Chile does not currently have a single horizontal statute equivalent to the EU Digital Services Act regulating online harms, platform governance, systemic risks, notice-and-action mechanisms or general content moderation duties. Obligations arise from a layered framework, depending on the provider’s role, the service, the content or conduct involved, and whether the provider operates in a regulated sector.
The closest regime to intermediary liability is found in the Intellectual Property Law, which provides conditional liability limitations for internet service providers in copyright and related rights matters. It distinguishes transmission, caching, hosting, search, linking and reference services, and generally links takedown obligations to statutory procedures and judicial orders. This regime is limited to IP matters and does not create a general online safety framework.
Online marketplaces and e-commerce platforms are mainly regulated through consumer protection and e-commerce transparency rules. These require clear information on the seller, platform role, product or service, total price, terms, delivery, withdrawal rights and after-sales support. They are aimed at transparency and consumer protection, not general content moderation.
Other layers apply depending on the issue. The Computer Crimes Law is relevant for malicious activity, fraud, unlawful access and data interference. The Cybersecurity Framework Law applies to essential services and operators of vital importance. Data protection rules apply where platforms collect, profile, personalise, monitor or otherwise process user data.
Telecoms rules also matter where the provider acts as an internet access provider. Internet access is treated as a public telecommunications service, and net neutrality rules restrict arbitrary blocking or interference with lawful content, applications and services. In regulated sectors, such as fintech, payments, banking and outsourcing, additional CMF and Central Bank rules may apply.
Chile does not have a DSA-style classification of online platforms based on size, reach or systemic impact. There is no local equivalent to “very large online platforms” or “very large online search engines”. Chilean law classifies online actors mainly by function, service type and sector.
In intellectual property matters, the law distinguishes between transmission, caching, hosting, search, linking and reference services for purposes of the ISP safe harbour regime. This is relevant to copyright liability, but not a general platform governance classification.
In e-commerce, consumer rules distinguish between sellers, providers and platform operators. This affects information and transparency duties, including disclosure of seller identity, platform role, product or service features, price, delivery, availability, withdrawal rights and after-sales support.
Telecoms law separately regulates internet access providers, focusing on connectivity, quality, continuity and net neutrality. Cybersecurity law introduces a risk-based classification based on criticality, applying enhanced duties to essential services and operators of vital importance.
Financial regulation also creates functional categories, including fintech providers, open finance participants, payment initiation providers, card issuers, card operators, sub-acquirers and payment processing providers. Overall, Chile classifies digital actors by function, risk and regulatory role rather than platform scale.
Chile does not have a single regulator equivalent to an EU Digital Services Co-Ordinator. There is no authority with general jurisdiction over all online content, online safety and platform governance. Enforcement is distributed among regulators, courts and public authorities depending on the issue.
For online content, there is no administrative authority with general powers to supervise moderation policies or order removal of all illegal or harmful content. Copyright takedown is linked to the ISP safe harbour regime and judicial procedures. Online criminal conduct is enforced by the Public Prosecutor’s Office and criminal courts.
For e-commerce and marketplaces, SERNAC is relevant for consumer protection, platform transparency, advertising, information duties, online contracting and consumer complaints. For cybersecurity, ANCI supervises entities subject to the Cybersecurity Framework Law, including essential services and operators of vital importance.
For personal data, the new Data Protection Agency will supervise how online services collect, use, profile, share, secure and otherwise process personal data once the new regime becomes fully effective. For internet access and telecoms, SUBTEL supervises telecoms networks, spectrum, quality, continuity and net neutrality.
For digital financial services, fintech, open finance, payments and technology outsourcing in the financial sector, the CMF is the key regulator, with the Central Bank also issuing important payment rules. A platform may therefore interact with SERNAC, ANCI, the Data Protection Agency, SUBTEL, CMF, the Central Bank, prosecutors or courts depending on the service and risk.
Chile does not have a single e-commerce code. The main framework for e-commerce and online contracting combines contract law, consumer protection, electronic signatures, data protection and sector-specific rules where the online service involves payments, financial services, telecoms or other regulated activities.
For B2C e-commerce, the Consumer Protection Law and the E-Commerce Regulation are central. They regulate online contracting, advertising, pricing, unfair terms, warranties, withdrawal rights, consumer information, platform roles and SERNAC enforcement.
Online contracts are supported by the Electronic Signature Law, which recognises electronic documents and signatures, functional equivalence with paper documents and the distinction between simple and advanced electronic signatures, subject to statutory exceptions.
General civil and commercial contract rules continue to apply, including consent, offer and acceptance, capacity, object, cause, performance, breach and evidence, unless special consumer, electronic signature, payment or sector rules apply.
Data protection is another key layer for customer registration, profiling, marketing, analytics and automated processing. Where online contracting involves payments or regulated financial services, additional rules apply on unauthorised transactions, fintech services, open finance, card payments, payment systems and CMF/Central Bank supervision.
Businesses contracting online in Chile must comply with consumer protection, e-commerce, contract, electronic signature, data protection and payment rules. The key obligation is practical: consumers must receive clear, complete and timely information before purchasing, the online acceptance process must be clear, and the consumer must receive confirmation once the contract is concluded.
In B2C transactions, sellers and platform operators must provide accessible information on the seller, contact details, platform role, product or service, total price, charges, delivery costs, availability, delivery or performance conditions, payment methods, after-sales support and legal or contractual guarantees.
A consumer’s mere visit to a platform does not create an obligation to contract. The consumer must unequivocally accept the terms and conditions, and businesses should ensure that online terms, advertising, promotions and displayed offers are consistent. Misleading information may trigger consumer liability.
Electronic contracting is generally valid, but businesses should design flows that evidence consent, identity, date, accepted terms, contract version, notices and confirmation. Advanced electronic signatures may be needed or advisable where stronger evidence is required.
Online businesses must also comply with data protection obligations for account creation, purchases, delivery, support, marketing, profiling, analytics, fraud prevention and automated processing. Where payments or regulated financial services are involved, further rules apply on payment channels, unauthorised transactions, security, authentication and regulatory supervision.
Online contracts are generally valid and enforceable in Chile. There is no special formality merely because a contract is entered into online. The starting point is ordinary contract law: capacity, consent, lawful object and lawful cause, plus commercial rules on offer and acceptance where relevant.
The Electronic Signature Law recognises electronic documents and signatures and is based on technological neutrality, functional equivalence and international compatibility. Acts and contracts executed electronically generally produce the same effects as paper-based contracts, subject to statutory exceptions.
For most private online contracts, a simple electronic signature or electronic acceptance mechanism is sufficient if consent can be evidenced. This may include click-through acceptance, platform workflows, electronic execution or other processes that identify the user and preserve the accepted terms.
Advanced electronic signature is required where the electronic document has the status of a public instrument and is often used where stronger evidence of identity, integrity, date and non-repudiation is advisable. Certain acts remain excluded, such as those requiring non-electronic solemnities, personal appearance or family law formalities.
In B2C e-commerce, consumers must have clear prior access to terms and the ability to store or print them. Before payment, a transaction summary must be displayed, and after conclusion the seller must send written confirmation. The main practical issue is therefore not validity alone, but evidence of consent, terms, notices and confirmation.
Customers in Chile do not usually require on-premise licensing because SaaS is legally restricted. SaaS and cloud models are widely used. However, regulated, critical or legacy-heavy customers may prefer on-premise models because they offer greater control over infrastructure, data, security, continuity and customisation.
A first driver is regulatory and operational control. Banks, payment companies, utilities, telecoms operators, healthcare providers and other sensitive businesses may need to demonstrate control over technology environments, outsourced services, auditability, incident response and business continuity.
Data control is also important. Customers may prefer on-premise deployment where they process sensitive, confidential, regulated or strategically important data, especially where they have concerns about data location, cross-border access, subcontracting, encryption or regulator and court requests.
Continuity, legacy integration and customisation also matter. Some systems must remain available during connectivity failures, provider outages or cloud disruptions, and many large companies still operate core systems that were not designed for cloud-native integration.
Vendor lock-in and pricing may also influence the decision. SaaS gives suppliers more control over hosting, upgrades, pricing, feature changes and end-of-life decisions. Some customers also prefer capital expenditure or perpetual licences over recurring subscriptions. Hybrid models remain common.
Suspension rights in Chilean software, SaaS and technology services agreements are mainly contractual. There is no single statutory list of triggers. Providers typically seek suspension rights for non-payment, unauthorised use, security risks, legal or regulatory requirements, and conduct affecting the platform or other customers.
