Puerto Rico Cybersecurity Act

Act 40-2024 Cybersecurity Act of Puerto Rico

Puerto Rico's comprehensive cybersecurity law establishing cybersecurity framework for public and private sectors, complementing Act 111-2005 breach notification.

Jurisdiction

Puerto Rico

Enacted

Jun 1, 2024

Effective

Jul 1, 2024

Enforcement

Puerto Rico Cybersecurity Bureau

Comprehensive cybersecurity framework complementing data breach law

Puerto Rico OGP

Why It Matters

Puerto Rico's 2024 Cybersecurity Act creates comprehensive security obligations for AI chatbot platforms processing Puerto Rican users' sensitive data.

Recent Developments

Enacted June 2024, effective July 2024

At a Glance

Applies to

AI CompanionMental Health AppGeneral Chatbot

Requires

Transparency Incident Reporting

Who Must Comply

Public and private entities in Puerto Rico
Critical infrastructure operators
Entities processing sensitive data

Obligations fall on:

Operator — Operates the platform or service

Safety Provisions

Cybersecurity risk assessment requirements
Incident response planning mandates
Security controls for critical infrastructure
Cybersecurity governance framework

Compliance & Enforcement

Penalties

Fines and enforcement actions

Primary Source

Puerto Rico OGP

https://bvirtualogp.pr.gov/ogp/Bvirtual/leyesreferencia/PDF/2-ingles/0040-2024.pdf

View on map

Puerto Rico

Focus Areas

Mental health & crisis

Active safeguards required

Cite This

APA

Puerto Rico. (2024). Act 40-2024 Cybersecurity Act of Puerto Rico.

Related Regulations

In Effect PR

Puerto Rico Act 111-2005

Puerto Rico's medical information privacy law with breach notification requirement 'as expeditiously as possible' - stricter than federal standards.

In Effect CARICOM

CARICOM CCSCAP 2025

CARICOM's 2025 regional cyber security framework establishing digital safety culture and coordinated incident response across 18 member states.

In Effect CL

First cybersecurity framework law in Latin America (Law 21,663 promulgated Mar 26, 2024; published Apr 8, 2024). Creates National Cybersecurity Agency (ANCI), mandatory incident reporting, and encryption rights.

In Effect AR

Argentina AI Strategy

Non-binding AI governance guidelines establishing principles for responsible AI use. Argentina positioning as AI innovation hub with limited regulatory barriers. Emphasizes transparency, accountability, and human oversight. Multiple legislative proposals pending inspired by EU AI Act, aiming to establish formal regulatory authority.

Failed CA

AIDA

Would have regulated high-impact AI systems with potential penalties up to $25M or 5% global revenue. Part of Bill C-27 which died when Parliament ended.

In Effect BR

Brazil ECA Digital

Comprehensive child digital safety law applying to any IT product or service directed at or likely to be accessed by minors in Brazil, with extraterritorial reach.

All regulations Check if this applies to you

Last updated January 22, 2026. Verify against primary sources before relying on this information.