Does Law 21.663 Apply to My Company Even If It Is Not an OIV?

Probably yes. The most common misreading of the Cybersecurity Framework is to treat OIV status as the on-off switch. The law binds all essential services; OIV is only the reinforced tier within them. Not being an OIV usually means lighter duties, not no duties.

This page corrects a common scoping error: that only OIV are bound. It sets out the essential-services category the law actually targets, the duties that apply even without OIV status, how the OIV tier differs, and how to place your company in the right box. It closes with the questions boards and IT leads ask first.

OIV is a tier, not the on switch

The law works in two layers: a broad category that carries general duties, and a designated subset that carries reinforced ones.

Essential service, not OIV

The business falls within the essential services of Article 4 (energy, telecom, banking, health, transport, digital infrastructure, among others). It owes the general duties of Article 7 and the reporting duties of Article 9: prevent, report and resolve incidents on a permanent basis.

Operator of Vital Importance

Qualified by the Agency under Article 5, because a disruption would significantly affect security or the continuity of the service. It owes the eight reinforced duties of Article 8, on top of the general ones. See OIV qualification.

The practical takeaway is what a non-OIV essential service actually has to do.

The duties that apply without OIV status

Article 7 is not a symbolic clause. It requires a real, permanent cybersecurity posture, proportionate to the organization.

  • Permanent measures to prevent, report and resolve cybersecurity incidents, by technological, organizational, physical or information means (Article 7).
  • Reporting of incidents to the authority within the terms the law sets (Article 9).
  • Coordination with sectoral rules where they apply, such as the CMF framework for supervised entities. See cybersecurity in the financial sector.

And there is a further reason not to rely on being outside: the perimeter can move.

The perimeter is not static

Two moving parts make this a question to revisit, not settle once.

Article 4

The list can grow

The Agency may add other services as essential by reasoned resolution. A business outside the perimeter today can be brought in tomorrow.

Article 5

OIV status can change

Qualification as OIV is an Agency decision that can be reviewed as the sector and the company evolve. Track the OIV list.

Not sure which tier your company is in?

Assuming you are outside because you are not an OIV is the most expensive misreading of this law. We assess whether your business is an essential service, which duties apply today, and how exposed you are to a future OIV qualification.

Review our cybersecurity practice

Frequently asked questions

Does Law 21.663 only bind Operators of Vital Importance?

No. The law reaches essential services, a broad category defined in Article 4 that includes sectors such as energy, telecommunications, banking, healthcare, transport and digital infrastructure, among others. OIV are a qualified subset within that universe. Not being an OIV does not mean being outside the law.

What duties do I have as an essential service that is not an OIV?

The general duties of Article 7: permanently implementing measures to prevent, report and resolve cybersecurity incidents, by technological, organizational, physical or information means. To these add the reporting duties of Article 9. It is a lighter standard than an OIV's, but an enforceable one.

How do an OIV's obligations differ?

Article 8 imposes eight reinforced duties on OIV: an information-security management system, incident documentation, certified operational-continuity plans, continuous reviews, expedited mitigation, certifications, notification of affected parties, training and appointing a cybersecurity delegate. It is the strictest regime in the law.

How do I know which category my company is in?

First, determine whether the business falls within the essential services of Article 4. If it does, the general duties apply. Then assess whether the company was, or may be, qualified as OIV by the Agency (Article 5), which triggers the reinforced duties. They are two successive questions, not one.

Can the Agency add services not currently listed?

Yes. Article 4 lets the Agency add other services as essential by reasoned resolution. That is why the analysis is not static: a business that seems outside the perimeter today can be brought in, and it is worth tracking how qualifications evolve.

Official sources

Transform Your Legal Challenges into Competitive Advantages

Discover how our innovative approach can drive your business

© 2025 AnguitaOsorio, all rights reserved.
Chile

Contact

Contáctanos

Phone:

+56 2 2760 4512

Location:

Cerro el Plomo 5420, office 1306, Las Condes, Metropolitan Region.