Chile has established itself as a regional leader in cybersecurity regulation with a comprehensive framework that addresses both public and private sector obligations. The enactment of Law 21.663 (National Cybersecurity Framework), combined with the modernised data protection requirements of Law 21.719 and sector-specific regulations from the CMF and other authorities, creates a multi-layered compliance environment. For businesses operating in Chile, understanding and meeting these requirements is essential for operational continuity, regulatory compliance, and competitive positioning.

Key Regulatory Frameworks

Law 21.663 - National Cybersecurity Framework

Chile's landmark cybersecurity legislation establishes the institutional framework for cybersecurity governance, creates the National Cybersecurity Agency (ANCI), defines obligations for operators of essential services and critical infrastructure, establishes incident reporting requirements, and provides the legal basis for cybersecurity standards and technical guidelines. Operators of essential services must implement appropriate security measures, conduct regular risk assessments, report significant incidents to the CSIRT, and cooperate with the National Cybersecurity Agency during investigations.

Law 21.719 - Personal Data Protection

While primarily a data protection law, Law 21.719 has significant cybersecurity implications. It requires organisations to implement appropriate technical and organisational measures to protect personal data, mandates breach notification to the Data Protection Agency, establishes accountability requirements that necessitate demonstrable security controls, and creates penalties for security failures that result in unauthorised access to personal data.

Law 21.459 - Cybercrime

Chile's updated cybercrime law criminalises unauthorised access to computer systems, data interference and system interference, illegal interception of communications, computer fraud and forgery, and abuse of devices. This law provides the legal framework for prosecuting cyber attacks and also establishes the boundaries within which security testing must operate.

Sector-Specific Regulations

The CMF (Comisión para el Mercado Financiero) has issued detailed cybersecurity requirements for financial institutions, including risk management frameworks, incident response capabilities, third-party risk management, and regular security assessments. The telecommunications sector is subject to cybersecurity requirements from Subtel, while the energy and mining sectors face obligations under critical infrastructure provisions.

Building a Compliance Programme

A comprehensive cybersecurity compliance programme for Chilean businesses should address the following key areas:

Governance and Leadership

Establish clear accountability for cybersecurity at the board and executive level. Define roles and responsibilities including a designated cybersecurity officer, establish a cybersecurity committee with appropriate representation, and ensure that cybersecurity strategy aligns with business objectives and regulatory requirements.

Risk Assessment

Conduct regular risk assessments that identify threats and vulnerabilities relevant to your operations, evaluate the potential impact of security incidents, prioritise risks based on likelihood and business impact, and inform the selection of security controls. Risk assessments should cover all assets, processes, and third-party relationships within scope of your compliance obligations.

Technical Controls

Implement technical security measures proportionate to your risk profile, including network security (firewalls, segmentation, intrusion detection), endpoint protection and management, access control and identity management, encryption for data at rest and in transit, security monitoring and logging, and regular penetration testing and vulnerability scanning.

Policies and Procedures

Develop and maintain a comprehensive policy framework covering information security, acceptable use, access control, incident management, business continuity, data protection, and third-party security requirements. Policies should be reviewed regularly and updated to reflect changes in the regulatory environment and threat landscape.

Incident Response

Establish incident response capabilities that meet the reporting timelines and requirements of Law 21.663 and Law 21.719. This includes defined incident classification and escalation procedures, a trained incident response team with clear roles, communication plans for internal and external stakeholders including regulators, evidence preservation and forensic analysis capabilities, and post-incident review and improvement processes.

Training and Awareness

Invest in regular cybersecurity awareness training for all employees, with role-specific training for personnel with elevated access or security responsibilities. Training programmes should cover current threats, organisational policies, regulatory obligations, and practical security behaviours.

Compliance with International Standards

Many Chilean businesses complement local regulatory compliance with international standards. ISO 27001 provides a comprehensive framework for information security management that maps well to Chilean regulatory requirements. SOC 2 certification demonstrates security controls to international clients and partners. PCI DSS compliance is mandatory for organisations processing payment card data. The NIST Cybersecurity Framework provides a flexible approach to managing cybersecurity risk that aligns with Chilean regulatory expectations.

Third-Party Risk Management

Chilean regulations increasingly require organisations to manage cybersecurity risks in their supply chain and third-party relationships. This includes conducting due diligence on service providers, including cybersecurity requirements in contracts, monitoring third-party compliance and security posture, and establishing incident notification requirements with suppliers.

Compliance Monitoring and Reporting

Maintaining compliance requires ongoing monitoring and regular reporting to stakeholders. Key activities include continuous monitoring of security controls and compliance status, regular internal audits and compliance assessments, management reporting on cybersecurity posture and risk levels, and regulatory reporting as required by Law 21.663 and sector-specific regulations.

A centralised compliance management platform streamlines these activities by providing a unified view of compliance status across all applicable frameworks, automating evidence collection, and facilitating reporting to management and regulators.

Conclusion

Chile's cybersecurity compliance landscape is comprehensive and continues to evolve. Businesses that invest in building structured compliance programmes, supported by robust technical controls and a culture of security awareness, are best positioned to meet regulatory requirements, protect their operations, and maintain the trust of customers and partners. Start with a gap assessment against applicable requirements and build a prioritised roadmap for achieving and maintaining compliance across all relevant frameworks.