Chile's cybersecurity law was recently updated to impose obligations on “essential service providers”, including those in the electricity and banking sectors, and on ”operators of vital importance”. The law also establishes a government agency dedicated to cybersecurity enforcement.
Scope of Application: The law applies to:
- Essential Service Providers (“ESPs”): ESPs include, but are not limited to, electricity generation, transmission, and distribution; fuel transport and supply; water supply and sanitation; telecommunications; digital infrastructure; digital services; managed IT services; various forms of transportation; banking, financial services, and payment methods; social security administration; postal services; institutional health providers (hospitals, clinics); and pharmaceutical production/research.
- Operators of Vital Importance (“OVIs”): A subset of service providers to be designated in July 2025 based on their dependence on information systems and networks, and the significant impact their disruption could have. OVIs will be subject to stricter obligations and higher fines than ESPs.
Infractions and Penalties: The law establishes a regime of infractions with corresponding fines, depending on severity.
- Minor offenses: Fines up to USD 345,000 for ESPs and USD 690,000 for OIVs.
- Serious offenses: Fines up to USD 1,380,000 for ESPs and 2,760,000 for OIVs.
New Institutional Framework:
- National Cybersecurity Agency: The law establishes the National Cybersecurity Agency (the “ANCI”), which will be the primary authority for cybersecurity regulation. Its main objectives are to advise the Chilean President on cybersecurity matters, protect national interests in cyberspace, and coordinate relevant institutions.
Mandatory Registration on the ANCI’s Platform:
- Online registration must be completed by the designated incident reporting officer.
- A formal designation document signed by the legal representative is required.
- Institutions must assign both a primary and a backup contact.
- Failure to register is considered a regulatory infraction.
Key Principles: The law is guided by several principles, including:
- Damage Control: Coordinated and diligent action to prevent escalation and spread of cyberattacks.
- Cooperation with Authority: An obligation to cooperate with the competent authorities in resolving cybersecurity incidents.
- Computer Security: Adopting necessary technical measures, including encryption.
- Reasonableness: Cybersecurity measures and the ANCI's powers should be proportionate to the risk and potential impact of a cybersecurity issue.
- Security and Privacy by Default and by Design: IT systems, applications and technologies must be designed and managed with data security and privacy in mind.
Cybersecurity Obligations:
- General Duties for ESPs and OVIs:
- Implement permanent measures to prevent, report and resolve cybersecurity incidents, following the ANCI's protocols and standards.
- Conduct review operations, exercises, drills and analyses of computer networks and systems.
- Take necessary measures to reduce the impact and spread of incidents.
- Obtain cybersecurity certifications as required by law.
- Report cyberattacks and cybersecurity incidents within a maximum of three hours of detection (with updates within 72 hours and a final report within 15 days).
- Specific Duties for OVIs: These include implementing continuous information security management systems, preparing and maintaining operational continuity and cybersecurity plans (which must be certified and periodically reviewed) and continuously training personnel.
Entry into Force: The law was enacted on March 26, 2024, and published in the Official Gazette on April 8, 2024. The ANCI commenced its activities on January 1, 2025. Key provisions that enable the law to become fully enforceable came into force on March 1, 2025.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- Age Appropriate Design Code
- Age Verification
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Audit
- Audits
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Behavioral Advertising
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Consumer Rights
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cross-Border Data Transfer
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Protection Officer
- Data Transfer
- David Dumont
- David Vladeck
- Deceptive Trade Practices
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- Department of Treasury
- Design
- Digital Markets Act
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DORA
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Electronic Protected Health Information
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- European Union
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- Financial Data
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Geolocation Data
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- HIPAA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Louisiana
- Madrid Resolution
- Maine
- Malaysia
- Maryland
- Massachusetts
- Meta
- Mexico
- Michigan
- Microsoft
- Minnesota
- Missouri
- Mobile
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- North Dakota
- North Korea
- Norway
- Obama Administration
- OCPA
- OECD
- Office for Civil Rights
- Office of Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Online Behavioral Advertising
- Online Privacy
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Poland
- PRISM
- Privacy By Design
- Privacy Notice
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Profiling
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk Assessment
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Sensitive Data
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- States Attorney General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code