The most common trigger is non-payment after notice and a cure period. Customers, especially regulated or operationally sensitive customers, usually negotiate prior notice, escalation, partial suspension, continued data access and exceptions for disputed invoices or critical services.
Providers also seek suspension for unauthorised use, such as exceeding users, environments, API calls or volumes, sharing credentials, reverse engineering, scraping, misuse, breach of acceptable use policies, or interference with service performance.
Security triggers are increasingly important. Providers often request immediate suspension where the customer creates a real or suspected security risk, introduces malware, compromises credentials, affects platform integrity or threatens other customers.
Legal, regulatory and data-related triggers are also common. Providers may suspend where continued service would breach law, a court order, regulatory instruction, sanctions, IP, privacy or cybersecurity requirements. Regulated customers normally seek proportionality, co-operation, emergency data access, transition assistance and clear reinstatement procedures.
Audit rights are increasingly important in Chilean software, SaaS, cloud and technology services agreements, especially where the customer is regulated or the service involves personal data, cybersecurity, payments, critical operations or outsourcing.
Customers typically request audit rights covering security, availability, data protection, continuity, disaster recovery, subcontracting and regulatory compliance. This may include policies, certifications, penetration testing summaries, incident records, access controls, encryption, backups, service levels, data processing terms and subcontractor controls.
Regulated financial institutions and payment companies are especially focused on auditability. For them, audit rights are part of regulatory risk management, and providers may need to support audits, regulatory inspections, subcontractor disclosure, continuity reviews and exit planning.
Cloud and multi-tenant SaaS providers usually resist broad on-site audits. Market practice often relies on SOC reports, ISO certifications, security questionnaires, third-party audit reports, compliance portals, penetration testing summaries and customer-specific audit meetings.
Providers also request audit rights to verify licence compliance, users, environments, installations, API usage, storage, transaction volumes and misuse. Modern clauses define scope, frequency, notice, permitted auditors, confidentiality, records, remediation, costs and regulatory access.
Escrow clauses are not standard in all Chilean software contracts. They are relatively uncommon in ordinary SaaS agreements, especially multi-tenant cloud services where the customer does not receive, install or operate the software. In those cases, customers usually negotiate data export, transition assistance, continuity commitments, termination support and backups instead of source code escrow.
Escrow remains relevant for critical software, bespoke developments, on-premise deployments, private cloud, core systems and technology supplied by smaller or highly specialised vendors. Customers may request it where the software is difficult to replace, deeply integrated or essential for regulated or sensitive operations.
Typical deposits include source code, build instructions, technical documentation, configuration files, deployment scripts and materials needed to maintain or operate the software. More sophisticated arrangements require periodic updates and verification that the code can be compiled and used.
Release triggers commonly include insolvency, cessation of business, discontinuation of support, material breach of support obligations, critical service failure or termination where the customer needs continued access to operate the software.
Escrow must be carefully drafted from an IP perspective. Deposit does not transfer ownership. The contract should define the customer’s licence upon release, permitted users, confidentiality, trade secrets, third-party components, open source and restrictions on commercial exploitation.
SaaS availability commitments in Chile are mainly contractual, but increasingly influenced by cybersecurity, data protection, business continuity and sector regulation. Customers typically expect uptime commitments, maintenance rules, support, incident management, backups, recovery and remedies for missed service levels.
The core commitment is usually an availability SLA measured monthly or annually. The clause should define how availability is calculated, exclusions from downtime, measurement tools, and whether the SLA applies to the platform, modules, APIs or critical functions. Scheduled maintenance, emergency maintenance, customer-caused downtime and third-party network failures are common exclusions.
Maintenance and support commitments are also important. Customers often request prior notice, defined maintenance windows, limits on disruption, support channels, severity levels, response times, escalation, incident communications and remediation obligations.
For continuity, customers seek backup, restoration, redundancy, disaster recovery, recovery time and recovery point commitments. Regulated or critical customers may also require tested continuity plans, evidence of testing and support for their own regulatory obligations.
Remedies are usually service credits, but customers often resist making credits the sole remedy for repeated failures, prolonged outages, data loss, confidentiality breaches or failures affecting critical regulated services. Termination rights, audit, regulatory access, data export and transition assistance are increasingly negotiated.
Chile does not yet have a fully enacted general statute regulating the use or development of AI solutions. AI systems are currently governed through general and sector-specific laws, including data protection, consumer protection, cybersecurity, IP, civil liability, employment, financial regulation and public sector rules, depending on the use case.
Chile is actively moving toward a general AI regime. A bill regulating AI systems is under legislative discussion and follows a risk-based structure influenced by international AI governance trends, including the EU AI Act, OECD principles and UNESCO recommendations.
The bill would apply to providers placing AI systems on the Chilean market or putting them into service in Chile, implementers domiciled in Chile, and foreign providers or implementers where the output is used in Chile. It defines key actors across the AI value chain.
The proposed framework classifies AI systems by foreseeable risk: unacceptable risk, high risk, limited risk and no evident risk. High-risk systems would be subject to risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy, robustness and cybersecurity obligations.
The bill also includes governance and enforcement mechanisms, serious incident reporting, sandboxes, confidentiality, administrative sanctions and civil liability. Until enacted, AI compliance in Chile remains a layered exercise based on data, cybersecurity, sector regulation, IP, contracts and risk management.
Chile does not yet have a complete set of AI-specific lower-level regulations issued under a general AI statute. The current landscape combines soft-law instruments, public sector guidance and sector-driven rules that apply where AI involves personal data, cybersecurity, outsourcing, finance, payments, public procurement or public sector decision-making.
The most AI-specific instrument currently in place is the public sector circular issued by SEGPRES and the Ministry of Science in December 2023. It provides recommended guidelines for public bodies on responsible, ethical, safe and transparent use of AI tools.
The circular covers suitability of AI, avoidance of arbitrary discrimination, citizen participation where rights may be affected, transparency and explainability, privacy and data use, restrictions on entering personal or sensitive data into non-approved generative AI tools, training and cybersecurity.
The National AI Policy Action Plan is also relevant, although not binding. It includes initiatives on data governance, the Data Protection Agency, cybersecurity, algorithmic transparency, standards for critical AI applications, anonymisation, public sector AI, procurement criteria and sandboxes.
In the private sector, AI-specific rules remain fragmented. Financial, cybersecurity and data protection rules are highly relevant when AI is used in regulated services, outsourcing, payment infrastructure, profiling, scoring, fraud prevention, automated analysis or decision support.
AI self-regulation in Chile exists but remains uneven and developing. There is no general statutory obligation requiring all companies to adopt an internal AI governance programme, but larger companies, regulated entities, multinational groups and technology-intensive businesses are increasingly doing so.
This trend is driven by the pending AI bill, the new data protection framework, cybersecurity requirements, sector regulation, group-level compliance policies and international standards. Financial services, technology, retail, healthcare, telecoms and utilities are more likely to treat AI governance as part of compliance, privacy, cybersecurity, outsourcing and operational risk.
Common measures include AI acceptable-use policies, approval processes for new tools, restrictions on public generative AI platforms, prohibitions on uploading personal, sensitive, confidential or client data into non-approved tools, and internal AI registers.
Companies also use vendor due diligence, contractual controls, cybersecurity review, data protection assessments, human oversight, staff training and escalation procedures. For AI used in scoring, HR, fraud detection, marketing, compliance or document automation, documentation, explainability, bias controls, data quality and auditability are increasingly important.
International frameworks such as OECD, UNESCO, the EU AI Act, NIST AI RMF and ISO AI standards are used as references even when not binding. The market is moving from informal controls toward more formal AI governance, especially in regulated, multinational and high-risk environments.
Customers in Chile increasingly seek AI-specific contractual protections, especially for generative AI, decision-support tools, personal data, regulated activities, cybersecurity risk and customer-facing uses. They no longer treat AI simply as ordinary software.
A first requirement is a clear description of the AI use case and roles. Contracts should distinguish general-purpose AI, SaaS with embedded AI, bespoke development, fine-tuning, APIs, decision-support tools and managed services, because obligations on performance, explainability, data, outputs and liability vary.
Data clauses are central. Customers seek commitments that customer data, prompts, files, outputs, personal data, confidential information and business data will not be used to train or improve models unless expressly authorised. They also regulate retention, access, location, subcontracting, transfers, deletion, anonymisation and security.
Customers also request transparency, documentation and auditability, including capabilities and limitations, model versioning, testing, data sources at a high level, accuracy, bias controls, human oversight, logs and explainability. For higher-risk uses, impact assessments and risk management may be required.
