Cullen International’s latest research shows that most national cybersecurity strategies in the Americas do not create binding obligations for the private sector. Instead, they set policy goals which include improving public organisations' cybersecurity preparedness and strengthening the response to incidents.
When there are binding obligations for private entities, these may involve requiring them to implement a risk assessment and management policy. The USA requires vendors to the federal government to manage cybersecurity risks in their supply chain.
Countries such as Brazil and Mexico have legislative proposals on cybersecurity with varying scopes. Even in such countries that do not currently have binding obligations for private entities, the proposed new laws signal the authorities' concern with cybersecurity and may lead to future obligations.
To access the full benchmark, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to our Americas Digital Economy service.
more news
25 February 26
Protection of minors: overview of national initiatives on banning access to social media
Our latest benchmark shows that an increasing number of European countries are discussing a potential social media ban on children.
23 February 26
The DNA explained: universal service to serve the same goals under a revised approach
Cullen International is issuing a series of analyses on different aspects of the Digital Networks Act (DNA) proposal. This report covers universal service.
20 February 26
Revised Cybersecurity Act (CSA2) - Changes to the EU cybersecurity certification framework
Cullen International published an analysis of the proposed changes to the EU cybersecurity certification framework under the draft Cybersecurity Act 2 (CSA2) delivered by the European Commission on 20 January 2026.