Cybersecurity 2025

Last Updated March 13, 2025

Chile

Law and Practice

Authors

Magliona Abogados specialises in corporate matters, tax services, complex business litigation and finance structures, telecommunications, technology law, intellectual property, and government relations and public policy, including corporate structuring, due diligence planning, M&A, financial assistance, syndicated loans, liability restructuring and leasing. It has expertise in licensing and software development agreements, technological platforms, franchises, data protection and computer crime, as well as the distribution, production and financing of film and television. The firm’s clients encompass a wide range of enterprises, both local and multinational, engaged in banking and finance, technology and software, leasing and insurance. It also counsels public agencies and companies in the movie industry, as well as other diverse fields.

Chile has two sources of regulation and public policies that guide the country’s cybersecurity strategy.

The National Cybersecurity Policy 2023–2028

The National Cybersecurity Policy 2023–2028 has five main objectives.

  • Resilient infrastructure – the country will have a robust and resilient information infrastructure, prepared to resist and recover from cybersecurity incidents and socio-environmental disasters, from a risk management perspective.
  • Rights of people – the state will protect and promote people’s rights on the internet by strengthening the existing institutional framework in cybersecurity and by generating, adopting and promoting the mechanisms and technological tools necessary for each person to integrate into society and to develop and express themselves fully.
  • Cybersecurity culture – Chile will develop a cybersecurity culture based on education, best practices, responsibility in the handling of digital technologies, and promotion and guarantee of people’s rights.
  • National and international co-ordination – the state will create public governance to co-ordinate the necessary actions in cybersecurity. Public and private organisations will jointly create co-operation forums to communicate and disseminate their cybersecurity activities, avoid duplication of work and waste of resources, and make efforts in this area efficient. In the international arena, the state will co-ordinate with countries, organisations, institutions and other international actors so that the country can better face malicious activities and incidents in cyberspace.
  • Promotion of industry and scientific research – the country will promote the development of a cybersecurity industry that protects people and organisations and serves its strategic objectives. For this, it will promote the focus of applied scientific research on cybersecurity issues, according to the country’s needs.

The transversal dimensions of this policy include:

  • gender equality – giving preferential consideration to women, both to increase their safety in the digital environment, and to improve their inclusion through positive actions to correct existing inequalities in society;
  • protection of children – all initiatives must give preferential consideration to the protection of girls, boys and adolescents;
  • protection of the elderly – all initiatives must give preferential consideration to the protection of the elderly; and
  • protection of the environment – all initiatives must minimise their negative impact on the environment.

The Cybersecurity Framework Law

For its part, the Cybersecurity Framework Law No 21,663, which entered into force together with the creation of the National Cybersecurity Agency (ANCI) in January 2025, aims to establish the institutional framework, principles and general regulations that allow structuring, regulating and co-ordinating cybersecurity actions of state agencies and between them and private parties. It also establishes the minimum requirements for the prevention, containment, resolution and response to cybersecurity incidents.

The guiding principles for this law are the following.

  • Principle of damage control – in the face of a cyber-attack or cybersecurity incident, action must always be co-ordinated and diligent to prevent escalation or spread to other computer systems.
  • Principle of co-operation with the authority – to resolve cybersecurity incidents, due co-operation with the competent authority must be provided, and if necessary, co-operation between different sectors is needed, considering the interconnection and interdependence of systems and services.
  • Principle of co-ordination – the ANCI and sectorial authorities must co-ordinate their tasks, strive for unity of action, and avoid duplication or interference of functions.
  • Principle of security in cyberspace – the state must safeguard security in cyberspace, ensuring that all people can participate in a safe cyberspace, and grant special protection to computer networks and systems that contain information of those groups that are often the object of cyber-attacks.
  • Principle of responsible response – the application of measures to respond to cybersecurity incidents or cyber-attacks may not involve offensive operations.
  • Principle of computer security – every person has the right to adopt the technical computer security measures they deem necessary, including encryption.
  • Principle of rationality – measures for the management of cybersecurity incidents, cybersecurity obligations, and the exercise of the Agency’s powers must be necessary and proportional to the degree of exposure to risks and the potential social and economic impact.
  • Principle of security and privacy by default and by design – computer systems, applications and information technologies must be designed, implemented, and managed considering the security and privacy of the personal data they process.

Cybersecurity Framework Law

The Cybersecurity Framework Law establishes the institutional framework, principles and general regulations to co-ordinate cybersecurity actions between state agencies and between them and private entities. It also sets out the minimum requirements for the prevention, containment and response to cybersecurity incidents. The law defines essential services and the procedure for designating, among the providers of those essential services, the operators of vital importance, who are subject to stricter obligations.

The law also creates the ANCI, a decentralised public service responsible for advising the President on cybersecurity issues, co-ordinating competent institutions, and ensuring the protection of the right to computer security. The ANCI has the power to issue mandatory protocols and standards for public and private institutions.