IP, security and output risk are heavily negotiated. Customers seek clarity on prompts, outputs, fine-tuned models, embeddings, datasets and bespoke developments; indemnities for third-party IP claims; safeguards against hallucinations, bias, harmful content and prompt injection; and future-proofing clauses for regulatory change.
AI-related liability in Chile is currently addressed mainly by contract because there is not yet a fully enacted general AI liability regime. Parties allocate risk through warranties, disclaimers, indemnities, liability caps, carve-outs, compliance duties, human review, data protection, cybersecurity, IP and incident response clauses.
A common approach is to distinguish liability for the AI tool from liability for the customer’s use of it. Suppliers state that outputs may be probabilistic or inaccurate and should be reviewed. Customers seek commitments that the system is tested, documented and configured for the agreed purpose.
Generative AI contracts increasingly address hallucinations, inaccurate outputs and customer decisions based on outputs. Customers try to narrow disclaimers where the supplier made specific performance claims, provided a bespoke or fine-tuned model, controlled the workflow or marketed the tool for a regulated or high-impact use.
Data and IP liability are major negotiation points. Contracts allocate responsibility for lawful input data, prompts, training data and fine-tuning datasets. Customers seek protection against unauthorised training, disclosure, unlawful transfers, security incidents and third-party IP claims.
Liability caps are becoming more differentiated. Suppliers seek aggregate caps and exclusions, while customers request carve-outs or higher caps for confidentiality, data protection, IP, cybersecurity, fraud, wilful misconduct, gross negligence, regulatory fines caused by the supplier and failures affecting critical services.
AI providers in Chile are mainly concerned with avoiding an excessive transfer of risk, especially while the AI regime and market standards are still evolving. Their concerns usually relate to outputs, customer misuse, data rights, IP, confidentiality, cybersecurity, auditability and future regulatory change.
A key concern is liability for outputs. Providers resist full responsibility for hallucinations, inaccurate or biased results, or decisions made by the customer where the customer controls the use case, inputs, prompts, configuration, workflow or final decision. They usually require human review and acceptable-use restrictions.
Providers are also concerned about misuse, including unlawful, discriminatory, infringing, abusive or high-risk uses outside scope, scraping, reverse engineering, model extraction, prompt injection, bypassing safety controls, or uses affecting third parties or other customers.
Data and IP are heavily negotiated. Providers want customers to be responsible for the lawfulness and quality of inputs, prompts, training data and fine-tuning datasets. They also seek to preserve ownership of models, algorithms, pre-existing technology, documentation, know-how, embeddings, generic improvements and platform developments.
Transparency, audit and cybersecurity requests are another concern. Providers must balance customer and regulator demands against confidentiality, trade secrets, security and obligations to other customers. They also seek suspension, investigation, cooperation and change-control rights where customer use creates platform or compliance risk.
Chile does not have a single statute comprehensively regulating IT services. The framework is layered: contract law applies first, then cross-cutting and sector-specific rules depending on the service, customer, data, infrastructure and regulated sector.
General civil and commercial rules govern consent, obligations, liability, termination and damages. Where the service involves software licensing, development, implementation, support, maintenance or assignment of rights, IP rules are relevant for software, source code, documentation, databases, licences, permitted use and infringement risk.
Data protection is a key overlay because IT providers often process, host, access or support systems containing personal data. Contracts must address lawful basis, controller/processor roles, confidentiality, security, rights, subcontractors, international transfers, breach management, retention, deletion and auditability.
Cybersecurity is another important layer, especially where IT services support essential services, critical infrastructure, managed IT, telecoms, financial services, payments, healthcare, energy, water or transport. Customers increasingly expect security-by-design, privacy-by-design, incident response, vulnerability management, logging, continuity and reporting.
Regulated financial entities face a stronger overlay on outsourcing, security, continuity, incidents, provider controls, audit, subcontracting, data location, exit plans and regulatory access. Public-sector IT is affected by public procurement and digital government rules, while B2C services must also consider consumer protection and e-commerce requirements.
A typical IT services liability clause in Chile combines a general liability cap, exclusions for certain damages, specific indemnities and carve-outs for higher-risk breaches. It should be tailored to the service, customer sector, data, system criticality and regulatory requirements.
The starting point is usually an aggregate cap linked to fees paid or payable over a defined period. For ordinary failures, delays, implementation issues, support failures or non-critical downtime, suppliers seek to limit liability to direct damages. SaaS and managed services often use service credits for availability failures.
Contracts commonly exclude indirect, consequential, punitive or special damages, loss of profit, revenue, business opportunity, goodwill, anticipated savings and business interruption. Customers resist broad exclusions where the service is critical, regulated or supports customer-facing operations, payments or core systems.
Specific indemnities usually cover third-party IP claims, confidentiality breaches, unauthorised use of customer data, data protection violations, supplier-caused cybersecurity incidents, employment or subcontractor claims, and damage caused by supplier personnel or subcontractors.
Carve-outs are heavily negotiated. Customers seek uncapped or higher-capped liability for fraud, wilful misconduct, gross negligence, confidentiality, personal data, IP, security breaches, supplier-caused regulatory fines, audit/compliance breaches, data loss and failures affecting critical regulated services.
Warranties in Chilean IT services contracts are mainly contractual and should be tailored to the service, sector, customer profile and data or systems involved. A standard package covers professional performance, specifications, personnel, legal compliance, IP, security, confidentiality, data protection and, where relevant, service levels, interoperability and continuity.
A basic warranty is that services will be performed professionally and diligently, in accordance with the contract, statement of work, specifications, documentation, project plan and industry standards. Implementation, support and managed services contracts also include milestones, deliverables, acceptance criteria, response times and SLAs.
Personnel warranties usually cover qualified staff, supervision, key personnel continuity, and supplier responsibility for employees, subcontractors and affiliates. On-site or staff augmentation arrangements may also cover labour, health and safety, access, confidentiality and customer policies.
IP warranties are important in software and technology services. Suppliers are expected to warrant that they have sufficient rights to provide software, tools, documentation, deliverables and services, and that authorised use will not infringe third-party IP rights, subject to common supplier exclusions.
Security, data and confidentiality warranties are increasingly central. Customers expect reasonable technical and organisational measures, no intentional malware or backdoors, confidentiality controls, data processing only under instructions, breach assistance, subprocessor control, deletion or return of data, and continuity or support commitments for SaaS, cloud and managed services.
Agile methodology is increasingly used in Chilean IT projects, particularly in software development, platform implementation, systems integration, cloud migration, data analytics and AI-related projects. It is most useful where the customer does not have a fully fixed specification at the outset and the project requires iterative design, testing, feedback and adjustment.
In practice, many contracts are not purely agile. Sophisticated projects usually combine agile delivery with more traditional contractual structures, such as master services agreements, statements of work, governance committees, project plans, budget limits, service levels, acceptance criteria, change control and milestone or sprint-based payments. This hybrid approach preserves flexibility while giving legal certainty on scope, price, responsibility and deliverables.
Key drafting points include the agile framework, party roles, backlog, sprint planning, sprint duration, demos, testing, acceptance and escalation. Customer responsibilities are also important: appointing a product owner, prioritising the backlog, providing timely feedback, making users available and approving deliverables.
Pricing is usually time-and-materials, capacity-based or sprint-based, sometimes combined with caps, target prices, milestones or hybrid models. Acceptance is also adapted: rather than one final acceptance, contracts may include acceptance by sprint, user story, release, module or minimum viable product.
For regulated or public-sector customers, agile requires more discipline around documentation, auditability, security, continuity, change management and procurement rules. Overall, agile contracting is present in Chile, but usually in a controlled hybrid form. The main legal challenge is to allow iteration without losing certainty on governance, IP, data, security, change control and termination.
Payment models for IT services in Chile vary according to the type of service, project maturity, scope uncertainty, procurement rules and whether the service is software, SaaS, cloud, outsourcing, implementation, support or consulting. Hybrid models are common.
Fixed-price models are used where scope, deliverables, timeline and acceptance criteria are sufficiently clear, such as defined implementation phases, migrations, integrations or discrete software developments. Suppliers usually require assumptions, exclusions, change control and customer-dependency clauses.
Time-and-materials models are common in consulting, agile projects, support, troubleshooting, cybersecurity, data analytics and evolving projects. They usually include hourly or daily rates, rate cards, estimated budgets, monthly invoicing, approval workflows and sometimes caps or not-to-exceed amounts.
Milestone payments are frequent in implementation and development projects, with payment linked to modules, testing, acceptance, go-live, migration, stabilisation or handover. Subscription and recurring fees are typical for SaaS, cloud, software maintenance, support and managed services. Usage-based pricing is increasingly relevant for cloud, APIs, AI tools, analytics and infrastructure services.
