On April 8, 2024, the Official Gazette published the Framework Law on Cybersecurity and Critical Information Infrastructure, aimed at establishing the institutional framework, principles, and general regulations to structure, regulate, and coordinate cybersecurity actions of state agencies, as well as between them and private entities. The law also sets minimum requirements for the prevention, containment, resolution, and response to cybersecurity incidents, as well as the duties and obligations of state agencies and institutions mandated by the law, and the mechanisms for control, supervision, and accountability for violations.

Furthermore, the law creates several bodies, including the National Computer Security Incident Response Team (CSIRT National) and the National Cybersecurity Agency (ANCI). The latter will be responsible for regulating, overseeing, and sanctioning all public and private institutions obligated by the Cybersecurity Framework Law.

APPLICATION

Under this regulation, the law specifically applies to entities offering essential services (Essential Services) and those designated as operators of vital importance (OIV).

On one hand, the following are considered Essential Services:

• Those provided by State Administration agencies and by the National Electrical Coordinator.
• Services provided under public service concessions.
• Services offered by private entities engaged in activities such as electricity generation, transmission, or distribution; transportation, storage, or distribution of fuels; water supply or sanitation; telecommunications; digital infrastructure; digital services; IT services managed by third parties; transportation by land, air, rail, or sea, as well as the operation of respective infrastructure; banking, financial services, and payment methods; social security benefit administration; postal and courier services; institutional health provision by entities such as hospitals, clinics, medical centers, and pharmaceutical production and/or research.

Additionally, the agency has the authority to classify other services as essential through a reasoned resolution by the national director. This could apply, for example, to institutions whose provision of essential services depends on networks and computer systems, or whose affecting, intercepting, interrupting, or destroying services has a significant impact on public security, the continuous and regular provision of essential services, or the effective fulfillment of the State's functions.

Likewise, private institutions that play a critical role in supplying the population, distributing goods, or producing those essential or strategic for the country are considered within this category.

CYBERSECURITY OBLIGATIONS

Regarding the cybersecurity obligations stipulated by the Framework Law, there are general duties applicable to all entities obligated by the law and specific obligations established for Inspection and Oversight Agencies.

The general duties established in the Law are as follows:

1. The obligated institutions must continuously apply measures to prevent, report, and resolve cybersecurity incidents. These measures may encompass technological, organizational, physical, or informational aspects, as appropriate.
2. To comply with these obligations, it is necessary to properly implement the protocols and standards established by the Agency, as well as the specific cybersecurity standards dictated in accordance with the corresponding sectoral regulation. These protocols and standards primarily aim to prevent and manage cybersecurity risks, as well as contain and mitigate the impact that incidents may have on the operational continuity of the service provided or on the confidentiality and integrity of information or computer networks and systems.
3. Furthermore, there is an obligation to report to the National CSIRT (Computer Security Incident Response Team) any cyberattacks and cybersecurity incidents that may have significant consequences as established in Article 27 of the Law, as soon as possible and in accordance with the scheme and deadlines set forth in the Law.

The specific duties of the OIVs can be summarized as follows:

1. Implement a continuous information security management system aimed at identifying risks that may affect the security of networks, computer systems, and data, as well as the operational continuity of the service. This system should allow for the evaluation of both the probability and potential impact of a cybersecurity incident.
2. Maintain a detailed record of the actions taken as part of the information security management system, in accordance with the regulations.
3. Develop and implement operational continuity and cybersecurity plans, which must be certified in accordance with Article 28 and undergo regular reviews at least every two years. The Agency may require certification of these plans within shorter deadlines in duly justified exceptional cases.
4. Continuously conduct reviews, exercises, drills, and analysis of networks, computer systems, and systems to detect actions or computer programs compromising cybersecurity, communicating the relevant information to the National CSIRT as determined by the regulation.
5. Timely and efficiently adopt necessary measures to reduce the impact and spread of a cybersecurity incident, including restricting the use or access to computer systems if necessary.
6. Obtain the required certifications as established in Article 28.
7. Inform potential affected parties, to the extent possible, about incidents or cyberattacks that may severely compromise their information, networks, and computer systems, especially when it concerns personal data and there is no other legal requirement for notification, or when necessary to prevent new incidents or manage those already occurred.
8. Implement training, education, and continuous development programs for employees and collaborators, including cybersecurity awareness campaigns.
9. Designate a cybersecurity delegate to act as a counterpart to the Agency and inform relevant authorities in the state administration or to the directors, managers, or top executives in the case of private institutions.

REPORTING DUTY

The Framework Law also includes the obligation for all public and private institutions mentioned in Article 4 to report to the National CSIRT about cyberattacks and cybersecurity incidents that may have significant effects. This duty unfolds in different stages:

1. Within a maximum period of 3 hours from becoming aware of the cyberattack or cybersecurity incident, an early alert about the event must be sent.
2. Within a maximum period of 72 hours, an update of the initial information must be provided, including an initial assessment of the incident, its severity and impact, as well as compromise indicators if available. In the case of vital operators whose essential services are affected, the update must be provided within a maximum period of 24 hours.
3. Within a maximum period of fifteen days from sending the early alert, a final report must be submitted, including a detailed description of the incident, the type of threat or main cause, the mitigation measures applied, and any cross-border repercussions, if any.
4. If the incident continues after the submission of the final report, it is replaced by a report on the current situation, which must be submitted within fifteen days following the handling of the incident.

Additionally, the OIVs must inform the CSIRT Nacional about their action plan as soon as they adopt it, with a maximum period of 7 days from the time they became aware of the incident.

The Agency will provide the necessary instructions for the preparation and receipt of the reports, and a single-window system will be established to notify the relevant authorities. A regulation will define the content of the different types of reports required in this article.

INFRACTIONS

The Law regulates infringements of the obligations established therein for the obligated parties and classifies them as minor, serious, and extremely serious. Likewise, it regulates the penalties for such infringements, establishing a fine for the benefit of the public treasury according to the following scale:

Type of Infraction	Penalty	Sanction for OIV
Minor Infringements	Up to 5,000 UTM	Up to 10,000 UTM
Serious Infringements	Up to 10,000 UTM	Up to 20,000 UTM
Extremely Serious Infringements	Up to 20,000 UTM	Up to 40,000 UTM

Notwithstanding the scale of penalties presented, this provision does not preclude the possibility of applying more severe sanctions. According to the law, if an offender can be penalized for the same acts and legal grounds under both the Cybersecurity Framework Law and other legal regulations, the most severe penalty available among the options will be imposed.

EFFECTIVENESS

According to the transitional provisions, the President will have a period of one year to establish, through decrees with the force of law, the necessary rules to regulate the following matters:

1. Determine the start date for the Agency's activities, which may include a period for its implementation and one from which it will begin operations.
2. Establish a period for the validity of the rules set forth by this law, which shall not be less than 6 months from its publication.
3. Set the staffing structure of the Agency and the necessary rules for determining remuneration.

Additionally, the Ministry of Interior and Public Security must issue the regulations outlined in this law within 180 days.

 

Should you require additional information on this matter, please contact Macarena Naranjo (mnaranjo@jdf.cl) and María Gracia Oyarce (mgoyarce@jdf.cl)