Cybersecurity in Paraguay: between urgency and legislative improvisation

Maricarmen Sequera Buzarquis

In recent weeks, Paraguay has once again been shaken by alarming news regarding the vulnerability of its computer systems. At the end of May, a new massive leak of sensitive data belonging to the Ministry of Health was confirmed. This incident adds to a series of previous breaches that have exposed highly personal information, including home addresses, full names, tax debt details and data from facial recognition systems managed by institutions such as the Superior Court of Electoral Justice (TSJE), the Ministry of Finance, the Central Bank, Itaipu and the National Police.

In response to this critical situation, the National Congress has introduced two legislative bills focused on cybersecurity. In addition, a preliminary draft bill promoted by the Metropolitan University of Asunción was presented alongside a public hearing. This surge in legislative activity reflects a growing institutional concern over the lack of adequate mechanisms to protect Paraguay’s cyberspace.

At TEDIC, however, as an organization specializing in digital rights and technology, we view this phenomenon with a mix of hope and caution.

An urgent need, but one that demands responsibility

There is no doubt that Paraguay urgently needs to move towards a robust public policy on cybersecurity. The repeated exposure of sensitive data not only compromises individuals’ personal security, but also undermines public trust in state institutions. Creating a regulatory framework in this area is essential. However, its development must be rigorous, grounded in democratic principles, respect for human rights and sound legislative practices.

The process of drafting legislation can neither be driven by immediate impulses nor rely on quick fixes. It is a constitutional process that requires thorough analysis, public consultation, comparative legal review and careful legislative drafting. Poorly designed laws can be not only ineffective, but also dangerous.

What is being proposed?

In late May, two bills were introduced in the Chamber of Deputies, along with a preliminary draft bill:

  1. “Cybersecurity, Data Protection and Cybercrime Prevention” bill, presented by Deputy Germán Solinger (File D-2584479, introduced on May 12, 2025).
  2. “Cybersecurity and Protection of Paraguayan Cyberspace” bill, presented by Deputy Luis Federico Franco Alfaro (File D-2584815, introduced on May 28, 2025).
  3. The preliminary draft of the Cybersecurity Law, led by the Metropolitan University of Asunción and accompanied by a public hearing that opened the door to a broader conversation.

While it is encouraging that Congress is paying attention to the issue, we are concerned about the growing number of initiatives that, so far, show no clear signs of coordination or alignment. A multitude of legislative proposals could fragment the debate and result in overlapping or even contradictory regulations.

What TEDIC proposes

TEDIC has been working on this issue since 2016. In 2017, we contributed to the first National Cybersecurity Plan of the Ministry of Information and Communication Technologies (MITIC). In 2024, we submitted our feedback on the draft of the National Cybersecurity Strategy, which was later approved in May through Resolution 3900/25. We are closely following these new legislative initiatives because we believe that any legislation in this field must emerge from an inclusive, transparent and well-informed process.

We acknowledge and value the good intentions behind the proposed bills. The political and academic interest in addressing cybersecurity is a positive step forward. However, it is also our responsibility to point out that legislating on these matters without prior assessments, comparative legal studies, public participation and sound technical criteria can result in poorly conceived solutions with significant institutional costs.

Therefore, TEDIC urges Congress—especially the Chamber of Deputies, which is leading two bills—to unify efforts and work towards a single, robust and ambitious legislative proposal, with the participation of specialized organizations, academia, the private sector and civil society.

For all three proposals, we submitted our views and main concerns regarding the bills currently under discussion, as well as our perspective on how an effective public cybersecurity policy should be developed.

1) Core concerns: Legislative technique and lack of coordination

Among the cybersecurity legislative proposals introduced, the bill identified by file D-2584815, spearheaded by Deputy Luis Federico Franco Alfaro, stands out for assigning the lead authority on cybersecurity to the Ministry of National Defense. This approach contrasts with the other two legislative initiatives and the preliminary draft bill promoted by the Metropolitan University of Asunción, which propose the Ministry of Information and Communication Technologies (MITIC) as the governing body.

Assigning cybersecurity to the defense sector represents a substantive change in the nature of the institutional approach, shifting the coordination of the digital ecosystem towards a logic of national security and militarization. This model deviates from international best practices promoted by multilateral organizations such as the OECD, which strongly recommend that cybersecurity governance remain under civilian leadership, ensuring transparency, multi-stakeholder participation and respect for human rights.

Organizations such as Fundación Karisma, representing Latin American civil society, have also warned about the risks of a militarized approach to cybersecurity. This approach tends to prioritize state control, surveillance and defense over the protection of individual rights and the promotion of a free, open and inclusive internet. Moreover, it reinforces closed structures that are less participatory and less accountable.

The militarization of cybersecurity can restrict the involvement of key actors such as academia, the private sector, civil society and organizations specialized in human rights and technology. It also misaligns national legislation with the principles of democratic internet governance, which require the inclusion of multiple stakeholders and the development of public policies grounded in transparency, public deliberation and a rights-based approach.

