Chapter 1 of 9
From Policy to Law: Overview of Chile’s Cybersecurity Framework
Introduces Chile’s Cybersecurity Framework Law (Law No. 21.663), its objectives, scope, and why it matters for ICT and digital service providers that support critical services.
1. From Policy to Law: Why Chile’s Cybersecurity Framework Matters
Big Picture
Chile has moved from high-level cybersecurity policy to a binding legal framework.
- National Cybersecurity Policy 2023–2028: sets the strategy and priorities.
- Cybersecurity Framework Law – Law No. 21.663: sets concrete, enforceable rules.
Law No. 21.663:
- Was published in June 2024.
- Is often referred to as the “Ley Marco de Ciberseguridad”.
- Creates a national cybersecurity system and obligations for critical services, including many ICT and digital service providers.
Think of it as Chile’s version of a national cybersecurity baseline, similar in purpose to the EU’s NIS2 Directive, but tailored to Chile’s context.
In this module, you’ll learn:
- What the law is trying to achieve.
- How it connects to the National Cybersecurity Policy 2023–2028.
- Which organizations are in scope, especially ICT and digital service providers that support critical services.
- What this means in practice for technology and operations.
2. Context: From National Policy 2023–2028 to Law 21.663
National Cybersecurity Policy 2023–2028 (PCN 2023–2028)
Chile’s National Cybersecurity Policy 2023–2028 is a strategic document, not a law. It:
- Defines goals like resilience, protection of critical infrastructure, and international cooperation.
- Identifies risks (ransomware, attacks on essential services, disinformation, etc.).
- Sets lines of action: governance, capacity building, public–private cooperation, and incident response.
How Law 21.663 Implements the Policy
The policy said what the country wants to achieve. Law 21.663 says how to make it mandatory.
Law 21.663:
- Creates institutions (e.g., a national cybersecurity authority and a national CSIRT structure).
- Defines “critical services” and “essential services” that must comply with stricter rules.
- Imposes obligations: risk management, incident reporting, minimum security measures, audits, and sanctions.
Key idea:
- Policy = roadmap (PCN 2023–2028)
- Law = rules of the road (Law 21.663)
When you read any article of the law, ask: Which policy objective is this implementing? This helps you understand why the rule exists.
3. Main Objectives of Law No. 21.663
Core Objectives (Plain Language)
Law 21.663 aims to:
- Protect critical and essential services
  - Ensure that services like energy, water, health, banking, telecoms, transport, and public administration can keep operating even under cyberattacks.
- Create a national cybersecurity governance model
  - Establish a central authority and a national incident response system.
  - Clarify who coordinates whom during major incidents.
- Standardize cybersecurity obligations
  - Define minimum cybersecurity requirements for organizations in scope.
  - Introduce mandatory incident reporting.
- Promote risk-based, continuous improvement
  - Push organizations to adopt risk management, not just checklists.
  - Encourage alignment with international standards (e.g., ISO/IEC 27001, NIST-style controls), even if not always named explicitly.
- Enable supervision and sanctions
  - Give regulators power to monitor compliance.
  - Allow fines and other measures if organizations fail to protect critical services.
For ICT and digital service providers, this means cybersecurity is no longer just a “good practice” – it becomes a legal compliance requirement when you support critical or essential services.
4. Quick Thought Exercise: Linking Policy Goals to Legal Rules
Imagine you are an IT manager at a company that provides cloud hosting for a major Chilean hospital network.
The National Cybersecurity Policy 2023–2028 sets these two simplified goals:
- Ensure continuity of health services during cyber incidents.
- Improve national capacity to detect and respond to cyberattacks.
Your task (reflect, no need to write code):
- For each policy goal, write down one possible legal obligation that Law 21.663 could impose on your company. For example:
  - Goal 1 → Obligation: `...?`
  - Goal 2 → Obligation: `...?`
- Compare your ideas with this sample mapping:
  - Goal 1 (continuity of health services)
    - Possible obligation: Maintain and regularly test backup and recovery plans for critical clinical systems hosted in the cloud.
  - Goal 2 (detection and response)
    - Possible obligation: Notify the national cybersecurity authority and sector regulator within a defined time (e.g., hours) after detecting a serious incident affecting hospital services.
Reflect: How similar are your ideas to these? This is how strategic policy gets translated into concrete legal duties.
5. Scope: Who and What Does Law 21.663 Cover?
1. Public and Private Sectors
Law 21.663 explicitly covers both:
- Public bodies (ministries, agencies, municipalities, etc.).
- Private entities that provide critical or essential services, or that support those services.
