Chapter 2 of 9

Essential Services in Chile’s Cybersecurity Law

Defines what counts as an essential service under the law and highlights where ICT, telecommunications, digital infrastructure, and managed IT services fit in.

15 min read

1. Where Essential Services Fit in Chile’s Cybersecurity Law

Chile’s Cybersecurity Framework Law (Law No. 21.663), published in June 2024, creates a national system to protect essential services.

In this module you will:

  • Understand what an essential service is under Law 21.663
  • Distinguish between Essential Service Providers (SE) and Providers of Essential Services (PSE)
  • See how telecoms, cloud, data centers, and managed IT fit into the framework
  • Learn how ANCI (Agencia Nacional de Ciberseguridad) can expand the list of essential services

Keep in mind:

  • The law defines broad sectors (energy, health, finance, etc.) and then identifies specific services inside those sectors as essential.
  • Many essential services depend on ICT and digital infrastructure, so ICT actors can be essential in themselves or critical suppliers.

Use this module together with your knowledge from the previous one on the overall framework of Law 21.663.

2. Legal Categories: SE vs PSE (Core Distinction)

Law 21.663 uses two key categories:

  1. Essential Service Providers (SE – Sujetos Esenciales)

These are the entities that directly provide an essential service to society. They operate in critical sectors like:

  • Energy
  • Water and sanitation
  • Transport
  • Financial systems
  • Health
  • Telecommunications and digital infrastructure

  2. Providers of Essential Services (PSE – Proveedores de Servicios Esenciales)

These are third parties whose services are necessary for an SE to deliver its essential service. Common examples:

  • Cloud providers hosting critical systems of a bank or hospital
  • Managed security service providers (MSSPs) monitoring a power grid
  • Data center operators hosting the core systems of a stock exchange

Key idea:

  • SE = the owner/operator of the essential service itself.
  • PSE = a critical supplier whose failure would seriously affect the essential service.

Under the law, both SE and PSE have cybersecurity obligations, but SE are the main reference point for defining what is essential.

3. Essential Sectors Under Law 21.663 (High-Level Map)

Law 21.663 lists strategic sectors where essential services are found. The exact wording may be refined in regulations, but the core sectors are:

  1. Energy
     • Electricity generation, transmission, distribution
     • Oil and gas production, transport, and storage
  2. Water and Sanitation
     • Drinking water supply and distribution
     • Wastewater collection and treatment
  3. Transport and Logistics
     • Air, maritime, rail, and road transport operations
     • Ports, airports, logistics hubs
  4. Financial and Payment Systems
     • Banks and financial institutions
     • Securities and derivatives markets
     • Payment systems and clearing houses
  5. Health
     • Hospitals and critical healthcare providers
     • Emergency medical services
  6. Public Administration and Security
     • Key government services (e.g., civil registry, tax systems)
     • Public security and emergency response systems
  7. Telecommunications and Digital Infrastructure
     • Telecom networks and internet connectivity
     • Data centers, cloud, and other core digital infrastructure

The detailed list of which specific entities are SE in each sector is refined through regulations and ANCI resolutions. For this course, focus on:

  • The sector (e.g., health)
  • The service that is essential (e.g., hospital emergency services)
  • The ICT dependencies (e.g., EHR system, network, data center).

4. Sector-by-Sector: Concrete Essential Service Examples

Visualize each sector as a layered system: physical operations + ICT backbone.

  1. Energy
     • Essential service: Continuous electricity supply to a city.
     • SE: National electric transmission operator.
     • ICT dependency: SCADA systems, grid control centers, secure communication links.
  2. Water and Sanitation
     • Essential service: Potable water supply to a region.
     • SE: Regional water utility.
     • ICT dependency: Remote monitoring and control of pumps, treatment plants.
  3. Transport and Logistics
     • Essential service: Air traffic control.
     • SE: Civil aviation authority or ANSP.
     • ICT dependency: Radar systems, flight planning systems, communication networks.
  4. Financial and Payment Systems
     • Essential service: Real-time gross settlement (RTGS) for interbank transfers.
     • SE: Central bank or designated system operator.
     • ICT dependency: Core banking systems, secure networks, data centers.
  5. Health
     • Essential service: Hospital emergency and intensive care.
     • SE: Major public or private hospital.
     • ICT dependency: Electronic health records, imaging systems, telemedicine.
  6. Telecommunications and Digital Infrastructure
     • Essential service: National internet backbone connectivity.
     • SE: Major telecom operator providing backbone and international links.
     • ICT dependency: Core routers, undersea cable landing stations, DNS infrastructure.