Civilian oversight is not merely an administrative issue; it is a structural principle that defines the democratic nature of public cybersecurity policy. Replacing this approach with a military one compromises not only the institutional legitimacy of the regulatory framework but also its capacity to build trust, coordinate sectors and develop effective, sustainable responses that uphold fundamental freedoms.

2) Deficiencies in legislative technique, misconceptions about the nature of the law, and misapplication of principles from administrative and criminal law

All three proposals exhibit serious shortcomings in legislative technique. A law intended to have real impact must follow a minimum normative structure: clear objectives, a defined scope of application, guiding principles, a glossary of terms, differentiated responsibilities among the actors involved, among other fundamental elements.

In the analyzed bills, these components appear in a fragmented and disorganized way, some unnecessary, others entirely absent. This lack of rigor not only affects the clarity of the legal text but also complicates its future implementation and oversight.

For example, in the preliminary draft bill, Articles 1 and 2 address the purpose of the law and its scope of application. Article 1 refers to general principles, but none are actually defined or developed anywhere in the text. Meanwhile, Article 3, in the conceptual glossary, introduces two terms, “generative artificial intelligence” and “cyberterrorism”, yet neither is elaborated on or referenced elsewhere in the bill. Sanctioning provisions are included, but they lack clarity.

Finally, there is a concerning tendency to conflate legally distinct areas such as cybersecurity, personal data protection and cybercrime. Although these fields are interrelated and may complement one another, each is governed by its own logic, principles and objectives.

The most evident case appears in one of the proposals—which we will refrain from identifying for now—that calls for a single law on cybersecurity and personal data protection. This reflects a lack of understanding of the fundamentally different nature of these legal frameworks. Such an artificial fusion, beyond being confusing, poses potential risks to fundamental rights.

A noticeable lack of terminological consistency can also be observed in the concepts used to refer to illicit activities in the digital environment. While expressions such as “ciberamenazas” (cyber threats) or “ciberdelitos” (cybercrimes) are commonly used in everyday language, these terms lack clear normative recognition in either the Paraguayan Penal Code or international treaties such as the Budapest Convention on Cybercrime.

In this context, it would be advisable for the law to propose a conceptual unification that aligns legal terminology with the existing penal framework. For instance, instead of using informal terms like “ciberdelitos” or “delitos cibernéticos”—which are currently neither defined nor typified—it should employ “delitos informáticos”, which is the most widely recognized category in both criminal law doctrine and international instruments (often referred to as cybercrimes or computer-related crimes in English).

It is also crucial to unify and clarify the use of terms such as “ciberataques” (cyberattacks) and “ataques cibernéticos” (cybernetic attacks) across the three legislative proposals and the preliminary draft bill. To prevent inconsistent interpretations, these concepts should be aligned with existing criminal offenses, such as computer sabotage, unauthorized access to systems, or damage to data or digital infrastructure. If new criminal classifications are introduced, it is essential to establish their relationship to the current penal framework, thereby ensuring both their effective enforceability and their legal compatibility with the national legal system.

3) Lack of harmonization with existing and pending regulations

A cybersecurity law cannot be treated as an isolated piece of legislation. It must form part of a broader legal ecosystem that includes and interacts with related laws. However, the current proposals reveal an unclear overlap with other areas of law, such as personal data protection or computer-related crimes, lacking proper differentiation and articulation.

An effective cybersecurity policy requires, in addition to a specific law, complementary legal frameworks such as:

  • The Personal Data Protection Law, which is still under discussion in Congress.
  • A legal framework for essential infrastructure (commonly referred to as “critical infrastructure”).
  • Regulations on data governance.
  • The update of the Public Information Access Law, to adapt it to the challenges of the digital environment.
  • Disconnect from the 2025–2028 Cybersecurity Strategic Plan

Legislating on cybersecurity without considering this broader normative context risks creating overlaps, legal loopholes and conflicts of jurisdiction.

4) Cybersecurity governance: a structural deficit

Another key element missing from the current legislative proposals is the design of comprehensive and participatory cybersecurity governance. In democratic contexts, the challenges of protecting cyberspace cannot be shouldered solely by the state, let alone by a single public institution. Cybersecurity is a cross-cutting issue that affects all sectors: businesses, universities, the media, civil society organizations and, of course, the general public.

While some proposals mention the creation of institutional committees or councils, these are typically confined to the state apparatus, without establishing clear mechanisms for the participation of other relevant stakeholders. This closed approach not only limits the effectiveness of public policies but also undermines the legitimacy of the decision-making process.

At TEDIC, we believe that effective cybersecurity governance must be built on a multi-stakeholder approach, recognizing the roles and responsibilities of the various sectors that already participate—directly or indirectly—in the design, use, implementation and evaluation of technologies.

