Cyberhub

Cybersecurity Law

Obligations and alignment for Organizations of Vital Importance (OIV).

The Chilean Cybersecurity Law No. 21.663 establishes the national regulatory framework for the protection of critical infrastructure and essential services, defining specific obligations for Organizations of Vital Importance (OIV) and regulated entities.

Purpose of the Law

To ensure operational resilience, service continuity, and the protection of national critical assets against cybersecurity incidents, aligned with international standards such as ISO/IEC 27001:2022.

Alignment with ANCI General Instructions

Compliance with the law requires the effective adoption of the General Instructions (IG) issued by ANCI, which establish mandatory minimum cybersecurity controls:

  • IG No. 2 – Registration: Active registration on the ANCI platform, mandatory use of Clave Única and MFA, continuously updated institutional data and contacts, and formally accredited alternative access mechanisms.
  • IG No. 3 – Cybersecurity Delegate: Formal appointment by Senior Management, with proven experience in cybersecurity or risk management, direct reporting to executive level, and strict compliance with registration and update deadlines.
  • IG No. 4 – Incident Management: Immediate response capability, isolation of compromised systems, strict control of privileged accounts, VPN access with MFA, network segmentation, protected and traceable backups, and full documentation of all decisions.

Governance and Accountability

The law reinforces that cybersecurity is a direct responsibility of Senior Management, including the authority to suspend services when necessary to protect critical assets and reduce systemic risk.

Compliance is not only a regulatory requirement—it is a key driver of organizational resilience, business continuity, and trust in the digital ecosystem.
