SkarpSkarp
Get the App

Chapter 3 of 9

Operators of Vital Importance: Qualification and Criteria

Explains how essential service providers are classified as Operators of Vital Importance (OVI/OIV), including the specific criteria and procedure led by ANCI.

15 min readen

1. Where OVIs Fit in Chile’s Cybersecurity Framework

In Chile’s Cybersecurity Framework Law (Law No. 21.663), published in 2024 and in force today (about 1–2 years old), the State builds a hierarchy:

  1. Essential services – activities that are critical for society (energy, water, health, banking, telecoms, etc.).
  2. Operators of Vital Importance (OVI / OIV – Operadores de Importancia Vital) – specific entities whose disruption would seriously affect those essential services or key State functions.

From earlier modules you know:

  • Essential services describe what must be protected.
  • OVI describe who has the highest level of obligations to protect them.

Under Law 21.663, the National Cybersecurity Agency (ANCI) is the central authority that:

  • Identifies and proposes which entities should be OVIs.
  • Coordinates with sectoral regulators.
  • Maintains and periodically updates the list of OVIs.

So, being an OVI is not automatic: even if you provide an essential service, you only become an OVI after a formal designation process led by ANCI.

2. Legal Definition and Purpose of OVIs

Under Chile’s cybersecurity framework, an Operator of Vital Importance (OVI) is, in simplified terms:

> An entity (public or private) whose operation is essential for the continuity of one or more essential services or for the performance of critical State functions, such that a serious cyber incident affecting it would have a high impact on society, the economy, public order, or national security.

Purpose of the OVI category

Designating OVIs allows the State to:

  • Prioritize protection of the most critical operators.
  • Impose stricter cybersecurity obligations (e.g., risk management, incident reporting, audits).
  • Ensure coordination during serious incidents (with ANCI, sectoral regulators, and other authorities).
  • Allocate resources and oversight where a failure would hurt the country the most.

Not all essential service providers are OVIs, and not all OVIs must be essential service providers (we will return to this nuance later). The OVI label is about impact and dependency on ICT, not just about the sector name.

3. Core Qualification Criteria: Technical and Impact-Based

ANCI uses technical and impact-based criteria to propose and justify that an entity should be classified as an OVI. In practice, these criteria can be grouped as follows:

A. Dependency on ICT Systems

ANCI examines how much the operator depends on information and communication technologies (ICT):

  • Are core processes (generation, distribution, transactions, control, service delivery) managed or monitored through ICT systems?
  • Would a cyber incident (e.g., ransomware, DDoS attack) be enough to interrupt or degrade the service?
  • Is there a strong dependence on industrial control systems (ICS), SCADA, IoT, or cloud services?

High ICT dependency increases the likelihood that a cyberattack can directly disrupt the operator’s activity.

B. Impact on Continuity of Essential Services

ANCI assesses the potential consequences if the operator’s ICT systems fail or are compromised:

  • Could this stop or seriously limit an essential service (e.g., electricity, water, health, banking, telecoms)?
  • Is the operator a single point of failure (no easy substitutes, no redundancy)?
  • How many people or organizations would be affected, and for how long?

C. Impact on Public Order and State Functions

Beyond service continuity, ANCI evaluates whether a cyber incident could:

  • Affect public order and citizen safety (e.g., traffic control, emergency services, public security systems).
  • Harm critical State functions (e.g., tax collection, identity management, elections, defense).
  • Create systemic economic risk (e.g., payment systems, major financial market infrastructures).

D. Size, Interconnection, and Substitution

ANCI also considers:

  • Scale of operations (national vs. regional vs. local).
  • Interconnections with other essential services (e.g., a data center hosting multiple critical sectors).
  • Substitutability: Can others quickly replace this operator if it fails?

An entity becomes a strong OVI candidate when high ICT dependency combines with high potential impact on essential services or State functions.

4. Concrete Examples: Who Typically Becomes an OVI?

To make the criteria more tangible, consider these illustrative examples (not an official list, but realistic given Law 21.663 and international practice):

Example 1 – National Electricity Transmission Operator

  • Controls the high-voltage grid that connects generation plants and distributors.
  • Uses SCADA and industrial control systems to manage power flows.
  • A cyberattack could cause blackouts across large regions.

Why OVI?

  • High ICT dependency (SCADA/ICS).
  • Direct impact on an essential service (electricity).
  • Huge impact on public order, economy, and safety.

Example 2 – Major Telecommunications Backbone Provider

  • Owns backbone networks and international links that carry a large share of Chile’s internet and voice traffic.
  • Hosts key DNS, routing, and interconnection infrastructure.

Why OVI?

