Governance and Institutions: ANCI, CSIRTs, and Sectoral Authorities - Chile’s Cybersecurity Framework Law and Essential ICT Service Operators

1. The New Cybersecurity Architecture in Chile

Chile’s new Cybersecurity Framework Law (Ley Marco de Ciberseguridad) was approved in 2023 and entered into force in 2024–2025 through a phased implementation, creating a modern institutional architecture for cybersecurity.

This module focuses on three main pillars of that architecture:

ANCI – Agencia Nacional de Ciberseguridad (National Cybersecurity Agency)
CSIRTs – Computer Security Incident Response Teams at national, sectoral, and defense level
Sectoral Authorities/Regulators – existing regulators that now have specific cybersecurity coordination duties

You should connect this with what you already learned:

Essential services: services whose interruption seriously affects society (e.g., telecom networks, cloud infrastructure, financial services).
Operators of Vital Importance (OVI/OIV): high‑criticality operators designated through an ANCI‑led procedure.

In this new model, ANCI is the central authority, but it does not work alone. It coordinates with CSIRTs and sectoral regulators to supervise essential ICT and digital service providers.

Keep in mind as of today (early 2026):

The institutional design is already defined in law.
Implementation is ongoing, with ANCI and the CSIRTs progressively assuming full powers and issuing secondary regulations.

2. ANCI: Mandate and Core Powers

ANCI is the central civilian cybersecurity authority. Its mandate under the Cybersecurity Framework Law can be grouped into four big functions:

1. Regulatory function

ANCI issues binding cybersecurity rules for:

Essential service operators (including ICT, telecoms, digital infrastructure, cloud, managed services when they are essential).
OVI/OIV operators.

These rules typically cover:

Minimum security measures (risk management, access control, logging, encryption, etc.).
Incident reporting obligations (what, how, and how fast to report).
Business continuity and resilience requirements.

2. Supervisory and sanctioning powers

ANCI can:

Audit and inspect essential operators and OVI.
Request technical and organizational information (e.g., security policies, network diagrams, incident logs).
Order corrective measures and set deadlines.
Apply sanctions (fines and other measures) when operators do not comply.

3. Coordination and strategic role

ANCI also:

Coordinates the National CSIRT and sectoral CSIRTs.
Leads the National Cybersecurity Strategy and national cybersecurity policies.
Acts as the national point of contact with foreign and international cybersecurity bodies.

4. OVI/OIV designation and oversight

As you saw in the previous module, ANCI:

Proposes and manages the list of OVI/OIV based on criticality criteria.
Imposes stricter obligations on OVI (e.g., more rigorous risk assessments, shorter incident reporting deadlines).

Key idea: ANCI is both a regulator and a supervisor, with a strong coordination role across the public and private sectors.

3. Example: ANCI Regulating a Cloud Provider

Imagine CloudAndes, a Chilean cloud provider that hosts critical systems for several hospitals and government agencies.

The Ministry of Health and other bodies identify that if CloudAndes fails, essential health services and some state digital services would be severely disrupted.
Based on this, ANCI, following the law and its criteria, may:

Classify CloudAndes as an essential service operator (and possibly as an OVI if its impact is very high).

Once classified, CloudAndes must:

Implement minimum cybersecurity measures defined by ANCI.
Establish an incident response plan aligned with ANCI’s regulations.
Report incidents to the National CSIRT within the time limits set by ANCI.

ANCI can:

Conduct a remote or on‑site audit of CloudAndes.
Order improvements (e.g., stronger multi‑factor authentication, better backup procedures).
Apply sanctions if CloudAndes repeatedly fails to fix critical vulnerabilities.

This example shows how ANCI’s regulatory and supervisory powers directly affect ICT and digital service providers that support essential services.

4. CSIRTs: National, Sectoral, and Defense

Under the Cybersecurity Framework Law, Chile adopts a multi‑layer CSIRT ecosystem:

1. CSIRT Nacional (National CSIRT)

Civilian central incident response team for the country.
Works under the overall coordination of ANCI.
Main tasks:
Receive and analyze incident reports from essential operators and OVI.
Provide technical support during incidents (e.g., malware analysis, indicators of compromise).
Issue alerts and advisories to sectors and the public.
Coordinate cross‑sector responses to large‑scale incidents.

2. Sectoral CSIRTs

Some sectors (e.g., telecommunications, energy, finance, health) may have or create their own sectoral CSIRTs that:

Focus on sector‑specific threats and incidents.
Act as a bridge between operators in the sector and the National CSIRT.
Share specialized knowledge (e.g., SCADA/ICS threats in energy, SWIFT fraud in banking).