In addition, the Cybersecurity Framework Law creates the National Computer Security Incident Response Team (CSIRT Nacional) within ANCI. This team is responsible for responding to significant cyber-attacks and co-ordinating other CSIRTs.

As of 1 January 2025, the Law and the ANCI came into force. Thus, the Agency can start exercising its regulatory powers, for example by issuing general instructions. In addition, it will have to set up and manage the National Incident Register and will also be able to set the standards to be met by institutions providing goods or services to the state, as well as cybersecurity standards and duties to inform the public about the security risks of digital devices available to end consumers. The Regulation on Notification of Cybersecurity Incidents with Significant Effects is already in force, and the Agency has enabled a web portal and APIs for both essential service providers and operators of vital importance to make reports to the National CSIRT.

The first qualification process for Operators of Vital Importance is expected to be finalised during Q3 2025. This regulatory framework also includes other relevant regulations, such as the rules on the (i) Functioning of the Secure Connectivity State Network and Special Obligations of State Administration Bodies; (ii) Registry of Cybersecurity Standards Certification Entities; (iii) Functioning of the Interministerial Cybersecurity Committee; and (iv) Functioning of the Multisectoral Cybersecurity Council.

The Computer Crimes Law

The Computer Crimes Law No 21,459 establishes rules on computer crimes and their penalties. This law seeks to adapt Chilean legislation to the Budapest Convention. Some of the crimes it typifies are:

  • attack on the integrity of a computer system;
  • unlawful interception;
  • computer forgery;
  • handling of illegally obtained computer data;
  • computer fraud; and
  • illicit disposition of devices or programs to commit computer crimes.

Regarding the crime of illegal access (ie, accessing a computer system without authorisation), the penalties are increased if the access is made with the intention of seizing or using information, or if the illegally obtained information is disclosed. However, there is an exemption from criminal sanctions for those who access a computer system in a responsible manner (ethical hacking), provided they fulfil certain requirements, such as registration with the ANCI, prior notification of the access to the Agency, and communication of the vulnerabilities found to the system operator and the Agency.

The National Cybersecurity Agency (ANCI)

The ANCI is a functionally decentralised public service, endowed with its own legal personality and assets, and of a technical and specialised nature. Its primary goal is to advise the President of the Republic on cybersecurity matters, to collaborate in the protection of national interests in cyberspace, to co-ordinate the relevant institutions, and to ensure the protection of the right to computer security. The Agency reports to the President through the Ministry in charge of public security.

The functions and powers of ANCI are varied and aim to cover all relevant aspects of cybersecurity in the country.

  • Advisory role – to advise the President in the development of the National Cybersecurity Policy and its implementation plans.
  • Regulation – to issue mandatory protocols, standards and instructions for public and private institutions. The Agency also administratively applies and interprets laws and regulations regarding cybersecurity.
  • Co-ordination – to co-ordinate and supervise the National CSIRT (Computer Security Incident Response Team) and other CSIRTs of the State Administration. It must also establish co-ordination with the CSIRT of National Defence.
  • Registry – to create and manage a National Registry of Cybersecurity Incidents.
  • Qualification – to classify and qualify essential services and operators of vital importance.
  • Information to the public – to require entities affected by cybersecurity incidents to provide truthful and timely information to potential victims.
  • Training and education – to design and implement citizen training and education plans in cybersecurity.
  • Access to information – to require state agencies and private institutions to provide access to information necessary to prevent or manage incidents. The Agency may request the delivery of the activity log of computer networks and systems.
  • Co-operation – to co-operate with public bodies and private institutions, as well as with foreign cybersecurity authorities and international organisations.
  • Technical advice – to provide technical advice to state agencies and private institutions affected by cybersecurity incidents.
  • State intelligence – to collaborate with the State Intelligence System in identifying threats.
  • Oversight – to oversee compliance with the law, regulations, protocols and standards issued by the Agency. It can carry out inspections, audits and security analyses.
  • Access to computer systems – the Agency may require access to computer systems, data and documents for its supervisory functions. It can also request tests to demonstrate the implementation of operational continuity and cybersecurity plans.
  • Research and development – to promote research, innovation and training in cybersecurity.
  • Incident reporting – to inform the CSIRTs of the National Defence and other state agencies about cybersecurity incidents and vulnerabilities.
  • Certification – to certify compliance with cybersecurity standards by state agencies and to grant accreditations to certification centres.
  • Setting standards – to establish cybersecurity standards for suppliers of goods and services to the state and for the development of computer systems used by state agencies. It can also establish standards for digital devices available to the public.
  • State secure connectivity network – to administer the State Secure Connectivity Network.
  • National exercise – to annually co-ordinate a national exercise to check cybersecurity capabilities.

ANCI, through its National Director, has the power to issue resolutions and administrative acts necessary for its operation, as well as to delegate powers to its officials. It also has the power to impose sanctions for breaches of the law.

