Mexico does not apply a horizontal de minimis threshold, which is the minimum value of goods below which customs do not charge duties, across all trading partners. Yet, Rule 3.7.35 of the General Foreign Trade Rules for 2025 provides duty relief to specific, origin-based categories. For shipments from the United States and Canada, the de minimis threshold for customs duties is USD 117, while for countries covered by certain trade agreements, including Panama, the Pacific Agreement, and the Trans-Pacific Partnership, the applicable de minimis threshold is USD 1.

Under Mexico’s Value Added Tax Law (LIVA), non-resident suppliers of digital services without an establishment in Mexico are subject to specific compliance obligations. In particular, Art. 18-D(VI) requires such suppliers to appoint a legal representative and provide an address in Mexican territory for notification and compliance-monitoring purposes. Where a non-resident supplier fails to comply with the relevant obligations, Art. 18-H BIS provides for the temporary blocking of access to the supplier’s digital service through Mexican telecommunications network concessionaires until compliance is achieved.
The applicability of these obligations depends on whether the activity qualifies as a “digital service” under Art. 18-B, which enumerates four categories, including (i) digital content, and (ii) digital intermediation between third-party suppliers and customers. In this regard, the SAT’s Criterion 40/IVA/N, published in the Official Gazette on 11 October 2024, broadens the interpretation of “digital intermediation services” by treating platforms as intermediaries where, for consideration, they enable customers to offer goods or services to third parties and allow suppliers and customers to agree via the platform on the transaction terms and price. The criterion further clarifies that this characterisation may apply even where the platform presents itself as merely an “online store,” if it also connects third-party suppliers with customers.

The "Law on the National System of Research and Intelligence in the Field of Public Security" grants the Secretariat for Security and Citizen Protection (SSPC) broad powers to access personal, fiscal, biometric, and geolocation data from public and private sources without prior judicial authorisation, while also establishing a single, centralised database to which federal, state, and municipal authorities may obtain direct access without a warrant. It further establishes a Central Intelligence Platform to integrate and connect public and private databases under the authority of the Digital Transformation Agency and the National Intelligence Centre in Mexico, permitting the use of such information without judicial oversight. The platform will consolidate an extensive range of data, including vehicle and licence plate records, biometric identifiers, telephone information, property and commercial registries, corporate and land records, fiscal data, firearms registries, information from private security service providers, data on detained and sentenced persons, and records relating to financial and banking services, transport, health, telecommunications, maritime activities, and other sectors.

The Federal Copyright Act provides a safe harbour regime for intermediaries concerning copyright infringements. According to the 2020 amendments to Arts. 114 Septies and 114 Octies of the Mexican Federal Copyright Law, Internet Service Providers (ISPs) are not liable for copyright infringements if they:
- 'Promptly and readily' remove any copyrighted works that infringe copyright, regardless of whether they are notified of the infringement or discover it themselves.
- Do not initiate the transmission of the works, performances, or productions, do not select them, and do not receive financial compensation for their transmission, making available, or reproduction.
These safe harbour provisions limit ISP liability, ensuring they are not directly liable for damages when they adhere to appropriate compliance measures. However, it is reported that these provisions lack the detail and clarity found in other similar regulations.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Mexico's law and jurisprudence.

Under Art. 183.II of the Telecommunications and Broadcasting Act, telecommunications licensees and, where applicable, authorised entities must maintain records and controls of all communications made from any type of line, including SIM cards, to ensure the identification of the subscriber's name, designation or business name, address, and other relevant details.

Pursuant to Art. 21 of Mexico’s Foreign Trade Act, the Secretariat of Economy (SE) may subject the importation and exportation of goods to prior permit requirements. Arts. 14–20 of the Regulation to the Act further set out the procedure for applying for these permits.
Annex 2.2.1 of the "Agreement whereby the Secretariat of Economy issues General Rules and Criteria on Foreign Trade" establishes that certain goods are subject to a prior import permit, including digital trade-relevant goods under HS heading 8528 (displays/monitors and reception apparatus), in particular tariff items 8528.59.99, 8528.72.06 and 8528.72.99. However, Section 2.2.3 clarifies that this requirement does not apply as a general rule to all importers, as it operates through the Rule 8a/Sector Promotion Programme (PROSEC) mechanism. Under this scheme, SE authorises the temporary and definitive importation of goods for manufacturing purposes, and such imports may be used only to produce goods covered by the relevant authorised PROSEC sector.

It is reported that Mexico provides insufficient prior notification of procedural changes, inconsistent interpretation of regulatory requirements at different border posts, and uneven border enforcement of Mexican standards and labelling rules. Some imports are still not allowed in all ports of entry. Restricting goods to certain ports has made it difficult for foreign exporters to arrange for transportation and logistics, especially for electronic commerce purchases involving SMEs.

