The new cybersecurity paradigm in Chile
Notes from Patagonia Ciber on Chile's new Cybersecurity Framework Law, the qualification process for Vital Importance Operators, and the data-protection shift arriving with Law 21.719.
Originally published on Fintualist (in Spanish, June 2025). The hero illustration first appeared on that publication and is reproduced here with credit to Fintualist.
Tornadoes are rare news in Chile. In school we were told the Andes shield us from them — that any wind-related disaster simply can’t reach us thanks to a geography that acts as a natural buffer. And yet one happened. A tornado tore through Puerto Varas and the whole town had to respond.
Cybersecurity has the same blind spot. There are companies that swear up and down they won’t be attacked because they bought the most expensive defense tool, because they hired the sharpest CISO, because every employee took a phishing course, or simply because the business has zero tech to it, so who’d bother hacking them. It’s the same logic as “no tornadoes here”… right up until there are.
The tornado hit on Sunday and I arrived in Puerto Varas on Wednesday. There were still houses and buildings without roofs, fallen trees and walls, broken glass, missing street signs at some intersections — visible scars from the storm — but Saesa workers were everywhere, the armed forces and municipal security were guarding houses, and locals were doing their part to keep the city running. The incident was contained, but not yet resolved.
Over the next two days, in that same Puerto Varas, I attended Patagonia Ciber. Organized by Chile’s National Cybersecurity Agency (ANCI), it featured talks on security and privacy from many angles, with panels dedicated to finance, tech, healthcare, and energy, and with national and international participants from both the public and private sectors. The tornado added a layer of uncertainty (I saw plenty of people worried it would be cancelled), but in the end it went ahead, and many celebrated the fact that — for the first time — a cybersecurity event was being held this far from Santiago.
The high point was the unveiling of a new milestone in Chile’s Cybersecurity Framework Law: ANCI’s director walked us through the qualification process for Vital Importance Operators, a category that binds a company to specific security obligations because the country depends on the service it provides. In other words: the reasons your company might be vital to Chile.
“The data isn’t yours, it’s lent to you”
At the opening of day one, congressman Leonardo Soto dropped this line, which captures perfectly the paradigm shift coming with the new Personal Data Protection Law. Today we’re governed by Law 19.628, written in an era when social networks weren’t yet a concern and AI was a niche topic that couldn’t write your thesis or a Fintualist post. That’s finally getting an update via Law 21.719.
What does it change? If you handle personal data (spoiler: nearly every company does), you’ll have to, among many other things:
- Demonstrate the legitimate origin of every piece of personal data you hold.
- Respond promptly to data subjects who want to exercise their ARCO rights (Access, Rectification, Cancellation, Opposition), as well as the rights to Portability and Blocking.
- Carry out data-protection impact assessments.
Plenty is still to be defined and the law won’t take effect until December next year (December 2026), but — as with the Cybersecurity Framework Law that created ANCI — this one will spin up a Personal Data Protection Agency. If it isn’t on your radar yet, you still have time.
“In cybersecurity, we don’t compete”
I’ve heard this line a lot, and it was the strongest one from the financial-sector panel — but it applies everywhere. Cristián Vega, from Chile’s Banking and Financial Institutions Association (ABIF), recounted that bank presidents tell their teams as much: when it comes to security, everyone cooperates.
On the energy side: when Spain suffered a massive blackout — much like the one Chile had not long ago — the first thought everyone had was “cyberattack.” It turned out it wasn’t, but the paranoia is justified, because no power means no internet, no internet means no banks, no banks means no commerce, no commerce… you get the picture. It’s a domino effect across companies that, at the end of the day, affect the country and its citizens — which is exactly why they’re such an attractive target for attackers.
Now, what if a blackout had been triggered by a cyberattack? What if interbank cooperation couldn’t keep up with a large-scale incident? What do these companies — which will almost certainly be classified as Vital Importance Operators, and whose example smaller companies will eventually have to follow — actually need to have in place? Maybe you started reading this because you’re worried about being designated an OIV (Operador de Importancia Vital) and facing the new requirements this paradigm shift brings. So let’s get to it.
The OIV qualification process
If your company delivers an essential service under the Cybersecurity Framework Law, in the next few months it could be classified as a Vital Importance Operator and have to meet the obligations the law sets.
ANCI’s director presented the process for selecting these OIVs, starting with these sectors (more are listed in the law, but they prioritized these for efficiency):
- Energy
- Telecommunications
- Technology
- Banking, financial services, and payment methods
- Healthcare
The process has several stages. They walked us through Telecommunications as an example:
- On May 30, ANCI digitally delivered a list of companies to the Undersecretary of Telecommunications, from which the Undersecretary will select those that qualify as Vital Importance Operators.
- The evaluation runs against the law and against a selection methodology developed by Universidad de Chile.
- Thirty days later, the Undersecretary replies: “of the thousand companies regulated by Subtel, these hundred are vital.”
- Thirty days later, ANCI publishes a preliminary list and opens public consultation.
- The list names each company by legal name and tax ID.
- The named companies can agree, disagree, and submit observations.
- Thirty days later, the public consultation closes and ANCI starts evaluating the comments.
- Thirty days later, ANCI publishes a public document with what proceeds and what doesn’t.
- Finally, in October — thirty days after that — ANCI issues several resolutions publishing the final OIV list for the sectors they started with.
For the other sectors the process is essentially the same, but the recipient of the company list changes. They mentioned, for example, that for the financial sector it’ll be Finance Minister Mario Marcel who decides.
So what does being chosen as an OIV actually mean? Basically, the State is saying “hey, if you get hacked, the country stops working properly — so get your act together.” And getting your act together means having things like:
- An information security management system, with a record of the actions that make it up.
- A business continuity plan (if BCP and DRP ring a bell, you’re on the right track).
- An incident management plan.
- A cybersecurity delegate.
Once the final list is published, those obligations apply immediately. No grace period, no time to improvise. Plenty of people are spooked by these requirements, but they’re not from another planet. In fact, if your company holds ISO 27001 certification it already covers most of what’s asked of OIVs: the management system, its documented controls and the incident-handling process are the core of that standard. What you still need to map explicitly are the pieces the standard doesn’t name as such, like appointing the cybersecurity delegate and wiring your incident process to ANCI’s reporting deadlines. At Fintual we’re clear on this because we’re certified under that security standard.
Beyond OIV status, if your company provides an essential service you’ve been required to report cybersecurity incidents on ANCI’s portal since this past March, within three hours of detecting them. And starting June 11, every essential-service provider must be registered on the portal even if they haven’t yet had to report an incident.
The figures ANCI shared were striking: now that mandatory reporting is in effect, between March 1 and May 29 there were 97 reported incidents, of which 33 were cyberattacks (a third of the total). For comparison, that already exceeds last year’s total: 70 reports across all of 2024.
A KPI that isn’t in the law
Among all the regulatory detail, one thought stood out. Francisco Guzmán, from the Chilean IT Industry Association, put it plainly: “The most important indicator in cybersecurity is how long it takes you to rebuild trust after being breached.” At the end of the day, you can have every certificate in the world and check every regulator’s box — but if your customers don’t trust you after an incident, game over.
