Last review date: 30 December 2025

• Law N° 18,331 (Law of the Protection of Personal Data and Habeas Data Action N° 18331) and its Regulating Decree N° 414/009
• Law N° 19,670 (Accountability Act and Balancing of Budget Execution of the Exercise ) and its Regulating Decree N° 64/020

Last review date: 30 December 2025

The National Cybersecurity Strategy 2024–2030 (ENC) is the main public policy instrument governing cybersecurity in Uruguay, setting strategic guidelines for the protection of information systems, digital assets, and critical infrastructure (National Cybersecurity Strategy of Uruguay 2024-2030).

At the regulatory level, Decree No. 66/025 on Information Security and Cybersecurity regulates the powers of AGESIC’s Information Security Directorate and CERTuy and establishes mandatory obligations for all public entities, as well as for private entities linked to critical services or sectors (Decree N° 66/025). These obligations include the adoption of the AGESIC Cybersecurity Framework, the designation of a security officer, audit and log retention requirements, and the obligation to report cybersecurity incidents to CERTuy within 24 hours. In addition, Law No. 20,212 strengthens the institutional framework and creates the National Cybersecurity Incident Registry.

Regarding personal data protection, Law No. 18,331 and its regulations establish security and accountability principles, including privacy by design and by default and impact assessments, complemented by coordination mechanisms between CERTuy and the URCDP for personal data breaches (Law No. 19,670, Article 38).

The framework is further complemented by Law No. 18,600 on electronic documents and signatures and its regulatory decrees (Law N° 18600), Law No. 20,327 on cybercrime, and sector-specific regulations issued by authorities such as URSEC and the Central Bank of Uruguay (BCU). (Law N° 20327)

Last review date: 30 December 2025

There are no specific laws or regulations regarding non-personal data.

The Agency for the Development of Electronic Government and the Information-Based Society (AGESIC by its acronym in Spanish), published the "National Data Strategy 2030" on 26 December 2024.

The guidelines aim to promote the availability and strategic use of data as an asset for evidence-based decision-making, innovation for the benefit of the entire society, inclusive economic growth, and the strengthening of the pillars of democracy. It leverages on data to increase transparency, accountability, citizen participation, and efficiency in the provision of public services while respecting the protection of personal data.