On 11 May 2021, the “Draft Modification of the Mexican Official Standard NOM-151-SCFI-2016, Requirements to be observed for the conservation of data messages and digitalization of documents, published on 30 March 2017” (“Project”) was published in the Official Gazette of the Federation.
The Project aims to regulate and approve the rules applicable to the communication and transmission of data messages through “certified electronic communications.” Electronic communications, when certified, provide evidence related to the management of the delivery and receipt of data messages made between merchants (i.e., legal entities) and between merchants and public authorities. The Project is applicable to both the public and private sectors.
- The Project defines and standardizes the rules for the communication and transmission of data messages. While previous rules regulated the preservation and digitalization of correspondence, they did not cover the delivery and receipt of data messages.
- It applies to the communication, preservation and digitalization of correspondence (e.g., contracts) of merchants, which must be done by means of a certified electronic communication.
- A certified electronic communication, a new concept introduced in the Project, provides digital and legal security in the communication of data messages sent between merchants and between merchants and authorities.
- Merchants will have to hire the services of a certification service provider since they will have to use a certified advanced electronic signature and include a digital time stamp in each of the data messages sent and received in the relevant correspondence.
- The Ministry of Economy, through the General Directorate of Commercial Regulations, is tasked with accreditation, supervision and monitoring of compliance with the Project.
- While the requirements are not mandatory, data messages that do not comply with the requirements of the Project will not hold any probative/evidentiary value.
- The Project sets out the minimum requirements that certified electronic communications must meet. It applies to technological solutions that allow the transmission of data messages by electronic means, between the sender and receiver, and provides evidence related to the management of the delivery and receipt of messages. In particular, the Project applies to the following:
  - Notifications, summons, subpoenas, requirements, requests for reports or documents and final administrative resolutions made by means of official letters delivered by certified mail, with acknowledgment of receipt, electronic means of communication or any other means
  - Preservation of merchant correspondence, with respect to the delivery and receipt of data messages
  - The delivery, receipt and acknowledgement of receipt of data messages
- The aforementioned communications must be kept complete, confidential and available from the moment they are sent until they are received, regardless of the technological solution used (i.e., software and hardware that carries out the certified electronic communication and that must be built in accordance with the data structures for sending and receiving data messages published by the Secretariat here).
- Requirements to satisfy integrity, confidentiality and availability:
- The issuer is capable of electronically signing a data message with an advanced electronic signature (AES) certified by a Certification Authority recognized in Mexico.
- The issuer is able to encrypt the data message by means of a cryptographic algorithm or use a cryptographic protocol, compatible with industry standards, which can be consulted at www.firmadigital.gob.mx.
- The receiver is able to decrypt the data message using a cryptographic algorithm. The technological solution (service) used to receive the data message must be able to (i) generate the confirmation of receipt (acknowledgement); (ii) if necessary, allow the recipient to generate an acknowledgement of receipt signed with a certified AES, which also allows verification of the validity, revocation status (OCSP and/or CRL) and signature validation of the issuer of the certificate; and (iii) incorporate a digital time stamp in the data message.
- The receiver is able to detect any alteration to the integrity of the data message signed with a certified AES. Specifically, it must verify validity, revocation status (OCSP and/or CRL, as the case may be) and signature validation of the certificate issuer.
- When the applicable legal provisions so require, the parties must reliably guarantee the identity of the parties sending and receiving the data message.
- When the applicable legal provisions so require, the parties shall include the time at which the data message is sent and received.
The Draft will be open for public consultation until 10 July 2021. Comments may be submitted via email to the following: email@example.com, firstname.lastname@example.org and email@example.com or through the Oficialía de Partes of the Secretariat of Economy, located at Calle Pachuca, number 189, Colonia Condesa, Alcaldía Cuauhtémoc, Mexico City, C.P. 06140, telephone 57 29 91 00, extensions 43219, 43235 and 13204.