Chile Cybersecurity Framework Law Now Fully Enforceable

Chile's cybersecurity law was recently updated to impose obligations on “essential service providers”, including those in the electricity and banking sectors, and on “operators of vital importance”. The law also establishes a government agency dedicated to cybersecurity enforcement.

Scope of Application: The law applies to:

  • Essential Service Providers (“ESPs”): ESPs include, but are not limited to, electricity generation, transmission, and distribution; fuel transport and supply; water supply and sanitation; telecommunications; digital infrastructure; digital services; managed IT services; various forms of transportation; banking, financial services, and payment methods; social security administration; postal services; institutional health providers (hospitals, clinics); and pharmaceutical production/research.
  • Operators of Vital Importance (“OVIs”): A subset of service providers to be designated in July 2025 based on their dependence on information systems and networks, and the significant impact their disruption could have. OVIs will be subject to stricter obligations and higher fines than ESPs.

Infractions and Penalties: The law establishes a regime of infractions with corresponding fines, depending on severity.

  • Minor offenses: Fines up to USD 345,000 for ESPs and USD 690,000 for OVIs.
  • Serious offenses: Fines up to USD 1,380,000 for ESPs and USD 2,760,000 for OVIs.

New Institutional Framework: 

  • National Cybersecurity Agency: The law establishes the National Cybersecurity Agency (the “ANCI”), which will be the primary authority for cybersecurity regulation. Its main objectives are to advise the Chilean President on cybersecurity matters, protect national interests in cyberspace, and coordinate relevant institutions.

Mandatory Registration on the ANCI’s Platform: 

  • Online registration must be completed by the designated incident reporting officer.
  • A formal designation document signed by the legal representative is required.
  • Institutions must assign both a primary and a backup contact.
  • Failure to register is considered a regulatory infraction.

Key Principles: The law is guided by several principles, including:

  • Damage Control: Coordinated and diligent action to prevent escalation and spread of cyberattacks.
  • Cooperation with Authority: An obligation to cooperate with the competent authorities in resolving cybersecurity incidents.
  • Computer Security: Adopting necessary technical measures, including encryption.
  • Reasonableness: Cybersecurity measures and the ANCI's powers should be proportionate to the risk and potential impact of a cybersecurity issue.
  • Security and Privacy by Default and by Design: IT systems, applications and technologies must be designed and managed with data security and privacy in mind.

Cybersecurity Obligations:

  • General Duties for ESPs and OVIs:
      • Implement permanent measures to prevent, report and resolve cybersecurity incidents, following the ANCI's protocols and standards.
      • Conduct review operations, exercises, drills and analyses of computer networks and systems.
      • Take necessary measures to reduce the impact and spread of incidents.
      • Obtain cybersecurity certifications as required by law.
      • Report cyberattacks and cybersecurity incidents within a maximum of three hours of detection (with updates within 72 hours and a final report within 15 days).
  • Specific Duties for OVIs: These include implementing continuous information security management systems, preparing and maintaining operational continuity and cybersecurity plans (which must be certified and periodically reviewed) and continuously training personnel.

Entry into Force: The law was enacted on March 26, 2024, and published in the Official Gazette on April 8, 2024. The ANCI commenced its activities on January 1, 2025. Key provisions that enable the law to become fully enforceable came into force on March 1, 2025.