2. Critical and Essential Services
The law uses categories similar to many international frameworks (like NIS2). While detailed lists and thresholds are set by regulations and sectoral rules, the main types of services include:
- Energy (electricity generation and distribution, oil and gas).
- Water and sanitation.
- Health (hospitals, clinical information systems, emergency care).
- Finance (banks, payment systems, stock exchanges).
- Telecommunications and internet (ISPs, mobile networks, backbone infrastructure).
- Transport and logistics (airports, ports, rail systems, traffic control).
- Public administration and citizen services (civil registry, tax systems, social benefits).
3. ICT and Digital Service Providers in Scope
You may be in scope even if you are not the final service operator, if you:
- Provide cloud infrastructure or platform services used to deliver a critical service.
- Operate data centers hosting critical systems or data.
- Provide managed security services (e.g., SOC, monitoring, incident response) for critical entities.
- Run critical software platforms (e.g., core banking systems, hospital information systems, industrial control platforms).
- Offer essential communication platforms (e.g., critical messaging, secure remote access) used for critical operations.
The key question: “If our service fails or is compromised, would it seriously affect the continuity or security of a critical/essential service?” If yes, Law 21.663 likely matters to you.
6. Practical Scenarios: Are These Organizations in Scope?
Let’s walk through some simplified scenarios. Assume all organizations operate in Chile.
#### Scenario A: Cloud Provider for Hospitals
- A company offers IaaS and PaaS used by a national hospital network to run electronic medical records (EMR) and appointment systems.
- If the cloud service goes down, emergency rooms and surgeries are disrupted.
Analysis:
- Health services are critical/essential.
- The cloud provider is a key ICT provider supporting a critical service.
- Likely in scope of Law 21.663, with obligations around security controls and incident reporting.
---
#### Scenario B: Small Web Design Agency
- A 5-person agency builds marketing websites for restaurants and local shops.
- No involvement with critical infrastructure, no hosting of operational systems.
Analysis:
- Clients are not providing critical/essential services.
- The agency’s services are not essential for national security, public order, or basic societal functions.
- Likely not directly in scope as a critical operator or critical ICT provider under Law 21.663.
---
#### Scenario C: Data Center for a Major Bank
- A data center hosts core banking systems and payment processing platforms for a systemically important bank.
- A prolonged outage would affect ATM networks, card payments, and online banking nationwide.
Analysis:
- Banking and payment systems are clearly critical.
- The data center is an essential ICT provider to a critical service.
- Clearly in scope, subject to cybersecurity and reporting obligations.
Use these scenarios as mental models to classify other organizations you encounter in case studies or internships.
7. Quick Check: Scope and Impact on ICT Providers
Answer the question below to check your understanding of the law’s scope for ICT providers.
Which of the following BEST explains when an ICT or digital service provider is likely to fall under Law No. 21.663?
- A) Whenever it processes any personal data of Chilean citizens, regardless of the type of service.
- B) When its services are necessary for the operation or security of a critical or essential service, such that a cyber incident could seriously disrupt that service.
- C) Only when it is a public company owned by the Chilean State and offers internet access to citizens.
Answer: B) When its services are necessary for the operation or security of a critical or essential service, such that a cyber incident could seriously disrupt that service.
Option B is correct because Law 21.663 focuses on protecting critical and essential services. ICT and digital providers fall in scope when their services are necessary for those critical functions and a cyber incident could significantly disrupt them. Option A confuses cybersecurity law with data protection law, and Option C is too narrow and ignores private providers.
8. High-Level Obligations for In-Scope Organizations
While detailed requirements are developed through regulations and sectoral rules, Law 21.663 sets core obligation areas for entities in scope (including ICT/digital providers that support critical services):
- Cybersecurity Risk Management
  - Identify and assess cyber risks to critical systems and services.
  - Implement technical and organizational measures to manage those risks.
- Minimum Security Measures
  - Maintain secure configurations, access control, network segmentation, backup and recovery, etc.
  - Align with recognized standards where applicable (e.g., ISO/IEC 27001, 27002, or equivalent frameworks).
- Incident Detection and Reporting
  - Have capabilities to detect and analyze incidents.
  - Notify the national cybersecurity authority and/or sector regulator within specified timeframes when incidents affect critical/essential services.
- Business Continuity and Resilience
  - Maintain business continuity plans (BCP) and disaster recovery plans (DRP) for critical systems.
  - Test these plans regularly (e.g., simulations, drills).
- Cooperation with Authorities
  - Share technical information on incidents when required.
  - Implement remediation measures or recommendations issued by the authority.
