and definitive importation of goods for manufacturing purposes, and such imports may be used only to produce goods covered by the relevant authorised PROSEC sector.

It is reported that Mexico provides insufficient prior notification of procedural changes, inconsistent interpretation of regulatory requirements at different border posts, and uneven border enforcement of Mexican standards and labelling rules. Some imports are still not allowed in all ports of entry. Restricting goods to certain ports has made it difficult for foreign exporters to arrange for transportation and logistics, especially for electronic commerce purchases involving SMEs.

It is reported that Mexico’s telecommunications and broadcasting conformity assessment procedure, published in the Official Gazette (DOF) on 25/02/2020, created administrative frictions for the importation and certification of second-hand, rebuilt, or refurbished ICT products. Reported frictions relate, in particular, to the “Family/Model” approach (Art. 26) and to the non-transferability of conformity documents (Art. 7), which may require the re-issuance of conformity documentation where different economic operators, such as the manufacturer, importer, or distributor, must rely on it.
While the original 2020 procedure effectively excluded non-new products from the main certification schemes, an amendment published in the DOF on 27/12/2021 introduced a pathway to certify “non-new products” under a specific scheme. However, restrictions reportedly remain, as non-new products continue to be confined to that route and are not generally eligible under the broader certification schemes.

Until 2020, product certification in Mexico could be conducted only by certification bodies accredited by the Entidad Mexicana de Acreditación (EMA). For IT equipment and consumer electronics, the Mexican agency issuing certificates is the Underwriters Laboratories of Mexico.
The Law of Quality Infrastructure, which repealed the Federal Law on Metrology and Standardisation, allows for self-declaration of conformity if the standard bodies confirm that the Conformity Assessment Procedure includes the obligation by the goods producers (or services suppliers) to be accountable or if it does not affect the public interest (Arts. 60 and 69).

Art. 14 of the Guidelines for Collaboration in the Matter of Security and Justice stipulates that data processing and storage systems employed by authorised telecommunications providers must be located within the national territory, in order to facilitate cooperation with national security authorities.

There are concerns that Art. 50 of the Provisions on Electronic Payment Fund Institutions might force firms to choose only cloud providers based in Mexico, thus indirectly imposing a local data processing requirement. The law requires electronic payment fund institutions to use secondary cloud services provided by a company that is not subject to a different jurisdiction. That would mean that the secondary cloud provider would need to be subject to the Mexican jurisdiction and therefore be located in the country.

The "Federal Law for the Protection of Personal Data in the Possession of Private Parties" applies conditions to transfers of personal data, which apply regardless of whether the data is transferred to national or foreign third parties. For any transfer, the company must inform those third parties of the privacy notice and the purposes for which the data subject has authorised the processing of their data (Art. 35). According to Art. 2, the privacy notice is the document made available to the data subject in physical, electronic, or any other format at the time their personal data are collected, with the purpose of informing them of the intended uses of their data. Art. 35 also requires that the processing of personal data follow the terms set out in the privacy notice, which must specify whether the data subject consents to the transfer, and the receiving third party must assume the same obligations as the transferring controller. Art. 36 further establishes that national or international data transfers may take place without the data subject’s consent when specific conditions are met, including when the transfer is required by law or treaty, necessary for medical prevention, diagnosis, treatment, or healthcare management, carried out within a corporate group under common control, required by a contract concluded or to be concluded in the data subject’s interest, necessary or legally mandated to safeguard the public interest or to pursue or administer justice, required for the recognition, exercise, or defence of a right in judicial proceedings, or necessary for maintaining or fulfilling a legal relationship between the controller and the data subject.
Similar limitations on the transfer of personal data were already contained in the earlier statute of the same name, now repealed, where comparable provisions were set out in Arts. 36 and 37.

Mexico has joined several agreements with binding commitments to open transfers of data across borders. These include: the Mexico-Panama Free Trade Agreement (Art. 14.10), the First Amending Protocol [which amends the Additional Protocol to the Framework Agreement of the Pacific Alliance (Arts. 13.11 and. 13.12(c)], the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP, Art. 14.11.2), and the United States-Mexico-Canada Agreement (USMCA, Art. 19.8.6).

The new Federal Law for the Protection of Personal Data in the Possession of Private Parties, enacted in 2025, establishes a comprehensive framework for data protection in Mexico. It supersedes the 2010 law of the same name, which had likewise introduced an extensive regime governing the protection of personal data.

Under section 183 of the Telecommunications and Broadcasting Act, telecom operators must retain certain data for the first 12 months in systems that allow real-time consultation and delivery to the competent authorities through electronic means. The data includes:
- the name or corporate name and address of the subscriber;
- the type of communication service, messaging or multimedia services
- data necessary to trace and identify the original and destination of mobile telephone communications, including the destination number and whether the line is the subject of a contract or tariff plan or is prepaid;
- data necessary to determine the date, time and duration of the communication, as well as the messaging or multimedia service;
- the date and time of the first activation of the service and the location label (cell identifier) ​​since the service was activated;
- identification and technical characteristics of the devices, including the international equipment and subscriber identity codes (where applicable); and
- the digital location of the geographical positioning of telephone lines.
At the end of the 12 months, the operator must keep the data for an additional 12 months in electronic storage systems. During this time, information must be delivered to the competent authorities within 48 hours.
It reported that all processing and storage systems used by operators and authorised persons in this regard must be located exclusively in Mexico; however, this is not clear from the regulatory text.

It is reported that copyright enforcement in Mexico remains insufficient in the online environment. Stakeholders indicate that Mexico continues to experience high levels of infringement through multiple channels, including unauthorised streaming services, peer-to-peer networks, direct-download sites, stream-ripping, circumvention tools for video games and consoles, and the distribution of infringing content via physical media. As internet access expands, online piracy is reported to be increasing, and stakeholders have characterised Mexico as a significant market for music and video game piracy. Stakeholders also continue to report notable levels of piracy facilitated by illicit streaming devices and unauthorised Internet Protocol television (IPTV) applications.

Mexico has ratified the World Intellectual Property Organization (WIPO) Copyright Treaty.

Mexico has ratified the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.