Sectoral Authorities

ANCI is required to co-ordinate its actions with other sectoral authorities, and there are specific rules that govern this co-ordination. When ANCI issues protocols, technical standards or general instructions that affect the areas of competence of another sectoral entity, it must follow a particular procedure.

With regard to this duty of co-ordination, the following stands out.

  • Prior report request – ANCI must send relevant information to the sectoral entity and request a report before issuing any regulations that affect their areas of competence. This aims to prevent regulatory conflicts and ensure co-ordination and collaboration.
  • Sectoral administrative acts – if a sectoral authority issues administrative acts that affect ANCI’s areas of competence, it must also send the relevant information to ANCI and request a report.
  • Consideration of ANCI regulations – sectoral authorities, when issuing their administrative acts, must take into account the protocols, standards and general instructions that ANCI has previously issued.
  • Prevalence of sectoral regulations – a sectoral authority is competent to monitor, take cognisance of and sanction infringements of the cybersecurity regulations it has issued, and to enforce the corresponding sanctions, provided that the effects of those regulations are at least equivalent to those of the regulations issued by the ANCI. This is without prejudice to the duties of co-ordination. Where sectoral regulations do not cover all entities in the sector, ANCI protocols continue to apply to the entities not covered. To this end, the Agency and the sectoral authority must issue a joint rule for evaluating the equivalence of effects.

Among the main sectoral authorities with competences in cybersecurity, and which have to co-ordinate with the ANCI, are the Undersecretariat of Telecommunications; the Ministry of Health; the future Personal Data Protection Agency (when it takes office in December 2026), and the Financial Market Commission (CMF). See 3. Financial Sector Operational Resilience Regulation.

General Scope of Application

The Cybersecurity Framework Law applies to state agencies, including ministries, presidential delegations, regional governments, municipalities, armed forces, law enforcement agencies, public enterprises and other public bodies and services.

It also applies to state enterprises and companies in which the state has a shareholding of more than 50% or a majority on the board of directors.

In addition, the law applies to institutions that provide services qualified as essential and to those that are qualified as operators of vital importance.

Essential Services

The list of essential services outlined in the Framework Law is as follows:

  • those services provided by the agencies of the State Administration and by the National Electricity Co-ordinator;
  • those services provided under a public service concession; and
  • those services provided by private institutions that carry out the following activities:
    1. electricity generation, transmission or distribution;
    2. transportation, storage or distribution of fuels;
    3. provision of drinking water or sanitation;
    4. telecommunications;
    5. digital services;
    6. digital infrastructure;
    7. information technology services managed by third parties;
    8. land, air, rail or maritime transport, as well as the operation of their respective infrastructure;
    9. banking, financial services and means of payment;
    10. administration of social security benefits;
    11. postal and courier services;
    12. institutional provision of health by entities such as hospitals, clinics, doctors’ offices and medical centres; and
    13. production and/or research of pharmaceutical products.

The ANCI can issue a resolution through which it will identify which specific activities and functions will be considered as essential services (eg, the ANCI could eventually identify the provision of domain name systems as a specific activity within the category “digital infrastructure”).

Operators of Vital Importance

The ANCI must, at least every three years, through an administrative procedure in which the sectoral authorities also participate, identify those essential service providers that will be classified as operators of vital importance. The procedure includes a public consultation process, and the ANCI’s decision may be challenged through administrative appeals and, where applicable, a judicial claim.

The ANCI may classify as operators of vital importance those essential service providers which meet the following requirements:

  • that the provision of such service depends on computer networks and systems; and
  • that the impairment, interception, interruption or destruction of its services would have a significant impact on security and public order, on the continuous and regular provision of essential services, on the effective performance of the functions of the state or, in general, on the services that the state must provide or guarantee.

In addition, the ANCI may classify as operators of vital importance private institutions that, although not providers of essential services, meet the requirements indicated above and whose qualification is essential either because they have acquired a critical role in supplying the population, distributing goods, or producing a good or service that is indispensable or strategic for the country, or because of the entity’s degree of exposure to risk and the likelihood of cybersecurity incidents, including their severity and the associated social and economic consequences.

General Cybersecurity Obligations

Both essential service providers and operators of vital importance must apply, on a permanent basis, measures to prevent, report and resolve cybersecurity incidents. These measures may be technological, organisational, physical or informational in nature, as the case may be.

Compliance with these obligations requires the proper implementation of the protocols and standards that will be established by the ANCI, as well as the particular cybersecurity standards issued in accordance with the respective sectoral regulation. The purpose of these protocols and standards will be the prevention and management of risks associated with cybersecurity, as well as the containment and mitigation of the impact that incidents may have on the operational continuity of the service provided or the confidentiality and integrity of information or computer networks or systems in accordance with the provisions of the Framework Law.

