Peru: Cybersecurity Compliance Strategy 2026–2028

Peru has launched a robust national plan to address digital threats with its 2026–2028 National Cybersecurity Strategy (ESNACIB). This strategic document mandates cybersecurity compliance for public institutions and encourages private sector alignment, aiming to strengthen digital resilience across the country.

National Mandate for Cybersecurity Compliance

The ESNACIB, developed by the Secretariat of Government and Digital Transformation (SGTD-PCM), became official on January 13, 2025, and was finalized in July 2025. It sets a clear path to secure Peru’s cyberspace and elevate its digital trust environment between 2026 and 2028.

While mandatory for public sector entities, the strategy urges private organizations, academia, and civil society to participate actively. It underscores the importance of aligning with Peru’s Personal Data Protection Law and broader digital governance policies.

Embracing International Cybersecurity Standards

Peru’s strategy emphasizes adopting international frameworks like ISO/IEC and NIST CSF. Key standards referenced include:

• NTP ISO/IEC 27032:2024 – Guidelines for internet security

• NTP ISO/IEC 27001, 27002, 27005:2022 – Information security and risk management

• NTP ISO/IEC 12207:2016 – Mandatory for all National Informatics System entities

• NIST Cybersecurity Framework and CIS Controls

By prioritizing these norms, Peru aims to reinforce institutional compliance and secure digital infrastructure.

Trust Seals and Accreditation Systems

A notable ESNACIB innovation is the proposed cybersecurity certification system, expected to act as a “trust seal” for both public and private organizations. This system could become a de facto requirement for companies operating in digital services, critical infrastructure, or emerging technology sectors.

The national IP agency INDECOPI is set to support certification of digital signature systems, enhancing the reliability of digital identification mechanisms.

Customs and Trade Implications

Although focused on cybersecurity, the strategy indirectly impacts trade. SUNAT, Peru’s customs authority, is recognized as a stakeholder due to its role in managing critical digital systems. Businesses involved in imports or international trade should expect heightened data handling protocols and security verification measures.

Who Will Be Affected?

The scope is broad. Affected product categories include:

• IoT and connected devices

• Consumer electronics (e.g., smart toys, appliances)

• Telecom and computing infrastructure

• Digital platforms, software, and data systems

• Automotive and transportation-related digital systems

• Products leveraging AI, quantum computing, and emerging tech

Services Hook

If your organization manufactures, imports, or integrates connected digital products, now is the time to review your market access strategy. Entirety’s Regulatory Intelligence Service can guide you through Peru’s evolving digital compliance landscape.

Impact Assessment

• Technical Standards? ✅ Yes

• Type Approval & Market Access? ✅ Yes

• Imports, Customs, Trade, or Market Surveillance? ✅ Yes

• Spectrum Management? ❌ No