On April 1, 2026, a new Article 30-B of Mexico's Federal Tax Code (Código Fiscal de la Federación) took effect, and with it Rule 2.9.21 of the 2026 Miscellaneous Tax Resolution (RMF 2026), published in the Diario Oficial de la Federación on December 28, 2025. Together they compel every digital service provider and intermediary marketplace serving Mexican users to grant the Tax Administration Service (SAT) permanent, online access to transaction-level records — data made available no later than the day after each transaction and held in a searchable five-year archive. Covered platforms had to hand SAT working access credentials by April 30, 2026.
The case SAT makes, fairly stated
The fiscal logic is real and worth stating before contesting it. Cross-border digital commerce is genuinely hard to tax: value accrues to non-resident platforms, the taxable event is a stream of small transactions, and enforcement historically depended on platforms reporting honestly about themselves. Mexico began levying 16% VAT on foreign platforms in 2025, and the tax base is not trivial — e-commerce through digital platforms reached roughly MX$790 billion in 2024, per the Mexican Online Sales Association (AMVO). When a base that large is largely self-declared, an authority's ability to verify rather than merely receive matters.
SAT has also been notably consultative and explicit about limits. On December 4, 2025, it met with Meta, Amazon, TikTok, Mercado Libre, DiDi, Rappi, Netflix, Walmart and Airbnb (Comunicado SAT 63-2025) and stated the access is "enfocada exclusivamente en la información de índole fiscal" — fiscal data only, not personal profiles, messages or consumption history — and that platforms may choose their own "sistema, interfaz o aplicativo" to provide it. The stated purpose is narrow: confirm correct VAT remittance.
Why permanent live access is the wrong instrument
Grant all of that, and the measure is still disproportionate to its goal — because Mexico already has the data through a less intrusive channel. Mexico operates one of the world's most comprehensive mandatory e-invoicing regimes: the CFDI. Nearly every taxable transaction already generates a fiscal folio transmitted to SAT in near real time. The authority is not blind; it already sees the transactional record VAT enforcement requires.
Article 30-B layers something qualitatively different on top of that: standing, credentialed access into the platforms' own production systems. A periodic structured report is bounded — defined fields, a fixed cadence, a clear scope. A username and password into a live database is open-ended by design. The data fields Rule 2.9.21 reaches are not anodyne either: client RFC, CURP, domicile, bank-account details, payment method, and — for lodging and goods marketplaces — property and import information, broken down by ISR, IVA and IEPS. Concentrating that in a government-accessible store invites the classic failure modes of standing access: scope creep beyond the original purpose, and a single high-value breach target.
Those risks are not hypothetical hand-wringing. Writing in El Universal, telecom and digital-rights analyst Irene Levy noted that the rules set no "estándares técnicos mínimos de seguridad informática" and no access-traceability protocol, leaving "espacios relevantes de discrecionalidad" — meaningful discretion with little oversight. She also observed that the combination of permanent real-time access with a blocking power "no es habitual" among comparable jurisdictions. A regime that promises "fiscal data only" but hands the state a live key, without a logged, auditable, purpose-bound access protocol, asks platforms and users to trust restraint rather than design.
A blunt enforcement backstop
The enforcement mechanism compounds the problem. Under Articles 18-H Bis and 18-H Quintus of the VAT Law, a platform that fails to comply faces temporary blocking of its service, executed through Mexico's telecom concessionaires until the omission is corrected. Using network-level blocking as a routine tax-enforcement tool is a heavy instrument with collateral reach: it degrades a service for every Mexican user, not just the delinquent taxpayer, and normalizes a site-blocking machinery whose appetite rarely stays confined to its original justification. Proportionate enforcement escalates — notice, audit, penalty — before it reaches for the kill switch.
What proportionate would have looked like
The instructive contrast is not anti-tax; it is pro-design. The OECD Model Reporting Rules for Digital Platforms and the EU's DAC7 directive target the same evasion problem and have been adopted across dozens of jurisdictions — yet they rely on periodic, standardized reporting. Platforms file a defined dataset on a schedule to the tax authority, which then exchanges it with counterparts. There is no standing credential, no live database access, no telecom-level blocking as a first-line tool. The reporting is auditable, scoped, and revisable by law rather than by administrative discretion.
Mexico could have reached the same VAT-compliance outcome by tightening platform reporting on top of its existing CFDI infrastructure. Instead it chose the most intrusive option on the menu and paired it with the bluntest enforcement backstop. For a tech sector that AMVO data shows is still expanding briskly, that is a signal worth weighing: jurisdictions that treat permanent system access as a default rather than a last resort raise the cost of operating without a commensurate gain in compliance — and set a template other governments are quick to copy. The goal is legitimate. The method is not the only one available, and probably not the right one.