Skip to main content
NOPE
In Effect Law Data Protection Context Relevance

Puerto Rico Cybersecurity Act

Act 40-2024 Cybersecurity Act of Puerto Rico

Puerto Rico's comprehensive cybersecurity law establishing cybersecurity framework for public and private sectors, complementing Act 111-2005 breach notification.

Jurisdiction

Puerto Rico

PR

Enacted

Jun 1, 2024

Effective

Jul 1, 2024

Enforcement

Puerto Rico Cybersecurity Bureau

Comprehensive cybersecurity framework complementing data breach law

Who Must Comply

This law applies to:

  • Public and private entities in Puerto Rico
  • Critical infrastructure operators
  • Entities processing sensitive data

Capability triggers:

sensitiveDataProcessing (required)
Required Increases applicability

Who bears obligations:

Operator

Safety Provisions

  • Cybersecurity risk assessment requirements
  • Incident response planning mandates
  • Security controls for critical infrastructure
  • Cybersecurity governance framework

Enforcement

Enforced by

Puerto Rico Cybersecurity Bureau

Penalties

Fines and enforcement actions

Quick Facts

Binding
Yes
Mental Health Focus
Yes
Child Safety Focus
No
Algorithmic Scope
No

Why It Matters

Puerto Rico's 2024 Cybersecurity Act creates comprehensive security obligations for AI chatbot platforms processing Puerto Rican users' sensitive data.

Recent Developments

Enacted June 2024, effective July 2024

What You Need to Comply

Cybersecurity risk assessments; incident response plans for sensitive data including mental health information

NOPE can help

Cite This

APA

Puerto Rico. (2024). Act 40-2024 Cybersecurity Act of Puerto Rico. Retrieved from https://nope.net/regs/pr-act-40-2024

BibTeX

@misc{pr_act_40_2024,
  title = {Act 40-2024 Cybersecurity Act of Puerto Rico},
  author = {Puerto Rico},
  year = {2024},
  url = {https://nope.net/regs/pr-act-40-2024}
}

Related Regulations

In Effect PR Data Protection

Puerto Rico Act 111-2005

Puerto Rico's medical information privacy law with breach notification requirement 'as expeditiously as possible' - stricter than federal standards.

In Effect CARICOM Data Protection

CARICOM CCSCAP 2025

CARICOM's 2025 regional cyber security framework establishing digital safety culture and coordinated incident response across 18 member states.

In Effect CL Data Protection

Chile Cybersecurity Law

First cybersecurity framework law in Latin America (Law 21,663 promulgated Mar 26, 2024; published Apr 8, 2024). Creates National Cybersecurity Agency (ANCI), mandatory incident reporting, and encryption rights.

In Effect AR AI Safety

Argentina AI Strategy

Non-binding AI governance guidelines establishing principles for responsible AI use. Argentina positioning as AI innovation hub with limited regulatory barriers. Emphasizes transparency, accountability, and human oversight. Multiple legislative proposals pending inspired by EU AI Act, aiming to establish formal regulatory authority.

Failed CA AI Safety

AIDA

Would have regulated high-impact AI systems with potential penalties up to $25M or 5% global revenue. Part of Bill C-27 which died when Parliament ended.

In Effect PE AI Safety

Peru AI Regulations

Peru's first comprehensive AI regulatory framework, inspired by EU AI Act. Establishes three-tier risk-based approach: prohibited uses, high-risk systems (including healthcare), and low-risk/acceptable AI. First general AI regulation in Latin America. Requires human oversight, transparency, and risk assessments for high-risk AI including healthcare applications.

Back to all regulations Check if this applies to you