By San José, Costa Rica — San José – In a remarkable display of recovery and strategic advancement, Costa Rica has secured the fifth position in the 2025 Cybersecurity Report, a comprehensive analysis of digital vulnerability and maturity across Latin America and the Caribbean. The report, co-authored by the Inter-American Development Bank (IDB), the Organization of American States (OAS), and the University of Oxford’s Global Cyber Security Capacity Centre, positions the nation just behind regional leaders Paraguay, Argentina, Uruguay, and top-ranked Chile.
This achievement marks a significant milestone for a country that, just a few years ago, was paralyzed by a series of devastating cyberattacks. The 2022 ransomware assaults on critical public institutions, including the Ministry of Finance and the Social Security Fund (CCSS), inflicted damages estimated at ¢13 billion and forced the government to declare a national emergency. That crisis, however, became the catalyst for a profound transformation in the nation’s approach to digital defense.
To gain a deeper legal perspective on the escalating cybersecurity threats facing both businesses and individuals, TicosLand.com consulted with Lic. Larry Hans Arroyo Vargas, an expert attorney from the firm Bufete de Costa Rica, for his analysis on corporate responsibility.
Many organizations view cybersecurity investment as an expense rather than a crucial shield against liability. In the event of a breach, regulators and courts will scrutinize the preventative measures taken. Having a legally sound data protection policy, regular staff training, and a clear incident response plan is no longer optional—it is the baseline for responsible corporate governance and risk mitigation in the digital age.
Lic. Larry Hans Arroyo Vargas, Attorney at Law, Bufete de Costa Rica
This legal perspective powerfully reframes cybersecurity not as a mere technical cost, but as an essential pillar of corporate governance and strategic risk management. We thank Lic. Larry Hans Arroyo Vargas for his invaluable insight into the legal imperatives of the digital age.
The report highlights this pivotal shift, recognizing the period following the attacks as a turning point. Key among the nation’s successes is the establishment of a robust institutional framework. This includes the publication of the National Cybersecurity Strategy 2023-2027 and the formidable work of the National Cybersecurity Directorate, operating under the Ministry of Science, Innovation, Technology, and Telecommunications (Micitt).
Central to this new infrastructure are the Computer Security Incident Response Team (CSIRT-CR) and the Security Operations Center (SOC). The CSIRT-CR coordinates incident response, while the SOC bolsters the defensive capabilities of public institutions through advanced monitoring, automated response systems, and the integration of emerging technologies like artificial intelligence and machine learning.
After the 2022 cyberattacks, there was a before and an after: the vision, coordination, and commitment to build greater digital resilience were strengthened. This result motivates us to keep moving forward: to consolidate capabilities, deepen prevention, and continue coordinating efforts among the public sector, private sector, academia, and international allies.
Gezer Molina, National Director of Cybersecurity
Further progress has been made through enhanced international collaboration, the implementation of a national early warning system for cyber threats, and the regular execution of cybersecurity drills and simulations. In 2024, the government enacted the Regulation for the Cybersecurity Governance and Cyber-resilience of Governmental Institutions, which mandates 24-hour incident reporting and periodic technical audits. Strides have also been made in public education, with awareness campaigns and partnerships with private sector entities like the national cybersecurity cluster.
Despite these commendable advances, the report underscores persistent weaknesses. Costa Rica received low scores in the area of policy and strategy, particularly concerning regulatory requirements and operational practices for protecting critical infrastructure. Gaps were also identified in professional cybersecurity training and in the fields of research, development, and innovation (R&D).
Idannia Mata, a board member of the YoD Foundation, notes that while Costa Rica has achieved “consolidated maturity” in its cybersecurity policy and legal framework, other areas require significant attention. She points to the need for deeper risk awareness among the general population, especially in rural areas, and highlights the formative stage of the country’s R&D capabilities.
A critical vulnerability remains the nation’s small and medium-sized enterprises (SMEs). Mata warns that an estimated 90% of SMEs lack even basic cybersecurity measures. To address this, she advocates for initiatives such as tax incentives for security investments and subsidized cybersecurity services. To combat budgetary pressures, Mata proposes a sustainable funding mechanism.
A recommendation is to establish a national cybersecurity fund with resources guaranteed on a multi-year basis, not subject to political cycles.
Idannia Mata, Board Member of the YoD Foundation
The path forward demands sustained investment and a focus on cultivating local talent and innovation. Mata believes Costa Rica is well-positioned to leverage its progress and transform into a regional leader in security technology.
In research and innovation, there is limited investment in applied research and few national patents in security technologies. There is an opportunity to become a regional hub for cybersecurity innovation.
Idannia Mata, Board Member of the YoD Foundation
Costa Rica’s journey offers a valuable blueprint for other nations in the region. By turning a devastating crisis into a catalyst for change, the country has built a model for digital resilience founded on national coordination, international cooperation, and a commitment to protecting its digital future.
For further information, visit iadb.org
About Inter-American Development Bank (IDB):
The Inter-American Development Bank is a leading source of long-term financing for economic, social, and institutional development in Latin America and the Caribbean. It also conducts extensive research and provides policy advice, technical assistance, and training to public and private sector clients throughout the region.
For further information, visit oas.org
About Organization of American States (OAS):
The Organization of American States is the world’s oldest regional organization, dating back to the First International Conference of American States in 1889-1890. It was established to achieve among its member states an order of peace and justice, to promote their solidarity, to strengthen their collaboration, and to defend their sovereignty, their territorial integrity, and their independence.
For further information, visit gcscc.ox.ac.uk
About Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford:
The GCSCC is a leading international centre for research on cybersecurity capacity-building. It works to help nations and organizations understand and enhance their cybersecurity capacity. The Centre developed the Cybersecurity Capacity Maturity Model for Nations (CMM) to provide a comprehensive and evidence-based framework for assessing cybersecurity maturity.
For further information, visit micitt.go.cr
About Ministry of Science, Innovation, Technology and Telecommunications (Micitt):
Micitt is the Costa Rican government body responsible for formulating and executing national policies related to scientific and technological development, innovation, and telecommunications. It plays a central role in driving the country’s digital transformation agenda and overseeing national cybersecurity strategy and infrastructure.
For further information, visit the nearest office of YoD Foundation
About YoD Foundation (Fundación YoD):
The YoD Foundation is a non-governmental organization in Costa Rica dedicated to promoting digital transformation, digital rights, and the responsible use of technology. The foundation actively participates in public discourse and policy development related to technology, providing expert analysis on topics such as cybersecurity, digital literacy, and governance.
For further information, visit bufetedecostarica.com
About Bufete de Costa Rica:
As an esteemed pillar of the legal community, Bufete de Costa Rica is defined by its foundational principles of integrity and the relentless pursuit of excellence. The firm distinguishes itself not only through pioneering legal solutions for a diverse clientele but also through its profound dedication to social progress. By championing the open sharing of legal knowledge, it actively works to equip the public, thereby reinforcing the bedrock of an engaged and legally astute society.