Specific Cybersecurity Obligations of Operators of Vital Importance

Public or private entities that are classified by the ANCI as operators of vital importance must comply with a series of obligations that will be complemented and detailed in the Regulations of the Framework Law.

  • Implement a continuous information security management system in order to determine those risks that may affect the security of networks, computer systems and data, and the operational continuity of the service. This system should make it possible to assess both the likelihood and potential impact of a cybersecurity incident.
  • Maintain a record of the actions carried out that make up the information security management system, in accordance with the provisions of the Regulation.
  • Prepare and implement operational continuity and cybersecurity plans, which must be certified and must be subject to periodic reviews by the obliged entities, at least every two years.
  • Continuously carry out reviews, exercises and analyses of networks and computer systems in order to detect actions or computer programs that compromise cybersecurity, and communicate the information related to such actions or programs to the National CSIRT, in the manner determined by the Regulation.
  • Take the necessary measures in a timely and expeditious manner to reduce the impact and spread of a cybersecurity incident, including restricting the use of or access to computer systems, if necessary.
  • Have the certifications provided for in the Regulation.
  • Have training, education and continuing education programmes for its workers and collaborators, including cyber-hygiene campaigns.
  • Designate a cybersecurity delegate, who will act as the counterpart to the ANCI and who will report to the authority or head of the state administration body or service or, in the case of private institutions, to the directors, managers, administrators or principal executives, as defined by the institution.

Infringements

General infringements

  • Minor – minor breaches such as submitting information after the deadline or not following ANCI’s general instructions.
  • Serious – failure to implement security protocols, submitting false information to ANCI, failure to report incidents to the National CSIRT, among others.
  • Very serious – submitting false information in incidents with significant effects, failing to follow ANCI instructions in serious incidents, or repeating serious infringements.

Infringements for operators of vital importance

These operators have additional responsibilities, and the infringements are also classified as minor, serious and very serious depending on the breach of their specific obligations.

  • Minor – failure to maintain records, failure to report security drills to the CSIRT, failure to train workers, etc.
  • Serious – failure to implement security management systems, failure to draw up business continuity plans, failure to inform those affected by incidents, etc.
  • Very serious – failure to take measures to reduce the impact of incidents with significant effects, or repetition of serious infringements.

Sanctions

Penalties vary according to the seriousness of the infringements.

  • Minor infringements – warning or fine of up to 1,000 Monthly Tax Units (UTM).
  • Serious infringements – fine of up to 10,000 UTM (approximately USD725,000).
  • Very serious infringements:
    1. fine of up to 20,000 UTM (approximately USD1,450,000); or
    2. if the offender is a vital operator, the fine can be up to 40,000 UTM (approximately USD2.9 million).

Cybersecurity Incident

The Framework Law defines a cybersecurity incident as any event that impairs or compromises the confidentiality or integrity of information, the availability or resilience of computer networks and systems, or the authentication of processes executed or implemented in computer networks and systems.

The Framework Law establishes the duty for providers of essential services and operators of vital importance to report cybersecurity incidents with significant effects to the National CSIRT.

The Regulation on Reporting of Incidents with Significant Effects, in force from 1 March 2025, states that a cybersecurity incident shall be considered to have significant effects if it is capable of producing any of the following:

  • disrupting the continuity of an essential service; in such a case, both the services provided by suppliers to, and the supply chain of, an institution providing essential services or an operator of vital importance shall be considered;
  • affecting the physical integrity or health of persons;
  • affecting the integrity or confidentiality of IT assets, or the availability of any network or IT system, even if this has not had, or would not have, an immediate impact on the provision of the service;
  • unauthorised use of, or unauthorised access to, networks or computer systems, even if this has not immediately affected the provision of the service; or
  • affecting computer systems containing personal data.

In determining the significance of the effects of an incident, the following criteria shall be taken into account:

  • the number of persons affected;
  • the duration of the incident; and
  • the geographical extent of the area affected by the incident.

The Framework Law establishes a procedure for reporting cybersecurity incidents with significant effects as soon as possible and in accordance with a scheme which considers a series of different stages:

  • an early warning within three hours of becoming aware of the cyber-attack or cybersecurity incident;
  • a report of the incident within 72 hours, including an initial assessment of its severity and impact, including indicators of compromise;
  • a final report within 15 days of the early warning containing a detailed description of the incident, the type of cause or threat likely to have caused the incident, mitigation measures to be implemented and in progress, and the cross-border impact (if any) of the incident;
  • in the event that the incident is still ongoing after the final report, a status update must be made; and
  • again, after a period of 15 days from that update, a new final report must be made.

Notwithstanding the foregoing, both the National CSIRT and the competent sectoral authority may request relevant updates on the situation.

The Regulation on Reporting of Incidents with Significant Effects in force since 1 March 2025 sets out the specific content that each report and early warning must contain. In addition, it should be noted that an incident will be considered as managed when the background information provided by the affected institutions allows the Agency to declare it as closed.