Dedicated team or capacity-based models are also common in outsourcing, staff augmentation, managed services and agile delivery. Overall, Chilean IT contracts often combine fixed implementation fees, recurring subscription or support fees, time-and-materials for enhancements, consumption-based cloud charges and service credits for SLA failures.
The core telecommunications statute in Chile is the General Telecommunications Law, supplemented by regulations, technical rules, plans and administrative instructions issued mainly through the Ministry of Transport and Telecommunications and SUBTEL.
The law defines telecommunications broadly and classifies services into categories such as broadcasting services, public telecommunications services, limited telecommunications services, amateur radio services and intermediate telecommunications services. It also regulates installation, operation and exploitation of services, spectrum, concessions, permits, interconnection, portability and roaming.
A key recent development is the Internet as a Public Service reform, which brings internet access expressly within public telecommunications services and reinforces principles such as technological neutrality, universal access, continuity, convergence, infrastructure sharing, transparency and efficient use of spectrum and public resources.
Net neutrality is another important component. Internet access providers must not arbitrarily block, interfere with, discriminate, hinder or restrict lawful content, applications or services, subject to technical network management and legal exceptions.
Telecoms providers are also subject to consumer protection, data protection, cybersecurity and, where relevant, computer crime and electronic contracting rules. Therefore, the Chilean telecoms framework is built around the Telecommunications Law and SUBTEL rules, but must be read together with internet public service, net neutrality, spectrum, consumer, cybersecurity and data protection regimes.
The main telecommunications regulator in Chile is SUBTEL, the Undersecretariat of Telecommunications. SUBTEL is part of the Ministry of Transport and Telecommunications and is the specialist authority responsible for applying and supervising the Telecommunications Law and its regulations.
SUBTEL’s role includes technical regulation, supervision, inspection and enforcement. It participates in concessions, permits and authorisations; administers and controls spectrum; issues technical rules; supervises providers; monitors compliance with service, quality, infrastructure, interconnection, portability and roaming obligations; and may initiate sanctioning procedures within its powers.
The Ministry of Transport and Telecommunications is relevant as the sector ministry and public policy authority. Certain decrees, concessions and policy decisions are issued through the Ministry, while SUBTEL acts as the specialised technical and regulatory arm.
Other authorities may become relevant depending on the issue. Competition matters may involve the Fiscalía Nacional Económica and the Tribunal de Defensa de la Libre Competencia. Consumer matters may involve SERNAC. Cybersecurity matters may involve the National Cybersecurity Agency, and data protection matters will involve the Data Protection Agency once fully operational.
The National Television Council may be relevant for television broadcasting and audiovisual content, while SUBTEL remains relevant for the technical telecommunications layer. Therefore, SUBTEL is the core telecoms regulator, but operators may interact with competition, consumer, cybersecurity, data protection and audiovisual authorities.
Telecommunications-related activities are regulated when they involve the installation, operation or exploitation of telecommunications services, networks, systems, spectrum or infrastructure in Chile. The need for a concession, permit or authorisation depends mainly on the type of service, use of spectrum, whether the service is offered to the public and whether the provider operates infrastructure or merely purchases connectivity from an authorised operator.
The Telecommunications Law classifies services into broadcasting, public telecommunications, limited telecommunications, amateur radio and intermediate telecommunications services. Public services are those intended to satisfy the telecommunications needs of the general community, and internet access is now expressly included within that category.
Public telecommunications services, broadcasting services and intermediate services are generally subject to a concession regime. Limited telecommunications services are also regulated, but are usually directed to specific communication needs of identified companies or persons and may be subject to permits depending on their technical features and use of spectrum.
Use of radio spectrum is separately regulated because spectrum is a national public good and use rights are temporary. Wireless systems, broadcasting, mobile services and other radio-based activities must therefore be analysed from a spectrum authorisation perspective.
Pure IT services, SaaS, cloud hosting, software development, managed services or data processing do not normally require a telecoms concession merely because they are technology services. However, a telecoms analysis is needed if the provider operates networks, offers connectivity to the public, resells regulated services, uses spectrum, deploys transmission infrastructure or provides internet access.
Interconnection and roaming in Chile are regulated mainly under the Telecommunications Law and SUBTEL’s technical and administrative rules. Public telecommunications services must be designed to interconnect with other public telecommunications services, so that users can communicate across networks and operators.
Interconnection obligations are particularly relevant for public and intermediate telecommunications services. Public services serve the general community and include internet access. Intermediate services are provided through facilities and networks to satisfy the needs of concessionaires or permit-holders, or to provide international long-distance services.
Operators may install their own systems or use systems belonging to other companies, according to their concessions. Public and intermediate operators may also deploy or cross lines and radiating systems on public assets and certain fiscal or concession-related infrastructure, subject to legal, technical and municipal rules.
Roaming is specifically regulated in the mobile environment. Spectrum-holding public service concessionaires must allow access to, and use of, their facilities by other concessionaires or entities seeking to become concessionaires, for mobile virtual network operation and automatic roaming in the cases established by law.
Interconnection and roaming also interact with competition rules. Contractually, these arrangements usually address technical interfaces, traffic routing, capacity, security, numbering, quality, testing, maintenance, fault management, confidentiality, billing, liability, continuity and regulatory co-operation.
Consumer protection for telecoms services in Chile combines general consumer law and sector-specific telecoms regulation. Providers dealing with consumers must comply with consumer protection rules, the Telecommunications Law, SUBTEL rules and, where services are contracted online, e-commerce regulation.
The main obligations are transparency, truthful information and fair contracting. Providers must give clear and timely information on the service, provider identity, coverage, price, tariffs, charges, equipment, duration, renewal, suspension, termination, technical limitations and applicable conditions. Advertising claims may become part of the contract, and misleading claims may trigger liability.
Telecoms contracts with consumers are usually adhesion contracts, so they must be clear and avoid unfair terms. Particular care is needed with unilateral changes, suspension, limitation of liability, price increases, automatic renewals, termination charges, billing, service bundles and equipment financing.
Sector regulation adds obligations on service continuity, quality, portability, interconnection, network access and SUBTEL supervision. Internet access is now treated as a public telecommunications service, which reinforces rules on continuity, universal access, transparency and user mobility.
Online contracting triggers additional e-commerce duties, including pre-payment summaries, confirmation of contract and information on termination mechanisms for recurring contracts. Data protection is also central because telecoms operators process customer, contact, billing, location and traffic-related data.
In Chilean IT contracts, parties usually distinguish background IP and foreground IP through express definitions and ownership clauses. Background IP covers pre-existing or independently developed software, code, tools, libraries, APIs, templates, methodologies, documentation, know-how, trade secrets, data and materials. Foreground IP refers to deliverables, developments, configurations, integrations, documentation, works, inventions or other materials specifically created under the contract.
The starting point is that each party retains its background IP. The customer grants the supplier a limited licence to use customer materials, systems, data, brands and confidential information to perform the services. The supplier grants the customer a licence to use supplier background IP embedded in deliverables, as necessary to receive and use the contracted services.
For software, this is particularly important because Chilean copyright law protects computer programs in source and object code, including preparatory documentation, technical descriptions and user manuals. Although the law contains default rules for employee-created and commissioned software, parties usually regulate ownership expressly because projects often include pre-existing tools, third-party components, open-source software and reusable know-how.
In bespoke development, customers often seek ownership or broad rights over project-specific deliverables, including custom code, specifications, configurations, workflows, reports, interfaces and documentation. Suppliers seek to exclude generic tools, accelerators, methodologies, reusable code, libraries, know-how and non-customer-specific improvements.
In SaaS, cloud and standard software implementation projects, the supplier usually retains the platform, standard software, updates, APIs, documentation and general product improvements. The customer typically owns or controls its data and business materials and receives contractual usage rights.
In technology contracts in Chile, the IP rights most commonly addressed are copyright in software and documentation, database and compilation rights, trade marks and branding, patents and technical inventions, industrial designs, trade secrets, know-how, confidential information, open-source and third-party components and, increasingly, data and AI-related assets.
Software is usually the central IP asset. Chilean copyright law protects computer programs in source and object code, including preparatory documentation, technical descriptions and user manuals. Contracts therefore focus on source code, object code, custom developments, configurations, APIs, scripts, connectors, patches, updates, documentation and manuals.
