In recent years, Paraguay has made significant strides toward consolidating its national cybersecurity efforts. A clear example of this is the institutional transformation reflected in the new National Cybersecurity Strategy 2025-2028, which marks a before and after compared to the National Cybersecurity Plan of 2017. This evolution not only represents a shift in focus but also strengthens the Ministry of Information and Communication Technologies (MITIC) as the central authority for the country’s digital security.
In 2017, the plan presented significant structural weaknesses. MITIC’s role was limited to coordination through the National Cybersecurity Commission, without a consolidated operational structure. It lacked a formal technical authority, which resulted in fragmented coordination and unclear execution. Additionally, there was no organizational structure within MITIC dedicated to cybersecurity, nor a governance model that involved all state institutions. The absence of metrics, a limited focus on training, and weak coordination with the private sector left the country vulnerable to growing threats.
These weaknesses have been addressed comprehensively in the 2025-2028 strategy, which was approved by Decree 3900/25 on May 22, 2025. MITIC has been consolidated as the national authority on cybersecurity, leading the formulation and execution of public policies and coordinating actions with various sectors to strengthen the country’s digital resilience. The General Directorate of Cybersecurity and Information Protection was created within MITIC, the role of CERT-PY was strengthened as the operational body for handling incidents, and a security governance model was approved that decentralizes responsibilities across all public institutions. Furthermore, training programs, awareness campaigns, international cooperation, and a regulatory approach, including key legal reforms, are being implemented.
Were TEDIC’s comments included in the final version?
In 2024, MITIC, through the DGCPI and CERT-PY, led a participatory process to update the National Cybersecurity Strategy 2025-2028 with the support of the OAS. Multiple working groups were held with over 250 participants from various sectors. In this context, TEDIC actively participated in two in-person and virtual meetings, presented observations to the draft, and held a subsequent meeting to explain their observations, pointing out key issues on governance, rights protection, and strengthening the national strategy. However, the following points, considered fundamental for a comprehensive perspective, were not included:
1) Cybersecurity Governance with an Integrated Approach
One of the main points raised by TEDIC was the need for more inclusive, cross-cutting governance with an inter-institutional approach that better reflects the complexity of Paraguay’s digital ecosystem.
Among the contributions made, TEDIC emphasized that although the document proposed a more robust governance architecture than in 2017, it still had significant limitations. Notably, there was a clear absence of key state institutions in the design and implementation of cybersecurity policies. The strategy does not explicitly or operationally include the participation of institutions such as the Ministry of Public Health, the Ministry of Women, the Secretariat for Children and Adolescents, or the Human Rights Directorate of the Ministry of the Interior.
This omission is not trivial. In a context where cybersecurity directly impacts sensitive rights—such as access to health, protection against digital gender violence, or the safety of minors online—excluding these institutions limits the state’s ability to formulate truly comprehensive public policies. TEDIC proposed that these actors should be part of the permanent coordination tables, both in the implementation phase and in the evaluation and adjustment of strategic actions.
2) Mechanisms for Working with Multiple Stakeholders (Civil Society, Academia, Companies, Technical Community)
The published strategy maintains a predominantly technical focus centered on critical infrastructure and incident response. While it mentions the importance of a “human-centered” approach and the need for coordination, it does not specify how or in what spaces institutions representing key social sectors will participate. It also does not describe concrete mechanisms for collaboration with civil society or academia, beyond a general statement of openness to multiple stakeholders.
This represents a missed opportunity to strengthen the legitimacy and effectiveness of the strategy. Inclusive governance not only guarantees a greater diversity of perspectives but also a better capacity to respond to complex threats, such as technology-facilitated gender violence, attacks on hospital infrastructures, or privacy risks for children, adolescents, and other vulnerable groups. The exclusion of these sectors limits the possibility of formulating comprehensive public policies designed not only to protect systems but also to protect people.
3) Imbalance between Preventive and Punitive Approaches
TEDIC’s warning about the alarmist and punitive approach in addressing digital risks is problematic. Many of the measures proposed in the draft—and retained in the final document—are focused on strengthening the legal framework, penalizing behaviors, and protecting infrastructures, without accompanying robust digital education policies, critical literacy, or early protection mechanisms for vulnerable people and groups.
TEDIC argued that this bias toward punitive measures could lead to legal overreactions that violate fundamental rights, especially when there are no clear safeguards to prevent abuses in monitoring or prosecuting certain cybercrimes. In their comments, they provided the example that technical measures aimed at preventing cybercrime could be disproportionately applied against human rights defenders, activists, journalists, or ordinary users operating in contexts of low digital education.
Rethinking Cybersecurity: Towards a Human-Centered Strategy, Not Punishment
One of the most urgent and valuable contributions TEDIC made during the review process of the National Cybersecurity Strategy 2025-2028 was the need to rethink the very concept of cybersecurity from a positive, human-centered perspective. Unfortunately, this was not included. Digital security cannot be limited to protecting infrastructures or pursuing cybercrimes under a militarized or punitive logic. On the contrary, it should aspire to build a digital environment free from violence, inclusive, safe, and just for all people.
This implies recognizing that threats to digital security do not only come from external actors such as hackers or anonymous cybercriminals. In many cases, digital violence is deeply rooted in everyday power and inequality relationships: an ex-partner spying, harassing, or distributing intimate images without consent; cases of cyberbullying destroying the self-esteem of children and adolescents; systematic practices of state surveillance without judicial oversight or democratic controls; or tech companies designing invasive systems without considering the real rights and needs of individuals.
In this sense, the concept of cybersecurity must move away from being reactive and coercive, and become a tool to guarantee the full exercise of human rights in digital environments. Digital security should protect people more than systems; it should prevent harm before punishing it, and it should actively include historically excluded sectors—such as women, LGBTQIA+ people, children, indigenous communities, and people with disabilities—in its design and governance.
Unfortunately, the National Cybersecurity Strategy published by MITIC still does not fully integrate this vision. While general principles such as the “human-centered” approach are mentioned, the practical implementation still follows a logic where the technical and penal aspects dominate the narrative. It speaks about strengthening legal frameworks, criminalizing behaviors, protecting critical infrastructures, and increasing the state’s control capacity, but says very little—if anything—about how to ensure safe environments for those suffering from digital violence in their homes, classrooms, workplaces, or communities.
Cybersecurity cannot be built without care, nor can it function without empathy. It requires a profound transformation that places human dignity, digital rights, and social justice at the center. This also implies changing who makes the decisions: it’s not enough to have technicians and security institutions; Ministries of Health, Women, Children, Education, and Human Rights must also have a seat at the table, along with social organizations, technical communities, teachers, mothers, children, and ordinary users.
A truly democratic cybersecurity not only blocks threats: it also enables freedoms, creates trust, and reduces inequalities. And above all, it does not criminalize those who participate in the digital world but accompanies, protects, and empowers them.
Blue Team Tools: A Resource to Protect Our Activisms