Legal Alert: Five essential aspects of the future Cybersecurity and Critical Information Infrastructure Framework Act
On December 12, 2023, the Senate approved and dispatched the Bill on Cybersecurity and Critical Information Infrastructure to the Constitutional Court for its passage into law.
The regulation will apply to institutions that provide services qualified by the National Cybersecurity Agency (ANCI) as essential services (ES) or that it qualifies as vital operators (VO). All obligated institutions must report cyber-attacks and cybersecurity incidents that may have significant effects to the National CSIRT as soon as possible and in accordance with the deadlines established therein.
I. Institutions considered as providers of Essential Services (ES)
a. Services provided by the State Administration and National Electric Coordinator agencies.
b. Services offered through a public service concession.
c. Services provided by private entities involved in activities including: generation, transmission or distribution of electricity; transportation and storage of fuels; supply of drinking water or sanitation; telecommunications; digital infrastructure; digital services; information technology services managed by third parties; land, air, rail or maritime transportation; operation of infrastructure, banking, financial or payments services; administration of social security benefits; postal and courier services; institutional healthcare providers; and pharmaceutical research or production.
The ANCI may designate other services, infrastructures, processes, or functions as essential services when their impact may cause severe damage to: the survival or physical integrity of the population; supply services; critical sectors of economic activity; the environment; or the normal functioning of society, the State Administration, national defense, or security and public order. This designation will be subject to public consultation.
II. Institutions considered to be Vital Operators (VO)
Vital Operators are ESs that meet the following requirements:
a. They operate on networks and computer systems.
b. Any interception, interruption, or destruction of their services could have a significant impact on security and public order; the continuous and regular provision of essential services; the effective fulfillment of the State’s functions; or in general, on the services that the State must provide or guarantee.
Additionally, the ANCI may qualify as VOs those organizations that fulfill the aforementioned criteria and have a crucial role in supplying the population, distributing goods, or producing vital or strategic goods for the nation, among other factors.
Among other obligations, VOs must implement an ongoing information security management system; develop, implement and certify business continuity and cybersecurity plans; and designate a cybersecurity delegate.
III. Creation of the ANCI
The future Act lays out plans for the establishment of a decentralized public authority to ensure regulatory coherence in cybersecurity matters.
Its primary function will be to advise the President in formulating and approving the National Cybersecurity Policy, supervising plans, and issuing mandatory protocols for public and private institutions. Among its responsibilities, it will qualify ESs and VOs, initiate sanctioning procedures, and apply sanctions for non-compliance by obligated parties.
IV. New regime of infractions and fines
Violations of the obligations established by the future Act will be classified into three categories: minor, severe, and very severe. Minor violations include the late delivery of information necessary to manage a cybersecurity incident, while very severe violations would apply to outright failure to comply with a reporting obligation, or the provision of false or erroneous information in cases involving a cybersecurity incident.
Fines for infringement of the future Act’s obligations will range between 5,000 and 40,000 UTM (208,875 USD up to 1,671,000 USD), depending on the severity of the infringement and the obliged subject (fines will be more significant for VOs).
V. Entry into force
According to the provisions of the first transitory article, the President of the Republic is granted the power to issue, within one year, one or more decrees with force of law. The purpose of these decrees will be to set a date for the commencement of activities of the ANCI and establish a period of validity for the regulations contemplated by the act, which may not be less than six months from the date of its publication.
* This report provides general information on certain legal or commercial issues in Chile, and is not intended to analyze in detail the matters contained herein, nor is it intended to provide specific legal advice on such matters. The reader is advised to seek legal advice before making any decision regarding the matters contained in this report. This report may not be reproduced by any means or in any part without the prior consent of DLA Piper Chile.