In every case, if the service stops, society is heavily impacted. That is the core criterion for being essential.

5. When Does an ICT or Telecom Company Become an SE vs a PSE?

For ICT and telecom actors, the same company might be:

  • An SE in one context, and
  • A PSE in another.

A. ICT/Telecom as Essential Service Providers (SE)

You are an SE when your own service is classified as essential. Examples:

  • A telecom operator providing national mobile and fixed connectivity that supports emergency calls and government communications.

→ Its telecom network is itself an essential service.

  • An operator of a national Internet Exchange Point (IXP) that is critical for routing Chilean internet traffic.

→ The IXP is an essential digital infrastructure.

In these cases, your outage directly disrupts an essential service for society.

B. ICT/Telecom as Providers of Essential Services (PSE)

You are a PSE when you support another entity’s essential service in a way that is mission-critical for them. Examples:

  • A cloud provider hosting the core banking platform for a systemic bank.

→ If the cloud platform fails, the bank’s essential services fail.

  • A data center operator hosting the national tax authority’s main systems.

→ Outage prevents tax collection and public services.

  • A managed security service provider (MSSP) monitoring the network of a national power grid operator.

→ Failure in monitoring could allow a major cyber incident.

Rule of thumb:

  • Ask: If my service fails, does the essential service fail or become dangerously degraded?
  • If yes, and the client is an SE, you likely qualify as a PSE.
  • If your own service directly serves the public as critical infrastructure, you might be an SE yourself.

6. Thought Exercise: Classify ICT Actors (SE or PSE?)

Decide whether each actor is more likely to be an SE, a PSE, or neither, under Law 21.663. Write down your answers, then compare with the suggested classification below.

Scenario A

A company operates a submarine cable landing station that carries most of Chile’s international internet traffic.

  • Your classification: `_`

Suggested answer:

  • Likely SE (its own service – international connectivity – is essential digital infrastructure).

---

Scenario B

A cloud provider hosts the core systems of Chile’s main stock exchange.

  • Your classification: `_`

Suggested answer:

  • Likely PSE (critical supplier to a financial SE; failure disrupts trading).

---

Scenario C

A small software house maintains the internal HR system of a regional hospital (not clinical systems).

  • Your classification: `_`

Suggested answer:

  • Likely neither SE nor PSE under the law. HR is important but not usually mission-critical to the essential health service itself.

---

Scenario D

A managed SOC (Security Operations Center) monitors the national tax platform used by most citizens and companies.

  • Your classification: `_`

Suggested answer:

  • Likely PSE (its monitoring service is essential to protect a critical public administration service).

Use this kind of reasoning in real cases: identify the essential service, then see whether the ICT actor provides it (SE) or enables it critically (PSE).

7. ANCI’s Power to Expand or Refine Essential Services

The Agencia Nacional de Ciberseguridad (ANCI), created by Law 21.663, plays a central role in keeping the list of essential services up to date.

What ANCI can do

  • Propose and refine criteria for what counts as an essential service, based on:
     • Impact on national security
     • Impact on public order and safety
     • Impact on economic stability
     • Impact on fundamental rights of people
  • Recommend or issue regulations (together with sectoral regulators) that:
     • Specify which entities in each sector are SE
     • Define which suppliers qualify as PSE
  • Update lists over time to include new technologies and services, for example:
     • Critical cloud platforms
     • National identity and authentication systems
     • Key digital platforms used by the state or the public

Why this matters for ICT providers

  • Being listed as SE or PSE triggers obligations (e.g., risk management, incident reporting, audits).
  • Even if you are not currently listed, ANCI can later classify your service as essential if its societal impact grows.

In practice, ICT companies need to monitor ANCI’s regulations and resolutions and understand how their services fit into critical chains.

8. Quick Check: Essential vs Non-Essential ICT Services

Answer this question to check your understanding of when an ICT service becomes essential under Law 21.663.

Which of the following is the **best** indicator that an ICT provider should be classified as a Provider of Essential Services (PSE)?

