Skip to main content
|

Add a bookmark to get started

Bookmarks info
  • Home
  • Insights
  • Latin America Alert: Chile’s Cybersecurity Framework Act: How will it affect private companies?
2 April 20244 minute read

Chile’s Cybersecurity Framework Act: How will it affect private companies?

Written by:Carla Illanes

On March 26, 2024, Chile enacted its flagship cybersecurity regulation, the Framework Law on Cybersecurity and Critical Information Infrastructure

The Act seeks to ensure the protection and continuity of essential services in the event of a cyberattack and applies certain obligations on private companies and public services that have been identified as operators of such essential services. It also creates the National Cybersecurity Agency (ANCI), which serves as the new regulatory body authorized to enforce the law. 

As of yet, there is no set date for the law’s entry into force. The Chilean legal system allows the President of Chile to publish a decree providing further information on implementation and commencement of ANCI activities in the Official Gazette within one year of a law’s publication. Per Chilean law, regulators have six months to define an implementation date following a law’s publication.

Below, we outline key aspects of the regulation. 

What are essential services and who operates them?

Essential services are those provided by private companies that carry out the following activities: 

  • Generation, transmission, or distribution of electricity
  • Land, air, rail, or maritime transportation, as well as the operation of their respective infrastructure
  • Telecommunications, digital infrastructure services, and information technology services managed by third parties
  • Fuel transportation, storage, or distribution
  • Supply of drinking water or sanitation services
  • Banking, financial, and payment services
  • Administration of social security benefits
  • Postal and courier services
  • Institutional healthcare services provided by hospitals, clinics, medical offices, and medical centers
  • The production or research of pharmaceutical products 

Essential services also include any service provided by the State Administration agencies and the National Electricity Coordinator, as well as those provided under a public service concession.

Can other services be considered essential?

Yes. The ANCI may use a well-founded resolution to classify other services as essential when any interruption to its normal functioning may cause severe damage to the life or physical integrity of 1) the population; 2) relevant sectors of the economic activities; 3) the environment; or 4) the normal functioning of society, the government, national defense, or security and public order services.

The ANCI may also designate further services as essential through public consultation, which must be carried out as stipulated under Act No. 19.880, a measure that establishes the basis of the administrative procedures governing the acts of State Administration bodies. A regulation will be issued by the Ministry of the Interior and Public Security to specify the necessary aspects of the procedure for its correct execution. 

In addition to the services listed above, the ANCI is also expected to identify the specific infrastructures, processes, or functions that will be considered essential.

What kinds of incidents will essential service providers be obligated to report, and to whom? 

Essential services operators must report all major cyberattacks or cybersecurity incidents as soon as possible to the Computer Security Incident Response Team. Major incidents are defined as those that are capable of interrupting the continuity of an essential service or affecting the physical integrity or health of people, as well as those that may affect computer systems containing personal data.

What other obligations must essential service operators comply with?

Essential service operators must permanently implement measures (of a technological, organizational, physical, or informational nature) to prevent, report, and resolve cybersecurity incidents. 

In addition, essential service operators are required to implement any protocols and standards established by the ANCI and the cybersecurity standards dictated by the respective sectorial regulation (eg, defense). 

The ANCI shall establish differentiated security measures according to the type of organization in question, especially considering the characteristics and possibilities of small and medium-sized companies as defined by Act No. 20.416, which establishes special rules for smaller companies.

For more information, please contact the author.

Related insights

Publication

Mexico amends its General Law of Commercial Companies to allow virtual partner,...

26 October 2023 .4 minute read

Publication

Argentina introduces new import/export regime and foreign exchange regulations

21 December 2023 .5 minute read

Publication

Argentina: President Milei is now in office

12 December 2023 .5 minute read

Print

Related capabilities

CybersecurityData, Privacy and CybersecurityRegulatory and Government AffairsIndustrialsEnergy and Natural ResourcesFinancial ServicesHealthcareLife SciencesTelecoms
Privacy policyLegal noticesCookie policyModern slaveryWhistleblowingSitemap

DLA Piper is a global law firm operating through various separate and distinct legal entities. For further information about these entities and DLA Piper's structure, please refer to the Legal Notices page of this website. All rights reserved. Attorney advertising.

© 2024 DLA Piper