Cybersecurity 2026

Last Updated March 17, 2026

Chile

Law and Practice

Authors



Magliona Abogados specialises in corporate matters, tax services, complex business litigation and finance structures, telecommunications, technology law, intellectual property, and government relations and public policy, including corporate structuring, due diligence planning, M&A, financial assistance, syndicated loans, liability restructuring and leasing. It has expertise in licensing and software development agreements, technological platforms, franchises, data protection and computer crime, as well as the distribution, production and financing of film and television. The firm’s clients encompass a wide range of enterprises, both local and multinational, engaged in banking and finance, technology and software, leasing and insurance. It also counsels public agencies and companies in the movie industry, as well as other diverse fields.

National Cybersecurity Strategy and Regulatory Landscape

Chile has established two primary sources of regulation and public policy that steer the current national cybersecurity strategy. The first is the National Cybersecurity Policy 2023–2028, which aims to develop a robust and resilient information infrastructure capable of resisting and recovering from incidents. This policy promotes the protection of individual rights online and fosters a culture where education and best practices are central to digital engagement. It also emphasises national and international co-ordination and the promotion of the local cybersecurity industry and scientific research.

The strategy incorporates several transversal dimensions to ensure that its objectives are reached with a focus on protecting families and individuals. These include gender equality, the protection of children and adolescents, safeguards for the elderly, and the protection of the environment. By publishing a separate action plan, the government can periodically review progress and adjust measures based on the evolving threat landscape. This approach allows the authorities to correct actions that have been implemented deficiently while maintaining long-term strategic goals.

The Cybersecurity Framework Law (Law No 21,663)

The second pillar is the Cybersecurity Framework Law No 21,663, published in April 2024, whose institutional framework became operational in January 2025 with the start of activities of the National Cybersecurity Agency (ANCI). This statute established a new institutional framework and general regulations to structure and co-ordinate cybersecurity actions among state agencies and between them and private entities. It mandates minimum requirements for the prevention, containment and resolution of incidents, significantly modernising the national approach. The law also creates the National Computer Security Incident Response Team (CSIRT Nacional) within the ANCI.

The legislature frames the purpose of these regulations as a fundamental duty of the state to safeguard security in cyberspace. Priorities are set using a risk management perspective, where measures must be necessary and proportional to the level of exposure and potential social impact. This framing ensures that computer systems and technologies are managed with security and privacy by design as core principles. It also grants special protection to those groups that are often the target of malicious cyber activities.

Legislative Scope and Sectoral Application

The scope of the Cybersecurity Framework Law extends to state agencies, including ministries, regional governments and the armed forces. It also covers public enterprises and private institutions that provide services qualified as essential. These essential services span various sectors such as electricity, telecommunications, banking, healthcare, digital services and digital infrastructure. The law applies even to private institutions that do not provide essential services but have acquired a critical role in the supply of goods or have a high degree of risk exposure.

Within these sectors, the ANCI has the authority to qualify specific providers as Operators of Vital Importance (OIV). This qualification is based on the dependence of the service on computer systems and the significant impact that any disruption would have on public order or safety. OIVs are subject to the strictest obligations, including the implementation of continuous information security management systems. They must also appoint a cybersecurity delegate to act as a formal counterpart to the ANCI.

Complementary Cybersecurity Legislation

Furthermore, the Computer Crimes Law No 21,459 seeks to adapt Chilean legislation to international standards like the Budapest Convention. It typifies specific offences such as attacks on the integrity of systems, unlawful interception and computer fraud. The law includes exemptions for responsible ethical hackers who register with the ANCI and report vulnerabilities promptly. The penalties for these crimes are increased if they result in the interruption of public utility services.

In the field of privacy, Law No 21,719 was recently enacted to reform the outdated data protection regime and will come into full effect in December 2026. It introduces a security principle requiring data controllers to guarantee adequate standards against unauthorised processing or loss. This legislation also creates the National Personal Data Protection Agency, which will act as the specialised supervisory body. The new framework establishes clear duties for reporting security breaches that put the rights of data subjects at risk.

Sector-Specific Regulations

Specific sectoral regulations also play a crucial role, such as the Ministry of Health’s instructions for the digital transformation of clinical processes. Financial entities must comply with the Fintech Law No 21,521 and the detailed general norms issued by the Financial Market Commission (CMF). These rules mandate robust risk management and incident reporting to ensure the operational resilience of the financial system. Similarly, the electricity sector follows specific standards like NERC-CIP to protect critical operational assets.

The Cybersecurity Framework Law No 21,663

The Cybersecurity Framework Law No 21,663, published in April 2024, serves as the primary statute governing digital security in Chile. It established the ANCI as a specialised, decentralised technical body responsible for advising the President and co-ordinating cybersecurity actions across the State and private sectors. The law also created the CSIRT Nacional to handle significant incidents.

The subject-matter scope of this law includes the establishment of minimum-security requirements for the prevention, containment and response to incidents. It applies to all state administration bodies, including ministries, regional governments, municipalities and the armed forces. In the private sector, it targets providers of “essential services” and those qualified as OIV.

Regarding territorial reach, the law focuses on entities operating within Chile or providing services that impact national security and public order. It does not contain express rules for extraterritorial application beyond the domestic jurisdiction. Guidance issued by the ANCI, such as mandatory protocols, technical standards and general instructions, is binding on all regulated entities.

Personal Data Protection Law

The Personal Data Protection Law No 21,719, enacted in late 2024, significantly reformed the existing 1999 regime and is scheduled to enter into full force in December 2026. This statute introduces the “Security Principle”, which mandates that data controllers must guarantee adequate standards to protect data against unauthorised processing, loss or destruction. It also recognises the principles of data protection by design and by default.

This law applies to any natural or legal person, including public bodies, that carries out data processing. Unlike the Framework Law, it has a clear extraterritorial reach. It applies whenever a data controller is established in Chile or when processing is intended to offer goods or services to, or monitor the behaviour of, individuals within the national territory.

The law establishes the National Personal Data Protection Agency as the supervisory authority with the power to issue binding instructions. These instructions will define the technical and organisational measures necessary to ensure data confidentiality and resilience. Failure to comply with these security standards can result in severe financial penalties.

The Computer Crimes Law

The Computer Crimes Law No 21,459 was enacted to adapt domestic legislation to the international standards of the Budapest Convention. It typifies specific offences such as illegal access to computer systems, unlawful interception, computer forgery and computer fraud. The law covers actions directed against any computer system or data located in Chile, as well as those perpetrated from within the country.

One notable feature of this statute is the legal protection provided for ethical hacking. Individuals who access a computer system in a responsible manner to identify vulnerabilities may be exempt from criminal sanctions. This requires registration with the ANCI and immediate reporting of the findings to both the Agency and the system operator.

The subject-matter scope is strictly criminal, yet it interacts with cybersecurity management by imposing harsher penalties when an attack affects essential services. It also mandates that service providers preserve data for criminal investigations upon request. This law applies transversally to all organisations and individuals.

The Fintech Law No 21,521

Law No 21,521, also known as the Fintech Law, aims to promote competition and financial inclusion through technological innovation. It regulates crowdfunding platforms, alternative transaction systems, investment advisers and custody services. The law is overseen by the CMF, which sets standards for information security and risk management.

The organisations in scope include all providers registered in the Registry of Financial Service Providers. For international companies, the law mandates the establishment of a legal domicile in Chile. The CMF is empowered to issue binding general instructions regarding cybersecurity and operational resilience.

This law also establishes the Open Finance System (SFA), which requires participants to implement secure interfaces (APIs) for data exchange. These interfaces must comply with strict security and authentication standards defined by the CMF.

Binding Standards and Sectoral Regulations

Chile currently maintains several sector-specific regulations that impose binding cybersecurity standards.

  • Banking and finance – the CMF manages the “Updated Compilation of Standards” (RAN), particularly Chapters 20-7 to 20-10, which regulate operational risk and cybersecurity.
  • Insurance – entities must comply with NCG No 454, which establishes principles for managing cybersecurity risks and reporting incidents.
  • Energy – the electricity sector follows the NERC-CIP standards adopted by the National Electric Coordinator (CEN) to ensure the continuity of the National Electric System.
  • Telecommunications – Resolution No 1,318 issued by the Undersecretariat of Telecommunications (Subtel) sets mandatory foundations for the design and operation of secure networks.
  • Healthcare – the Ministry of Health has issued technical instructions (eg, Resolution No 853) regarding telemedicine and the protection of clinical records.
  • Pensions – the Superintendency of Pensions maintains a Model for Information Security and Cybersecurity Management applicable to all pension fund managers.

Interplay Between Regulations and Co-ordination

The interplay between these regulations is governed by the co-ordination rules set out in the Cybersecurity Framework Law. The ANCI acts as the central technical authority, but it must request reports from sectoral regulators before issuing rules that affect their specific jurisdictions. This process ensures that sectoral expertise is respected while maintaining a unified national strategy.

A crucial rule of prevalence exists: if a sectoral authority issues cybersecurity instructions with effects at least equivalent to those of the ANCI, the sectoral rules shall prevail. This prevents duplication of obligations and allows industries with high technical requirements, such as energy or banking, to follow specialised standards. However, the ANCI and the sectoral body must jointly issue a rule to evaluate this equivalence.

ANCI

The principal authority responsible for enforcing cybersecurity regulations in Chile is the ANCI. Established by the Cybersecurity Framework Law No 21,663, the ANCI is a functionally decentralised public service with its own legal personality and assets. Its primary mandate involves advising the President of the Republic on cybersecurity matters, protecting national interests in cyberspace, and co-ordinating both public and private institutions to ensure computer security. The Agency officially commenced its activities on 1 January 2025, marking a significant milestone in the country’s digital governance.

The ANCI possesses broad regulatory and administrative powers to structure the national cybersecurity landscape. It is authorised to issue mandatory protocols, technical standards, and instructions that apply to state agencies and private entities providing essential services. Furthermore, the Agency has the power to qualify specific service providers as OIV, subjecting them to the most rigorous compliance requirements. Through its National Director, the ANCI can also homologate international technical certifications to align local practices with global standards.

Supervisory and Enforcement Powers

The Agency has the authority to oversee compliance with the law through regular inspections, security analyses, and the instruction of audits conducted either by its own staff or by authorised third parties. If a cybersecurity incident occurs, the ANCI may require the affected entity to provide truthful and timely information to potential victims. These powers ensure that institutions maintain the necessary standards of prevention, containment and response to digital threats.

The ANCI wields significant sanctioning power to penalise non-compliance with its regulations or general instructions. Infringements are classified as minor, serious or very serious, with fines varying based on the status of the offender and the nature of the breach. For instance, very serious infractions by an Operator of Vital Importance can result in fines of up to 40,000 Monthly Tax Units (UTM) or approximately USD3 million. This robust penalty structure is intended to incentivise a high level of institutional maturity and accountability across all regulated sectors.

Investigative Tools and System Access

The legislature has provided the ANCI with several investigative tools to perform its supervisory duties effectively. The Agency can require state and private institutions to provide access to any information strictly necessary to prevent or manage incidents, including activity logs of networks and computer systems. Additionally, the ANCI has the authority to summon partners, directors and employees of regulated entities to testify regarding facts relevant to its investigations.

In cases of incidents with significant impact where access to systems is deemed indispensable, the ANCI may require direct access to the affected infrastructure. If an institution denies this access, the Agency is empowered to seek a prior judicial authorisation from the Court of Appeal of Santiago.

National and Sectoral Incident Response Teams

Incident response is structured through a network of specialised teams co-ordinated by the ANCI. The CSIRT Nacional operates within the Agency as the central node for responding to significant cyberattacks. Its functions include supervising incidents at a national scale, performing dynamic risk analyses, and providing technical advice to other state CSIRTs. The CSIRT Nacional also serves as the international point of contact for exchanging information with foreign counterparts.

Role of Sectoral Regulators

While the ANCI is the primary authority, other sectoral regulators play a crucial role in enforcing cybersecurity within their specific domains. The CMF is particularly active, requiring banks and financial institutions to implement robust risk management systems and report incidents within very short time frames. Similarly, Subtel issues technical standards for the design and operation of secure telecommunications networks.

The primary regulatory framework for cybersecurity in Chile is established by the Cybersecurity Framework Law No 21,663, published on 8 April 2024. This legislation created the ANCI as the lead technical and specialised regulator responsible for supervising both public and private entities. The Law structures its scope of application around two main categories of regulated subjects: providers of “essential services” and OIV.

Essential Services and Regulatory Uncertainties

Article 4 of the Cybersecurity Framework Law lists the sectors considered essential to the maintenance of vital societal functions, health, safety and economic well-being. These include electricity (generation, transmission, or distribution), fuels, drinking water, telecommunications, banking and financial services, transport, social security, postal services, institutional health provision and pharmaceutical research. State administration bodies, including ministries and municipalities, are also classified as essential service providers by default.

A significant uncertainty within this framework is that the Law does not provide exact definitions for several key categories, such as “digital services”, “digital infrastructure” or “information technology services managed by third parties”. While Article 4 identifies these broad sectors as essential, the lack of specific statutory definitions leaves the exact scope to be determined by administrative resolutions.

Designation Criteria for OIV

Not all providers of essential services are subject to the highest level of regulation; only those designated as OIV must meet the most stringent duties. Under Article 5 of the Law, ANCI qualifies an essential service provider as an OIV if the service depends significantly on computer networks and if its disruption would have a “significant impact” on public safety, the continuous provision of essential services or the functions of the state. Private institutions that do not provide essential services may also be qualified as OIVs if they hold a critical role in the supply of goods or have a high degree of risk exposure.

The specific procedure and risk criteria for this designation are detailed in Decree No 285, published in March 2025. Under Article 4 of this Decree, the Agency determines a “significant impact” by applying five specific criteria: the number of potentially affected persons and territorial coverage; the redundancy of the service; the existence of monoprovision; the interdependency between services; and the strategic relevance of the institution. This process requires ANCI to request founded reports from sectoral authorities, such as the CMF, before making a final determination.

Implementation Timeline and the Digital Sector Analysis

The qualification process followed a staggered calendar established by Resolution No 24 in May 2025. The first stage, which concluded in December 2025, focused on priority sectors including banking, energy, telecommunications and the digital sector. The second stage, scheduled to begin in November 2025, covers water, fuels, transport, social security and pharmaceuticals.

In Resolution No 87, published in December 2025, ANCI approved the final list of OIVs for the first stage and clarified how it analysed the digital sector. Given the lack of a sectoral regulator for digital services, ANCI identified potential OIVs using Internal Revenue Service (SII) activity codes related to software programming, data processing and IT consultancy. For the purpose of this qualification process, the Agency focused on entities with an annual turnover of 25,000 Unidades de Fomento (CLF25,000, approximately USD1 million) or higher, or those acting as suppliers to the state.

Identification of Critical Digital Functions

Through its December 2025 resolution, ANCI identified 13 specific classes of services or “critical digital functions” that would fall within the scope of the Law. These include:

  • data hosting and cloud administration (IaaS, PaaS, SaaS);
  • security operation centres (SOC) and network operation centres (NOC);
  • cybersecurity incident management and remote monitoring of applications;
  • advanced electronic signature services and digital payment systems; and
  • fintechs, points of sale (POS) hardware/software, and commercialised own software.

These sub-services are considered critical by ANCI because they often represent a single point of failure for other essential sectors that outsource their technology management. The Agency’s analysis particularly emphasised the “interdependency” criterion, noting that an incident in these digital providers can trigger cascading effects across the entire national infrastructure.

Companies classified as OIVs have the option to appeal ANCI’s decision administratively or judicially. The second stage of this initial classification process is expected to be completed during the first half of 2026.

General Obligations for Regulated Entities

All institutions covered by the Cybersecurity Framework Law, including both essential service providers and OIV, share a core set of duties aimed at preserving the integrity of the national digital ecosystem. These entities must permanently apply technical and organisational measures to prevent, report and resolve cybersecurity incidents. These measures must be consistent with the protocols and standards issued by the ANCI.

Accountability begins with the mandatory registration in the ANCI electronic platform. All regulated institutions must designate a specific person in charge of reporting incidents to the CSIRT Nacional.

Governance and Accountability for OIVs

OIVs must designate a Cybersecurity Delegate who serves as the official technical counterpart to ANCI. General Instruction No 3 specifies that this delegate must have specialised training or certification and a direct reporting line to the institution’s highest authority.

To ensure objectivity, the delegate must possess functional independence from the operational IT departments. The institution must provide the delegate with the necessary faculties and resources to fulfil their legal obligations.

Asset Management and Risk Assessment

Risk management is a continuous requirement for OIVs, which must implement a formal Information Security Management System (ISMS). This system is used to identify and evaluate the likelihood and potential impact of risks that could affect networks, computer systems and data. OIVs are also required to maintain a detailed record of all security actions that comprise their ISMS.

OIVs are also mandated to perform continuous review operations, exercises and simulations to detect actions or programs that might compromise cybersecurity.

Business Continuity and Disaster Recovery

OIVs have an explicit duty to develop and implement operational continuity and cybersecurity plans. These plans must undergo mandatory certification and be reviewed by the entity at least every two years.

In the event of a significant incident, OIVs must implement a specific Plan of Action within seven days of becoming aware of the event. This plan must include an information recovery programme, a clear definition of technical and administrative responsibilities, and an estimate of the time required to restore the interrupted services.

Technical Measures and Mitigation for OIVs

General Instruction No 4 provides a detailed set of technical requirements that OIVs must deploy immediately when an incident is detected. These include isolating affected segments of the network and restricting access to compromised systems or user accounts. Institutions must change all passwords for administrative accounts within three hours of detecting an incident that impacts confidentiality or integrity.

Network security is further reinforced through mandatory segmentation, both logical and physical, to limit the lateral movement of an attack between different environments. OIVs must also install and operate firewalls configured under the principle of whitelisting, meaning all incoming connections are blocked by default unless explicitly allowed.
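The two controls described above (default-deny inbound filtering and segmentation that blocks lateral movement between environments) are easier to audit when they are expressed as a single declarative ruleset. The following nftables ruleset is an added illustration written for this page; it is not a text issued by ANCI and does not reproduce the wording of General Instruction No 4. The interface name and the management, operational and corporate subnets are placeholders chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Added example: default-deny (whitelist) host firewall plus inter-segment
# filtering. Subnets and interface names below are assumed placeholders.
flush ruleset

define MGMT_NET = 10.10.0.0/24   # assumed management segment
define OT_NET   = 10.20.0.0/24   # assumed operational (essential service) segment
define IT_NET   = 10.30.0.0/24   # assumed corporate segment

table inet filter {
    chain input {
        # Whitelisting: the chain policy drops anything not explicitly accepted below.
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Explicit allow-list of inbound services. Administrative access only
        # from the management segment; nothing is reachable from elsewhere.
        ip saddr $MGMT_NET tcp dport 22 accept
        icmp type echo-request limit rate 5/second accept

        # Everything else is logged (for the SOC) and then dropped.
        log prefix "nft-input-drop: " counter drop
    }

    chain forward {
        # Segmentation: no traffic crosses segments unless a rule allows it,
        # which limits lateral movement after a compromise.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # Only the management segment may initiate connections into the
        # operational segment, and only to the one service it needs.
        ip saddr $MGMT_NET ip daddr $OT_NET tcp dport 443 accept

        # The corporate segment may never initiate connections into the
        # operational segment; attempts are logged as a detection signal.
        ip saddr $IT_NET ip daddr $OT_NET log prefix "nft-it-to-ot: " counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load the file with `nft -f` and review the result with `nft list ruleset`. The point of the layout is that every accepted inbound or cross-segment flow appears as an explicit line, so an auditor can compare the ruleset directly against the list of services the entity has documented in its ISMS; anything not on that list is covered by the chain policy rather than by an overlooked rule.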

Supply-Chain Security and Outsourcing Controls

When reporting incidents with “significant effects”, entities must consider if the event was capable of interrupting the service provided by their own suppliers. This perspective forces OIVs to extend their risk management to the third parties that support their essential functions.

Incident Classification and Thresholds

The obligation to report is triggered when a cybersecurity incident is classified as having “significant effects”. Under Article 27 of the Cybersecurity Framework Law, an incident meets this threshold if it is capable of interrupting the continuity of an essential service or affecting the physical health or integrity of individuals. Furthermore, any event affecting computer systems that contain personal data is automatically deemed to have a significant effect.

To determine the magnitude of an incident, regulated entities must evaluate specific criteria including the number of persons affected, the duration of the event and its geographical extent. The Agency has further refined these thresholds through a formal Incident Taxonomy, which categorises events based on observable effects such as unauthorised use of resources, exfiltration of data or total loss of service availability.

Timelines for Notification

The notification process follows a strict, multi-stage timeline intended to keep the CSIRT Nacional informed as a threat evolves.

  • Early warning – regulated entities must submit an initial alert within a maximum period of three hours after becoming aware of the incident or cyberattack.
  • Second report (update) – a more detailed update is required within 72 hours of initial awareness. However, if the affected entity is an OIV and the incident has interrupted its essential service, this deadline is significantly reduced to 24 hours.
  • Plan of action – specifically, for OIVs, a formal plan of action must be implemented and communicated to the CSIRT Nacional within seven days of the incident discovery.
  • Final report – a comprehensive final report is due within 15 days of the initial early warning, provided the incident has been managed. If the incident remains active, entities must provide status updates every 15 days until final resolution.

Notification Channels and Supervisory Authorities

The primary competent authority for receiving and co-ordinating incident responses is the CSIRT Nacional, which operates under the ANCI. The official and mandatory channel for all notifications is the electronic platform provided by the Agency.

Access to the reporting platform requires robust authentication, typically through the use of a Unique Key (Clave Única) and a mandatory second factor of authentication, such as TOTP or passkeys. Entities are required to designate a specific person in charge of reporting who serves as the formal counterpart to the Agency.

Required Content of Reports

The content of the reports becomes progressively more technical as the notification stages advance.

  • Initial alert – focuses on the identification of the institution, contact details for the delegate, the date and time of discovery and the initial symptoms or indicators of the incident.
  • Secondary reports – must include an assessment of severity and impact, evidence of potential criminal activity and specific indicators of compromise.
  • Final report – must detail the root causes, the specific vulnerabilities exploited and the technical controls that failed or were absent. For OIVs, this report must also include a definitive estimate of the time taken to restore services.

Multi-Agency and Parallel Reporting Obligations

Chilean law acknowledges that many entities, such as those in the financial and telecommunications sectors, are subject to parallel reporting obligations. Article 9 of the Framework Law mandates that the ANCI coordinate with sectoral regulators to implement a “single window” (ventanilla única) system. Although the transition to this unified platform is currently underway, its full implementation is still pending for most sectors.

Until the single window is fully operational, entities must navigate sectoral rules, such as those issued by the CMF or Subtel. Under Article 37, sectoral regulations prevail if they provide equivalent or stricter protections, such as the 30-minute reporting window required by the CMF for certain banking incidents.

In the Cybersecurity Framework Law

The heads of service of the state administration agencies shall require information technology service providers to share information on vulnerabilities and incidents that may affect the computer networks and systems of state agencies, provided that the purpose is to prevent, detect, respond to, recover from or reduce incidents, or to strengthen the level of cybersecurity, and that the potentially sensitive nature of the information shared is respected.

In order to comply with the above, the contracts for the provision of services may not contain any clause that could restrict or hinder in any way the communication of information about threats by the service provider, as long as this does not compromise the security and protection of data, including confidentiality and protection of intellectual property.

Public-Private Co-Operation Framework

Co-operation is a guiding principle of the Framework Law, acknowledging that cybersecurity depends on the interdependency of systems. The state has created the Multi-Sectoral Council on Cybersecurity as a consultative body where representatives from industry, academia and civil society advise the ANCI on threat mitigation. Additionally, the Inter-Ministerial Committee on Cybersecurity co-ordinates public policy implementation across different ministries to ensure a unified national strategy.

In the State Digital Transformation Law No 21,180

The “Technical Standard for Information Security and Cybersecurity” of the State Digital Transformation Law establishes guidelines and responsibilities for Chilean government bodies regarding information security and cybersecurity.

Responsibilities are structured around key functions:

  • identification – bodies must identify and manage security risks associated with their processes, personnel, and electronic platforms;
  • protection – implement security measures to ensure proper, timely and secure service delivery;
  • detection – develop processes for timely detection of security incidents;
  • response – implement technical and organisational measures in response to security incidents; and
  • recovery – maintain recovery plans and restore any capacity or service affected by a security incident.

Additionally, each body must:

  • conduct an initial cybersecurity assessment;
  • develop an Information Security and Cybersecurity Policy;
  • appoint individuals responsible for information security and information assets; and
  • participate in the gradual implementation of this technical standard, according to the type of entity and the implementation schedule, which will extend until 2028.

In banking and financial matters, Chapter 20-10 of the Updated Compilation of Standards (RAN) establishes the obligation for financial institutions (mainly banks) to define an organisational structure with specialised and dedicated personnel, with the necessary powers and competencies to manage IT security and cybersecurity. In addition, the function of an information security and cybersecurity officer in charge of these matters must be part of this organisational structure.

The Board of Directors of banking and financial institutions subject to Chapter 20-10 of the RAN shall establish the above and other matters in relation to their information security and cybersecurity management systems, such as:

  • policies for the management of information security and cybersecurity risks;
  • promotion of risk-awareness in terms of information security and cybersecurity;
  • permanent monitoring of the infrastructure connected with external providers, and analysis and implementation of measures to detect and mitigate potential threats to the cybersecurity of the entity; and
  • internal behaviour policy.

There is a large number of other specific operational risk and cybersecurity regulations applicable to other entities participating in the banking and financial system – eg, mutual fund administrators; entities providing fintech services, including investment advisers or alternative transaction platforms; and even entities that will participate in the Open Finance System, which is being implemented gradually until 2027.

Thus, Chapter 20-10 is of general application to certain financial entities (banks; payment card operators and issuers) but shares several provisions with the specific regulations mentioned above.

The Chilean regulatory landscape for Information and Communication Technology (ICT) and third-party service providers in the financial sector is primarily governed by the CMF. The core requirements are established in the Updated Compilation of Standards (RAN), specifically Chapter 20-7 on the Outsourcing of Services and Chapter 20-10 on Information Security and Cybersecurity Management. Furthermore, the Fintech Law (Law No 21.521) and its supplementary regulations, such as General Rule No 514 for the Open Finance System (SFA), impose rigorous technical and oversight duties on new technological actors.

Definition of ICT Service Providers

Under Chapter 20-7 of the RAN, a service provider is broadly defined as any entity, whether related to the contracting institution or not, that provides services or supplies goods and facilities to the bank. This definition applies to banking institutions and payment card operators. Within the Open Finance System established by the Fintech Law, the regulation specifically identifies Information-based Service Providers (PSBI) and Payment Initiation Service Providers (PSIP) as participants that interact with traditional financial institutions through Application Programming Interfaces (APIs).

Criteria for Criticality and Strategic Activities

Activities are classified as strategic or critical under Chapter 20-7 of the RAN when any failure in the service provision would significantly impact regulatory compliance, business continuity, information security, or the quality of the entity’s image. Strategic criticality is also automatically triggered for any activity involving the processing of data subject to banking secrecy under Article 154 of the General Banking Law.

Mandatory Contractual and Oversight Requirements

Financial institutions must ensure that contracts with ICT providers clearly define the rights and obligations of both parties, including measurable Service Level Agreements (SLAs) and early termination clauses. Contracts must include provisions for business continuity and the ownership and confidentiality of information. It is a mandatory requirement that providers securely delete customer data once the contractual relationship ends or the data is no longer necessary for the intended purpose.

Treatment of Subcontracting and Chain Outsourcing

Chapter 20-7 of the RAN requires that risks arising from chain outsourcing be addressed in the primary contract. Financial entities must include veto clauses that allow them to control the selection of subcontractors by their main service provider. Subcontracted companies are contractually obligated to comply with the same security conditions and standards agreed upon between the financial institution and the initial provider.

Location of Data and Services

The RAN establishes that data, platforms and applications used in outsourced services must reside at specific and known processing sites. If data processing occurs in a foreign jurisdiction, the financial institution must know the specific city where the data centres are located. Institutions outsourcing critical processing abroad must maintain a contingency data centre within Chile and demonstrate a recovery time compatible with the service’s criticality, unless they obtain a specific exemption from the CMF based on robust risk management.

Exit Strategies

Financial institutions are required to develop exit plans that allow them to resume operations internally or through another provider in the event of a contract termination or provider failure. These strategies must be included in the institution’s Business Continuity and Disaster Recovery Plan.

Concentration Risk Management

The board of directors is responsible for managing risks associated with a high concentration of services with a single provider. Concentration risk is evaluated both at the institutional and industry level, as a failure in a provider used by multiple banks could trigger a systemic crisis. Institutions must establish formal procedures to identify and mitigate risks related to high barriers to exit, such as excessive dependency on a provider’s specific technology or the potential loss of internal technical expertise.

According to Chapter 20-10, the implementation of an adequate risk management process should include as a minimum:

  • a risk analysis process, which considers elements such as the assessment of the probability of occurrence of incidents and their consequence or impact on information assets, based on the degree of damage or costs caused by an information security and cybersecurity event, thus determining its level of risk;
  • a risk assessment process;
  • a risk treatment plan; and
  • at least an annual review of the information security and cybersecurity risk management process.

Moreover, Chapter 20-10 contains a robust set of cybersecurity defensive measures. Within the measures, it is important to highlight the following:

  • inventory of critical cybersecurity assets;
  • change management process that allows modifications made to the ICT infrastructure to be carried out in a secure and controlled manner;
  • capacity management process;
  • technological obsolescence management process;
  • configuration management process that ensures adequate controls to the configurable elements of the ICT infrastructure;
  • patch management programme to ensure that patches are applied to both software and firmware in a timely manner;
  • implementation of tools such as firewalls, web application firewalls (WAF), intrusion prevention systems (IPS), data loss prevention systems (DLP), anti-denial-of-service systems, email filtering, anti-virus and anti-malware;
  • back-up management process to ensure the integrity and availability of information and processing media in the event of an incident or disaster;
  • mechanisms to cover the costs associated with possible cyber-attacks; and
  • a Security Operations Centre (SOC), either in-house or through an external service, which operates 24 hours a day, with facilities, technological tools, processes and dedicated and trained personnel.

Incident Reporting

The CMF in Chile has established a regulatory framework for the management of operational and cybersecurity incidents in the financial sector, with the aim of protecting users and the stability of the system. This framework applies to various entities, including banks, card issuers, insurers and fintechs, with specific regulations for each type of entity.

With the entry into force of the Cybersecurity Framework Law, it is expected that there will be co-ordination between the CMF and the ANCI, and a multi-window platform will likely have to be created to facilitate incident reporting.

  • Sanctions – failure to comply with these regulations can result in fines of up to 15,000 UF (approximately USD420,000), which can increase fivefold in the case of repeat offences.
  • Incident reporting – all entities regulated by the CMF are required to report operational incidents, although deadlines vary. For example, banks and insurers must do so within 30 minutes of the incident, while specific fintech activities have a deadline of two hours. These reports must include detailed information about the incident, such as its description, date and time, causes, impact on customers and services, and measures taken for mitigation.
  • Communication – in general terms, entities should consider the need to inform their customers about incidents that affect the quality of services or that are publicly known. In addition, they should share relevant information about cybersecurity incidents with the rest of the industry, encouraging collaboration and prevention.

The CMF requires entities to guarantee access to the information and records of suppliers, both on-site and remotely, even if the supplier is abroad. The CMF reviews the audit reports carried out by the suppliers.

Entities must report to the CMF any operational incident that affects an outsourced service, allowing the CMF to supervise the incident response capacity and recovery plans.

In the event of non-compliance with the regulations, the CMF may require that the services be carried out in the country or that the entity execute them internally, ensuring that the entity maintains a plan that allows it to comply with these requirements.

According to Chapters 20-7 and 20-10 of the RAN, entities must have defined specific data processing sites. In the case of processing abroad, the jurisdiction must be defined and known. The city where the data centres operate must be known.

Moreover, if an entity outsources data processing services outside the country, it must have a contingency data processing centre located in Chile and demonstrate a recovery time compatible with the criticality of the outsourced service. There is the possibility of exemption from this requirement if the entity maintains adequate operational risk management and can ensure preventive measures such as a recovery time objective (RTO) approved by the board of directors, sites with adequate availability time, and sites in different locations that mitigate both geographical and political risks.

In addition, if the outsourced service includes the transmission of data outside the country that is subject to secrecy or banking secrecy (according to Article 154 of the General Banking Law), prior authorisation from each client is required.

Regarding country risk, services can only be outsourced in jurisdictions that have an investment grade country risk rating. If the country does not have this rating, the board of directors may make an exception to this requirement as long as the country has adequate personal data protection and security laws.

Finally, it should be noted that communication connections between the entity and the provider must have a level of encryption that ensures the confidentiality and integrity of data from end to end. The processed information must be stored and transported in encrypted form, with the decryption keys held by the entity.

This issue has not arisen in this jurisdiction.

The Cybersecurity Framework Law refers to the concept of resilience, defining it as the ability of networks and computer systems to maintain their availability and operation, as well as to recover quickly from cybersecurity incidents.

For its part, the National Cybersecurity Policy 2023–2028 establishes as one of its five fundamental objectives the development of a “resilient infrastructure” in the country. This implies that the country must have a robust information infrastructure prepared to withstand and recover from cybersecurity incidents and socio-environmental disasters. To advance this objective, the need to strengthen essential services and improve the response capacity to incidents, both in the public and private sectors, is established.

However, neither the National Cybersecurity Policy nor the Cybersecurity Framework Law specifically establish detailed obligations related to cyber resilience. It is expected that in the future the National Cybersecurity Agency will issue general and specific instructions to promote cyber resilience in the country, especially taking into account the advancement of this type of regulation in the world and the fact that the Cybersecurity Framework Law is especially inspired by the Network and Information Security Directives 1 and 2 of the European Union.

For more information, see 4.1. Cyber-Resilience Legislation.

The Cybersecurity Framework Law establishes a cybersecurity standards certification scheme, mainly focused on operators of vital importance, although it also affects state bodies.

  • Mandatory certification – operators of vital importance must obtain cybersecurity certifications as determined by law and the regulations of the ANCI.
  • Authorised certification centres – valid certifications can only be issued by bodies that are registered and authorised by the ANCI. To be part of this register, entities must prove compliance with the requirements established in the regulations and, to remain so, comply with the aforementioned requirements. The Regulation on accredited Certification Centres was published in the Official Gazette during the first quarter of 2025.
  • International certifications – the ANCI may approve international or foreign technical certifications on cybersecurity, by means of a reasoned resolution of its director.
  • Certification of operational continuity and cybersecurity plans – operators of vital importance must prepare and implement operational continuity and cybersecurity plans. These plans must be certified and must be subject to periodic reviews by the obligated parties, with a minimum frequency of two years. The Agency also has the power to request certifications in shorter terms if there are serious supervening reasons.
  • Cybersecurity standards for the state – the ANCI will be in charge of certifying compliance with cybersecurity standards by the bodies of the State Administration.

It is expected that there will be greater clarity on the specific certifications that operators of vital importance must hold during the first half of 2026, after the ANCI issues the respective secondary regulations.

In matters of personal data protection, Law No 19,628 on the Protection of Private Life from 1999 is currently in force. This law does not specifically establish cybersecurity obligations. At most, it contains a provision stating that the party responsible for records or databases where personal data is stored after collection must take due care, making them liable for any damages.

Currently, there is not a single supervisory authority for personal data protection. The Undersecretariat of Telecommunications, the Financial Market Commission, and the Council for Transparency in the public sector have issued regulations or recommendations that, in some sense, also consider the adoption of cybersecurity measures.

One of the most relevant of these authorities is the National Consumer Service (SERNAC), which, thanks to the Pro-Consumer Law, is – temporarily – the supervisory authority for personal data protection within consumer relations. This is until the new Personal Data Protection Law and the new Data Protection Agency come into effect in December 2026.

SERNAC has issued interpretative circulars on the law, which, while not binding for providers, are binding for SERNAC officials in charge of oversight. This could lead to infringement complaints before the courts (SERNAC does not have direct sanctioning powers). Among the most important circulars are the following.

Interpretative circular on good practices in electronic commerce – security in electronic contracting: SERNAC believes that providers of services and products through electronic means must inform and adopt necessary technical measures to guarantee consumer security, integrity and confidentiality of transactions, payment methods and personal data. This includes indicating the levels of protection applied to each. Additionally, SERNAC considers that companies must take corresponding safeguards in cases of electronic contracting by minors, vulnerable consumers, or those who lack the capacity to understand the information provided on the website.

Interpretative circular on criteria of equity in the stipulations contained in adhesion contracts referring to the collection and processing of personal data of consumers – abusive clauses that make the consumer responsible for the effects of possible deficiencies, omissions, or errors, such as limiting the liability of the supplier in case of unauthorised access, losses, alterations, or leaks of the consumer’s personal data: SERNAC maintains that the duty of professionalism falling on suppliers, considering the obligation of security in data processing, entails applying comprehensive security measures. This includes technical, organisational and human capital formation to safeguard the confidentiality, integrity, and availability of consumers’ personal data to prevent alteration, loss, transmission and unauthorised access.

New Personal Data Protection Law

After extensive legislative discussion that took over seven years, Law No 21,719 was enacted, reforming Law No 19,628. This new law will come into force in December 2026, along with the creation of the National Personal Data Protection Agency. From that moment on, SERNAC will cease to be the controlling authority in this matter.

The new law establishes a Security Principle, according to which the processing of personal data must guarantee adequate security standards, protecting the data against unauthorised or illicit processing, loss, leakage, accidental damage or destruction. In addition, security measures must be appropriate and consistent with the type of processing and the nature of the data.

Furthermore, the new law recognises the principle of data protection by design and by default, according to which the data controller must implement technical and organisational measures from the design of the processing of personal data and during its execution, taking into account the state of the art, the costs of implementation, the nature of the data, the context and purposes of the processing, as well as the associated risks. Likewise, by default, only the specific personal data strictly necessary for the activity should be processed.

The new law also includes various obligations related to information security and cybersecurity. Thus, the data controller must adopt the necessary measures to guarantee compliance with the security principle, ensuring the confidentiality, integrity, availability and resilience of data processing systems. They must also prevent the unauthorised alteration, destruction, loss or processing of, or access to, data.

Security measures may include:

  • pseudonymisation and encryption of personal data;
  • guaranteeing the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • ability to restore the availability and access to data quickly in case of incidents; and
  • regular processes for verification, evaluation and assessment of the effectiveness of security measures.

In addition, the data controller must report to the Agency any security breach that results in the destruction, leakage, loss or unlawful alteration of data, or unauthorised access to it, especially if there is a risk to the rights of data subjects.

There are no specific regulations in Chile on the subject of cybersecurity and AI. Therefore, general rules apply, including the Cybersecurity Framework Law and any specific or general instructions that the National Cybersecurity Agency may issue in this regard.

However, SERNAC, the temporary controlling authority for personal data protection in the context of consumer relations, issued an interpretative circular regarding AI systems and consumer safety. It is important to remember that these circulars are not generally binding but only apply to SERNAC officials in the context of supervisory activities, which could result in a complaint being filed with the courts (SERNAC does not have direct sanctioning powers).

In the Interpretative Circular on consumer protection against the use of AI systems – consumer safety, SERNAC has interpreted that, in view of the general obligation incumbent on suppliers to provide security to consumers, AI systems in the context of a consumer relationship must present adequate standards of precision, reliability and technical effectiveness to obtain well-founded results and to avoid causing harm to consumers of a material or immaterial nature.

Specifically, SERNAC interprets this duty as translating into the need to apply appropriate technical and organisational security measures, which guarantee the confidentiality, integrity and availability of the personal data in question, considering especially the risks involved in the processing activities and the nature of the data stored (including, among other elements, their level of sensitivity).

The healthcare sector in Chile is considered one of the most vulnerable and critical sectors due to the high sensitivity of patient data and the essential nature of its clinical operations. To address these challenges, the Ministry of Health (MINSAL) issued Resolution 853 in April 2025, which approves the updated Cybersecurity Instruction for the Health Sector. This regulatory framework integrates with the Cybersecurity Framework Law No 21.663 to ensure that the entire health ecosystem maintains the confidentiality, integrity, and availability of its systems.

Scope and General Obligations

Cybersecurity obligations apply to all institutions within the health sector, including the Ministry, its undersecretariats, SEREMI, hospital services, and Primary Health Care centres. The Cybersecurity Framework Law specifically classifies health services provided by hospitals, clinics, and medical centres as essential services. Consequently, many of these entities have been qualified as operators of vital importance (OIV), which subjects them to the highest level of regulatory scrutiny and more stringent defensive requirements.

Health sector entities are required to implement a continuous Information Security Management System (ISMS) based on international standards such as ISO/IEC 27001. This system must be supported by a robust governance structure, including the appointment of a Chief Information Security Officer (CISO) and the active involvement of the board of directors. Furthermore, institutions must maintain a documented Strategic Security Plan and perform regular risk assessments to identify vulnerabilities in their critical assets.

Medical Devices and IoT Requirements

Connected medical devices and Internet of Things (IoT) devices are identified as essential components of the technological infrastructure in modern healthcare. These devices, which include infusion pumps, monitors and pacemakers, must comply with specific technical and organisational security controls. The current regulations require entities to maintain a detailed inventory of all IoT assets and to implement network segmentation (VLANs) to isolate these devices from other critical systems.

Access controls for medical devices must be strictly managed, involving the removal of default factory credentials and the implementation of multi-factor authentication where feasible. Manufacturers and providers are obligated to deliver regular security patches and firmware updates, accompanied by documentation of any security tests performed. Before any IoT device is put into operation, the institution must conduct penetration testing and evaluate the potential impact on clinical interoperability.

Procurement Requirements

Procurement processes for information technology services must also incorporate specific cybersecurity requirements. Contracts with third-party providers must include explicit clauses requiring the provider to comply with MINSAL security guidelines and the Framework Law. When using cloud services, health institutions must perform enhanced due diligence to ensure that the provider maintains security levels at least equivalent to national regulations, particularly regarding data encryption and sovereign data handling.

Magliona Abogados

Avda Andrés Bello 2687
Piso 24
Las Condes
Santiago
Chile

+56 2 3210 0030

+56 2 377 9451

contacto@magliona.cl
www.magliona.cl