Introduction: A Paradigm Shift
Cybersecurity is no longer optional in Chile; it's the law. The publication of the Cybersecurity Framework Law (Law No. 21,663) and its initial regulation (Supreme Decree No. 285) represents a fundamental change for all companies in the country. What was once a best practice is now an explicit legal obligation, subject to state supervision and a significant sanctions regime.
For boards and senior management, this means cybersecurity has escalated from being a technical issue to an unavoidable business responsibility. Ignoring this new regulation is not an option.
Key Points for the Board
New Institutional Framework
The National Cybersecurity Agency (ANCI) is created as the governing, supervisory, and sanctioning entity.
Obligated Subjects
The law applies directly to 'Essential Services' (ES) and 'Vital Importance Operators' (VIO), but its scope impacts the entire supply chain.
Fundamental Duties
- Obligation to report incidents within strict timeframes (from 3 hours)
- Implement management systems (e.g., ISO 27001)
- Designate a cybersecurity officer
Severe Sanctions
Fines for non-compliance can reach 40,000 UTM (almost USD 3 million) for VIOs, in addition to reputational risks and management liability.
The New Institutional Framework: ANCI and Key Players
The cybersecurity law establishes a new governance architecture:
National Cybersecurity Agency (ANCI): Governing, supervisory, and sanctioning entity. Primary regulatory counterpart.
National CSIRT: Technical team that coordinates incident response. Single point of contact for regulated entities.
Who Does the Law Apply To?
1. Essential Services (ES)
According to Article 4° of the law, these are public and private entities that develop fundamental activities for the country:
- Energy: Generation, transmission, or electrical distribution
- Water: Drinking water supply or sanitation
- Telecommunications
- Digital Infrastructure: Data centers, cloud computing
- IT Services: Services managed by third parties
- Transport and Infrastructure
- Financial Services: Banking and payment methods
- Social Security: Benefits administration
- Logistics: Postal and logistics services
- Public Sector: Public Administration, Judiciary, and National Congress
- Pharmaceutical: Production or research
2. Vital Importance Operators (VIO)
These are Essential Services that ANCI formally qualifies as 'vitally important' due to their particular criticality. This qualification implies additional and more demanding obligations.
Key Warning: If your company is a supplier to an ES or VIO, expect to be contractually required to comply with these same standards.
Essential Duties: Obligations for Every Qualified Entity
General Duties (Art. 7)
Every organization qualified as an Essential Service must:
- Apply technical and organizational measures permanently to manage risks
- Maintain capabilities to prevent, report, and resolve incidents
- Implement protocols and standards issued by ANCI
Specific Duty to Report Incidents (Art. 9)
It is mandatory to notify the National CSIRT of every significant incident:
- Early Alert: Within 3 hours of becoming aware
- Update Report: Within 72 hours following the alert
- Final Report: Within 15 business days following the alert
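As an added illustration (not part of the original article), a small Python scheduler that turns the three Art. 9 windows into concrete deadlines from the moment an incident is noticed, counting the 15 business days while skipping weekends and any caller-supplied holidays, and flagging which reports are overdue. The sample incident dates and the holiday are constructed; Chilean public holidays are assumed to be supplied by the user rather than built in.

```python
from datetime import date, datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Reporting windows from Art. 9 as described on the page.
EARLY_ALERT_HOURS = 3            # from becoming aware of the incident
UPDATE_REPORT_HOURS = 72         # following the early alert
FINAL_REPORT_BUSINESS_DAYS = 15  # following the early alert

def add_business_days(start: datetime, days: int, holidays: Iterable[date] = ()) -> datetime:
    """Advance `start` by `days` business days. Assumption: weekends plus the
    caller-supplied holiday dates are the only non-business days; Chilean public
    holidays are not built in."""
    skip, current, remaining = set(holidays), start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current.date() not in skip:
            remaining -= 1
    return current

def reporting_deadlines(aware_at: datetime, alert_sent_at: Optional[datetime] = None,
                        holidays: Iterable[date] = ()) -> Dict[str, datetime]:
    """The three Art. 9 deadlines. The 72-hour and 15-business-day clocks run from
    the early alert; until it is actually sent, the awareness time is used as the
    anchor, which yields the earliest (most conservative) estimate."""
    anchor = alert_sent_at or aware_at
    return {
        "early_alert": aware_at + timedelta(hours=EARLY_ALERT_HOURS),
        "update_report": anchor + timedelta(hours=UPDATE_REPORT_HOURS),
        "final_report": add_business_days(anchor, FINAL_REPORT_BUSINESS_DAYS, holidays),
    }

def overdue_items(deadlines: Dict[str, datetime], now: datetime,
                  submitted: Iterable[str]) -> List[str]:
    """Deadlines already past with no submission recorded for them."""
    done = set(submitted)
    return sorted(n for n, due in deadlines.items() if now > due and n not in done)

def sample_schedule() -> Dict[str, object]:
    """Constructed sample: incident noticed Friday 2025-03-07 17:30, alert sent 19:00."""
    aware, alert = datetime(2025, 3, 7, 17, 30), datetime(2025, 3, 7, 19, 0)
    base = reporting_deadlines(aware, alert)
    # Constructed holiday date for illustration only, not a real Chilean holiday.
    with_holiday = reporting_deadlines(aware, alert, holidays=[date(2025, 3, 24)])
    return {
        **{k: v.isoformat() for k, v in base.items()},
        "final_report_with_holiday": with_holiday["final_report"].isoformat(),
        "overdue_at_2025_03_11": overdue_items(base, datetime(2025, 3, 11), ["early_alert"]),
    }
```

Calling `sample_schedule()` shows the final report falling on 2025-03-28, or 2025-03-31 once the constructed holiday is skipped, with the 72-hour update already overdue on 2025-03-11.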
Enhanced Requirements: Obligations for VIOs (Art. 8)
If your company is qualified as a VIO, it must satisfy more rigorous obligations:
1. Implement ISMS
A robust and continuous Information Security Management System, such as one based on ISO 27001.
2. Continuity Plans
Develop, implement, and formally certify continuity and cybersecurity plans.
3. Continuous Operations
Conduct exercises, reviews, and simulations, communicating results to the National CSIRT.
4. Immediate Measures
Adopt rapid actions to mitigate the impact and spread of incidents.
5. Continuous Training
Implement training and cyberhygiene programs for all personnel.
6. Designate Cybersecurity Delegate
Formally appoint a technical liaison with ANCI. Requires a cybersecurity engineer or GRC expert profile.
Supervision and Sanctions Regime
ANCI Powers (Art. 11)
ANCI can:
- Supervise law compliance
- Order audits of obligated entities
- Request detailed information about operations
- Access facilities and systems
Sanctions (Art. 40)
Sanctions are severe and proportional:
- Serious Infractions: Fines up to 20,000 UTM (about USD 1.5 million)
- Very Serious Infractions: Fines up to 40,000 UTM (almost USD 3 million)
ANCI will determine fines considering:
- Damage caused
- Benefit obtained
- Intentionality
- Recidivism
Immediate Steps for Compliance
1. Urgent Action: Register Cybersecurity Officer
Current mandatory requirement: Register the 'Officer' with ANCI according to General Instruction No. 1.
Officer Requirements:
- Training or technical experience in cybersecurity
- Ability to maintain technical relationship with National CSIRT
Registration Process:
- Portal: portal.anci.gob.cl
- Authentication: Clave Única (Chile's "Unique Key" digital identity) + second factor
- Documentation: Appointment signed with advanced electronic signature
2. Conduct GAP Assessment
Evaluate current state versus requirements for:
- Information Security Management Systems
- Continuity plans
- Reporting protocols
3. Define Board Responsibilities
- Designate responsible committee or director
- Establish GRC program oversight
- Create regular reporting scheme
4. Develop Compliance Roadmap
Prioritize actions based on:
- Organization classification (ES vs VIO)
- Gaps identified in assessment
- Available resources and regulatory timelines
Technology and Compliance Tools
Integrated GRC Platforms
The complexity of complying with multiple simultaneous obligations makes specialized technological solutions essential:
- Compliance Management: Automated tracking of regulatory obligations
- Incident Monitoring: Real-time detection and reporting systems
- Risk Management: Continuous vulnerability assessment
- Documentation and Audit: Complete traceability for inspections
Whistleblowing Channels and Transparency
A robust ethical channel is fundamental for:
- Early detection of internal vulnerabilities
- Compliance with transparency principles
- Protection of internal whistleblowers
- Demonstration of organizational commitment
Conclusion: Compliance as Competitive Advantage
The cybersecurity framework law represents both a challenge and an opportunity to build more resilient, secure, and reliable organizations. Proactive compliance not only mitigates regulatory risks but also strengthens stakeholder confidence and business continuity.
Organizations that implement comprehensive corporate compliance management frameworks and GRC solutions will be better positioned to navigate this new regulatory landscape and convert obligations into competitive advantages.
Expert Recommendation
For organizations seeking specialized advisory on implementing cybersecurity compliance frameworks, we recommend consulting with experts in corporate law and technology who can provide a comprehensive view of technical and legal requirements.
The cybersecurity and corporate law specialists team at Anguita Osorio has developed specialized frameworks to help organizations navigate this new regulation, transforming compliance into a strategic business strength.
This article constitutes general information and does not replace personalized legal advice. For specific cases, consultation with cybersecurity law and regulatory compliance specialists is recommended.