  • ICT is the core business.
  • Failure would disrupt multiple essential services (health, banking, public administration, etc.).
  • Single point of failure in some regions.

Example 3 – Critical State Platform for Identity Management

  • Centralized system that manages national ID, civil registry, and digital identity for citizens.
  • Used by many public and private services to verify identity.

Why OVI?

  • Supports critical State functions and many essential services.
  • Cyber incidents could affect public trust, elections, and access to services.

Example 4 – A Cloud Provider Hosting Multiple Essential Services

  • A private company offering cloud infrastructure (IaaS/PaaS).
  • Hosts systems for hospitals, banks, utilities, and government platforms.

Why OVI (even if not itself an essential service)?

  • High ICT dependency by definition.
  • A major incident would have cascading impacts across sectors.
  • This illustrates how non-essential-service providers can still be OVIs due to their systemic importance.

5. ANCI’s Administrative Procedure to Qualify an OVI

The process to classify an entity as an OVI under Law 21.663 follows an administrative, evidence-based procedure coordinated by ANCI. While specific procedural details are fleshed out in secondary regulations, the main stages are:

  1. Identification Phase
  • ANCI maps essential services (based on the law and sector regulations).
  • It then identifies operators whose disruption would have high impact using the criteria in Step 3.
  1. Risk and Impact Assessment
  • ANCI, often with sectoral regulators (e.g., energy, health, finance), evaluates:
  • Threats and vulnerabilities.
  • Possible cascade effects on other sectors.
  • Past incidents and near-misses (in Chile and abroad).
  • This step is largely technical, involving cybersecurity, engineering, and risk analysis.
  1. Consultation with Affected Entities
  • Candidate operators are usually informed and consulted.
  • They may provide data on ICT architecture, redundancy, and incident history.
  • ANCI can refine its assessment based on this input.
  1. Formal Designation Decision
  • ANCI prepares a reasoned proposal identifying the entity as an OVI, explaining the criteria and evidence.
  • The designation is adopted through an administrative act (e.g., resolution or decree, depending on the detailed regulation).
  • The operator is then officially listed as an OVI and notified.
  1. Notification of Obligations
  • Once designated, the operator must comply with enhanced cybersecurity obligations (e.g., risk management frameworks, incident reporting timelines, audits).
  • Sectoral regulators and ANCI coordinate supervision and enforcement.

This procedure is designed to be transparent, evidence-based, and technically grounded, rather than purely political.

6. Thought Exercise: Would This Operator Be an OVI?

Use the criteria from Steps 3–5 to reason through these scenarios. For each, decide: Likely OVI, Possibly OVI, or Unlikely OVI? Then compare with the suggested reasoning.

Scenario A – Regional Hospital Network

  • Runs several hospitals in one region.
  • Uses integrated electronic health records, networked medical devices, and telemedicine platforms.
  • There are no equivalent alternative providers in the region.

Your classification? Why?

Suggested reasoning:

  • High ICT dependency (EHR, connected devices).
  • Critical for an essential service (health).
  • Low substitutability in the region.
  • Likely OVI.

---

Scenario B – Small Local ISP in a City with Many Providers

  • Provides internet to a few neighborhoods.
  • Several other ISPs also operate in the same area.
  • Outage would inconvenience customers but others can take over or users can switch.

Your classification? Why?

Suggested reasoning:

  • ICT dependency is high (it’s an ISP), but:
  • Impact is limited and substitutable.
  • Probably not a single point of failure.
  • Unlikely OVI, unless it hosts or interconnects critical infrastructure.

---

Scenario C – Payment Clearing System for Interbank Transfers

  • Operates the core clearing and settlement system for major banks.
  • If it stops, salary payments, large transfers, and some card transactions are delayed or blocked.

Your classification? Why?

Suggested reasoning:

  • Highly ICT-dependent.
  • Failure has systemic financial impact.
  • Affects multiple essential services and economic stability.
  • Very likely OVI.

Reflect: in each case, the decision is not just about the sector, but about impact, ICT dependency, and substitutability.

7. Three-Year Review Cycle and Public Consultation

Law 21.663 builds in periodic review so the OVI list stays aligned with technological and economic changes.

A. Three-Year Review Cycle

  • At least every three years, ANCI must review and update:
  • The list of essential services (previous module).
  • The list of OVIs associated with those services.
  • This matters because:
  • New technologies (e.g., cloud, IoT, AI-based services) can become systemically important.
  • Market structures change (e.g., mergers, new dominant providers).
  • Emerging threats may reveal previously underestimated dependencies.

An operator that was not an OVI three years ago may become one today, and vice versa.

B. Public Consultation

For significant updates, ANCI must carry out public consultations. These usually involve:

  • Publishing draft lists and criteria for comment.
  • Allowing operators, industry associations, academia, and civil society to provide feedback.
  • Adjusting the final lists and guidance based on technical and practical input.

