
Chile’s Cybersecurity Framework Law and Essential ICT Service Operators
This course explains how Chile’s Cybersecurity Framework Law (Law No. 21.663) regulates ICT and digital service providers that are considered essential service providers and operators of vital importance. You will learn the legal definitions, obligations, governance model, and practical compliance implications for ICT service providers supporting critical services.
Course Content
9 modules · 1h 50m total
From Policy to Law: Overview of Chile’s Cybersecurity Framework
Introduces Chile’s Cybersecurity Framework Law (Law No. 21.663), its objectives, scope, and why it matters for ICT and digital service providers that support critical services.
Essential Services in Chile’s Cybersecurity Law
Defines what counts as an essential service under the law and highlights where ICT, telecommunications, digital infrastructure, and managed IT services fit in.
Operators of Vital Importance: Qualification and Criteria
Explains how essential service providers are classified as Operators of Vital Importance (OVI/OIV), including the specific criteria and procedure led by ANCI.
Governance and Institutions: ANCI, CSIRTs, and Sectoral Authorities
Describes the institutional architecture created by the law, focusing on ANCI’s regulatory and supervisory role over essential ICT and digital service operators.
General Cybersecurity Duties for Essential and OVI Operators
Covers the general cybersecurity obligations that apply to all institutions subject to the law, including ICT service providers that are essential or OVI.
Specific Obligations for Operators of Vital Importance
Zooms in on the additional, stricter obligations that apply specifically to Operators of Vital Importance, with emphasis on ICT-heavy environments.
Incident Management and Reporting for Essential ICT Operators
Details how essential service and OVI operators, including ICT and digital service providers, must detect, report, and respond to cybersecurity incidents under the law.
Supervision, Sanctions, and Enforcement Risks
Explores how ANCI and sectoral authorities supervise compliance, the types of sanctions available, and what this means practically for ICT service providers supporting essential services.
Practical Implications for ICT and Managed Service Providers
Synthesizes the legal framework into concrete implications and action points for ICT, telecommunications, cloud, and managed service providers that may be classified as essential or OVI.
Read the Textbook
Big Picture
Chile has moved from high-level cybersecurity policy to a binding legal framework. The National Cybersecurity Policy 2023–2028 sets the strategy and priorities; the Cybersecurity Framework Law (Law No. 21.663) sets concrete, enforceable rules.
Law No. 21.663 was published in June 2024 (about 1.5 years before today). It is often referred to as the “Ley Marco de Ciberseguridad”. It creates a national cybersecurity system and obligations for critical services, including many ICT and digital service providers.
Study Flashcards
Key concepts from this course as flashcard pairs.
From Policy to Law: Overview of Chile’s Cybersecurity Framework
National Cybersecurity Policy 2023–2028 (Chile)
A strategic document that defines Chile’s cybersecurity goals and priorities for 2023–2028. It is not a law but a policy roadmap that guides later legislation, including Law No. 21.663.
Law No. 21.663 (Cybersecurity Framework Law / Ley Marco de Ciberseguridad)
A Chilean law published in 2024 that creates a national cybersecurity framework, establishes governance structures, and sets mandatory cybersecurity obligations for critical and essential services and their key ICT providers.
Critical / Essential Services
Services whose disruption would seriously affect national security, public order, the economy, or the basic functioning of society (e.g., energy, water, health, banking, telecoms, public administration).
In-scope ICT / Digital Service Provider
An ICT or digital service provider whose services are necessary for the operation or security of a critical or essential service, such that a cyber incident affecting the provider could significantly disrupt that service.
Incident Reporting Obligation
A legal requirement for in-scope organizations to notify the national cybersecurity authority and/or sector regulator within defined timeframes when certain types of cyber incidents occur, especially those affecting critical or essential services.
Risk-Based Approach
A method where cybersecurity measures are selected and prioritized based on the likelihood and impact of different threats, rather than applying the same controls everywhere regardless of context.
Essential Services in Chile’s Cybersecurity Law
Essential Service (under Law 21.663)
A service whose disruption would seriously affect national security, public order, the economy, or fundamental rights (e.g., electricity supply, hospital emergency care, core payment systems, national telecom connectivity).
Essential Service Provider (SE)
The entity that directly provides an essential service to society (e.g., a power grid operator, a major hospital, a telecom backbone operator).
Provider of Essential Services (PSE)
A third-party supplier whose services are necessary for an SE to deliver its essential service; often includes cloud providers, data centers, and managed IT/security services.
