In September 2025, the Office of the U.S. Trade Representative announced a public consultation process in advance of the joint review of the Agreement between the U.S., Mexico, and Canada (USMCA or Agreement) on July 1, 2026. This review offers an opportunity to evaluate how well the Agreement keeps pace with rapidly changing global priorities, especially in the realm of cybersecurity and digital trade. 

When it was first signed, the USMCA broke new ground as one of the first major trade agreements to include cyber provisions. This forward thinking approach recognized early on that strong cyber commitments are essential to maintaining the integrity of modern commerce. 

But as digital technologies evolve and threats grow more sophisticated, it's clear that the Agreement’s cybersecurity framework needs to evolve as well. In response, several of the Center for Cybersecurity Policy and Law (CCPL) organizations submitted comments to the consultation, expressing strong support for the Agreement’s digital chapter while identifying key areas for enhancement to ensure the USMCA remains a model for continued cooperation in cybersecurity and digital trade.

Across submissions, a common theme emerged: the need to reinforce the Agreement’s existing language and make its commitments more actionable. 

The original USMCA text included important provisions such as promoting national incident response capabilities, improving information sharing mechanisms, adopting risk-based approaches, enabling cross border data flows, and using consensus based international standards. While the current provisions provide a strong baseline, comments from the Coalition to Reduce Cyber Risk (CR2) recommend revising key provisions to include more enforceable terms, replacing phrases such as “shall endeavor to” with “shall,” to ensure greater clarity and accountability among parties.  

In addition to these overarching recommendations, the submissions identified several priority areas where updated language or new commitments could help modernize the USMCA’s digital trade chapter. These include:

• Alignment of Cyber Incident Reporting Measures: Divergent cyber incident reporting requirements across North America create complexity for organizations managing cross-border operations, often slowing response times and increasing costs during active incidents. Aligning core elements such as reporting thresholds, timelines, and minimum information requirements under the USMCA would streamline compliance, improve coordination, and strengthen regional resilience through faster, more consistent information sharing.
• Alignment of Secure Software Development Requirements: As governments introduce secure software development requirements to embed security from the outset, inconsistent implementation across jurisdictions has led to overlapping and sometimes conflicting obligations for developers. Greater alignment among the USMCA Parties around common secure-by-design principles would reduce compliance burdens, enhance software supply chain security, and promote trusted digital trade across North America.
• Coordination of Strategies to Transition to Post-Quantum Cryptography: The coming shift to post-quantum cryptography poses challenges for interoperability and security if national strategies diverge. Aligning USMCA members around common implementation timelines, technical standards, and recognition of NIST’s globally accepted algorithms would promote a coordinated transition, enhance resilience, and ensure consistency in protecting North America’s digital infrastructure against future quantum threats.
• Coordinated Vulnerability Disclosure: Strengthening national capabilities for coordinated disclosure of cybersecurity vulnerabilities would ensure a more consistent and effective approach to mitigating cyber risks across North America. Promoting voluntary, harmonized frameworks aligned with international standards such as ISO/IEC 29147 and 30111 would bolster trust, enhance resilience, and support secure cross-border digital trade.
• Cybersecurity in Workforce and Skills Development - Embedding cybersecurity into workforce training and digital literacy initiatives is essential to cultivating a cyber-ready labor force. Supporting upskilling efforts across the USMCA region would help ensure that workers and businesses alike are prepared to meet evolving security challenges in the digital economy.
• Encryption: Strong encryption remains fundamental to safeguarding data, privacy, and trust in the digital economy. The USMCA could reinforce this commitment by not only prohibiting requirements that weaken encryption or compel disclosure of proprietary information, but also by explicitly banning any mandate for government “backdoor” access, which would undermine security and create technical barriers to trade.
• Establishing a USMCA Cybersecurity Regulatory Cooperation Forum: A trilateral cybersecurity forum would provide a dedicated platform for regular coordination among government and industry stakeholders across North America. Such a mechanism could align national policies, reduce regulatory fragmentation, and enable more effective collaboration on shared cybersecurity challenges.
• Interoperable Cybersecurity Risk Management and Critical Infrastructure Security: Aligning cybersecurity risk management and critical infrastructure security frameworks across the USMCA region would reduce fragmentation and duplicative compliance requirements. By promoting interoperable, risk-based approaches grounded in international standards like ISO/IEC 27001 and 27017, the Parties can strengthen regional resilience, support secure cross-border operations, and create a more predictable environment for digital trade and investment.
• Mutual Recognition of Cloud Security Requirements for Government Procurement: Varying cybersecurity certification and conformity assessment requirements for government cloud procurement across North America create duplicative, costly, and time-consuming compliance processes for providers. Establishing mutual recognition of cloud security accreditations based on shared baseline standards would streamline certification, strengthen regional trust, and ensure governments can access secure, innovative cloud services more efficiently.
• Mutual Recognition of Cybersecurity Labels and Conformity Assessments: Divergent cybersecurity labeling and certification schemes across North America create unnecessary compliance burdens and supply chain inefficiencies for manufacturers. Establishing mutual recognition of labels and conformity assessments, particularly through a “certify once, comply with many” approach, would streamline compliance, foster interoperability, and accelerate the availability of secure digital products throughout the region.
• Removal of Untrusted Vendors from Critical Infrastructure: With North American supply chains deeply interconnected, inconsistent national approaches to managing untrusted vendors leave critical systems unevenly protected. A trilateral commitment to identify and remove such vendors would enhance regional cybersecurity, safeguard shared infrastructure, and ensure trusted, secure trade across all three USMCA markets.
• Small and Medium-Sized Enterprises: Small and medium-sized enterprises play a vital role in North America’s digital supply chains but remain especially vulnerable to cyber threats. Strengthening USMCA provisions to promote SME adoption of international cybersecurity standards, such as the NIST Cybersecurity Framework, would enhance their resilience and reinforce the overall security of the regional digital ecosystem.

Together, these updates would ensure the USMCA continues to serve as a global model for aligning trade and cybersecurity policy, supporting a more secure, innovative, and resilient digital economy across North America. 

Find each submission below:

Coalition to Reduce Cyber Risk

Cybersecurity Coalition

Digi Americas Alliance

‍