In the Cybersecurity Framework Law

The heads of service of state administration agencies shall require information technology service providers to share information on vulnerabilities and incidents that may affect the computer networks and systems of state agencies, provided that the purpose of sharing is to prevent, detect, respond to, recover from or reduce incidents, or to strengthen the level of cybersecurity, and that the potentially sensitive nature of the information shared is respected.

In order to comply with the above, the contracts for the provision of services may not contain any clause that could restrict or hinder in any way the communication of information about threats by the service provider, as long as this does not compromise the security and protection of data, including confidentiality and protection of intellectual property.

In the State Digital Transformation Law No 21,180

The “Technical Standard for Information Security and Cybersecurity” of the State Digital Transformation Law establishes guidelines and responsibilities for Chilean government bodies regarding information security and cybersecurity.

Responsibilities are structured around key functions:

  • identification – bodies must identify and manage security risks associated with their processes, personnel, and electronic platforms;
  • protection – implement security measures to ensure proper, timely and secure service delivery;
  • detection – develop processes for timely detection of security incidents;
  • response – implement technical and organisational measures in response to security incidents; and
  • recovery – maintain recovery plans and restore any capacity or service affected by a security incident.

Additionally, each body must:

  • conduct an initial cybersecurity assessment;
  • develop an Information Security and Cybersecurity Policy;
  • appoint individuals responsible for information security and information assets; and
  • participate in the gradual implementation of this technical standard depending on the type of entity and the gradual implementation schedule, which will extend until 2028.

In banking and financial matters, Chapter 20-10 of the Updated Compilation of Standards (RAN) establishes the obligation for financial institutions (mainly banks) to define an organisational structure with specialised and dedicated personnel, with the necessary powers and competencies to manage IT security and cybersecurity. In addition, the function of an information security and cybersecurity officer in charge of these matters must be part of this organisational structure.

The board of directors of banking and financial institutions subject to Chapter 20-10 of the Updated Compilation of Standards (RAN) shall establish the above and other matters in relation to their information security and cybersecurity management systems, such as:

  • policies for the management of information security and cybersecurity risks;
  • promotion of risk-awareness in terms of information security and cybersecurity;
  • permanent monitoring of the infrastructure connected with external providers, and analysis and implementation of measures to detect and mitigate potential threats to the cybersecurity of the entity; and
  • internal behaviour policy.

There are a large number of other specific operational risk and cybersecurity regulations applicable to other entities participating in the banking and financial system – eg, mutual fund administrators; entities providing fintech services, including investment advisers or alternative transaction platforms; and even entities that will participate in the Open Finance System, which is being implemented gradually until 2027.

Thus, Chapter 20-10 is of general application to certain financial entities (banks, payment card operators and issuers) but shares several provisions with the specific regulations mentioned above.

The contractual requirements for Information and Communication Technology (ICT) service providers are detailed in Chapters 20-7 and 20-10 of the Updated Compilation of Standards (RAN). The most relevant aspects are described below.

Definition of ICT Service Providers

According to the regulations, a service provider is any entity, related or not to the contracting institution, that provides services or supplies goods and facilities. This includes ICT service providers. ICT services can range from data processing to the provision of cloud infrastructure.

General Contractual Requirements

  • Clear definition of rights and obligations – the contract must clearly specify the responsibilities of both parties.
  • Service level agreements (SLAs) – clear and measurable service levels must be established.
  • Early termination clauses – the contract must include conditions for the early termination of the contractual relationship.
  • Pricing method – the contract must detail an appropriate method for pricing, with a breakdown for each service if several are purchased for a single price.
  • Business continuity – the contract must include clauses that guarantee business continuity.
  • Information security – clauses must be established on the ownership and confidentiality of information, restrictions on the use of software and the secure deletion of customer data.
  • Audits – the CMF and the audited entity must be allowed to examine on-site or remotely all aspects of the contracted service.
  • Subcontracting – there must be veto clauses for subcontracting to third parties by the main provider. Also, the subcontracted company must comply with the conditions agreed between the entity and the initial service provider.
  • Personnel – the suitability and responsibility of the provider’s personnel, as well as the applicable legal and labour aspects, must be clearly established.
  • Language – contracts, subcontracts and annexes must be in Spanish or translated into this language.
  • Documentation – the operational, administrative and technological procedures of the contracted service must be documented, updated and available for review.
  • Location – data, platforms and applications must be in specific processing sites and, in the case of processing abroad, in a defined and known jurisdiction. The city where the data centres operate must be known.

Critical ICT Services

Significant or strategic (critical) activities are considered to be those in which a failure in the provision of the service has a significant impact on regulatory compliance, business continuity, information security, or the quality of the entity’s services.

Also considered critical are activities that involve the processing of data subject to secrecy or banking secrecy, activities with a significant impact on risk management, and those with high systemic interaction in the market.

