Panama strengthens its cybersecurity measures after recent attacks on public entities

Posted on 2026-05-15

Panama Strengthens Cybersecurity Requirements Following Recent Attacks on Public Institutions

New mandatory cybersecurity measures aim to enhance the protection of government systems, sensitive data, and critical digital infrastructure across Panama.

The Government of Panama has officially introduced a new set of mandatory cybersecurity requirements designed to strengthen the protection of public sector technology systems against cyberattacks and other digital threats.

The measures were established through a resolution issued by the National Authority for Government Innovation (AIG) and published in the Official Gazette. Compliance will be mandatory for Central Government entities, autonomous and semi-autonomous institutions, as well as state-owned enterprises.

The announcement follows a series of cybersecurity incidents that reportedly affected several public institutions, including the Ministry of Economy and Finance (MEF), the Social Security Fund (CSS), the Ministry of Health, the Ministry of Labor, and the Panama Emprende platform.

Key Cybersecurity Requirements

Under the new regulation, government entities must implement a series of minimum cybersecurity controls aimed at reducing vulnerabilities and improving resilience against cyber threats.

The required measures include:

• Maintaining an up-to-date inventory of servers, applications, and internet-facing devices.

• Installing and regularly updating security patches on exposed systems.

• Implementing Multi-Factor Authentication (MFA) for remote access, VPN connections, institutional email accounts, and cloud-based services.

• Using only supported and actively maintained operating systems.

• Deploying anti-malware protection on computers and servers.

• Implementing web filtering solutions to block malicious websites, phishing attempts, and dangerous downloads.

• Segregating critical services through Demilitarized Zones (DMZs).

• Restricting direct administrative access from the internet to sensitive systems.

• Conducting at least one annual external penetration test on internet-facing systems.

• Enhancing email security controls to detect fraudulent links, phishing campaigns, and identity spoofing attempts.

Compliance Deadlines

The resolution requires all covered institutions to submit a compliance report to the AIG within 30 calendar days, detailing the implementation status of the mandated cybersecurity controls.

Organizations that have not yet achieved full compliance must submit a corrective action plan outlining the necessary steps to address any deficiencies. The implementation of these corrective measures must be completed within a maximum period of 45 calendar days.

Guidance for Local Governments

Although the regulation primarily targets national government institutions and state-owned entities, the resolution also encourages municipalities, local councils, and provincial or regional authorities to adopt these cybersecurity measures as technical guidelines for strengthening their own digital infrastructure.

Responding to a Growing Global Threat

The decision comes amid increasing global concern over cyberattacks targeting government agencies, public services, and critical infrastructure. Cybercriminal groups continue to exploit vulnerabilities in public sector systems to gain unauthorized access to sensitive information, disrupt services, and compromise operational continuity.

By implementing these new cybersecurity requirements, Panama seeks to improve its national cyber resilience, reduce exposure to digital threats, and enhance the protection of government information systems in an increasingly connected world.

As cyber threats continue to evolve, proactive cybersecurity governance and the adoption of modern security controls are becoming essential components of public sector digital transformation and national security strategies.