  • Technology companies must be part of the dialogue, as many of them are the creators and managers of critical infrastructure, digital platforms and systems that process large volumes of data.
  • Academia contributes technical expertise, critical analysis and the training of professionals who will be responsible for implementing these policies.
  • Organized civil society, for its part, ensures the defense of human rights, promotes transparency and safeguards the public interest in technological decision-making.

A sustainable cybersecurity policy cannot be limited to reactive responses to crises. It must include mechanisms for ongoing consultation, spaces for public deliberation and participatory evaluation and monitoring systems. Excluding these stakeholders from the regulatory design process means missing out on valuable technical, ethical and strategic contributions that could strengthen state efforts and enhance the protection of rights in the digital environment.

5) Cybersecurity is not (only) defense: the risk of a punitive and militarized approach

A common thread across the three legislative proposals analyzed is their distinctly reactive and securitized approach. The prevailing narrative is one of crisis, attack and threat, with responses focused almost exclusively on crime prevention, state defense and infrastructure protection. While these elements are indeed part of the broader cybersecurity ecosystem, they should not serve as the starting point or the conceptual core of public policy in this area.

In line with this perspective, the composition of the councils or committees envisioned in the bills is limited to institutions within the criminal justice system, the Ministry of the Interior, the armed forces, MITIC and agencies linked to control and defense. This punitive and militarized approach reduces the complexity of the digital environment to a matter of national security, when, in fact, what is also at stake are fundamental rights such as privacy, freedom of expression, access to information and equality.

At TEDIC, we firmly believe that cybersecurity must be approached from a comprehensive perspective grounded in human rights. To achieve this, it is essential to include institutional actors who work with historically marginalized groups, as these communities are particularly affected by digital divides and online risks. For example:

  • The Ministry of Women, to integrate a gender perspective that acknowledges and addresses technology-facilitated gender-based violence.
  • The Ministry of Health, to contribute to mental health policies related to internet use and its impact on people’s lives, from a public health perspective.
  • Institutions such as the Ministry of Children and Adolescents, the Secretariat of Youth and the Paraguayan Indigenous Institute (INDI), which can provide essential insights into access, inclusion and the protection of rights in digital spaces.

A modern cybersecurity policy cannot be built solely as a reaction to external attacks or threats. Above all, it must serve as a tool to guarantee free, secure, and equitable access to the internet for everyone, especially those in situations of heightened vulnerability.

Advocating for an inclusive perspective is not an obstacle to the effectiveness of cybersecurity policies; rather, it is an essential condition for their legitimacy, sustainability and true ability to protect both institutions and individuals.

6) Human Rights: A symbolic mention, without real focus or concrete tools

Although all three legislative proposals mention human rights in various sections—whether in the introductory sections or as general declarations of principles—these references do not translate into a real, operational or cross-cutting approach. The inclusion of fundamental rights appears more as a symbolic formality than as a structural guide for the law’s design.

A cybersecurity policy that takes human rights seriously must go far beyond merely mentioning them. It must incorporate them as a guiding principle for both normative and technical design, establishing clear standards of proportionality, legality, necessity and accountability. It must also be reflected in concrete measures that protect people in their everyday use of digital technologies.

Among these tools are:

  • End-to-end encryption, as a guarantee of confidentiality for personal and professional communications.
  • Anonymity, especially important for journalists, activists, vulnerable communities, and anyone who needs to protect their identity online.
  • Privacy by design and by default, meaning that technological systems should minimize data collection by default and prioritize user security from their technical inception.
  • The promotion of free and auditable software, which strengthens transparency and technological autonomy, while reducing dependence on opaque or foreign infrastructures.

None of the current proposals include these components, nor do they even mention them tangentially. Human rights impact assessments are also not considered for new digital surveillance or control measures. This omission jeopardizes the development of truly democratic, people-centered public policy.


In Conclusion

At TEDIC, we assert that a cybersecurity law cannot be legitimate or effective unless it is deeply aligned with international human rights standards. This includes both legal safeguards and the promotion of rights-protective technologies. Any regulation that omits these pillars risks becoming an instrument of control, rather than a tool for protecting and strengthening freedoms in the digital environment.

If you want to know our opinions on each proposal, you can download them here:

1) The legislative proposal “Cybersecurity, Data Protection and Prevention of Cybercrimes”, presented by Deputy Germán Solinger. According to unofficial sources, this bill will be replaced by the preliminary draft bill, so TEDIC has not conducted an in-depth analysis of it.

2) The legislative proposal “Cybersecurity and Protection of Paraguayan Cyberspace”, by Deputy Luis Federico Franco Alfaro.

3) The preliminary draft of the Cybersecurity Law of the Metropolitan University.

This publication has been funded by the European Union. Its content is the sole responsibility of TEDIC and does not necessarily reflect the views of the European Union.