Cybersecurity in the Energy Sector | Anguita Osorio Abogados

Regulatory framework, OT/IT challenges and compliance for critical electrical infrastructure in Chile

Energy Sector Cybersecurity: Governance for Critical Infrastructure

The electrical sector faces Chile's most complex supervisory matrix, with SEC, CNE, CEN and the new ANCI. We analyze the strategic challenges to protect critical infrastructure (OT/IT) and ensure regulatory compliance in an environment of multiple regulators and systemic risks.

The Multi-Regulator Framework of the Electrical Sector

Energy sector companies operate in a highly complex regulatory ecosystem. Law 21.663 overlaps with the powers of sectoral regulators, creating a supervisory matrix with four key actors:

| Regulator | Oversight Scope | Primary Focus |
|---|---|---|
| ANCI | National cybersecurity and incident notification. | Law 21.663 compliance. |
| SEC | Installation security and supply continuity. | Service quality and safety. |
| CNE | Energy policy and sectoral technical standards. | Technical standards design. |
| CEN | System operational coordination and secure communications. | Operational stability and security. |

An incident at a power plant can simultaneously be a security failure (SEC), an operational disruption (CEN) and a cybersecurity incident (ANCI), triggering reports and oversight through multiple channels.

Critical Infrastructure by Legal Definition

The electrical sector is classified as an **Essential Service**. It is presumed that large generators, trunk transmission companies and main distributors will be qualified as **Operators of Vital Importance (OIV)** under the process initiated by ANCI Resolution No. 024/2025, subjecting them to the highest requirements of Law 21.663.

**Current status:** The first OIV qualification process is underway with 90-day deadlines for resolution.

The Strategic Challenge of OT/IT Convergence

Digitalization has dissolved the barrier between **Information Technologies (IT)** and **Operational Technologies (OT)**, which control physical processes (SCADA, ICS). This convergence is a central point of risk and regulatory scrutiny.

Risk Vectors in Critical Infrastructure:

  • **IT to OT threat propagation:** An attack on the corporate network can impact control systems, with potential to cause physical damage and massive disruptions.
  • **OT supply chain attacks:** Compromise of industrial equipment suppliers (PLC, RTU).
  • **Industrial protocol exploitation:** Vulnerabilities in protocols such as Modbus, DNP3 or IEC 61850.

Regulation demands an integrated security vision. Lack of adequate segmentation between IT and OT is considered a serious deficiency that may constitute corporate liability.

Alignment with International Standards: NERC-CIP

The **NERC-CIP** standards are the global reference for electrical cybersecurity. CEN already requires compliance with them. Law 21.663 and future technical standards will align with their principles.

Companies must integrate these technical controls into a **corporate governance** framework. NERC-CIP compliance becomes the technical evidence that demonstrates due diligence to ANCI and SEC.

Critical Obligations and the Double Reporting Challenge

The main operational complexity for the sector is managing incident notification to multiple authorities with different focuses and deadlines:

  • **0-3 hours (ANCI):** Notification to the National CSIRT of a cybersecurity incident.
  • **Immediate / Variable (CEN):** Report to the Electrical CSIRT on operational unavailability.
  • **Variable (SEC):** Report if the incident affects supply continuity or security.

Uncoordinated management of these reports increases the risk of inconsistencies and legal exposure.

Strategic Action Lines for the Energy Sector

To manage this scenario, sector companies should focus on the following analysis areas:

Design of an Integrated Regulatory Framework

Creating a compliance framework that unifies obligations to SEC, CNE, CEN and ANCI, so the company can respond to all regulators coherently and efficiently.

Risk Governance Analysis in OT/IT Environments

Reviewing the Board's responsibilities in supervising OT/IT convergence risks, aligning technical management with legal compliance strategy.

Multi-Agency Crisis Management Strategies

Developing incident management protocols that coordinate communication flows to all involved regulators.

© 2025 AnguitaOsorio, all rights reserved.