Cybersecurity has become a strategic priority for organizations in all sectors, and in Uruguay, the recent Decree No. 66/025 reinforces this need by establishing new obligations for public entities and critical sectors. This regulatory framework seeks to protect critical information assets and ensure the continuity of the country's essential services.
In this article, we explain the key points of the decree, its implications and how Nextfense's specialized services can help you comply with these regulations.
What is Decree No. 66/025 and to whom does it apply?
Decree No. 66/025, enacted on February 20, 2025, establishes a regulatory framework in cybersecurity that applies to:
- Public entities.
- Private entities linked to critical sectors, such as:
  - Health
  - Energy
  - Telecommunications
  - Transportation
  - Banking and Financial Services
  - Drinking water, agro-industry, defense, among others.
The main objective of the decree is to strengthen the protection of critical information assets, prevent cybersecurity incidents and ensure the resilience of essential services.
Main obligations of Decree No. 66/025
The organizations covered by the decree must comply with a series of specific measures, including:
- Adopt effective security measures: implement controls and procedures to protect critical information assets.
- Follow national and international standards in cybersecurity.
- Perform cybersecurity audits: periodically evaluate the state of information systems.
- Identify vulnerabilities and risks to mitigate them.
- Report cybersecurity incidents: report any incident to CERTuy (National Computer Security Incident Response Center) within 24 hours.
- Appoint an Information Security Officer: appoint an internal or external professional to lead the organization's cybersecurity strategy.
- Comply with the Cybersecurity Framework: adopt the framework developed by AGESIC and achieve the assigned level of maturity.
What happens if you don't comply with the decree?
Failure to comply with the obligations established in Decree No. 66/025 can have serious consequences, such as:
- Legal sanctions: The Agency for the Development of Electronic Management and the Information and Knowledge Society (AGESIC) can warn non-compliant entities.
- Loss of trust: Customers, partners, and citizens can lose trust in your organization.
- Operational risks: The lack of security measures increases vulnerability to cyberattacks, which can compromise the continuity of services.
How can Nextfense help you comply with Decree No. 66/025?
At Nextfense, we are experts in cybersecurity and have a portfolio of services designed to help you comply with the new regulations. Here's how we can support you:
1. Cybersecurity Audits
We carry out comprehensive audits to assess the state of your information systems, identify vulnerabilities and ensure compliance with the Cybersecurity Framework. Our approach includes:
- Review of policies and procedures.
- Technological infrastructure analysis.
- Identification of security gaps and recommendations for improvement.
2. Virtual CISO (Chief Information Security Officer)
If your organization doesn't have an internal CISO, we offer a Virtual CISO, a service that provides strategic leadership in cybersecurity. This external professional:
- Designs and implements security policies.
- Monitors regulatory compliance.
- Acts as a liaison with AGESIC and CERTuy.
3. Incident Management and Response
We help you prepare to respond quickly and effectively to cybersecurity incidents. Our services include:
- Development of incident response plans.
- Forensic analysis to identify the root cause of problems.
- Assistance in communication and reporting to CERTuy.
4. Vulnerability Assessment
We identify and prioritize risks in your systems so you can mitigate them before they become incidents. This service is key to protecting your critical assets and ensuring operational continuity.
5. System hardening
We strengthen the security of your systems and applications by configuring advanced controls, reducing the attack surface and minimizing risks.
Conclusion: Comply with Decree No. 66/025 and protect your organization
Decree No. 66/025 marks a turning point for cybersecurity in Uruguay, establishing a clear framework for protecting critical information assets. Complying with these regulations is not only a legal obligation, but also an opportunity to strengthen the security and resilience of your organization.
At Nextfense, we're here to help you navigate this new regulatory landscape and ensure that your organization is prepared to face cybersecurity challenges.
Do you need help complying with Decree No. 66/025?
📞 Contact us today for a personalized consultation.
🛡️ Protect your organization with our cybersecurity experts.