Argentina mandates 180-day cybersecurity overhaul for state agencies

Agencies must test disaster recovery plans annually and document failures to drive ongoing refinement.

State agencies must establish backup data centers at least 1,500 km away with redundant power, cooling, and dual independent network links to ensure service continuity. High-criticality systems must recover within 4 hours with at most 1 hour of data loss; medium-criticality systems within 24 hours; low-criticality systems within 1-5 days, all verified through mandatory testing.

  • 180-day deadline for state agencies to implement cybersecurity overhaul
  • Backup data centers must be located at least 1,500 km from primary facilities
  • High-criticality systems: 4-hour recovery time, 1-hour maximum data loss
  • Argentina recorded 5.7 billion cyberattack attempts in the prior year
  • Full Tier 3 certification deadline extends to 20 months

Argentina's National Cybersecurity Center issued a regulation requiring all public sector organizations to strengthen digital systems against cyberattacks within 180 days, with specific recovery time and data loss thresholds based on system criticality.

Argentina's government has set a hard deadline: six months for every state agency to overhaul how it protects digital systems from cyberattacks, system failures, and disasters. The order came from the National Cybersecurity Center in its first official directive, published in the government gazette in May. It is not a suggestion. It is a regulation with teeth, spelling out exactly what each agency must do, how to test it, and what happens if they fail.

The mandate rests on a simple principle: critical government services cannot simply vanish when something goes wrong. When a hospital's patient records system fails, or a tax agency's database is encrypted by ransomware, or a power grid control center loses connectivity, people suffer. The regulation forces agencies to think through what happens next—and to prove they have a plan that actually works.

Every affected organization must now classify its systems by how essential they are. High-criticality systems—the ones that keep the lights on, figuratively and literally—must be back online within four hours of a failure, with no more than one hour of data lost. Medium-criticality systems get a full day to recover, with up to four hours of acceptable data loss. Low-criticality systems can take between one and five days, as long as backups have been verified. These are not arbitrary numbers. They reflect the real cost of downtime measured in hours, in lost transactions, in public trust.

To meet these targets, agencies must build redundancy into everything. Each organization needs a backup data center—not in the same city, not in the same region, but at least 1,500 kilometers away from the main facility. The distance matters. A single flood, earthquake, or fire cannot take out both sites simultaneously. The backup center must be hardened: redundant power supplies, duplicate cooling systems, fire suppression, physical security, and the ability to keep running while maintenance happens. The two sites must be connected by at least two independent network links, preferably fiber optic cables running through different physical routes and contracted from different providers. A third link—satellite or radio—is recommended for extreme scenarios when everything else fails.

But having a backup center means nothing if no one has tested whether it actually works. The regulation transforms disaster recovery from a document that sits in a filing cabinet into an operational discipline. High-criticality systems must run a full recovery test every year, tabletop exercises twice a year, offline backup recovery tests, and network failover drills. Medium-criticality systems need annual full tests, quarterly tabletop exercises, and offline backup checks. Low-criticality systems must at least verify their backups through sampling. After each test, agencies must write a report documenting what worked, what failed, and how they will fix it. The process becomes continuous improvement, not a checkbox.

The regulation also demands that each agency maintain a detailed inventory of every system, application, dataset, piece of infrastructure, and external vendor it depends on. This inventory must be updated at least once a year, or sooner if the technology architecture changes significantly. Agencies must write formal contingency policies that define roles, responsibilities, procedures, and who has final authority when a crisis hits. They must develop playbooks for different types of incidents—ransomware attacks, physical destruction, data corruption—because not every crisis demands the same response.

The 180-day clock started ticking when the directive was published. That first deadline is when agencies must submit compliance reports showing they have a disaster recovery plan in place, including the location and technical specifications of their backup center and evidence of at least one successful failover test. But the real finish line comes at twenty months, when agencies must achieve Tier 3 certification—a higher standard of readiness and resilience.

Implementing this will not be cheap or easy. Agencies will need to budget for backup infrastructure, negotiate contracts with data center operators, hire or train staff in disaster recovery procedures, and coordinate across technical teams that may have never worked together before. Some agencies may lack the resources to build a backup center 1,500 kilometers away. Others may struggle to find qualified personnel to design and test these systems. The regulation assumes a level of technical sophistication and financial capacity that not all government organizations possess. Yet the mandate is clear: adapt or face non-compliance. The next six months will reveal which agencies are ready to build resilience and which are still hoping nothing bad happens.

The Hearth Conversation: Another angle on the story

Inventor

Why does Argentina's government care about this now? What triggered the mandate?

Model

The country has been absorbing thousands of cyberattacks. Last year alone, Argentina recorded 5.7 billion attack attempts. At some point, you stop treating it as a problem for IT departments and start treating it as a national security issue.

Inventor

The 1,500-kilometer rule for backup centers—that's oddly specific. Why that distance?

Model

It's about geography and probability. If your main data center and backup are too close, a single event—a flood, an earthquake, a fire—can destroy both. At 1,500 kilometers, you're far enough apart that the same disaster won't hit both. It's the minimum distance that actually buys you safety.

Inventor

Four hours to recover a critical system. That sounds fast. Is it realistic?

Model

It's tight but achievable if you've planned and tested. The point is that four hours is the difference between a bad day and a catastrophe. A hospital can't wait a week to restore patient records. A tax agency can't be offline for days. The regulation is saying: plan for the worst, test constantly, and know your limits.

Inventor

What happens to an agency that doesn't comply by the deadline?

Model

The regulation doesn't spell out penalties in the source material, but the answer is implicit: they remain vulnerable. If they're hit by ransomware or a major failure, they have no legal cover, no tested plan, no backup. The real cost is operational—services fail, people suffer, and the agency becomes a cautionary tale.

Inventor

The tabletop exercises and annual tests—who actually runs those?

Model

That's the hard part. It requires coordination between technical teams, security staff, and leadership. Someone has to design the scenario, someone has to play out the response, someone has to document what went wrong. It's not a one-time event. It's a discipline that has to be sustained.

Inventor

Does this regulation apply to private companies too, or just government?

Model

Just government agencies. But private companies are watching. If the state can mandate this level of resilience, private sector organizations—especially critical infrastructure like banks and utilities—will likely face similar pressure soon.

Want the full story? Read the original at TN ↗