Technical documentation, manuals, specifications, architecture documents, training materials and reports are also important, especially for implementation, maintenance, audit, compliance and transition. Databases and compilations may be protected where selection or arrangement constitutes an intellectual creation, although the underlying data itself may require separate contractual treatment.
Trade marks, logos, product names, domain names and branding are relevant in SaaS, platforms, marketplaces, telecoms, e-commerce, fintech and consumer-facing services. Patents and technical inventions are less common in ordinary software services, but relevant in hardware, telecoms, cybersecurity, AI, IoT, healthtech, industrial technology and R&D.
Trade secrets, know-how and confidential information are heavily negotiated. Open-source and third-party components are also central, particularly around copyleft risk and commercial-use restrictions. AI projects increasingly address prompts, outputs, embeddings, fine-tuned models, datasets, synthetic data, feedback, logs and model improvements.
In Chilean technology contracts, parties usually allow ongoing use of generic know-how, while separating it from customer-specific confidential information, proprietary deliverables, personal data, trade secrets and project-specific IP.
Suppliers typically seek clauses confirming that they may continue to use general skills, experience, methodologies, ideas, processes, techniques, tools, templates, accelerators, frameworks, reusable code, libraries and know-how, provided they do not disclose or misuse the customer’s confidential information or infringe customer IP.
Customers usually accept this principle but impose boundaries. They normally prohibit reuse of customer data, business rules, internal processes, security information, system architecture, pricing, regulated information, trade secrets, custom code, bespoke documentation or materials created specifically for the customer, except as expressly permitted.
Contracts therefore distinguish general professional knowledge from protected materials. General knowledge may remain available to the supplier, especially where retained in unaided memory and not based on copying documents, code, datasets or confidential materials. Protected materials remain subject to confidentiality, IP, data protection, return/deletion and use restrictions.
In AI and data projects, drafting is becoming more detailed. Suppliers may seek to reuse general learnings, methods, model improvements and non-customer-specific analytics techniques, while customers restrict use of their data, prompts, outputs, embeddings, fine-tuning datasets and confidential business context.
Patent claims in Chile remain relatively specialised and less prevalent than other technology-related disputes, such as software licensing, copyright, trade secrets, data protection, confidentiality, cybersecurity, consumer protection and contractual disputes.
Patent matters are present but tend to be concentrated in sectors where patent protection is commercially central, such as pharmaceuticals, biotechnology, chemistry, mining, engineering, industrial technology, hardware, telecoms, clean technologies and university or R&D-driven innovation.
In ordinary IT, SaaS, cloud, outsourcing and software implementation contracts, patent claims are not usually the main source of disputes. Patent risk is more commonly addressed through IP ownership clauses, warranties, indemnities, third-party component controls, open-source clauses and responsibility for customer specifications or supplier technology.
That said, patent activity is becoming more visible. INAPI has reported increased national patent filings and improvements in patent processing times, suggesting stronger local patent awareness, particularly among inventors, universities, research centres and innovation-driven businesses.
Overall, patent claims appear relatively stable and specialised, while patent filings and patent awareness have increased. For technology contracts, this makes patent risk more relevant in due diligence and drafting, especially in R&D, AI, telecoms, healthtech, green technology, industrial technology and university spin-off projects.
Chile does not yet have a specific enacted statutory regime that fully determines ownership or authorship of AI-generated works. The issue is currently addressed through ordinary copyright, industrial property, contract, confidentiality, unfair competition and data protection rules, together with emerging administrative criteria and the pending AI bill.
Under Chilean copyright law, protection is built around works of the intellect and the concept of an author, making human creative contribution central. The current administrative approach of the Department of Intellectual Rights is that a result created autonomously by generative AI is not treated as a copyright-protected work. If AI is used as a tool to transform an original work owned by the applicant, registration may be possible case by case.
The practical distinction is between AI as an autonomous generator and AI as a tool within a human creative process. Where the human role is limited to prompting and selecting a machine-generated output, protection is uncertain. Where there is meaningful human selection, editing, direction, arrangement or transformation, ordinary copyright rules may apply.
For patents, Chile does not have a separate AI-inventorship regime. INAPI guidance on computer-implemented and AI-related inventions focuses on whether the invention solves a technical problem through technical means and meets ordinary patentability requirements. Applicants should define the technical problem, describe the technical contribution, avoid black boxes, claim a specific technical application and not claim source code as such.
The pending AI bill does not create a complete IP ownership regime for AI outputs, but it recognises IP issues through copyright principles, synthetic content transparency, incidents involving copyright infringement, and confidentiality for IP, trade secrets and source code. In practice, contracts should regulate prompts, outputs, datasets, training data, fine-tuned models, embeddings, logs, feedback, model improvements, confidentiality, warranties and indemnities.
Chile’s framework for data protection, information security and cybersecurity is built in layers rather than in a single statute. The main pillars are the Data Protection Law, the Cybersecurity Framework Law, the Computer Crimes Law, CMF financial-sector regulation, telecoms regulation, consumer protection rules, electronic contracting rules and digital government standards.
The Data Protection Law is the central regime for personal data. It has recently been modernised and now follows a structure closer to international standards, with clearer controller/processor roles, legal bases, enhanced data subject rights, rules on sensitive data, automated decisions, security, breach management, international transfers, compliance models, sanctions and a dedicated Data Protection Agency.
The Cybersecurity Framework Law creates the national cybersecurity framework, including the National Cybersecurity Agency and CSIRT structures, and introduces obligations for state bodies, essential services and operators of vital importance. It is relevant for telecoms, digital infrastructure, financial services, health, energy, transport, water, payment systems and managed IT services.
The Computer Crimes Law modernised Chilean criminal law in line with the Budapest Convention, covering unlawful access, attacks on systems and data, interception, computer fraud, misuse of devices and related conduct. It is also relevant for incident response, digital evidence and data preservation.
Financial-sector rules issued by the CMF are among the most developed sources for information security, outsourcing, cloud, business continuity, operational risk and incident reporting. Telecoms, consumer, e-commerce, e-signature and public-sector digital transformation rules may also apply depending on the service.
Chile does not have a general data localisation rule or a blanket restriction on transferring all categories of data abroad. The main restrictions apply to personal data, with additional controls in regulated sectors such as financial services, telecoms, health, public-sector technology, cybersecurity-sensitive services and outsourced IT operations.
Under the Data Protection Law, international transfers of personal data are subject to specific requirements. The new regime moves Chile closer to international standards by requiring organisations to consider whether the destination offers adequate protection or whether the transfer is supported by an appropriate legal mechanism.
Transfers may be legitimised through adequacy decisions or recognised adequate jurisdictions, contractual safeguards, binding corporate rules, data subject consent, contract necessity, legal claims, public interest grounds or other statutory derogations. In practice, companies use data processing agreements, transfer clauses, vendor due diligence, transfer risk assessments, security measures and subprocessor controls.
For non-personal data, Chile does not generally impose the same transfer restrictions. However, contractual, confidentiality, cybersecurity, procurement, sector-specific or regulatory obligations may restrict storage, access, processing or transfer abroad, especially for trade secrets, source code, financial information, health information, telecoms data, government records or security-sensitive operational data.
For cloud and outsourcing, the practical approach is to map jurisdictions, processors and subprocessors; assess transfer risks; implement contractual safeguards; define security and encryption requirements; regulate incident notification; ensure audit and regulatory access; and agree on return, deletion and exit assistance.
Chile does not impose one single mandatory security standard, such as ISO 27001, NIS2 or CSA CCM, across all industries. The approach is generally risk-based and sector-specific. Security obligations arise mainly from the Data Protection Law, the Cybersecurity Framework Law, CMF financial regulation, telecoms regulation, public-sector digital government rules and market practice.
The Data Protection Law requires controllers and processors to implement appropriate technical and organisational measures to protect personal data. It does not mandate one certification, but measures should be proportionate to the data, processing risks, state of the art and potential impact on data subjects.
The Cybersecurity Framework Law focuses on governance, risk management, prevention, detection, response, incident reporting, continuity and compliance with technical rules and instructions issued by cybersecurity authorities, particularly for State bodies, essential services and operators of vital importance.
Financial-sector regulation is more prescriptive. CMF-regulated entities must maintain robust frameworks for information security, cybersecurity, outsourcing, continuity, operational risk and incident management. ISO 27001, SOC 2, NIST, PCI DSS or cloud security frameworks may be used as evidence of good practice, but the key is effective governance, controls, monitoring, auditability, resilience and vendor oversight.
NIS2 does not directly apply in Chile, but may influence multinational groups, suppliers to EU-regulated customers or global cybersecurity policies. CSA CCM, SOC reports, penetration testing and cloud security documentation are commonly requested in cloud, SaaS and outsourcing due diligence, mostly as market requirements rather than universal legal obligations.