- Supervision and Sanctions
  - Be prepared for audits or inspections.
  - Non-compliance can lead to administrative sanctions, including fines and corrective orders.
For an undergraduate in ICT, think of this as:
> “If your system supports a critical service, you must run it like a secure, monitored, resilient, and auditable environment – because the law says so.”
9. Apply It: Mapping Obligations to a Cloud-Based Critical Service
Consider a SaaS platform that manages electronic prescriptions for public and private hospitals across Chile.
Assume this SaaS is classified as supporting a critical health service under Law 21.663.
Task: For each obligation area below, write down one concrete measure the SaaS provider should implement.
- Risk Management
  - Example answer: Perform an annual risk assessment focusing on unauthorized access to prescription data and service availability.
- Minimum Security Measures
  - Example answer: Enforce multi-factor authentication (MFA) for all health professionals accessing the platform.
- Incident Detection and Reporting
  - Example answer: Implement centralized logging and SIEM to detect suspicious login patterns, and define an internal process to notify the national CSIRT within the legal timeframe.
- Business Continuity
  - Example answer: Maintain a geo-redundant backup of prescription data and test failover at least once per year.
- Cooperation with Authorities
  - Example answer: Designate a cybersecurity contact point to coordinate with the national authority and share incident details when requested.
Compare your own ideas with the examples. The more specific and operational your measures are, the closer you are to real-world compliance thinking.
10. Review Key Terms
Flip the cards (mentally) to review the most important concepts from this module.
- National Cybersecurity Policy 2023–2028 (Chile)
  - A strategic document that defines Chile’s cybersecurity goals and priorities for 2023–2028. It is not a law but a policy roadmap that guides later legislation, including Law No. 21.663.
- Law No. 21.663 (Cybersecurity Framework Law / Ley Marco de Ciberseguridad)
  - A Chilean law published in 2024 that creates a national cybersecurity framework, establishes governance structures, and sets mandatory cybersecurity obligations for critical and essential services and their key ICT providers.
- Critical / Essential Services
  - Services whose disruption would seriously affect national security, public order, the economy, or the basic functioning of society (e.g., energy, water, health, banking, telecoms, public administration).
- In-scope ICT / Digital Service Provider
  - An ICT or digital service provider whose services are necessary for the operation or security of a critical or essential service, such that a cyber incident affecting the provider could significantly disrupt that service.
- Incident Reporting Obligation
  - A legal requirement for in-scope organizations to notify the national cybersecurity authority and/or sector regulator within defined timeframes when certain types of cyber incidents occur, especially those affecting critical or essential services.
- Risk-Based Approach
  - A method where cybersecurity measures are selected and prioritized based on the likelihood and impact of different threats, rather than applying the same controls everywhere regardless of context.
Key Terms
- National CSIRT
  - A national Computer Security Incident Response Team that coordinates the technical response to cybersecurity incidents at the country level, often working with sectoral CSIRTs and affected organizations.
- In-scope Entity
  - An organization (public or private) that falls under the obligations of Law No. 21.663 because it provides a critical/essential service or a key ICT/digital service that supports such a service.
- Incident Reporting
  - The process of formally notifying competent authorities about cybersecurity incidents that meet defined criteria (e.g., severity, impact on critical services) within legally specified timeframes.
- Minimum Security Measures
  - Baseline technical and organizational controls that entities in scope must implement to comply with cybersecurity regulations, such as access control, logging, backup, network security, and patch management.
- Critical / Essential Services
  - Services considered vital for national security, public order, economic stability, or the basic functioning of society, such as energy, water, health, finance, telecommunications, transport, and key public administration services.
- Cybersecurity Risk Management
  - A continuous process of identifying, analyzing, evaluating, and treating cyber risks to systems and services, and monitoring the effectiveness of the controls implemented.
- ICT and Digital Service Provider
  - An organization that offers information and communication technology services (e.g., cloud, data centers, networks, platforms, managed security) or digital platforms that other entities use to deliver their services.
- Business Continuity and Resilience
  - The capability of an organization to continue delivering products or services at acceptable predefined levels following a disruption, including cyber incidents.
- Law No. 21.663 (Cybersecurity Framework Law)
  - A Chilean law, in force since 2024, that establishes a national cybersecurity framework, defines governance structures, and sets cybersecurity obligations for critical and essential services and their supporting ICT providers.
- National Cybersecurity Policy 2023–2028 (Chile)
  - Chile’s medium-term cybersecurity strategy that defines objectives and lines of action but does not itself impose legal obligations. It guides the development of laws and regulations, including Law No. 21.663.