Cloud Service Providers

Not all cloud service providers are automatically classified as critical. The classification depends on the criticality of the service being outsourced to the cloud.

  • Non-critical services – can be outsourced in the public or private cloud without considerations beyond those already mentioned in the preceding sections.
  • Critical services – in the event that a strategic or critical activity is outsourced to the cloud, enhanced due diligence of the provider and the service must be carried out, which includes:
    1. prestige and experience of the provider – the provider must be of recognised prestige and experience;
    2. certifications – the provider must have independent and internationally recognised certifications in information security management, business continuity and quality of services;
    3. direct contracts – contracts must be entered into directly between the institution and the provider;
    4. legal reports – the entity must have legal reports on the regulation of privacy and access to information in the jurisdictions where the service is provided;
    5. audits – the provider must make audit reports available to the contracting entity and the CMF;
    6. security – there must be physical and logical security mechanisms that isolate the entity’s infrastructure from that of other clients; and
    7. encryption – sensitive data must have strong encryption mechanisms.

According to Chapter 20-10, the implementation of an adequate risk management process should include as a minimum:

  • a risk analysis process, which considers elements such as the probability that incidents occur and their consequence or impact on information assets, measured by the degree of damage or the costs caused by an information security and cybersecurity event, and which thereby determines the level of risk;
  • a risk assessment process;
  • a risk treatment plan; and
  • at least an annual review of the information security and cybersecurity risk management process.

Moreover, Chapter 20-10 contains a robust set of cybersecurity defensive measures. Within the measures, it is important to highlight the following:

  • inventory of critical cybersecurity assets;
  • change management process that allows modifications made to the ICT infrastructure to be carried out in a secure and controlled manner;
  • capabilities management process;
  • technological obsolescence management process;
  • configuration management process that ensures adequate controls to the configurable elements of the ICT infrastructure;
  • patch management programme to ensure that patches are applied to both software and firmware in a timely manner;
  • implementation of tools such as firewalls, web application firewalls (WAF), intrusion prevention systems (IPS), data loss prevention systems (DLP), anti-denial of service systems, email filtering, anti-virus and anti-malware;
  • back-up management process to ensure the integrity and availability of information and processing media in the event of an incident or disaster;
  • mechanisms to cover the costs associated with possible cyber-attacks; and
  • a Security Operation Centre (SOC), either in-house or through an external service, which operates 24 hours a day, with facilities, technological tools, processes and dedicated and trained personnel.

Incident Reporting

The CMF in Chile has established a regulatory framework for the management of operational and cybersecurity incidents in the financial sector, with the aim of protecting users and the stability of the system. This framework applies to various entities, including banks, card issuers, insurers and fintechs, with specific regulations for each type of entity.

With the entry into force of the Cybersecurity Framework Law, it is expected that there will be co-ordination between the CMF and the ANCI.

  • Sanctions – failure to comply with these regulations can result in fines of up to 15,000 UF (approximately USD420,000), which can increase fivefold in the case of repeat offences.
  • Incident reporting – all entities regulated by the CMF are required to report operational incidents, although deadlines vary. For example, banks and insurers must do so within 30 minutes of the incident, while some fintech service providers have a deadline of two hours. These reports must include detailed information about the incident, such as its description, date and time, causes, impact on customers and services, and measures taken for mitigation.
  • Communication – in general terms, entities should consider the need to inform their customers about incidents that affect the quality of services or that are publicly known. In addition, they should share relevant information about cybersecurity incidents with the rest of the industry, encouraging collaboration and prevention.

The CMF requires entities to guarantee access to the information and records of suppliers, both on-site and remotely, even if the supplier is abroad. The CMF reviews the audit reports carried out by the suppliers.

Entities must report to the CMF any operational incident that affects an outsourced service, allowing the CMF to supervise the incident response capacity and recovery plans.

In the event of non-compliance with the regulations, the CMF may require that the services be carried out in the country or that the entity execute them internally, ensuring that the entity maintains a plan that allows it to comply with these requirements.

According to Chapters 20-7 and 20-10 of the RAN, entities must have defined specific data processing sites. In the case of processing abroad, the jurisdiction must be defined and known. The city where the data centres operate must be known.

Moreover, if an entity outsources data processing services outside the country, it must have a contingency data processing centre located in Chile and demonstrate a recovery time compatible with the criticality of the outsourced service. There is the possibility of exemption from this requirement if the entity maintains adequate operational risk management and can ensure preventive measures such as a recovery time objective (RTO) approved by the board of directors, sites with adequate availability time, and sites in different locations that mitigate both geographical and political risks.

In addition, if the outsourced service includes the transmission of data outside the country that is subject to secrecy or banking secrecy (according to Article 154 of the General Banking Law), prior authorisation from each client is required.

Regarding country risk, services can only be outsourced in jurisdictions that have an investment grade country risk rating. If the country does not have this rating, the board of directors may make an exception to this requirement as long as the country has adequate personal data protection and security laws.