ANCI (Agencia Nacional de Ciberseguridad)
Chile’s national cybersecurity agency created by Law 21.663, responsible for coordinating cybersecurity policy, defining and updating lists of SE and PSE, and overseeing compliance.
ICT Provider as SE vs PSE
ICT/telecom providers are SE when their own service is essential (e.g., backbone connectivity). They are PSE when they are critical suppliers enabling another entity’s essential service (e.g., cloud hosting a bank’s core system).
Criticality Criterion
The practical test: if the ICT service fails, does the essential service fail or become dangerously degraded? If yes, the ICT actor is likely an SE (if it provides the service) or a PSE (if it supplies the SE).
Operators of Vital Importance: Qualification and Criteria
Operator of Vital Importance (OVI / OIV)
An entity (public or private) whose operation is so critical that a serious cyber incident affecting it would significantly impact essential services, public order, the economy, or critical State functions. Designated through an administrative process led by ANCI under Law No. 21.663.
Essential Service
A service identified in Chile’s cybersecurity framework as necessary for the functioning of society, the economy, or the State (e.g., electricity, water, health, banking, telecoms). OVIs are operators whose disruption would severely affect these services.
ANCI (National Cybersecurity Agency)
The central authority created by Law No. 21.663 responsible for coordinating cybersecurity policy, identifying and proposing OVIs, supervising compliance, and reviewing the lists of essential services and OVIs.
Impact-Based Criteria
Criteria that assess the potential consequences of a cyber incident on service continuity, public order, economic stability, and State functions, rather than just the sector label or company size.
Three-Year Review Cycle
The periodic process (at least every three years) in which ANCI reviews and updates the lists of essential services and OVIs, including through public consultation, to reflect technological, market, and threat changes.
Non-Essential Provider as OVI
A private entity that is not itself an essential service provider but can be classified as an OVI because its ICT infrastructure (e.g., cloud, data center, DNS, SOC) is critical for multiple essential services or State functions.
Governance and Institutions: ANCI, CSIRTs, and Sectoral Authorities
ANCI (Agencia Nacional de Ciberseguridad)
Chile’s central civilian cybersecurity authority created by the Cybersecurity Framework Law. It issues binding cybersecurity rules, supervises essential and OVI operators, coordinates CSIRTs, and leads national cybersecurity policy.
CSIRT Nacional (National CSIRT)
The main national incident response team responsible for receiving incident reports, providing technical support, issuing alerts, and coordinating cross-sector responses to cyber incidents.
Sectoral CSIRTs
Incident response teams focused on specific sectors (e.g., finance, energy, telecom). They handle sector-specific incidents and coordinate with the National CSIRT and ANCI.
CSIRT de Defensa Nacional
The incident response team dedicated to defense and military systems. It coordinates with the civilian cybersecurity architecture when incidents have mixed or national-level impact.
Sectoral Authorities/Regulators
Existing regulators for specific sectors (e.g., telecom, energy, finance, health) that now have explicit duties to coordinate with ANCI on cybersecurity, integrate cybersecurity into sector rules, and share incident information.
Operator of Vital Importance (OVI/OIV)
An essential service operator whose failure would have particularly severe impact on national security, public safety, or the economy. Designated through an ANCI-led process and subject to stricter cybersecurity obligations.
General Cybersecurity Duties for Essential and OVI Operators
Continuous cybersecurity duty
The legal obligation for covered operators to **continuously implement, monitor, and improve** technological, organizational, physical, and informational security measures, rather than treating cybersecurity as a one-off project.
Risk-based approach
A method where security measures are chosen and prioritized based on an assessment of **assets, threats, vulnerabilities, likelihood, and impact**, instead of following a fixed checklist.
Necessity, proportionality, rationality
Three principles guiding security measures: they must be **necessary** to address real risks, **proportionate** to potential impact and resources, and **rational** (reasonable and justifiable) given current best practices.
ANCI protocols and sectoral regulations
Binding or strongly prescriptive **technical rules, guidelines, and standards** issued by the national cybersecurity authority (ANCI) and sector regulators that operators must align with (often alongside international standards like ISO 27001).
Operators of Vital Importance (OVI/OIV)
Entities designated by ANCI (or an equivalent authority) whose services are so critical that their disruption would have **very high impact** on national security, public safety, or the economy; they face **stricter cybersecurity obligations**.
Differentiated obligations for SMEs
The idea that **small and medium-sized enterprises** may follow **simplified or baseline** cybersecurity requirements unless they provide vital or high-risk services, in which case they must still meet stronger, risk-based obligations.
