The New Cybersecurity Regulatory Scenario

Law N° 21.663, together with the creation of the National Cybersecurity Agency (ANCI), establishes the new institutional and regulatory architecture for cybersecurity in Chile. The law imposes duties on a broad spectrum of organizations, with particular focus on Essential Services (ES) and Operators of Vital Importance (OVI).

Regulatory Framework in Development

The implementation of the law is articulated through supreme decrees and ANCI resolutions:

  • Supreme Decree N° 285/2024: Regulation of the OVI qualification procedure
  • Supreme Decree N° 295/2024: Regulation of cybersecurity incident reports
  • ANCI Resolution N° 024/2025: Initiates first OVI qualification procedure (May 2025)
  • ANCI Resolution N° 7/2025: Official taxonomy of cybersecurity incidents
  • General Instruction N° 1: Registration of ES in reporting platform

Designation and Registration Obligations

ES must designate a Reporting Officer responsible for registration on the ANCI platform and for incident notification. OVI additionally require a Cybersecurity Officer with technical coordination functions. All entities must register on the official incident reporting platform in accordance with ANCI General Instruction N° 1.

Entities Subject to Law 21.663

According to Article 2° of the law, Essential Services (ES) are those provided by:

Public Agencies

  • State Administration agencies
  • National Electric Coordinator
  • Providers under public service concession

Private Institutions in Specific Activities

  • Energy: Generation, transmission or electrical distribution
  • Fuels: Transportation, storage or fuel distribution
  • Water: Drinking water supply or sanitation
  • Telecommunications
  • Digital infrastructure
  • Digital and IT services: Managed by third parties
  • Transport: Land, air, rail or maritime, as well as infrastructure operation
  • Financial: Banking, financial services and payment methods
  • Social security: Benefit administration
  • Postal: Postal and courier services
  • Health: Institutional provision by hospitals, clinics, medical centers
  • Pharmaceutical: Production and/or research of pharmaceutical products

Other Services

ANCI may qualify other services as essential through reasoned resolution when their disruption could cause serious harm to:

  • Life or physical integrity of the population
  • Population supply
  • Relevant sectors of economic activities
  • Environment
  • Normal functioning of society and/or State Administration
  • National defense
  • Security and public order

Operators of Vital Importance (OVI)

OVI are a subset of ES with greater national criticality. ANCI will identify, through exempt resolution, the specific infrastructures, processes or functions that will be qualified as OVI and made subject to additional obligations under Article 8°.

Fundamental Obligations for Regulated Entities

The law defines a set of permanent duties that form the basis of compliance, which are intensified for organizations qualified as OVI.

General Duties (Applicable to ES and OVI)

  • Continuous Risk Management: Implement and maintain technical and organizational measures to manage risks affecting network and system security.
  • Response Capabilities: Develop necessary capabilities to prevent, detect, manage and respond to cybersecurity incidents.
  • Mandatory Incident Reporting: Notify the National CSIRT of significant incidents within strict deadlines (initial alert in less than 3 hours, detailed report in 72 hours, final report in 30 days).

Specific Duties for Operators of Vital Importance (OVI)

The most critical organizations for the country must, additionally:

  • Implement an Information Security Management System (ISMS).
  • Develop and certify Operational Continuity and Cybersecurity Plans.
  • Conduct periodic audits, evaluations and drills.
  • Designate a Cybersecurity Delegate.

Current Implementation Status

Law 21.663 is in an active implementation process, with specific deadlines for different obligations:

OVI Qualification Process Underway

Through Exempt Resolution N° 024 of May 2025, ANCI initiated the first qualification procedure for Operators of Vital Importance. This process:

  • Is governed by Supreme Decree N° 285/2024
  • Has a 90-day deadline from entry into force
  • Must be reviewed every 3 years according to Article 6° of the law
  • Determines which ES remain subject to additional obligations under Article 8°

Official Incident Taxonomy

ANCI Resolution N° 7/2025 established the official taxonomy with four alert categories:

  • Forgery alerts: Sites impersonating others
  • Incident alerts: Vulnerabilities under active exploitation
  • Compromise indicators: Malware, phishing, vishing, smishing
  • Vulnerability alerts: Software and application flaws

Operational Platforms

ANCI systems are operational through:

  • National CSIRT: csirt.gob.cl
  • Institutional ANCI: anci.gob.cl
  • Registration platform: For registration according to General Instruction N° 1

Sectoral Analysis: Regulatory Concurrence

Law 21.663 operates as a general framework, but its greatest complexity arises in sectors that already have their own cybersecurity regulation, creating regulatory concurrence scenarios.

Implementation Frameworks

Law 21.663 establishes functional obligations without prescribing specific technical frameworks. Applicable standards will be defined by sectoral regulation:

Essential Services (ES)

  • Risk management: Technical and organizational measures (frameworks like NIST CSF can serve as a reference).
  • ANCI Registration: Mandatory registration according to General Instruction N° 1.
  • Reporting Officer: Designation for coordination with ANCI.

Operators of Vital Importance (OVI)

  • ISMS: Information security management system (ISO 27001 is an example of a recognized standard).
  • Certified plans: Operational continuity and cybersecurity with independent evaluation.
  • Cybersecurity Officer: Technical functions according to pending regulation.
  • Periodic evaluations: Audits and drills according to methodology to be defined.