It is reported that certain elements of the conformity assessment procedures for second-hand, rebuilt, or reconditioned ICT products contained in DOF: 25/02/2020 are duplicative and would make import operations complex and unfeasible. Under the new definitions of “Family” and “Model” (Chapter 4, Section 1, Article 26, Number 2), any product model that is not included in a Family would have to be certified under the certification scheme called “Sample by Product Model and Surveillance for More than One Lot.” This procedure requires that the certificate of conformity indicates the number of products that make up the lots, resulting in continuous and even parallel updates of the certificate of conformity.
Further, if conformity certificates become non‐transferable – as established in Art. 7 (Chapter 3, Section 1) – new conformity certificates would have to be issued to both manufacturers and distributors of products, thereby delaying the entry of products into the Mexican market. As a result of this regulation, it is not possible to certify and, consequently, to import, used, second-hand, rebuilt, or reconditioned ICT products. Certification for these types of products already exists for various NOMs ((Norma Oficial Mexicana) under the powers of the Ministry of Economy, so there is a potential contradiction between the mandate of the telecoms regulator and the existing criteria for evaluating the conformity of the Ministry of Economy.

Until 2020, product certification in Mexico could only be undertaken by certification bodies accredited by the Entidad Mexicana de Acreditación (EMA). For IT equipment and consumer electronics, the Mexican agency issuing certificates is the Underwriters Laboratories of Mexico.
The Law of Quality Infrastructure, which repealed the Federal Law on Metrology and Standardization, allows for self-declaration of conformity if the standard bodies confirm that the Conformity Assessment Procedure includes the obligation by the goods producers (or services suppliers) to be accountable, or if it does not affect the public interest (Arts. 60 and 69).

It is reported that Mexico provides insufficient prior notification of procedural changes, inconsistent interpretation of regulatory requirements at different border posts, and uneven border enforcement of Mexican standards and labeling rules. Some imports are still not allowed in all ports of entry. Restricting goods to certain ports has made it difficult for foreign exporters to arrange for transportation and logistics, especially for electronic commerce purchases involving SMEs.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Mexico's law and jurisprudence.

Mexico has a safe harbour regime in place for intermediaries for copyright infringements. The Copyright Law does not make internet service providers (ISPs) liable in specific situations like caching, search engine, mere conduit or routing. Recent amendments have introduced Arts. 114 Septies and 114 Octies, into the existent Mexican Federal Copyright Law, containing the provisions related to ISP’s liability. The amendment provides that ISPs will not be liable as long as:
- They "promptly and readily" eliminate any copyrighted works that infringe upon copyright, regardless of whether they acquire knowledge of the infringement through a notice or by their own means;
- They do not initiate the chain of transmission of the works, performances or productions or select them, and do not receive financial compensation for the transmission, making available or reproduction of the works.
Limited safe harbor measures have been provided, so that ISPs are not directly liable, when they comply with appropriate compliance measures. Thus, the measures implemented are free from liability to pay damages, and not from complying with the precautionary measures.
It is reported, however, that such provisions lack the detail and clarity that are present in other regulations on the same topic.

Art. 30 of the Federal Law on the Protection of Personal Data in Possession of Individuals states that all data controllers are required to designate a personal data officer or department to act as Data Protection Officer and handle requests from data subjects exercising their ARCO Rights under the Law. Data Protection Officers are also responsible for overseeing and advising on the protection of personal data within their organizations.

The protection for processing and control of personal data is governed by the Data Protection Law, which sets forth that the processing of personal information is subject to the consent of the owner. Such consent may be implied, which is sufficient to process general personal data, whereas express consent is required to process financial information, and written consent is required to process sensitive information.

According to Art. 190 of the Federal Telecommunications and Broadcasting Law, the telecom operators must keep certain data for the first 12 months in systems that allow consultation and delivery in real time to the competent authorities through electronic means. The data includes:
- the name or corporate name and address of the subscriber;
- the type of communication service or messaging or multimedia services
- data necessary to trace and identify the original and destination of mobile telephone communications, including the destination number and whether the line is the subject of a contract or tariff plan or is prepaid;
- data necessary to determine the date, time and duration of the communication, as well as the messaging or multimedia service;
- the date and time of the first activation of the service and the location label (cell identifier) ​​since the service was activated;
- identification and technical characteristics of the devices, including the international equipment and subscriber identity codes (where applicable); and
the digital location of the geographical positioning of telephone lines.
At the end of the 12-month period, the operator must keep the data for an additional 12 months in electronic storage systems, during which time the delivery of information to the competent authorities must be carried out within 48 hours.
It reported that all processing and storage systems used by operators and authorised people in this regard must be located exclusively in Mexico, however this is not clear from the regulatory text.

According to Art. 13.11 of the First Amending Protocol (which amends the Additional Protocol to the Framework Agreement of the Pacific Alliance), the four parties (Chile, Colombia, Peru and Mexico) commit to allow cross-border information transfers through electronic means, including also the transfer of personal data for business activities. Moreover, in Art. 13.11.bis the parties commit to ban forced localisation of computer facilities in their national territories. Other binding commitments can be found in Article 19.8.6 of the United States Mexico Canada Agreement (USMCA), Art. 14.10 of the Mexico-Panama Free Trade Agreement, and Art. 14.11.2 of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP).

There are concerns that Art. 50 of the Provisions on Electronic Payment Fund Institutions might force firms to choose only cloud providers based in Mexico, thus indirectly imposing a local data processing requirement. The law requires electronic payment fund institutions to use secondary cloud service provided by a company that is not subject to a different jurisdiction. That would mean that the secondary cloud provider would need to be subject to the Mexican jurisdiction.

Consent is necessary for data transfer of personal data across borders on the basis of Arts. 6, 8, and 9 of the Federal Law on the Protection of Personal Data in Possession of Individuals. Moreover, pursuant to Art. 37 of the law, domestic and international transfers of personal data may be carried out without the consent of the data subject under certain exceptions including, among others: the necessity of the transfer for medical diagnosis or prevention, health care delivery, medical treatment or health services management; the transfer to the holding company, subsidiaries or affiliates under the common control of the data controller, or to a parent company or any company of the same group as the data controller, operating under the same internal processes and policies as the data controller; the necessity by virtue of a contract executed or to be executed between the data controller and a third party in the interest of the data subject.

Pursuant to the Decree amending and adding several provisions of Articles 6, 7, 27, 28, 28, 28, 73, 78, 94 and 105 of the Political Constitution of the United Mexican States, the "Instituto Federal de Telecomunicaciones" (IFT) is created. It is reported that the "Instituto Federal de Telecomunicaciones" (IFT), executive authority for the supervision and administration of the telecommunications sector services, is independent from the government in its decision making.

Mexico has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that Mexico mandates functional and accounting separation for operators with significant market power (SMP) in the telecom market.

The Mexican Federal Law for Protection of Industrial Property provides a framework for effective protection of trade secrets.