Written by León Lanis V., Paralegal
Very recently, Chile’s lawmakers and government have taken big steps towards effective regulation and government policy on cybersecurity, and towards the principles companies must comply with in order to protect not only private digital infrastructure but the critical infrastructure of the nation as a whole. This legal alert will dive into the two big announcements in this matter.
National Cybersecurity Policy 2023-2028
Since Sebastian Piñera’s first government, successive Chilean governments have given priority to creating guiding principles for the handling of information and computer security, creating very interesting government agencies such as the national CSIRT (Computer Security Incident Response Team) and putting forward the idea of new criminal offences and better principles for the private sector.
Very recently, Gabriel Boric’s government updated the guiding principles for the next 5 years. These mainly include the development of resilient infrastructure that can handle new types of threats and incidents, the strengthening of the institutional framework for handling incidents, better strategies and support from institutions for the protection of human rights within the digital environment, the development of a national culture of cybersecurity, and the fostering of national and international coordination (in order to comply with the Budapest Accords), amongst others.
One point that has been heavily criticised by experts in the industry is that this policy is overly ambitious, especially because almost 30,000 jobs are needed to meet the demands of such plans.
Approval of the Cybersecurity Framework Law
On the 13th of December 2023, the Senate and the Chamber of Deputies approved a bill for the enactment of the Cybersecurity Framework Law, which seeks to establish the principles and general regulation for the structure, guidance and coordination of the cybersecurity actions of the State and the private sector, establishing the principles to prevent, contain, mitigate, resolve and respond to any cybersecurity incident.
In order to enforce compliance with said principles, the law creates the National Cybersecurity Agency (ANC), which will be the main regulator for the public and private sector in this matter. The purpose of this agency is to advise the President of the Republic on cybersecurity matters, collaborate in the protection of national interests in cyberspace, ensure the promotion of and respect for the right to information security, and coordinate the actions of government agencies in cybersecurity. The ANC will also be in charge of designating the Critical Infrastructure and Vital Importance Operators (OIV), the companies that will be overseen by the Agency.
Under the legal principles, the following companies will be under the OIV scope:
- Any national service, including the National Electric Grid Service
- Any concessions given by the state and operated by the private sector
- Any Electric Grid related companies, even goods and services providers to those companies
- Other services regulated by the ANC, including services provided by private companies engaged in the transmission, transportation and storage of fuels, digital infrastructure, digital services, information technology services provided by third parties, among others.
The law also classifies the different types of cybersecurity incidents, establishing that those of “special significance” are specially watched by the ANC. The Agency will be tasked with defining the specifics, but an incident of special significance is to be assessed against these criteria:
- Number of affected people
- Duration of the incident
- Geographic extension of the incident
This law will also strengthen the role of the previously mentioned CSIRT, which will serve as the first and main responder in such events and will now have a closer relationship with those private companies designated as OIV.
Last but not least, the law also establishes fines for those companies that do not follow these principles and the subsequent regulations issued by the ANC. This topic was the main focus of discussion, as fines are the main tool to enforce the obligations under the law. The fines are:
- Minor infringement: Up to 5.000 UTM (around USD$320.000); twice if it’s an OIV infringement;
- Serious infringement: Up to 10.000 UTM (around USD$640.000); twice if it’s an OIV infringement;
- Very serious infringement: Up to 20.000 UTM (around USD$1.300.000); twice if it’s an OIV infringement.
Given that this law has now passed to the third stage (review by the Constitutional Tribunal), we are yet to see its enactment. That being said, experts say that this law may come into effect before May 2024.