Specific Obligations for Operators of Vital Importance
Operator of Vital Importance (OVI)
An entity whose disruption would have a very significant impact on national security, public safety, or the economy, and which is therefore subject to stricter cybersecurity obligations than standard essential entities.
Information Security Management System (ISMS)
A structured framework of policies, procedures, roles, and controls for managing information security risks in a systematic, documented, and auditable way.
Risk Identification
The process of discovering and describing risks by mapping assets, threats, vulnerabilities, and potential impacts on services, especially vital services.
Likelihood–Impact Assessment
A method of evaluating risks by estimating how probable they are (likelihood) and how severe their consequences would be (impact), often using a risk matrix.
Risk Treatment
Deciding and implementing measures to mitigate, transfer, avoid, or accept risks, with OVIs expected to mitigate high and critical risks affecting vital services within defined timeframes.
Documentation and Record-Keeping
The obligation to maintain accurate, complete, and tamper-evident records of security activities (e.g., risk assessments, incidents, changes) to demonstrate compliance to regulators and auditors.
Incident Management and Reporting for Essential ICT Operators
Cybersecurity incident
Any event that compromises the availability, authenticity, integrity, or confidentiality of data or services provided by network and information systems.
Significant incident
An incident with substantial impact (e.g., many users, long duration, critical services, or cross-border effects) that triggers **mandatory reporting** under NIS2-based laws.
Early warning (initial notification)
A short-form report, typically due within **24 hours** of becoming aware of a significant incident, providing high-level information to ANCI and CSIRTs.
72-hour notification
A more detailed incident report submitted within about **72 hours**, including scope, impact, and initial technical details.
Final report
A comprehensive post-incident report (often within about a month) covering root cause, full impact, timeline, and long-term mitigation measures.
CSIRT
Computer Security Incident Response Team – a specialised team (national or sectoral) that assists with incident handling, information sharing, and coordinated response.
Supervision, Sanctions, and Enforcement Risks
ANCI (National Cybersecurity Authority)
The central authority responsible for implementing national cybersecurity law (including NIS2-style rules), supervising essential/OVI operators and key ICT providers, and coordinating incident response.
Operator of Vital Importance (OVI)
An operator whose services are so critical that disruption would have a serious impact on public security, safety, or the economy. OVIs face stricter obligations, closer supervision, and potentially higher sanctions.
Supervisory powers
Legal powers granted to ANCI and sectoral authorities to request information, conduct inspections, perform audits or tests, and issue binding instructions to ensure compliance.
Enforcement factors
Key elements considered when deciding sanctions: risk exposure, actual impact, recurrence or past warnings, degree of negligence, and level of cooperation with authorities.
Monetary sanctions (fines)
Financial penalties that can reach millions of euros or a percentage of global turnover for serious or repeated non-compliance with cybersecurity obligations.
Appeals and remedies
Legal mechanisms (administrative review and court appeals) that allow operators and ICT providers to challenge ANCI’s decisions, including fines, orders, and OVI designations.
Practical Implications for ICT and Managed Service Providers
Essential Service Operator (ICT context)
An entity whose services are necessary for the maintenance of critical societal or economic functions (e.g., major telecom operator, cloud platform hosting core banking or e-government systems). Subject to strict cybersecurity, risk management, and incident reporting duties.
OVI (Operador de Importancia Vital)
An operator whose disruption would seriously affect national security, public order, or the economy. ICT or cloud providers can be designated OVI if their infrastructure or services are critical enablers for essential sectors.
Critical Supplier
A provider whose services are embedded in an essential/OVI operator’s critical processes (e.g., outsourced SOC, hosting of core apps). Even if not formally designated, they are often bound by similar cybersecurity and reporting duties via contracts and SLAs.
Incident Reporting Obligation
The duty of essential/OVI operators to notify ANCI and sectoral regulators of certain cybersecurity incidents within defined timeframes. MSPs must support this through rapid client notification and cooperation clauses in contracts.
Regime Alignment
The process of ensuring that cybersecurity measures and incident workflows comply not only with the cyber law but also with related regimes such as data protection, financial regulation (CMF), and telecom regulation (Subtel).
2025–2026 Readiness Roadmap
A prioritized plan for ICT/MSPs that typically includes: mapping critical services and clients, updating contracts/SLAs, strengthening detection and response, testing continuity plans, and pursuing relevant certifications as regulations and ANCI norms are phased in.