The New Cybersecurity Regulatory Scenario

Law N° 21.663 is Chile's Framework Law on Cybersecurity and Critical Information Infrastructure, published on April 8, 2024. Together with the creation of the National Cybersecurity Agency (ANCI), it reorganizes Chilean cybersecurity regulation along lines the market had not seen before: a sectoral authority with direct enforcement powers, mandatory incident reporting to a central body, and tiered obligations that distinguish ordinary Essential Services (ES) from Operators of Vital Importance (OVI). The first OVI qualification procedure opened in May 2025, and its outcome will determine which organizations operate under the heavier compliance regime.

Regulatory Framework in Development

The implementation of the law is articulated through supreme decrees and ANCI resolutions:

  • Supreme Decree N° 285/2024: Regulation of the OVI qualification procedure
  • Supreme Decree N° 295/2024: Regulation of cybersecurity incident reports
  • ANCI Resolution N° 024/2025: Initiates first OVI qualification procedure (May 2025)
  • ANCI Resolution N° 7/2025: Official taxonomy of cybersecurity incidents
  • General Instruction N° 1: Registration of ES in reporting platform

Designation and Registration Obligations

ES must designate a Reporting Officer responsible for registration on the ANCI platform and incident notification. OVI additionally require a Cybersecurity Officer with technical coordination functions. All entities must register on the official incident reporting platform in accordance with ANCI General Instruction N° 1.

Entities Subject to Law 21.663

According to Article 2° of the law, Essential Services (ES) are those provided by:

Public Agencies

  • State Administration agencies
  • National Electric Coordinator
  • Providers under public service concession

Private Institutions in Specific Activities

  • Energy: Generation, transmission or electrical distribution
  • Fuels: Transportation, storage or fuel distribution
  • Water: Drinking water supply or sanitation
  • Telecommunications
  • Digital infrastructure
  • Digital and IT services: Managed by third parties
  • Transport: Land, air, rail or maritime, as well as infrastructure operation
  • Financial: Banking, financial services and payment methods
  • Social security: Benefit administration
  • Postal: Postal and courier services
  • Health: Institutional provision by hospitals, clinics, medical centers
  • Pharmaceutical: Production and/or research of pharmaceutical products

Other Services

ANCI may qualify other services as essential through reasoned resolution when their disruption could cause serious harm to:

  • Life or physical integrity of the population
  • Population supply
  • Relevant sectors of economic activities
  • Environment
  • Normal functioning of society and/or State Administration
  • National defense
  • Security and public order

Operators of Vital Importance (OVI)

OVI are a subset of ES with greater national criticality. ANCI will identify, through exempt resolution, the specific infrastructures, processes or functions that will be qualified as OVI, subject to additional obligations under Article 8°.

National Cybersecurity Agency (ANCI)

The ANCI was established by Law 21.663 as the sectoral authority for cybersecurity in Chile. Unlike the advisory bodies that preceded it, it is not consultative in nature: it issues binding regulations, supervises Essential Services and Operators of Vital Importance, and can impose fines of up to 40,000 UTM for serious infractions.

Powers and main functions

  • Issuing binding technical regulations on cybersecurity duties (the first, ANCI Resolution N° 024/2025, has already been published).
  • Supervising Essential Services and Operators of Vital Importance, with powers of inspection, information requests, and audits.
  • Conducting sanctioning procedures and imposing fines for infractions of Law 21.663 and its regulations.
  • Coordinating the National CSIRT and acting as the central point for cybersecurity incident reporting.
  • Representing Chile before international cybersecurity organizations.

Registration and reporting to the ANCI

Essential Services must register on the ANCI platform under General Instruction N° 1 and designate a Reporting Officer. Critical incidents must be notified to the National CSIRT within the first three hours of detection. This reporting duty coexists with, and does not replace, sectoral obligations before the CMF, the SEC, and other authorities.

Fundamental Obligations for Regulated Entities

The law defines a set of permanent duties that form the basis of compliance, which are intensified for organizations qualified as OVI.

General Duties (Applicable to ES and OVI)

  • Continuous Risk Management: Implement and maintain technical and organizational measures to manage risks affecting network and system security.
  • Response Capabilities: Develop necessary capabilities to prevent, detect, manage and respond to cybersecurity incidents.
  • Mandatory Incident Reporting: Notify the National CSIRT of significant incidents within strict deadlines (initial alert in less than 3 hours, detailed report in 72 hours, final report in 30 days).

