Chapter 9 of 9
Practical Implications for ICT and Managed Service Providers
Synthesizes the legal framework into concrete implications and action points for ICT, telecommunications, cloud, and managed service providers that may be classified as essential or OVI.
1. Where ICT and MSPs Fit in Chile’s Cybersecurity Law
Chile’s new Ley Marco de Ciberseguridad e Infraestructura Crítica de la Información (Framework Cybersecurity Law), published in 2024 and being implemented through 2025–2026, creates duties not only for power plants, banks, or hospitals, but also for ICT and managed service providers (MSPs).
Under this framework (and its forthcoming regulations), ICT/telecom/cloud providers can be:
- Essential Service Operators (operadores de servicios esenciales)
  - Example: A major telecom operator providing backbone connectivity for emergency services.
  - Example: A cloud provider hosting core banking systems for multiple banks.
- Operators of Vital Importance (OVI)
  - These are entities whose disruption would seriously affect national security, public order, or the economy.
  - An ICT or cloud provider can be designated as OVI if its services are critical enablers for essential sectors (energy, health, finance, transport, public administration, etc.).
- Critical suppliers to essential/OVI operators
  - Even if you are not directly classified as essential or OVI, you may be a key supplier and thus contractually bound to meet similar cybersecurity and reporting obligations.
For the rest of this module, assume you are advising an ICT or managed service provider that:
- Offers connectivity, cloud, hosting, or managed security/IT services, and
- Has at least some customers in regulated essential sectors (e.g., banks, utilities, government).
We will translate the law into practical steps: mapping your role, updating contracts and SLAs, aligning with other regimes (like data protection and financial rules), and building a 2025–2026 readiness roadmap.
2. Map Your Services and Customers to Essential Sectors
Your first task is to understand your exposure.
Activity: Quick Mapping Exercise
Take a fictitious MSP, AndesCloud SpA, offering:
- IaaS and PaaS cloud services
- Managed firewall and SOC (Security Operations Center)
- MPLS/VPN connectivity
Its customers include:
- Bank A (large retail bank)
- HealthNet (hospital network)
- CityGov (municipal government)
- SmallShop (e-commerce SME)
Question 1 (thought exercise):
- Which customers are clearly in essential sectors under the cyber law?
- Which services are likely to be considered critical for those customers?
Write down your reasoning, then compare with this guide:
> Guide for reflection (do not peek until you’ve thought about it):
> - Essential sectors likely include Bank A, HealthNet, and possibly CityGov depending on its functions.
> - Critical services could be: hosting of core banking apps, hospital EMR systems, government portals, and the SOC services that monitor them.
Your Turn
Now apply this to a real or hypothetical ICT/MSP you know:
- List 3–5 key services (e.g., cloud hosting, managed backup, SD‑WAN, VoIP, SOC-as-a-Service).
- For each service, mark which client sectors it serves (finance, health, energy, government, transport, others).
- Highlight combinations where loss or compromise would:
  - Stop an essential service from operating, or
  - Seriously affect public order, safety, or the economy.
These highlighted combinations are your priority candidates for essential/OVI relevance and stricter obligations.
3. Determining If You Are Essential, OVI, or a Critical Supplier
The law and its regulations (decrees and technical norms issued since 2024 and evolving through 2025–2026) use criteria such as scale, criticality, and substitutability.
Typical indicators that you might be:
- An Essential Service Operator (ICT/telecom) if:
  - You provide national or regional backbone connectivity (fixed or mobile).
  - You operate core internet exchange or DNS infrastructure in Chile.
  - You host or operate primary platforms used by multiple essential sectors (e.g., payment clearing, national e‑ID, major government platforms).
- An OVI if:
  - Disruption of your services would have a severe impact on national security, public order, or the economy.
  - Your infrastructure is part of critical information infrastructure as identified by the state.
- A Critical Supplier if:
  - You are not directly designated as essential/OVI, but:
    - Your services are embedded in essential operators’ critical processes (e.g., outsourced SOC, cloud hosting of core apps).
    - Your contracts are explicitly referenced in your customers’ cybersecurity obligations.
Practical Tip
Even before formal designation:
- Assume that if you host, secure, or connect systems necessary for essential/OVI functions, you will be:
  - Required to meet minimum cybersecurity standards, and
  - Bound by incident reporting and cooperation duties (often through contracts).
This is why contract and SLA design is central for ICT/MSPs under the Chilean framework.
4. Contract and SLA Adjustments: Concrete Examples
Imagine you are revising a managed service contract in 2025 between your MSP (AndesCloud) and Bank A, which is clearly an essential operator.
Before the Cybersecurity Law
The SLA might say:
- Uptime: 99.5% monthly for core banking platform.
- Security: "Industry best practices" (vague).
- Incidents: Notify client of major incidents within a "reasonable time".
- Cooperation: "Parties will cooperate in good faith".
After the Cybersecurity Law (2025–2026 reality)
The SLA now needs to reflect:
- Security Standards
  - Reference specific frameworks (e.g., ISO/IEC 27001, ISO 27017/27018 for cloud, NIST CSF) and any ANCI technical norms applicable to essential/OVI operators.
  - Example clause:
    > The Provider shall maintain an Information Security Management System (ISMS) aligned with ISO/IEC 27001 and comply with applicable technical standards issued by ANCI and the sectoral regulator for essential service operators.
- Incident Detection and Reporting
  - Align with mandatory reporting timelines (e.g., serious incidents within hours, not days).
  - Example clause:
    > The Provider shall notify the Client’s incident response contact within 1 hour of detecting any cybersecurity incident that affects or may reasonably affect the availability, integrity, or confidentiality of the Services supporting the Client’s essential functions.
- Cooperation Duties
  - Explicit obligations to support investigations, provide logs, and cooperate with ANCI and sectoral authorities (through the client).
  - Example clause:
    > The Provider shall, at no additional cost, support the Client in fulfilling its legal obligations to notify and cooperate with ANCI and the competent sectoral authority, including providing relevant logs, forensic data, and technical expertise, subject to applicable data protection and confidentiality rules.
- Business Continuity and Resilience
  - Require tested backup, DR, and redundancy for critical systems.
  - Example clause:
    > The Provider shall maintain and annually test Business Continuity and Disaster Recovery plans ensuring a maximum Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 15 minutes for the Services listed in Annex X.
- Sub‑processors and Supply Chain
  - The client must know and approve sub‑providers, who must also meet security and reporting standards.
  - Example clause:
    > The Provider shall not engage sub‑contractors for critical components of the Services without prior written approval from the Client and shall ensure such sub‑contractors are bound by equivalent cybersecurity, reporting, and cooperation obligations.
These changes translate legal duties into operational and contractual requirements for ICT/MSPs.
5. Quick Check: Contract Priorities
Test your understanding of which contractual elements are most critical under the Chilean cybersecurity framework for ICT/MSPs.
Which of the following **most directly** helps an essential operator meet its legal incident reporting obligations when using an MSP?
- A) A generic clause saying the MSP will use 'industry best practices' for security.
- B) A detailed SLA clause requiring the MSP to notify the client within a defined number of hours of detecting incidents affecting essential services.
- C) A marketing annex describing the MSP’s cybersecurity certifications without any response times.
Answer: B) A detailed SLA clause requiring the MSP to notify the client within a defined number of hours of detecting incidents affecting essential services.
The law focuses on **timely detection and reporting** of incidents. A clause that sets a **clear notification deadline** for relevant incidents directly supports the client’s legal duty to report to ANCI/sectoral regulators. 'Best practices' language or marketing claims are too vague to ensure compliance.
6. Aligning With Other Regimes: Data Protection, Financial, and Telecom Rules
The Chilean cybersecurity framework does not exist in isolation. ICT/MSPs must align with other regulatory regimes that are also being updated.
1. Data Protection Reform (Personal Data)
- Chile has been moving toward a modernized data protection regime, closer to the EU GDPR model, with stronger security and breach notification duties.
- For MSPs handling personal data (cloud hosting, SaaS, SOC logs, etc.):
  - A security incident under the cyber law may also be a personal data breach.
  - You may have parallel notification duties: to clients (data controllers), to the data protection authority (once fully operational), and possibly to ANCI via the essential/OVI operator.
Practical implication:
- Harmonize your incident classification so that a single event is tagged both as a cybersecurity incident and, where relevant, a personal data breach, triggering the right workflows.
2. Financial Regulation (Banks, Payment Systems)
- The CMF (Comisión para el Mercado Financiero) has its own rules on operational risk, outsourcing, and cybersecurity for banks and financial institutions.
- If you serve banks or financial market infrastructures:
  - Expect detailed technical and reporting requirements, including penetration tests, resilience tests, and strict outsourcing conditions.
  - Your contracts may be reviewed by the bank’s compliance/legal teams to ensure they meet CMF expectations and the cyber law.
Practical implication:
- Design a standard “regulated finance” service package that explicitly meets CMF + cyber law expectations (e.g., specific encryption, logging, segregation, audit rights).
3. Telecom Regulation (Subtel and Others)
- Telecom operators already face availability and quality of service obligations, plus security requirements for networks and critical infrastructure.
- Under the new framework, network outages or major security incidents can now have both telecom and cybersecurity consequences, including coordination with ANCI.
Practical implication:
- Integrate telecom NOC processes with SOC/cyber incident processes, ensuring that network incidents are evaluated for cybersecurity relevance and escalated accordingly.
The key skill for ICT/MSPs is to avoid siloed compliance: build one coherent risk and incident management system that addresses all applicable regimes.
7. Prioritizing Readiness Steps for 2025–2026
Regulations and technical norms are being phased in across 2025–2026. You cannot do everything at once, so you need a priority roadmap.
Thought Exercise: 90‑Day, 1‑Year, 2‑Year Plan
Assume you are the security manager of AndesCloud (mid‑size cloud/MSP) in early 2026. Draft a prioritized plan:
#### A. First 90 Days
List 3–5 actions you would take immediately. Examples to consider:
- Identify which customers are essential/OVI or likely to become so.
- Review existing contracts with those customers for security and incident clauses.
- Map current incident detection and reporting capabilities to the timelines expected by ANCI/sectoral regulators.
- Start an internal gap assessment against one reference framework (e.g., ISO 27001 or NIST CSF).
#### B. Within 1 Year
List 3–5 medium‑term actions. Examples:
- Update and re‑negotiate SLAs and DPAs with essential/OVI customers.
- Implement or strengthen centralized logging, SIEM, and SOC processes.
- Define and test business continuity and disaster recovery for critical services.
- Train staff on incident response, legal duties, and evidence preservation.
#### C. Within 2 Years
List 3–5 longer‑term maturity goals. Examples:
- Achieve formal certification (e.g., ISO 27001) where commercially or regulatorily necessary.
- Implement a supply chain security program for your own vendors and sub‑providers.
- Develop sector‑specific service offerings (e.g., "Cyber‑ready cloud for healthcare" aligned with health sector norms).
Write down your plan in bullet points. Then compare it with this suggested priority order:
- Know your critical customers and services (mapping).
- Fix incident reporting and cooperation clauses in contracts.
- Ensure you can actually detect and respond within required timelines.
- Harden and document your security controls and continuity plans.
- Formalize and certify where needed for trust and regulatory alignment.
8. Simple Service–Risk Mapping Template (for ICT/MSPs)
You can use a structured template (in JSON or a spreadsheet) to map services, clients, and criticality. This helps you decide where cyber‑law obligations bite hardest.
Below is a JSON-like structure you could adapt in a GRC tool or script:
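As an added example (not the module's own template), the following Python holds such a JSON-like map for the fictitious AndesCloud from Section 2 and applies the module's own criteria to it: the two highlighting conditions from Section 2 for priority combinations, and the 1-hour client notification figure from the Section 4 example clause to spot contract gaps. The sample records, the sector list and the field names are constructed for this example.

```python
# Added example: service/client risk map for the fictitious AndesCloud (Section 2),
# with helpers that apply the module's criteria. All sample data is constructed.
import json

# Sectors the module names as essential (assumed list for this example).
ESSENTIAL_SECTORS = {"finance", "health", "government", "energy", "transport"}

# One record per service/client combination. The two boolean fields are the
# Section 2 highlighting criteria; notify_client_within_hours is the SLA deadline
# from Section 4 (None means the contract still says "reasonable time").
SERVICE_RISK_MAP = [
    {"service": "IaaS/PaaS hosting", "client": "Bank A", "sector": "finance",
     "stops_essential_service": True, "affects_public_order_or_economy": True,
     "notify_client_within_hours": 1},
    {"service": "Managed SOC", "client": "Bank A", "sector": "finance",
     "stops_essential_service": False, "affects_public_order_or_economy": True,
     "notify_client_within_hours": None},
    {"service": "IaaS/PaaS hosting", "client": "HealthNet", "sector": "health",
     "stops_essential_service": True, "affects_public_order_or_economy": True,
     "notify_client_within_hours": None},
    {"service": "MPLS/VPN connectivity", "client": "CityGov", "sector": "government",
     "stops_essential_service": False, "affects_public_order_or_economy": False,
     "notify_client_within_hours": None},
    {"service": "IaaS/PaaS hosting", "client": "SmallShop", "sector": "retail",
     "stops_essential_service": False, "affects_public_order_or_economy": False,
     "notify_client_within_hours": None},
]

def is_priority(entry):
    """Section 2 rule: an essential-sector client for which loss or compromise of
    this service would stop the essential service or seriously affect public
    order, safety, or the economy."""
    return entry["sector"] in ESSENTIAL_SECTORS and (
        entry["stops_essential_service"] or entry["affects_public_order_or_economy"])

def priority_combinations(risk_map):
    """(service, client) pairs that are priority candidates for essential/OVI relevance."""
    return [(e["service"], e["client"]) for e in risk_map if is_priority(e)]

def contract_gaps(risk_map, max_hours=1):
    """Priority combinations whose contract has no client notification deadline of
    at most max_hours (1 hour is the Section 4 example clause)."""
    gaps = []
    for e in risk_map:
        if not is_priority(e):
            continue
        deadline = e["notify_client_within_hours"]
        if deadline is None or deadline > max_hours:
            gaps.append((e["service"], e["client"]))
    return gaps

def export_json(risk_map):
    """Serialise the map for a GRC tool, adding the derived priority flag."""
    return json.dumps([{**e, "priority": is_priority(e)} for e in risk_map], indent=2)

if __name__ == "__main__":
    print("Priority combinations:", priority_combinations(SERVICE_RISK_MAP))
    print("Contract gaps (no <=1h notification clause):", contract_gaps(SERVICE_RISK_MAP))
```

CityGov comes out as non-priority only because both criteria are marked False in the sample data; as Section 2 notes, that depends on the municipality's actual functions.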
9. Scenario Quiz: What Should the MSP Do?
Apply what you have learned to a realistic incident scenario.
Your SOC detects a ransomware attack on a virtual machine hosting part of **HealthNet’s** hospital system. You contain it quickly, but there is a high risk that some patient records were accessed. HealthNet is an essential operator. What is your **most appropriate first move** as the MSP, considering Chile’s cybersecurity and data protection context?
- A) Wait 24–48 hours to confirm exactly what happened before telling HealthNet, to avoid false alarms.
- B) Immediately notify HealthNet through the agreed incident channel, share initial technical details and logs, and coordinate next steps, including their notifications to ANCI and data protection authorities.
- C) Only notify your cloud infrastructure vendor, since they own the underlying hardware, and let them handle any external reporting.
Answer: B) Immediately notify HealthNet through the agreed incident channel, share initial technical details and logs, and coordinate next steps, including their notifications to ANCI and data protection authorities.
Under the cybersecurity framework, **timely notification and cooperation** with essential operators is crucial. You must alert HealthNet quickly so they can meet their own obligations to notify **ANCI** and any other competent authorities (including data protection authorities for a potential personal data breach). Waiting too long or delegating solely to your infrastructure vendor would undermine compliance and increase risk.
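As an added example (not the module's own code), the following Python applies the Section 6 advice to tag one event under both regimes and derive the workflows the MSP must start, using the HealthNet scenario above as constructed input. The 1-hour client deadline is the Section 4 example clause; the incident fields, tag names and "support" workflow names are assumptions made for this example.

```python
# Added example: harmonised incident classification (Section 6) applied to the
# Section 9 HealthNet scenario. Field names, tags and workflow names are assumed.
from datetime import datetime, timedelta, timezone

# Constructed incident record for the Section 9 scenario (all values are sample data).
HEALTHNET_INCIDENT = {
    "id": "INC-EXAMPLE-001",                  # placeholder identifier
    "client": "HealthNet",
    "client_is_essential_operator": True,
    "affects_essential_services": True,       # the VM hosts part of the hospital system
    "contained": True,                        # containment does not remove the duties below
    "personal_data_possibly_accessed": True,  # high risk that patient records were read
    "detected_at": datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc),
}

def classify(incident):
    """Tag one event under every regime that applies, so one record drives all workflows."""
    tags = {"cybersecurity-incident"}
    if incident["affects_essential_services"]:
        tags.add("affects-essential-functions")   # scope of the Section 4 notification clause
    if incident["personal_data_possibly_accessed"]:
        tags.add("personal-data-breach")          # data protection regime
    return tags

def client_notification_deadline(incident, sla_hours=1):
    """Contractual deadline to notify the client, counted from detection, not from
    full confirmation (which is why option A in Section 9 is wrong)."""
    if "affects-essential-functions" not in classify(incident):
        return None                     # routine incident: normal contract terms apply
    return incident["detected_at"] + timedelta(hours=sla_hours)

def is_overdue(incident, now, sla_hours=1):
    """True when the SLA notification window has already closed at time `now`."""
    deadline = client_notification_deadline(incident, sla_hours)
    return deadline is not None and now > deadline

def triggered_workflows(incident):
    """Workflows the MSP starts. The MSP notifies the client; the client, as essential
    operator and data controller, notifies ANCI and the data protection authority,
    so those appear here as 'support' actions (assumed workflow names)."""
    tags = classify(incident)
    actions = ["notify-client"]
    if "affects-essential-functions" in tags:
        actions.append("preserve-logs-and-forensics")
        if incident["client_is_essential_operator"]:
            actions.append("support-client-ANCI-report")
    if "personal-data-breach" in tags:
        actions.append("support-client-data-protection-notice")
    return actions

if __name__ == "__main__":
    print(sorted(classify(HEALTHNET_INCIDENT)))
    print("Notify client by:", client_notification_deadline(HEALTHNET_INCIDENT))
    print(triggered_workflows(HEALTHNET_INCIDENT))
```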
10. Key Term Review
Flip these cards (mentally) to reinforce core concepts for ICT and managed service providers under Chile’s cybersecurity framework.
- Essential Service Operator (ICT context)
- An entity whose services are necessary for the maintenance of critical societal or economic functions (e.g., major telecom operator, cloud platform hosting core banking or e‑government systems). Subject to strict cybersecurity, risk management, and incident reporting duties.
- OVI (Operador de Importancia Vital)
- An operator whose disruption would seriously affect national security, public order, or the economy. ICT or cloud providers can be designated OVI if their infrastructure or services are critical enablers for essential sectors.
- Critical Supplier
- A provider whose services are embedded in an essential/OVI operator’s critical processes (e.g., outsourced SOC, hosting of core apps). Even if not formally designated, they are often bound by similar cybersecurity and reporting duties via contracts and SLAs.
- Incident Reporting Obligation
- The duty of essential/OVI operators to notify ANCI and sectoral regulators of certain cybersecurity incidents within defined timeframes. MSPs must support this through rapid client notification and cooperation clauses in contracts.
- Regime Alignment
- The process of ensuring that cybersecurity measures and incident workflows comply not only with the cyber law but also with related regimes such as data protection, financial regulation (CMF), and telecom regulation (Subtel).
- 2025–2026 Readiness Roadmap
- A prioritized plan for ICT/MSPs that typically includes: mapping critical services and clients, updating contracts/SLAs, strengthening detection and response, testing continuity plans, and pursuing relevant certifications as regulations and ANCI norms are phased in.
Key Terms
- ANCI
- Agencia Nacional de Ciberseguridad de Chile, the national authority created by the 2024 cybersecurity framework law, responsible for coordinating, supervising, and enforcing cybersecurity obligations for essential and OVI operators.
- Subtel
- Subsecretaría de Telecomunicaciones de Chile, the authority overseeing telecommunications services, including network quality and certain security aspects.
- Critical Supplier
- A third-party provider whose services are integral to the operations of an essential or OVI operator. Often required by contract to meet equivalent cybersecurity, reporting, and cooperation standards.
- Incident Reporting
- The process of notifying competent authorities (such as ANCI and sectoral regulators) about cybersecurity incidents within specific timeframes and with defined content, as required by law.
- Data Protection Regime
- The set of laws and regulations governing the processing and protection of personal data in Chile, which is being modernized to strengthen security and breach notification duties.
- Essential Service Operator
- An organization that provides services considered essential for the functioning of society or the economy (e.g., energy, finance, health, telecommunications, public administration). In the ICT context, this can include major telecom and cloud providers.
- SLA (Service Level Agreement)
- A contractual document defining performance, availability, security, and incident response commitments between a service provider (e.g., MSP) and its customer.
- OVI (Operador de Importancia Vital)
- Operator of Vital Importance; an entity whose disruption would have severe impacts on national security, public order, or the economy. Subject to the highest cybersecurity and resilience requirements under the Chilean framework.
- CMF (Comisión para el Mercado Financiero)
- Chile’s Financial Market Commission, which regulates banks and other financial entities, including their cybersecurity and outsourcing practices.
- Business Continuity and Disaster Recovery (BC/DR)
- Plans and technical measures to ensure that critical services can continue or be quickly restored after a disruption, a key expectation for essential and OVI operators and their ICT/MSPs.