Chile has legal and regulatory requirements to notify certain security incidents, but the applicable regime depends on the type of incident, sector and role of the affected entity.
Under the Data Protection Law, once the new regime is fully in force, personal data breaches must be assessed and, where they may affect data subjects’ rights, notified to the Data Protection Agency. Where the breach creates serious risk for affected individuals, direct communication to data subjects may also be required. The obligation concerns incidents affecting confidentiality, integrity or availability of personal data.
Under the Cybersecurity Framework Law, state bodies, essential services and operators of vital importance must report cybersecurity incidents and cyberattacks that may have significant effects. These include events affecting confidentiality, integrity, availability, resilience or authentication of networks, systems or information. The main authority is the National CSIRT within the National Cybersecurity Agency framework, and timelines are very short.
Financial-sector entities must also report relevant operational and cybersecurity incidents to the CMF, including cyberattacks, technology failures, service interruptions, data leaks, loss of information and events affecting continuity, security or quality of regulated services. Telecoms operators may also have duties to inform SUBTEL of events affecting service continuity, quality or regulated infrastructure.
In practice, the authority notification obligation usually sits with the regulated entity, data controller, essential service provider or financial institution, not automatically with the IT supplier. Suppliers are usually contractually required to notify the customer immediately, provide technical information, preserve evidence, support forensic analysis, mitigate the incident and assist with regulatory or customer communications.
Chile does not have a single cross-sector technology supply-chain due diligence law requiring all companies to perform formal risk assessments on all suppliers. However, supplier due diligence is legally required or strongly expected in regulated contexts, especially where personal data, cybersecurity, financial services, cloud, outsourcing, essential services or public-sector technology are involved.
Under the Data Protection Law, controllers must ensure that processors and subprocessors provide sufficient guarantees. This makes supplier due diligence important where vendors process, host, access or support personal data. Customers should assess security, instructions, subprocessors, international transfers, breach notification, deletion/return and support for data subject rights.
The Cybersecurity Framework Law increases the importance of supply-chain risk management for essential services and operators of vital importance. This will often include third-party technology providers, managed service providers, cloud providers, software vendors, critical subcontractors and other operational dependencies.
The most developed requirements are in the financial sector. CMF-regulated entities must assess and manage risks associated with outsourcing, cloud, external service providers, cybersecurity, continuity and incidents. They remain responsible for outsourced functions and must supervise providers, manage subcontracting, ensure continuity, protect customer data and allow audit or regulatory review.
In the wider market, supplier due diligence is increasingly standard in IT contracts through security questionnaires, ISO/SOC evidence, penetration testing summaries, business continuity plans, incident response procedures, subcontractor lists, data location information, cyber insurance, audit rights, exit plans and flow-down obligations.
Chile does not impose a general obligation for every supply agreement to include data protection or cybersecurity clauses. However, such clauses are legally required or strongly expected where the supplier processes personal data, provides outsourced or cloud services to regulated entities, supports essential services, or operates in a sector subject to cybersecurity, financial, telecoms or public-sector technology rules.
Under the Data Protection Law, where a supplier processes personal data on behalf of a customer, the agreement should include data processing terms covering instructions, purpose and duration, categories of data, security measures, confidentiality, data subject rights, breach notification, subprocessors, international transfers, deletion or return, audits and allocation of responsibilities.
The Cybersecurity Framework Law also makes cybersecurity clauses important for essential services and operators of vital importance. Contracts with critical technology suppliers should address security measures, incident notification, co-operation, continuity, resilience, access controls, vulnerability management, evidence preservation, reporting and remediation.
Financial-sector regulation is one of the clearest areas for detailed contractual requirements. CMF-regulated entities entering outsourcing, cloud or technology supply arrangements must include provisions that allow them to manage operational, cybersecurity, continuity and third-party risks. This means service levels, audit rights, regulatory access, confidentiality, security, continuity, incident reporting, subcontracting controls, exit plans and termination assistance.
Even outside regulated sectors, Chilean market practice increasingly expects data protection and cybersecurity provisions in IT, SaaS, cloud, outsourcing, software implementation and managed services contracts.
In Chile, laws relevant to technology supply chains do not apply solely to the customer in all cases. The answer depends on the applicable regime and the role each party plays. Often, the customer remains primarily accountable to the regulator, but the supplier may have direct legal obligations or contractual duties to support compliance.
There is no general Chilean technology supply-chain due diligence law applying uniformly to all customers and suppliers. Obligations arise instead from data protection, cybersecurity, financial regulation, telecoms regulation, public procurement and sector-specific rules.
Under the Data Protection Law, both customer and supplier may have obligations, but not the same ones. The customer will often be the controller and the supplier the processor. The controller remains responsible for lawful processing and selecting processors with sufficient guarantees; the processor must follow instructions, implement security, maintain confidentiality, manage subprocessors, assist with rights and support breach management.
Under the Cybersecurity Framework Law, direct obligations apply to entities that qualify as essential service providers or operators of vital importance. A customer may fall within that category, but so may a technology supplier if it provides critical digital infrastructure, managed IT, cloud, cybersecurity or other relevant services.
In the financial sector, the regulated customer generally remains accountable before the CMF for outsourced services. Suppliers assume contractual obligations that allow the customer to comply, including audit rights, regulatory access, information security, confidentiality, incident notification, continuity, subcontracting restrictions, exit assistance and access to relevant information.
Chile is likely to move from policy guidance and general technology laws toward a more specific, risk-based AI regulatory framework. The pending AI bill is the clearest signal of this direction and follows a model broadly inspired by international risk-based regulation, with categories such as unacceptable risk, high risk, limited risk and systems with no evident risk.
The future framework will probably combine three layers. First, a general AI law setting baseline principles, risk classification, transparency, human oversight, technical robustness, data governance, cybersecurity, accountability, incident management, sanctions and civil liability, especially for high-risk uses affecting rights, consumers, public services, employment, education, health, financial services or essential benefits.
Second, Chile is likely to develop sector-specific AI regulation. Financial services, health, education, labour, telecoms, consumer platforms, cybersecurity and public-sector decision-making are likely to receive closer attention. Authorities such as the Data Protection Agency, the National Cybersecurity Agency, the CMF, SUBTEL, consumer authorities and digital government bodies may each play a role.
Third, private compliance and contracting will continue to develop before the statutory framework is fully settled. Companies are already addressing AI through procurement policies, acceptable use rules, vendor due diligence, governance committees, impact assessments, model risk controls, cybersecurity requirements and clauses on training data, outputs, confidentiality, IP, auditability, explainability, liability and incidents.
Overall, Chile’s AI regulation is expected to become more formal, but not through one instrument alone. The likely model is a combination of a general AI law, regulatory guidance, sector enforcement, data protection, cybersecurity and increasingly sophisticated contractual governance.
Technology contract drafting in Chile has become more modular, operational and focused on risk allocation. Rather than relying on a single services agreement, sophisticated projects are commonly structured through a master agreement supported by statements of work, data processing agreements, security schedules, SLAs, cloud or SaaS addenda, continuity provisions and, increasingly, AI-specific clauses.
A clear development is the greater importance of data protection and cybersecurity drafting. Contracts now include more detailed clauses on controller/processor roles, transfers, subprocessors, data location, breach notification, security measures, audit rights, encryption, access controls, vulnerability management, incident response, forensic support, continuity, disaster recovery and secure deletion or return.
Cloud and SaaS contracts have changed negotiation dynamics. Global providers often resist changes to standard terms, so negotiation focuses on order forms, service descriptions, support terms, DPAs, security documentation, service credits, termination assistance and regulatory requirements.
Liability clauses have also become more granular, with differentiated caps or carve-outs for confidentiality, personal data, cybersecurity, IP infringement, fraud, wilful misconduct, gross negligence, supplier-caused regulatory fines, payment obligations and audit or compliance duties.
AI is an emerging drafting area. Clauses now address permitted use of AI tools, training data, prompts, outputs, model improvement, confidentiality, IP ownership, third-party rights, hallucinations, bias, explainability, auditability, human review, prohibited uses and responsibility for AI-generated content. Pricing has also become more flexible, combining fixed price, time-and-materials, subscriptions, consumption, capacity-based teams, minimum commitments, true-ups, service credits and milestones.
Hyperscalers such as Microsoft, AWS and Google have significantly changed technology contract negotiations in Chile. Their influence has reduced the scope for bespoke negotiation of core cloud terms, while increasing the importance of due diligence, regulatory alignment, technical architecture, security documentation, exit planning and risk allocation across the cloud supply chain.