Finally, it is worth highlighting that communication connections between the entity and the provider must have a level of encryption that ensures the confidentiality and integrity of data from end to end. The processed information must be stored and transported in encrypted form, with the decryption keys held by the entity.

Threat-led penetration testing has not arisen in this jurisdiction.

The Cybersecurity Framework Law refers to the concept of resilience, defining it as the ability of networks and computer systems to maintain their availability and operation, as well as to recover quickly from cybersecurity incidents.

For its part, the National Cybersecurity Policy 2023–2028 establishes as one of its five fundamental objectives the development of a “resilient infrastructure” in the country. This implies that the country must have a robust information infrastructure prepared to withstand and recover from cybersecurity incidents and socio-environmental disasters. To advance this objective, the need to strengthen essential services and improve the response capacity to incidents, both in the public and private sectors, is established.

However, neither the National Cybersecurity Policy nor the Cybersecurity Framework Law specifically establishes detailed obligations related to cyber-resilience. It is expected that in the future the National Cybersecurity Agency will issue general and specific instructions to promote cyber-resilience in the country, especially taking into account the advancement of this type of regulation worldwide and the fact that the Cybersecurity Framework Law is especially inspired by the Network and Information Security Directives 1 and 2 of the European Union.

For more information, see 4.1. Cyber-Resilience Legislation.

The Cybersecurity Framework Law establishes a cybersecurity standards certification scheme, mainly focused on operators of vital importance, although it also affects state bodies.

  • Mandatory certification – operators of vital importance must obtain cybersecurity certifications as determined by law and the regulations of the ANCI.
  • Authorised certification centres – valid certifications can only be issued by bodies that are registered and authorised by the ANCI. To be entered in this register, entities must prove compliance with the requirements established in the regulations, and they must continue to comply with those requirements in order to remain registered. The Regulation on accredited Certification Centres is expected to be published in the Official Gazette during 2025.
  • International certifications – the ANCI may approve international or foreign technical certifications on cybersecurity, by means of a reasoned resolution of its Director.
  • Certification of operational continuity and cybersecurity plans – operators of vital importance must prepare and implement operational continuity and cybersecurity plans. These plans must be certified and must be subject to periodic reviews by the obligated parties, with a minimum frequency of two years. The Agency also has the power to request certifications in shorter terms if there are serious supervening reasons.
  • Cybersecurity standards for the state – the ANCI will be in charge of certifying compliance with cybersecurity standards by the bodies of the State Administration.

It is expected that there will be greater clarity on the specific certifications that operators of vital importance must have during the first semester of 2025, after the ANCI issues the respective secondary regulations.

In matters of personal data protection, Law No 19,628 on the Protection of Private Life, of 1999, is currently in force. This law does not specifically establish cybersecurity obligations. At most, it contains a provision stating that the party responsible for the records or databases in which personal data is stored after collection must take due care, and is liable for any damages caused.

Currently, there is no single supervisory authority for personal data protection. The Undersecretariat of Telecommunications, the Financial Market Commission and, in the public sector, the Council for Transparency have issued regulations or recommendations that, in some sense, also consider the adoption of cybersecurity measures.

One of the most relevant of these authorities is the National Consumer Service (SERNAC), which, thanks to the Pro-Consumer Law, is – temporarily – the supervisory authority for personal data protection within consumer relations. This is until the new Personal Data Protection Law and the new Data Protection Agency come into effect in December 2026.

SERNAC has issued interpretative circulars on the law, which, while not binding for providers, are binding for SERNAC officials in charge of oversight. This could lead to infringement complaints before the courts (SERNAC does not have direct sanctioning powers). Among the most important circulars are the following.

  • Interpretative Circular on good practices in electronic commerce – security in electronic contracting. SERNAC stated that providers of services and products through electronic means must inform and adopt necessary technical measures to guarantee consumer security, integrity and confidentiality of transactions, payment methods and personal data. This includes indicating the levels of protection applied to each. Additionally, SERNAC considers that companies must take corresponding safeguards in cases of electronic contracting by minors, vulnerable consumers, or those who lack the capacity to understand the information provided on the website.
  • Interpretative circular on criteria of equity in the stipulations contained in adhesion contracts referring to the collection and processing of personal data of consumers – this circular addresses abusive clauses that make the consumer responsible for the effects of possible deficiencies, omissions or errors, such as clauses limiting the liability of the supplier in case of unauthorised access, losses, alterations or leaks of the consumer’s personal data. SERNAC considers that the duty of professionalism falling on suppliers, together with the obligation of security in data processing, entails applying comprehensive security measures. This includes technical and organisational measures and the training of human capital to safeguard the confidentiality, integrity and availability of consumers’ personal data and to prevent alteration, loss, transmission and unauthorised access.

