Government of President Boric enacts Cybersecurity law

The law creates a cybersecurity governance framework, and it sets norms to regulate and coordinate the actions of State institutions in cybersecurity.

Chilean Government enacts Cybersecurity Law

On Tuesday, March 26, at the Palacio de La Moneda, the President of the Republic enacted the new Cybersecurity Framework Law and presented the National Cybersecurity Policy. These regulations allow the country to strengthen its digital security by creating the National Cybersecurity Agency (ANCI). The new legal framework gives the State increased powers to coordinate public and private actors, establish obligations, and establish fines.

“Chile becomes the first country in Latin America and the Caribbean to have a National Cybersecurity Agency and a cutting-edge regulatory framework in this field. This policy will boost the development of the cybersecurity industry in Chile, which is also an opportunity for jobs and investment.” These were the words of President Gabriel Boric during the signing ceremony of the Cybersecurity Framework Law, which took place on Tuesday, March 26.

This activity marks an important milestone for cybersecurity in our country. The digital security of Chileans will be strengthened thanks to the Law and the National Cybersecurity Policy.

The new law establishes the institutional framework, principles and general regulations that will allow the structuring, regulation and coordination of cybersecurity actions of State agencies. It also establishes the minimum requirements to prevent, contain, resolve and response to cybersecurity incidents, both for the public and private sectors.

Held in the Salón Montt Varas of the Palacio de La Moneda, the ceremony was attended by the Ministers of the Interior and Public Security, Carolina Tohá; of Foreign Relations, Alberto van Klaveren; of Defense, Maya Fernández; of Finance, Mario Marcel; of the General Secretariat of the Presidency, Álvaro Elizalde; of Justice, Luis Cordero; of Science, Technology, Knowledge and Innovation, Aisén Etcheverry; of Transportation and Telecommunications, Juan Carlos Muñoz; and of Energy, Diego Pardow.

The Minister of the Interior and Public Security, Carolina Tohá, stressed that "What is happening today is the result of a virtuous and prolonged process that we have had in Chile to seriously address the risks associated with cybersecurity and the challenges it poses for the country." Minister Tohá reminded that although governments of different political tendencies have passed, progress has been made in this area with cross-cutting agreements.

ANCI: an autonomous agency with real powers

The new law establishes a cybersecurity governance for the country, by creating the National Cybersecurity Agency (ANCI). The Agency shall have regulatory, supervisory and sanctioning powers, both for public and private organizations.

Some of the functions of ANCI are to advise the President in the development of policies, plans and action programs, to establish mandatory protocols and standards for both public and private institutions, to manage the National Incident Registry, to qualify essential services and to establish operators of vital importance, to require information on incidents or background information to prevent their occurrence, and finally to promote cybersecurity education.

The National Computer Security Incident Response Team (CSIRT) is also created by the Law. The National CSIRT will report to ANCI. Its specific functions include responding to cyberattacks or relevant cybersecurity incidents; coordinating the new CSIRTs that will be created for the different branches of the State, including the National Defense CSIRT. It will also collaborate with foreign entities, and it will provide technical advice about actions to enable increased cybersecurity in State institutions, including training and exercises, requesting information on incidents and vulnerabilities, disseminating alerts and developing technical criteria for the categorization of incidents or vulnerabilities exempt from notification.

In addition, the law creates the National Defense CSIRT, under the authority of the Joint Chiefs of Staff, with similar powers to the National CSIRT. The law establishes the need for both CSIRTs to collaborate in the protection of both people and the "essential services" of the country.

The law protects the security of essential services, regardless of whether they are administered by the State, public or private companies. It also defines what is to be considered Vital Importance Operators (OIV), with the aim of instituting duties and fines in case of non-compliance.

OIV shall have the obligation to implement a management system to guarantee the security of information and operational continuity. They will also have to execute the operational continuity and cybersecurity plans, as well as implementing simulations, exercises and analysis of computer systems, adopting measures to mitigate the impact of incidents, and implementing continuous training and education for workers and collaborators.

A national policy organized around five axes

The new National Cybersecurity Policy for the years 2023-2028 was also presented on this occasion. It has the following five main axes:

  1. Resilient infrastructure: The country will have a robust and resilient information infrastructure, prepared to resist and recover from cybersecurity incidents and socio-environmental disasters, from a risk management perspective.
  2. People's rights: The State will protect and promote the protection of people's rights on the Internet, through the strengthening of existing institutions in cybersecurity; and the generation, adoption, and promotion of the necessary mechanisms and technological tools so that each person can integrate into society and develop and express themselves fully.
  3. Cybersecurity culture: Chile will develop a cybersecurity culture around education, good practices, responsibility in the management of digital technologies, and promotion and guarantee of people's rights.
  4. National and international coordination: The State will create a public governance to coordinate the necessary actions in cybersecurity. Public and private organizations will create, together, instances of cooperation with the purpose of communicating and disseminating their cybersecurity activities, avoiding duplication of work and loss of resources, and making efforts in this area efficient. In the international sphere, the State will coordinate with countries, organizations, institutions and other international actors to allow our country to better face malicious activities and incidents in cyberspace.
  5. Promotion of industry and scientific research: The country will promote the development of a cybersecurity industry that protects people and organizations and serves their strategic objectives. To this end, it will promote the focus of applied scientific research on cybersecurity issues, according to the needs of the country.

By enacting the Cybersecurity Law and the National Cybersecurity Policy, the country is at the forefront of Latin America and the Caribbean in public policies on cybersecurity.