3. CSIRT de Defensa Nacional (National Defense CSIRT)

Dedicated to defense and military networks and systems.
Operates under the Ministry of Defense / Armed Forces structure, not under ANCI’s operational control.
However, the law requires coordination with the civilian side (ANCI and National CSIRT) when:
An incident has mixed civilian–military impact.
A major national‑level cyber crisis requires joint situational awareness.

Important distinction:

ANCI = policy, regulation, supervision, and overall coordination.
CSIRTs = technical and operational response teams.

5. Mapping Incidents to CSIRTs (Thought Exercise)

Read each scenario and decide which CSIRT would be primarily involved. Think before checking the suggested mapping.

Scenario A: A DDoS attack takes down the websites of multiple Chilean banks at the same time.
Scenario B: A ransomware attack hits a military logistics system, but the malware later spreads to a civilian port operator.
Scenario C: A critical vulnerability is discovered in a widely used Chilean cloud platform supporting several ministries and municipalities.

Suggested mapping (compare with your reasoning):

Scenario A: The sectoral CSIRT for finance (if established) coordinates directly with affected banks and reports/coordinates with the National CSIRT.
Scenario B: The CSIRT de Defensa Nacional leads on the military system, while the National CSIRT coordinates with civilian operators; ANCI ensures overall policy coordination.
Scenario C: The National CSIRT is central (cross‑sector impact), with sectoral CSIRTs and ANCI involved in notifications, mitigation guidance, and possible regulatory follow‑up.

Reflect: In all scenarios, ANCI is not the team doing forensics on servers; instead, it sets the rules, ensures reporting, and oversees how operators and CSIRTs handle the incidents.

6. Sectoral Authorities and Their Coordination with ANCI

Chile’s Cybersecurity Framework Law does not replace existing regulators. Instead, it adds cybersecurity coordination duties to them.

Who are sectoral authorities?

Examples (names may vary slightly depending on current Chilean administrative structure):

Telecommunications regulator (e.g., SUBTEL / Ministry of Transport and Telecommunications).
Energy regulator (e.g., SEC / CNE framework).
Financial regulators (e.g., CMF for banks, insurers, capital markets).
Health authority (e.g., Ministry of Health / Superintendencia de Salud).
Transport, water, digital government authorities, etc.

Their role under the new law

Sectoral authorities:

Identify essential services in their sector and work with ANCI on OVI designation.
Integrate cybersecurity requirements into sectoral rules, aligning with ANCI’s framework.
May conduct joint or coordinated inspections with ANCI.
Share incident information with ANCI and the National CSIRT, respecting confidentiality and data protection.

Coordination mechanisms

The law and subsequent regulations provide for:

Formal cooperation agreements (convenios) between ANCI and regulators.
Inter‑institutional committees or working groups.
Shared incident reporting channels and standardized formats.

Key point: Sectoral regulators keep their sector expertise and economic/technical oversight, while ANCI ensures horizontal cybersecurity consistency across all sectors.

7. Example: Joint Oversight of a Telecom Operator

Consider RedTel, a major telecom operator providing mobile, fixed internet, and backbone connectivity.

Sectoral authority (Telecom regulator):

Oversees service quality, spectrum use, competition, and consumer protection.
May require network availability and basic security practices.

Under the Cybersecurity Framework Law:

RedTel is classified as an essential service operator and possibly as an OVI, due to its role in national connectivity.
ANCI issues specific cybersecurity requirements (e.g., network segmentation, DDoS mitigation capabilities, secure routing practices).

Incident scenario: A major BGP misconfiguration exposes RedTel’s network to hijacking attempts.

RedTel must report the incident to the National CSIRT within the ANCI‑defined deadline.
The Telecom regulator evaluates service continuity and user impact.
ANCI evaluates whether RedTel complied with cybersecurity obligations (e.g., route validation, incident handling procedures).
If systemic weaknesses are found, ANCI and the telecom regulator may conduct a joint inspection and coordinate corrective measures.

This shows how technical regulation (telecom) and horizontal cybersecurity regulation (ANCI) interact in practice.

8. Public–Private Collaboration in Cybersecurity

The law explicitly promotes a public–private collaboration model, recognizing that most critical digital infrastructure is privately operated.

Main collaboration mechanisms

Information sharing:
Operators share incident data, indicators of compromise, and vulnerabilities with CSIRTs and ANCI.
ANCI and CSIRTs share alerts, best practices, and threat intelligence back to operators.

Consultation in regulation:
Before issuing major cybersecurity regulations, ANCI usually conducts public consultations with industry, academia, and civil society.

Joint exercises and training:
Cyber drills and simulations involving government agencies, utilities, telecoms, banks, and cloud providers.

Sectoral working groups:
Regular meetings where ANCI, CSIRTs, and industry representatives discuss emerging threats, implementation challenges, and standards.