  A) It offers services to any public institution, regardless of impact.
  B) Its failure would significantly disrupt the delivery of an essential service provided by an SE.
  C) It manages personal data of more than 10,000 users.

Answer: B) Its failure would significantly disrupt the delivery of an essential service provided by an SE.

Option B is correct: a PSE is defined by its **critical role in enabling an SE’s essential service**. Serving any public body (A) or handling lots of personal data (C) might be important for other regulations, but under Law 21.663, the key criterion is whether the ICT provider’s failure would seriously impact an essential service.

9. Mapping a Real ICT Service to the Law (Step-by-Step)

Use this 4-step method to decide how a specific ICT service fits into the law.

Case: A managed IT services company runs and maintains the core network and servers of a large hospital.

  1. Identify the essential service
     • Essential service: Continuous hospital care, including emergency and intensive care.
  2. Identify the Essential Service Provider (SE)
     • SE: The hospital (public or private) designated as critical by health authorities and ANCI.
  3. Analyze the ICT dependency

     Ask: If the managed IT service fails, what happens to the hospital’s essential service?

     • No access to patient records
     • Disruption of imaging, lab systems, and possibly life-support monitoring
     • Major impact on patient safety and continuity of care
  4. Classify the managed IT provider
     • Because its failure would seriously disrupt the hospital’s essential service, the managed IT provider likely qualifies as a PSE.

You can apply the same steps to:

  • Cloud hosting for a central bank system
  • Network operations for a national transport control center
  • Security monitoring for a national ID system

Always start from the impact on the essential service, not from the size or type of the ICT company.

10. Flashcards: Key Terms and Distinctions

Use these flashcards to reinforce the most important concepts from this module.

Essential Service (under Law 21.663)
A service whose disruption would seriously affect national security, public order, the economy, or fundamental rights (e.g., electricity supply, hospital emergency care, core payment systems, national telecom connectivity).
Essential Service Provider (SE)
The entity that directly provides an essential service to society (e.g., a power grid operator, a major hospital, a telecom backbone operator).
Provider of Essential Services (PSE)
A third-party supplier whose services are necessary for an SE to deliver its essential service; often includes cloud providers, data centers, and managed IT/security services.
ANCI (Agencia Nacional de Ciberseguridad)
Chile’s national cybersecurity agency created by Law 21.663, responsible for coordinating cybersecurity policy, defining and updating lists of SE and PSE, and overseeing compliance.
ICT Provider as SE vs PSE
ICT/telecom providers are SE when their own service is essential (e.g., backbone connectivity). They are PSE when they are critical suppliers enabling another entity’s essential service (e.g., cloud hosting a bank’s core system).
Criticality Criterion
The practical test: if the ICT service fails, does the essential service fail or become dangerously degraded? If yes, the ICT actor is likely an SE (if it provides the service) or a PSE (if it supplies the SE).

Key Terms

ICT Provider
An organization that offers information and communications technology services, such as telecom connectivity, cloud computing, data centers, software, or managed IT/security services.
Law No. 21.663
Chile’s Cybersecurity Framework Law, published in June 2024, which establishes the national cybersecurity system, defines essential services, and creates the National Cybersecurity Agency (ANCI).
Essential Service
A service considered vital for national security, public order, economic stability, or the protection of fundamental rights, whose disruption would cause serious societal impact.
Managed IT Services
Outsourced services where a provider operates and maintains an organization’s IT infrastructure and applications, often including monitoring, patching, and support.
Digital Infrastructure
Core technical facilities and services that support digital communications and data processing, such as data centers, cloud platforms, internet exchange points, and backbone networks.
Critical Infrastructure
Physical or virtual systems and assets so vital that their incapacity or destruction would have a debilitating impact on security, the economy, public health, or safety.
Essential Service Provider (SE)
An organization that directly delivers an essential service (e.g., energy utilities, hospitals, telecom backbone operators).
Managed Security Services (MSSP)
A type of managed IT service focused on cybersecurity, including monitoring, incident detection, and response for clients’ networks and systems.
Provider of Essential Services (PSE)
A third-party provider whose services are necessary for an SE to deliver its essential service, such that the failure of the provider’s services would significantly affect the essential service.
ANCI (Agencia Nacional de Ciberseguridad)
The National Cybersecurity Agency of Chile, responsible for coordinating cybersecurity policy, supervising compliance with Law 21.663, and defining and updating the list of SE and PSE.