Specific Duties for Operators of Vital Importance (OVI)

The most critical organizations for the country must, additionally:

  • Implement an Information Security Management System (ISMS).
  • Develop and certify Operational Continuity and Cybersecurity Plans.
  • Conduct periodic audits, evaluations and drills.
  • Designate a Cybersecurity Delegate.

Current Implementation Status

Law 21.663 is being actively implemented, with specific deadlines for different obligations:

OVI Qualification Process Underway

Through Exempt Resolution N° 024 of May 2025, ANCI initiated the first qualification procedure for Operators of Vital Importance. This process:

  • Is governed by Supreme Decree N° 285/2024
  • Has a 90-day deadline from entry into force
  • Must be reviewed every 3 years according to Article 6° of the law
  • Determines which ES remain subject to additional obligations under Article 8°

Official Incident Taxonomy

ANCI Resolution N° 7/2025 established the official taxonomy with four alert categories:

  • Forgery alerts: Sites impersonating others
  • Incident alerts: Vulnerabilities under active exploitation
  • Compromise indicators: Malware, phishing, vishing, smishing
  • Vulnerability alerts: Software and application flaws

Operational Platforms

ANCI systems are operational through:

  • National CSIRT: csirt.gob.cl
  • Institutional ANCI: anci.gob.cl
  • Registration platform: For registration according to General Instruction N° 1

Regulations to Law 21.663 (Reglamento)

Status: Pending official publication

The Regulations to Law 21.663 are currently in process. Once published in the Diario Oficial, this section will incorporate the technical analysis of its provisions, the adaptation deadlines for Essential Services and Operators of Vital Importance, and the interactions with Supreme Decrees N° 285/2024 and N° 295/2024.

Anguita Osorio updates this analysis within 48 hours of official publication.

Sectoral Analysis: Regulatory Concurrence

Law 21.663 operates as a general framework, but its greatest complexity arises in sectors that already have their own cybersecurity regulation, creating regulatory concurrence scenarios.

Implementation Frameworks

Law 21.663 establishes functional obligations without prescribing specific technical frameworks. Applicable standards will be defined by sectoral regulation:

Essential Services (ES)

  • Risk management: Technical and organizational measures (frameworks like NIST CSF can serve as a reference).
  • ANCI Registration: Mandatory registration according to General Instruction N° 1.
  • Reporting Officer: Designation for coordination with ANCI.

Operators of Vital Importance (OVI)

  • ISMS: Information security management system (ISO 27001 is an example of a recognized standard).
  • Certified plans: Operational continuity and cybersecurity with independent evaluation.
  • Cybersecurity Officer: Technical functions according to pending regulation.
  • Periodic evaluations: Audits and drills according to methodology to be defined.

Frequently Asked Questions about Law 21.663

Summary of the most common inquiries about Chile's Cybersecurity Law.

What is Law 21.663?

Law 21.663 is Chile's Framework Law on Cybersecurity and Critical Information Infrastructure, published on April 8, 2024. It establishes the institutional cybersecurity framework, sets duties for Essential Services and Operators of Vital Importance, and creates the National Cybersecurity Agency (ANCI).

Who does Law 21.663 apply to?

The law applies to Essential Services in the financial, telecommunications, energy, health and other strategic sectors. It also applies to Operators of Vital Importance qualified as such by ANCI through reasoned resolution, and subsidiarily to public-sector bodies.

What obligations does Law 21.663 impose?

The law requires implementation of an information security management system, reporting of incidents to ANCI within set deadlines, designation of a Cybersecurity Delegate, and adoption of minimum operational continuity and resilience measures.

What sanctions apply for non-compliance?

ANCI imposes fines that scale from minor infractions (up to 5,000 UTM) to very serious infractions (up to 40,000 UTM), following an administrative procedure. Repeated or particularly serious infringements may lead to temporary closure of the service.

How does Law 21.663 interact with CMF regulation?

Financial services under CMF supervision (RAN 20-10, NCG 454, NCG 502) must harmonize sectoral compliance with ANCI requirements. Coordination between the two regulators avoids duplicated reporting and ensures a coherent risk-management framework.

What deadlines does Supreme Decree N° 285/2024 set for OVI qualification?

DS N° 285/2024 establishes a ninety-day period from entry into force to begin the qualification of Operators of Vital Importance. The qualification is reviewed every three years under article 6 of Law 21.663, and determines which Essential Services become subject to the additional obligations of article 8.

Within what timeframe must a cybersecurity incident be reported to ANCI?

Essential Services and Operators of Vital Importance must notify critical incidents to the National CSIRT within the first three hours of detection. Reporting is filed via the ANCI platform under General Instruction N° 1, and coexists with sectoral obligations before the CMF, the SEC and other authorities.