Why this matters for essential ICT and digital service operators

They get early warning on threats and coordinated support during crises.
They influence realistic regulatory requirements (e.g., phased timelines, feasible controls).
They contribute to national resilience, which also protects their own business continuity.

Takeaway: Compliance is not purely top‑down; the system is designed as a continuous dialogue between the state and operators.

9. Quick Check: Who Does What?

Test your understanding of the division of roles among ANCI, CSIRTs, and sectoral authorities.

An essential cloud provider suffers a major data‑breach incident. Which statement best describes the institutional roles under Chile’s Cybersecurity Framework Law?

The National CSIRT handles the technical incident response; ANCI oversees compliance with cybersecurity obligations and may sanction; sectoral authorities address sector‑specific impacts and coordinate with ANCI.
ANCI directly takes over the cloud provider’s systems and performs all technical forensics, while sectoral authorities only observe.
Only the sectoral authority is involved because ANCI’s mandate covers public entities, not private essential operators.

Show Answer

Answer: A) The National CSIRT handles the technical incident response; ANCI oversees compliance with cybersecurity obligations and may sanction; sectoral authorities address sector‑specific impacts and coordinate with ANCI.

Option 1 is correct: CSIRTs (especially the National CSIRT) focus on technical incident response and coordination; ANCI sets rules, ensures reporting, and supervises compliance (including sanctions); sectoral authorities handle sector‑specific regulatory issues and coordinate with ANCI. ANCI does not usually perform hands‑on forensics, and its mandate clearly covers private essential operators and OVI.

10. Key Terms Review

Use these flashcards to reinforce the main institutions and concepts from this module.

ANCI (Agencia Nacional de Ciberseguridad): Chile’s central civilian cybersecurity authority created by the Cybersecurity Framework Law. It issues binding cybersecurity rules, supervises essential and OVI operators, coordinates CSIRTs, and leads national cybersecurity policy.
CSIRT Nacional (National CSIRT): The main national incident response team responsible for receiving incident reports, providing technical support, issuing alerts, and coordinating cross‑sector responses to cyber incidents.
Sectoral CSIRTs: Incident response teams focused on specific sectors (e.g., finance, energy, telecom). They handle sector‑specific incidents and coordinate with the National CSIRT and ANCI.
CSIRT de Defensa Nacional: The incident response team dedicated to defense and military systems. It coordinates with the civilian cybersecurity architecture when incidents have mixed or national‑level impact.
Sectoral Authorities/Regulators: Existing regulators for specific sectors (e.g., telecom, energy, finance, health) that now have explicit duties to coordinate with ANCI on cybersecurity, integrate cybersecurity into sector rules, and share incident information.
Operator of Vital Importance (OVI/OIV): An essential service operator whose failure would have particularly severe impact on national security, public safety, or the economy. Designated through an ANCI‑led process and subject to stricter cybersecurity obligations.
Public–Private Collaboration Model: The framework in which ANCI, CSIRTs, and sectoral authorities work together with private operators through information sharing, consultations, joint exercises, and working groups to improve national cybersecurity.

Key Terms

CSIRT Nacional: Chile’s National CSIRT. The primary national incident response team that receives incident reports, issues alerts, and coordinates cross‑sector responses.
Sectoral CSIRT: CSIRT dedicated to a specific sector (e.g., finance, energy, telecom), focusing on that sector’s threats and incidents and coordinating with the National CSIRT.
Essential Service: A service whose interruption would significantly impact national security, public order, public health, or the economy. Defined by the Cybersecurity Framework Law and further detailed in regulations.
Incident Reporting: The legal obligation for essential and OVI operators to notify relevant CSIRTs (and indirectly ANCI) of significant cybersecurity incidents within set time limits.
CSIRT de Defensa Nacional: National Defense CSIRT responsible for cybersecurity incidents affecting military and defense systems, coordinating with civilian institutions when necessary.
Sectoral Authority/Regulator: Public body responsible for regulating and supervising a specific sector (e.g., telecom, energy, finance). Under the new law, it must coordinate with ANCI on cybersecurity matters.
Public–Private Collaboration: Ongoing cooperation between government entities (ANCI, CSIRTs, regulators) and private operators through information sharing, consultations, and joint activities to enhance cybersecurity.
Operator of Vital Importance (OVI/OIV): An essential service operator whose systems are so critical that their disruption would cause especially severe effects. Subject to stricter cybersecurity and reporting obligations.
ANCI (Agencia Nacional de Ciberseguridad): National Cybersecurity Agency of Chile. Central authority created by the Cybersecurity Framework Law, responsible for cybersecurity regulation, supervision of essential and OVI operators, and coordination of the national cybersecurity system.
CSIRT (Computer Security Incident Response Team): A specialized team that manages and responds to cybersecurity incidents, providing technical analysis, coordination, and guidance.