In the field of consumer protection, SERNAC has interpreted that providers responsible for processing consumers’ personal data must compensate for damage caused by collection, processing, use, disclosure or other processing operations when they have not met the security and professionalism standards of Law No 19,496 on the protection of consumer rights and Law No 19,628 on the protection of privacy.

New Personal Data Protection Law

After extensive legislative discussion that took over seven years, Law No 21,719 was enacted, reforming Law No 19,628. This new law will come into force in December 2026, along with the creation of the National Personal Data Protection Agency. From that moment on, SERNAC will cease to be the controlling authority in this matter.

The new law establishes a Security Principle, according to which the processing of personal data must guarantee adequate security standards, protecting it against unauthorised or illicit processing, loss, leakage, accidental damage or destruction. In addition, security measures must be appropriate and consistent with the type of processing and the nature of the data.

Furthermore, the new law recognises the principle of data protection by design and by default, according to which the data controller must implement technical and organisational measures from the design of the processing of personal data and during its execution, taking into account the state of the art, the costs of implementation, the nature of the data, the context and purposes of the processing, as well as the associated risks. Likewise, by default, only the specific personal data strictly necessary for the activity should be processed.

The new law also includes various obligations related to information security and cybersecurity. Thus, the data controller must adopt the necessary measures to guarantee compliance with the security principle, ensuring the confidentiality, integrity, availability and resilience of data processing systems. The controller must also prevent the alteration, destruction, loss or processing of data, and unauthorised access to it.

Security measures may include:

  • pseudonymisation and encryption of personal data;
  • guaranteeing the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • ability to restore the availability and access to data quickly in case of incidents; and
  • regular processes for verification, evaluation and assessment of the effectiveness of security measures.

In addition, the data controller must report to the Agency any security breach that results in the destruction, leakage, loss or unlawful alteration of data, or unauthorised access to it, especially if there is a risk to the rights of data subjects.

  • These communications must be recorded, detailing the nature of the breach, its effects, categories of data, the approximate number of data subjects affected and the measures taken.
  • If the breach affects sensitive personal data, data of children under 14 years of age or relating to financial obligations, the data controller must notify the data subjects. If individual notification is not possible, it must be done through a mass media outlet with national reach.

Finally, the data controller must prove the existence and functioning of the implemented security measures in case of dispute.

On the subject of cybersecurity and AI, there are no specific regulations in Chile. Therefore, general rules apply, including the Cybersecurity Framework Law and any specific or general instructions that the National Cybersecurity Agency may issue in this regard.

However, the National Consumer Service (SERNAC), the – temporary – controlling authority for personal data protection in the context of consumer relations, issued an interpretative circular regarding AI systems and consumer safety. It is important to remember that these circulars are not generally binding but only apply to SERNAC officials in the context of supervisory activities, which could result in a complaint being filed with the courts (SERNAC does not have direct sanctioning powers).

In the Interpretative Circular on consumer protection against the use of AI systems – consumer safety, SERNAC has interpreted that, in view of the general obligation incumbent on suppliers to provide security to consumers, AI systems in the context of a consumer relationship must present adequate standards of precision, reliability and technical effectiveness to obtain well-founded results and to avoid causing harm to consumers of a material or immaterial nature.

Thus, suppliers must act responsibly and with due diligence, which implies the need for a prior and continuous assessment of the risks that may arise for consumers from the use of AI systems. In the context of the protection of personal data, SERNAC interprets that in accordance with the regulations on protection of personal data, the data controller responsible for the processing must undertake this processing with “due diligence” (Article 11, Law No 19,628), assuming responsibility for the damages caused.

Specifically, SERNAC interprets this duty as translating into the need to apply appropriate technical and organisational security measures, which guarantee the confidentiality, integrity and availability of the personal data in question, considering especially the risks involved in the processing activities and the nature of the data stored (including, among other elements, their level of sensitivity).

In matters of health services, Decree No 6/2022 of the Ministry of Health established the “Regulation on actions related to health care carried out remotely”, which is applicable to both public and private health providers. Thus, health providers who provide their services remotely must:

  • guarantee the secure transmission of data and clinical information necessary for the granting of the benefit, using reliable mechanisms and reusable formats that integrate rules for the protection of personal data, the reservation of the clinical record, biomedical ethics, and the rights and duties of patients;
  • ensure the traceability and registration of actions carried out with the support of ICTs;
  • have specific procedures for ensuring confidentiality, according to the action or benefit granted;
  • have privacy risk management plans that allow the provider to minimise the risks associated with security breaches, especially where it is suspected that a breach has resulted in improper access to, or disclosure, alteration or modification of, personal data relating to patients;
  • keep a record of information security incidents; and
  • report cyber-incidents to the Information Security Committee (CSI) of the Ministry of Health.

Magliona Abogados

Avda Andrés Bello 2687
Piso 24
Las Condes
Santiago de Chile
Santiago
Chile

+56 232 100 030

+56 2377 9451

contacto@magliona.cl

www.magliona.cl