Cybersecurity
Legal framework, regulators and obligations under the Chilean cybersecurity regime.
Cybersecurity in Chile: regulatory overview
Cybersecurity has moved from a technical concern to a legal obligation in Chile. The adoption of Law 21.663 (the Framework Law on Cybersecurity, published in 2024) and the creation of the National Cybersecurity Agency (ANCI) establish a unified regime of duties, supervision and sanctions for both public institutions and private operators whose services are considered essential or critical.
The regime applies on two tracks. The first covers operators of vital importance (OIV), typically large providers of telecommunications, energy, water, banking, health, transport and digital services whose disruption would affect the provision of essential services. These entities face heightened duties around risk management, incident reporting, continuity plans and the appointment of a cybersecurity delegate. The second track covers essential service operators (OSE), the broader set of public and private entities that the law brings under its general framework; these must implement a minimum cybersecurity standard, report significant incidents to ANCI within the deadlines the law sets and cooperate with the agency's instructions.
Sector regulators remain active in parallel. The CMF supervises the financial sector through rules such as NCG 454 and RAN 20-10 for banks; the SEC oversees the electricity and fuels sector; and data-protection rules interact with the cybersecurity regime whenever personal data is affected by an incident. Understanding how these layers overlap, and when each one applies, is the core of any serious compliance programme.
The pages below expand on each element of the Chilean cybersecurity framework and the obligations that flow from it.
Legal framework
- Cybersecurity Framework Law 21.663 — obligations, ANCI and supervisory powers.
- National Cybersecurity Policy — strategic objectives and institutional architecture.
- Operators of Vital Importance (OIV) — designation criteria and reinforced duties.
Regulated sectors
- Financial sector — CMF rules (NCG 454, RAN 20-10) and banking.
- Energy sector — SEC supervision and electricity industry.
- Corporate sector — corporate criminal liability and prevention models.
Further reading
The cybersecurity regime interacts closely with data protection. Incidents affecting personal data trigger parallel obligations under Law 21.719.
Frequently asked questions
What does Law 21.663 on Cybersecurity regulate?
The Cybersecurity Framework Law (Law 21.663, 2024) establishes the national institutional framework on the matter: it creates the National Cybersecurity Agency (ANCI), defines the regime for essential service operators (OSE) and operators of vital importance (OIV), and regulates risk management, incident notification and sanctions. It replaces and elevates the previous regime, which rested on sectoral administrative instructions.
What is ANCI and what powers does it have?
The National Cybersecurity Agency (ANCI) is the technical body responsible for coordinating, supervising and overseeing the implementation of Law 21.663. Its powers include: issuing mandatory technical standards; designating entities as OIVs; receiving notifications of significant cybersecurity incidents; conducting investigations; imposing administrative sanctions (fines up to 40,000 UTM); and coordinating the national response to major incidents. It began operations during the first half of 2025.
What is an Operator of Vital Importance (OIV) and what obligations does it have?
An OIV is an entity, public or private, designated by ANCI whose operational disruption would have a significant impact on national security, public health, the economy or the well-being of the population. Its obligations include: implementing an information security management system; designating a cybersecurity officer; maintaining business-continuity and incident-response plans; notifying significant incidents to ANCI within short deadlines (the law requires an early alert within three hours of becoming aware of the incident, followed by fuller reports); performing periodic audits; and reporting compliance. The designation criteria are refined through ANCI resolutions.
How do Law 21.663 and Law 21.719 (data protection) interact?
Both regimes operate in parallel and intersect in cybersecurity incidents that affect personal data. Law 21.663 focuses on the availability and integrity of services, with incidents notified to ANCI; Law 21.719 focuses on the confidentiality of personal data, with incidents notified to the Data Protection Agency. The same incident may trigger both notification obligations simultaneously, with different deadlines and authorities, which requires an incident response protocol that covers both regimes from day zero.
What sanctions does ANCI apply for non-compliance?
Law 21.663 establishes administrative sanctions graduated according to severity and according to whether the infringer is an OIV. Fines may reach 40,000 UTM per very serious infringement. Repeated infringements may lead to suspension of the cybersecurity officer or to corrective measures. The sanctioning regime is complementary: it does not exclude sectoral sanctions (CMF for banks, SEC for energy) or potential criminal liability (Law 21.595 on economic crimes, whose catalogue incorporates the computer-crime offences of Law 21.459).