Chile’s Cybersecurity Framework Act: How will it affect private companies?
On March 26, 2024, Chile enacted its flagship cybersecurity regulation, the Framework Law on Cybersecurity and Critical Information Infrastructure.
The Act seeks to ensure the protection and continuity of essential services in the event of a cyberattack and imposes certain obligations on private companies and public services that have been identified as operators of such essential services. It also creates the National Cybersecurity Agency (ANCI), which serves as the new regulatory body authorized to enforce the law.
As of yet, there is no set date for the law’s entry into force. The Chilean legal system allows the President of Chile to publish a decree providing further information on implementation and commencement of ANCI activities in the Official Gazette within one year of a law’s publication. Per Chilean law, regulators have six months to define an implementation date following a law’s publication.
Below, we outline key aspects of the regulation.
What are essential services and who operates them?
Essential services are those provided by private companies that carry out the following activities:
- Generation, transmission, or distribution of electricity
- Land, air, rail, or maritime transportation, as well as the operation of their respective infrastructure
- Telecommunications, digital infrastructure services, and information technology services managed by third parties
- Fuel transportation, storage, or distribution
- Supply of drinking water or sanitation services
- Banking, financial, and payment services
- Administration of social security benefits
- Postal and courier services
- Institutional healthcare services provided by hospitals, clinics, medical offices, and medical centers
- The production or research of pharmaceutical products
Essential services also include any service provided by the State Administration agencies and the National Electricity Coordinator, as well as those provided under a public service concession.
Can other services be considered essential?
Yes. The ANCI may use a well-founded resolution to classify other services as essential when any interruption to their normal functioning may cause severe damage to the life or physical integrity of 1) the population; 2) relevant sectors of economic activity; 3) the environment; or 4) the normal functioning of society, the government, national defense, or security and public order services.
The ANCI may also designate further services as essential through public consultation, which must be carried out as stipulated under Act No. 19.880, a measure that establishes the basis of the administrative procedures governing the acts of State Administration bodies. A regulation will be issued by the Ministry of the Interior and Public Security to specify the necessary aspects of the procedure for its correct execution.
In addition to the services listed above, the ANCI is also expected to identify the specific infrastructures, processes, or functions that will be considered essential.
What kinds of incidents will essential service providers be obligated to report, and to whom?
Essential services operators must report all major cyberattacks or cybersecurity incidents as soon as possible to the Computer Security Incident Response Team. Major incidents are defined as those that are capable of interrupting the continuity of an essential service or affecting the physical integrity or health of people, as well as those that may affect computer systems containing personal data.
What other obligations must essential service operators comply with?
Essential service operators must permanently implement measures (of a technological, organizational, physical, or informational nature) to prevent, report, and resolve cybersecurity incidents.
In addition, essential service operators are required to implement any protocols and standards established by the ANCI and the cybersecurity standards dictated by the respective sectorial regulation (eg, defense).
The ANCI shall establish differentiated security measures according to the type of organization in question, especially considering the characteristics and possibilities of small and medium-sized companies as defined by Act No. 20.416, which establishes special rules for smaller companies.