In most cases, hyperscalers operate on standard global terms and are reluctant to amend core documents. Negotiation therefore shifts away from the main terms and into order forms, service descriptions, support plans, data processing addenda, security documentation, SLAs, enterprise agreements and the customer’s cloud architecture.
This has made pre-contractual review more important. Customers focus on where data is stored and accessed, subprocessors, certifications, audit reports, incident notification, continuity commitments, service credits, export/deletion at termination and support obligations.
For regulated customers, especially in financial services, the challenge is reconciling global cloud terms with local requirements on outsourcing, cybersecurity, data protection, continuity, auditability, regulatory access, incident reporting and supplier risk management. This often requires local controls, internal risk assessments and documented governance rather than extensive changes to the hyperscaler’s terms.
Hyperscalers also affect negotiations with integrators, resellers and managed service providers. These providers cannot promise more than the underlying cloud service provides, making it essential to distinguish what is controlled by the hyperscaler, what is managed by the integrator and what remains the customer’s responsibility under the shared responsibility model.
Traditional IP concepts remain relevant in Chile, but they are under pressure from current technologies and are not always sufficient on their own. Copyright, industrial property, trade secrets, know-how, contractual licences and confidentiality still provide the basic framework for most technology transactions.
These concepts work reasonably well for software, source code, documentation, databases, brands, technical inventions, industrial designs, confidential information and reusable know-how. However, generative AI, data analytics, machine learning, cloud platforms, open-source software, APIs and automated content generation create questions that classic ownership concepts do not fully answer.
In copyright, the main tension is authorship. Chilean copyright law is structured around works of the intellect and the concept of an author, pointing toward human creative contribution. Current administrative criteria are consistent with that logic: fully autonomous AI outputs may not qualify for copyright protection, while AI-assisted human creations may be protectable depending on the degree of human input.
In patents, the traditional framework remains relevant, but the focus is technical contribution. INAPI guidance confirms that AI-based inventions can be assessed under ordinary patent rules if they solve a technical problem through technical means. The difficulty is avoiding abstract claims, black-box descriptions or attempts to protect algorithms or code as such.
Data is another area where traditional IP is imperfect. Data itself is not always protected as IP, although databases, compilations, confidential datasets, trade secrets and contractual rights may be protected. As a result, contracts increasingly regulate data access, ownership, aggregation, anonymisation, training, AI outputs, model improvements, open source, indemnities and permitted use.
Luis Matte Larrain 9851
Las Condes
Santiago
Chile
+56 954 241 575
contacto@lawtech.cl www.lawtech.cl
Regulatory Complexity and Digital Transformation: How Emerging Regulation Is Reshaping Client–Provider Relationships in Technology Projects
Chile is experiencing one of the most significant transformations of its digital regulatory landscape in recent decades. The entry into force of the Cybercrime Law (Law No 21,459), which modernised Chile’s criminal framework and aligned it with the Budapest Convention on Cybercrime, the implementation of the Cybersecurity Framework Law (Law No 21,663) and the enactment of Law No 21,719, which modernises the country’s personal data protection regime and establishes a dedicated supervisory authority, collectively reflect a broader shift towards more robust governance of digital risks.
These developments are not occurring in isolation. Together, they form part of a broader regulatory response to increasing digitalisation, growing dependence on technology infrastructure and the emergence of new risks associated with data-driven business models, cloud computing, artificial intelligence (AI) and interconnected digital ecosystems.
At the same time, organisations across all sectors continue to invest heavily in digital transformation initiatives. For many organisations, digital transformation is increasingly viewed as a strategic necessity rather than a source of competitive differentiation, supporting objectives relating to efficiency, resilience, innovation and long-term growth.
These parallel developments are creating a new reality in which technology projects can no longer be assessed solely from technical or commercial perspectives. Regulatory obligations increasingly influence project design, supplier selection, contractual negotiations and governance structures. As a result, digital transformation initiatives are increasingly being viewed as exercises in regulatory governance as much as technology implementation.
This evolution is reshaping the relationship between clients and technology providers. Compliance is increasingly being addressed from the earliest stages of project planning rather than after implementation. In many projects, regulatory considerations remain a central component of governance throughout the project life cycle.
Increasingly, successful projects appear to depend not only on technical performance or delivery against schedule, but also on the ability of clients and providers to identify, allocate and manage regulatory obligations in an environment characterised by growing complexity and regulatory scrutiny.
The New Regulatory Environment for Digital Transformation
Over the past decade, digital transformation has become a strategic priority for organisations across virtually every sector of the economy. Businesses continue to invest heavily in cloud migration, enterprise software, advanced analytics, automation technologies and AI solutions in pursuit of greater productivity, resilience and competitiveness.
Historically, many of the challenges associated with these initiatives were operational in nature. Organisations focused primarily on implementation timelines, budgets, system integration and user adoption. Regulatory compliance was often treated as a separate exercise managed alongside the project rather than integrated into its design.
That approach is becoming increasingly difficult to sustain. Modern technology projects operate within a regulatory environment that is considerably more demanding than it was only a few years ago. Organisations must now consider a growing range of legal and regulatory obligations that influence how technology solutions are selected, configured and operated.
In Chile, this trend is particularly evident. The new Personal Data Protection Law introduces enhanced obligations relating to accountability, governance and risk management. The Cybersecurity Framework Law establishes new expectations concerning cybersecurity governance, incident reporting and operational resilience. At the same time, ongoing discussions regarding AI regulation reflect a growing focus on transparency, accountability and responsible innovation.
These developments mirror broader international trends. Governments and regulators around the world are responding to increasing digitalisation and dependence on technology infrastructure by introducing more sophisticated regulatory frameworks. Data protection, cybersecurity, operational resilience and AI governance are increasingly viewed as interconnected components of digital governance rather than isolated compliance obligations.
These developments are taking place against the backdrop of sustained digital investment across the Chilean economy. Organisations in sectors such as financial services, retail, mining, telecommunications and critical infrastructure are increasingly incorporating regulatory considerations into technology procurement and transformation programmes.
The financial services sector provides a particularly useful illustration of this trend. Entities supervised by the Financial Market Commission (Comisión para el Mercado Financiero or CMF) operate within a regulatory framework that places significant emphasis on outsourcing governance, operational resilience, information security and technology risk management.
In practice, financial institutions frequently assess technology projects not only from a commercial and operational perspective, but also in light of regulatory expectations applicable to critical services, cloud adoption, cybersecurity controls and third-party oversight. As a result, regulatory considerations often play a significant role in technology procurement processes and contractual negotiations involving strategic technology providers.
Questions relating to cybersecurity, data governance, supplier oversight and operational resilience are becoming more prominent during project planning and contractual negotiations. Whilst the regulatory implications may vary across sectors, a common trend appears to be emerging: technology decisions are increasingly being evaluated not only in terms of functionality, cost and efficiency, but also through the lens of compliance, governance and risk management.
One consequence of these developments is that technology projects are increasingly being assessed through a regulatory lens. Decisions relating to architecture, hosting arrangements, data flows, supplier selection and system functionality may all have compliance implications that extend beyond the technology itself.
The Convergence of Technology, Regulation and Business Risk
One of the most notable characteristics of the current environment is that technology-related risks can no longer be managed in isolation.
Historically, digital transformation projects were largely driven by technology teams, whilst legal, compliance and risk functions often became involved at later stages. In many organisations, technology implementation and regulatory compliance were treated as separate disciplines with limited interaction.
Today, that model is increasingly being challenged.
A decision concerning cloud architecture may affect compliance with data protection requirements. The deployment of an AI solution may create governance and accountability challenges. A cybersecurity incident may simultaneously generate operational disruption, contractual disputes, financial losses and regulatory investigations.
The growing interdependence of these risks is encouraging organisations to adopt more integrated approaches to project governance.
Increasingly, successful projects involve collaboration among professionals from multiple disciplines, including:
A notable trend among organisations undertaking complex transformation initiatives is the recognition that technology projects often involve broader governance considerations. Successful programmes increasingly appear to depend upon the ability to integrate technology, regulation, risk management and business strategy within a common decision-making framework.
This convergence is also contributing to growing demand for professionals capable of operating across traditionally separate disciplines. Organisations are placing greater emphasis on multidisciplinary teams that can understand technology architecture, regulatory requirements, cybersecurity risks and commercial objectives simultaneously.
Why Third-Party Risk Management Has Become a Strategic Priority
One of the most significant regulatory trends affecting technology projects is the growing emphasis on third-party risk management.