It is reported that Mexico’s telecommunications and broadcasting conformity assessment procedure, published in the Official Gazette (DOF) on 25/02/2020, created administrative frictions for the importation and certification of second-hand, rebuilt, or refurbished ICT products. Reported frictions relate, in particular, to the “Family/Model” approach (Art. 26) and to the non-transferability of conformity documents (Art. 7), which may require the re-issuance of conformity documentation where different economic operators, such as the manufacturer, importer, or distributor, must rely on it.
While the original 2020 procedure effectively excluded non-new products from the main certification schemes, an amendment published in the DOF on 27/12/2021 introduced a pathway to certify “non-new products” under a specific scheme. However, restrictions reportedly remain, as non-new products continue to be confined to that route and are not generally eligible under the broader certification schemes.

Until 2020, product certification in Mexico could be conducted only by certification bodies accredited by the Entidad Mexicana de Acreditación (EMA). For IT equipment and consumer electronics, the Mexican agency issuing certificates is the Underwriters Laboratories of Mexico.
The Law of Quality Infrastructure, which repealed the Federal Law on Metrology and Standardisation, allows for self-declaration of conformity if the standard bodies confirm that the Conformity Assessment Procedure includes the obligation by the goods producers (or services suppliers) to be accountable or if it does not affect the public interest (Arts. 60 and 69).

The "Federal Law for the Protection of Personal Data in the Possession of Private Parties" applies conditions to transfers of personal data, which apply regardless of whether the data is transferred to national or foreign third parties. For any transfer, the company must inform those third parties of the privacy notice and the purposes for which the data subject has authorised the processing of their data (Art. 35). According to Art. 2, the privacy notice is the document made available to the data subject in physical, electronic, or any other format at the time their personal data are collected, with the purpose of informing them of the intended uses of their data. Art. 35 also requires that the processing of personal data follow the terms set out in the privacy notice, which must specify whether the data subject consents to the transfer, and the receiving third party must assume the same obligations as the transferring controller. Art. 36 further establishes that national or international data transfers may take place without the data subject’s consent when specific conditions are met, including when the transfer is required by law or treaty, necessary for medical prevention, diagnosis, treatment, or healthcare management, carried out within a corporate group under common control, required by a contract concluded or to be concluded in the data subject’s interest, necessary or legally mandated to safeguard the public interest or to pursue or administer justice, required for the recognition, exercise, or defence of a right in judicial proceedings, or necessary for maintaining or fulfilling a legal relationship between the controller and the data subject.
Similar limitations on the transfer of personal data were already contained in the earlier statute of the same name, now repealed, where comparable provisions were set out in Arts. 36 and 37.

Mexico has joined several agreements with binding commitments to open transfers of data across borders. These include: the Mexico-Panama Free Trade Agreement (Art. 14.10), the First Amending Protocol [which amends the Additional Protocol to the Framework Agreement of the Pacific Alliance (Arts. 13.11 and. 13.12(c)], the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP, Art. 14.11.2), and the United States-Mexico-Canada Agreement (USMCA, Art. 19.8.6).

The new Federal Law for the Protection of Personal Data in the Possession of Private Parties, enacted in 2025, establishes a comprehensive framework for data protection in Mexico. It supersedes the 2010 law of the same name, which had likewise introduced an extensive regime governing the protection of personal data.

Under section 183 of the Telecommunications and Broadcasting Act, telecom operators must retain certain data for the first 12 months in systems that allow real-time consultation and delivery to the competent authorities through electronic means. The data includes:
- the name or corporate name and address of the subscriber;
- the type of communication service, messaging or multimedia services
- data necessary to trace and identify the original and destination of mobile telephone communications, including the destination number and whether the line is the subject of a contract or tariff plan or is prepaid;
- data necessary to determine the date, time and duration of the communication, as well as the messaging or multimedia service;
- the date and time of the first activation of the service and the location label (cell identifier) ​​since the service was activated;
- identification and technical characteristics of the devices, including the international equipment and subscriber identity codes (where applicable); and
- the digital location of the geographical positioning of telephone lines.
At the end of the 12 months, the operator must keep the data for an additional 12 months in electronic storage systems. During this time, information must be delivered to the competent authorities within 48 hours.
It reported that all processing and storage systems used by operators and authorised persons in this regard must be located exclusively in Mexico; however, this is not clear from the regulatory text.

It is reported that copyright enforcement in Mexico remains insufficient in the online environment. Stakeholders indicate that Mexico continues to experience high levels of infringement through multiple channels, including unauthorised streaming services, peer-to-peer networks, direct-download sites, stream-ripping, circumvention tools for video games and consoles, and the distribution of infringing content via physical media. As internet access expands, online piracy is reported to be increasing, and stakeholders have characterised Mexico as a significant market for music and video game piracy. Stakeholders also continue to report notable levels of piracy facilitated by illicit streaming devices and unauthorised Internet Protocol television (IPTV) applications.