Why this matters for you (as a future professional):

  • You may work for an organization that participates in these consultations.
  • Understanding the criteria allows you to argue for or against OVI classification with solid reasoning.
  • It shows how cybersecurity regulation is iterative, not static.

8. When Non-Essential Service Providers Become OVIs

A key nuance in Chile’s framework is that some private entities can be classified as OVIs even if they are not, themselves, essential service providers.

This typically happens when:

  • They provide critical enabling services (e.g., cloud, data centers, managed security, identity providers) to multiple essential services or State bodies.
  • Their systems form a technical or operational backbone for other critical sectors.
  • A failure would cause cascading effects across many essential services.

Examples (conceptual):

  • A national cloud provider hosting platforms for health, banking, and public administration.
  • A DNS or routing provider whose infrastructure is essential for the functioning of the national internet.
  • A managed security operations center (SOC) that monitors and responds to incidents for multiple OVIs.

In these cases, ANCI can justify OVI classification by showing that:

  1. The provider’s ICT infrastructure is critical for essential services or State functions.
  2. There is no easy substitute in the short term.
  3. A major incident would have high systemic impact.

For ICT and digital service providers, this means you might be an OVI even if your sector is not traditionally labeled “critical infrastructure”. What matters is the real-world impact of your failure.

9. Quick Check: Applying the Criteria

Answer the question below to test your understanding of OVI qualification under Chile’s Law 21.663.

Which combination best captures the main criteria ANCI uses to qualify an entity as an Operator of Vital Importance (OVI)?

  1. Sector name (e.g., energy, health) and company size (number of employees).
  2. Dependency on ICT systems, potential impact on essential services and State functions, and degree of substitutability.
  3. Level of cybersecurity investment and whether the company is public or private.
Show Answer

Answer: B) Dependency on ICT systems, potential impact on essential services and State functions, and degree of substitutability.

ANCI focuses on: (1) how dependent the operator is on ICT systems, (2) the potential impact of a cyber incident on essential services, public order, and State functions, and (3) how easily the operator can be substituted. Sector labels and ownership type may be relevant context but are not the core legal criteria.

10. Flashcards: Key Concepts on OVIs

Use these flashcards to reinforce the most important terms from this module.

Operator of Vital Importance (OVI / OIV)
An entity (public or private) whose operation is so critical that a serious cyber incident affecting it would significantly impact essential services, public order, the economy, or critical State functions. Designated through an administrative process led by ANCI under Law No. 21.663.
Essential Service
A service identified in Chile’s cybersecurity framework as necessary for the functioning of society, the economy, or the State (e.g., electricity, water, health, banking, telecoms). OVIs are operators whose disruption would severely affect these services.
ANCI (National Cybersecurity Agency)
The central authority created by Law No. 21.663 responsible for coordinating cybersecurity policy, identifying and proposing OVIs, supervising compliance, and reviewing the lists of essential services and OVIs.
Impact-Based Criteria
Criteria that assess the potential consequences of a cyber incident on service continuity, public order, economic stability, and State functions, rather than just the sector label or company size.
Three-Year Review Cycle
The periodic process (at least every three years) in which ANCI reviews and updates the lists of essential services and OVIs, including through public consultation, to reflect technological, market, and threat changes.
Non-Essential Provider as OVI
A private entity that is not itself an essential service provider but can be classified as an OVI because its ICT infrastructure (e.g., cloud, data center, DNS, SOC) is critical for multiple essential services or State functions.

Key Terms

Substitutability
The extent to which another operator can quickly and effectively replace the services of a given operator if it fails; low substitutability increases the likelihood of OVI designation.
Essential Service
A service defined by law and regulation as critical for society, the economy, or the State (e.g., energy, water, health, banking, telecoms), forming the basis for identifying OVIs.
Impact-Based Criteria
A set of criteria focusing on the consequences of a cyber incident (on service continuity, public order, economy, and State functions) and on ICT dependency and substitutability, used to justify OVI designation.
Three-Year Review Cycle
The mandatory periodic review, at least every three years, during which ANCI reassesses and updates the lists of essential services and OVIs, typically involving public consultation.
Operator of Vital Importance (OVI / OIV)
An operator designated under Chile’s Cybersecurity Framework Law (Law No. 21.663) whose disruption due to a cyber incident would have a severe impact on essential services, public order, the economy, or critical State functions.
ANCI (Agencia Nacional de Ciberseguridad)
Chile’s National Cybersecurity Agency, responsible for coordinating national cybersecurity policy, identifying and supervising Operators of Vital Importance, and managing the review of essential services and OVIs.