Organisations increasingly rely on external providers for critical functions. Cloud providers host essential infrastructure. Software vendors deliver business-critical applications. Managed service providers support operational processes. Specialist technology firms implement and maintain complex digital solutions.
This dependence creates efficiencies and enables innovation. However, it also introduces new forms of risk. A security incident affecting a provider may disrupt business operations. A data protection failure may expose the client to regulatory scrutiny. Deficiencies in outsourced technology may also create operational, legal and reputational consequences.
Regulators are increasingly responding to these risks by imposing greater expectations on organisations that outsource critical activities. The underlying principle is straightforward: responsibility for regulatory compliance cannot be entirely delegated simply because a service is performed by an external provider.
Market practice suggests that vendor selection processes have become considerably more sophisticated in recent years. Organisations undertaking large-scale cloud migration, enterprise software implementation and managed services projects are increasingly seeking evidence of cybersecurity maturity, governance capabilities and compliance frameworks as part of procurement and due diligence exercises.
This trend appears particularly visible in regulated industries and in organisations operating critical digital infrastructure, where regulatory scrutiny and operational resilience requirements continue to increase.
The financial services sector provides a particularly clear example. Supervisory expectations issued by the CMF have contributed to raising standards regarding outsourcing governance, technology risk management and oversight of critical service providers. As a result, financial institutions are increasingly seeking contractual frameworks that provide greater transparency, audit rights, incident reporting mechanisms and operational resilience commitments from technology providers.
The enactment of the Fintech Law (Law No 21,521) has further contributed to this evolution. As new regulated participants enter the financial ecosystem and increasingly rely on digital platforms, cloud services and third-party technology providers, governance and risk management considerations are becoming more relevant in the design and operation of technology-enabled financial services.
Consequently, organisations are expected to exercise more active oversight throughout the supplier life cycle. This often includes:
The result is a relationship that is becoming increasingly collaborative. Effective risk management depends not only on contractual protections but also on transparency, information sharing and ongoing co-operation between clients and providers.
Data Governance as a Core Project Requirement
Data sits at the centre of virtually every digital transformation initiative. Whether an organisation is implementing a customer relationship management platform, deploying analytics tools or incorporating AI capabilities into business processes, data is often the foundation upon which value is generated.
For this reason, data governance has become one of the most important considerations in project planning and execution.
The enactment of Chile’s new Personal Data Protection Law represents a significant development in this regard. The new framework aligns Chile more closely with international standards and introduces enhanced obligations relating to accountability, governance and risk management.
For organisations undertaking digital transformation initiatives, privacy considerations are increasingly being integrated into project planning from the outset. Decisions concerning data architecture, vendor selection, international transfers and AI deployment may all have implications under the new regime.
The creation of a dedicated supervisory authority is also expected to encourage organisations to adopt more mature governance practices and increase attention to accountability mechanisms.
Several questions therefore require consideration during the earliest stages of project design.
Failure to address these questions early in a project may result in delays, redesign efforts and increased compliance risks.
Increasingly, organisations are seeking greater clarity regarding the allocation of responsibilities for data governance activities. Clients often expect providers to implement robust controls, support compliance obligations and provide transparency regarding their data management practices.
Artificial Intelligence and the Emergence of Shared Accountability
The rapid adoption of AI technologies is introducing an additional layer of complexity into digital transformation projects.
Organisations are exploring AI solutions to improve efficiency, automate decision-making, enhance customer experiences and generate business insights. Whilst these technologies offer significant opportunities, they also raise important governance and accountability questions.
Unlike traditional software applications, AI systems may generate outputs that evolve over time and are not always fully predictable. This characteristic can create challenges when organisations attempt to allocate responsibilities between clients and technology providers.
Questions frequently arise regarding:
These issues are becoming increasingly relevant as regulators around the world continue to explore frameworks designed to address the risks associated with AI deployment.
Although regulatory approaches vary, several common themes are emerging. Risk management, transparency, human oversight and accountability are increasingly being recognised as core principles of AI governance.
This evolution is encouraging the development of shared accountability models. Rather than assigning responsibility entirely to one party, organisations and providers are increasingly recognising that effective AI governance requires collaboration throughout the technology life cycle.
Providers may be expected to explain system limitations, disclose relevant information and support monitoring activities. Clients, meanwhile, continue to play a critical role in ensuring that AI systems are deployed appropriately and in accordance with legal, ethical and business requirements.
Cybersecurity and Operational Resilience
Cybersecurity is increasingly regarded as one of the defining regulatory issues of the digital economy.
Chile’s Cybercrime Law has modernised the legal framework applicable to offences affecting information systems, data integrity and digital services. By aligning Chile with the standards established under the Budapest Convention, the legislation reflects growing recognition that cyber incidents are not merely technical events but also legal, operational and business risks capable of generating significant consequences for organisations and their service providers.
Together, the Cybercrime Law and the Cybersecurity Framework Law signal a clear regulatory expectation that organisations should adopt more mature approaches to cybersecurity governance, incident management and operational resilience. This expectation increasingly extends beyond internal operations and encompasses the management of risks arising throughout technology supply chains and outsourced service arrangements.
For organisations undertaking digital transformation initiatives, cybersecurity is increasingly viewed as a matter of governance, regulatory compliance and risk management rather than solely a technical issue.
Clients increasingly expect providers to demonstrate that appropriate security measures are embedded within their services. Common requirements include:
Consequently, cybersecurity considerations are becoming more prominent not only in technology design but also in procurement strategies, contractual negotiations and vendor management programmes.
The Evolution of Technology Contracting
The cumulative effect of these regulatory developments is transforming the way technology contracts are negotiated and structured.
For organisations procuring complex technology solutions, contractual negotiations increasingly serve as a mechanism for addressing regulatory and operational risks rather than merely defining commercial terms. Market practice suggests that discussions concerning cybersecurity governance, data protection accountability, supplier oversight, operational resilience and AI-related responsibilities are becoming increasingly important components of technology contracting discussions.
Historically, technology agreements focused primarily on commercial and operational matters. Key areas of negotiation included pricing, service levels, intellectual property rights and implementation obligations.
Whilst these topics remain important, regulatory considerations now occupy a more prominent role within contractual discussions.
Modern technology agreements increasingly address issues such as:
This shift reflects an important change in how organisations view technology contracts. Rather than serving solely as mechanisms for allocating liability, contracts are increasingly being used as governance tools that support compliance and risk management objectives.
The most effective contractual arrangements recognise that compliance cannot be achieved through legal drafting alone. Whilst contractual provisions remain important, successful outcomes typically depend upon operational collaboration, information sharing and ongoing engagement between clients and providers throughout the life cycle of the project.
Looking Ahead: From Technology Providers to Regulatory Partners
The regulatory landscape surrounding digital transformation is likely to continue evolving over the coming years.
Data protection requirements are becoming more sophisticated. Cybersecurity expectations continue to expand. AI governance frameworks are emerging across multiple jurisdictions. At the same time, regulators are placing greater emphasis on operational resilience and third-party oversight.
These developments are changing the nature of the relationship between clients and technology providers.
Technology providers are increasingly being viewed as more than suppliers of technical solutions. In many projects, they are expected to play a broader role in supporting compliance, operational resilience and risk management objectives.
For many organisations, the challenge is no longer whether to invest in digital transformation, but how to do so whilst navigating an increasingly complex regulatory environment. As transformation programmes become larger, more interconnected and more dependent on external providers, organisations are likely to place greater emphasis on governance models that integrate compliance, technology and risk management from the outset.
The growing interaction between data protection, cybersecurity, artificial intelligence and operational resilience is creating a category of business risk that increasingly requires integrated governance approaches.
In this environment, organisations that are able to combine legal, technological and commercial perspectives within a common decision-making framework may be better positioned to navigate regulatory complexity whilst continuing to innovate.
Equally, technology providers are increasingly expected to act not only as service providers but also as strategic partners capable of understanding the regulatory and operational realities faced by their clients.
This evolution is contributing to growing demand for professionals who can operate at the intersection of technology, regulation, risk and business strategy. As digital transformation becomes increasingly shaped by regulatory expectations, these multidisciplinary capabilities may prove as important to project success as the technology itself.
Ultimately, the future of digital transformation is likely to be defined not only by technological innovation, but also by the ability of organisations and their technology partners to develop governance models capable of balancing innovation, compliance and resilience in an increasingly complex digital economy.
Luis Matte Larrain 9851
Las Condes
Santiago
Chile
+56 954 241 575
contacto@lawtech.cl www.lawtech.cl