Chile transforms its digital strategy with Law 21,663 and the 2023–2028 National Cybersecurity Plan

Oct 29, 2025

Our senior associate at az Tech, Antonia Nudman, spoke with LexLatin to discuss the 2023–2028 National Cybersecurity Plan and its implementation with the Framework Law in Chile.

In July of this year, Chile’s Ministry of the Interior and Public Security issued Exempt Resolution No. 28, which implements the 2023–2028 National Cybersecurity Policy Action Plan (PNC 2023–2028) and was created as a government response to the growing sophistication and volume of cyber threats. This strategy is reinforced by the Framework Law on Cybersecurity and Critical Information Infrastructure (Law No. 21,663), which establishes the new institutional framework, guiding principles, and general regulations essential for structuring, regulating, and coordinating cybersecurity actions by both state administration bodies and private entities.

The resolution that launched the PNC 2023-2028 (a complex and multifaceted process) is based on the agreement of the Interministerial Committee on Cybersecurity, which included 15 priority measures selected on the basis of their feasibility of implementation and which can be summarized in five areas:

  1. Strengthening digital infrastructure to make it secure and resilient from a risk management perspective, so that it can withstand and quickly recover from cybersecurity incidents.
  2. Protecting citizens’ fundamental rights in cyberspace, so that people can browse the internet safe in the knowledge that their personal data and privacy are effectively protected.
  3. Creating a culture of cybersecurity that promotes education and the adoption of good practices among citizens at all levels and encourages shared responsibility in the use of digital technologies.
  4. Coordinating collaboration between national institutions and those in other countries, taking into account that many of the threats in cyberspace are global in nature.
  5. Promoting research and development (R&D) and industry by developing local capacities to encourage innovation in cybersecurity.

R+D+I

Focusing for a moment on this last point: to strengthen collaboration in cybersecurity R&D&I, the government has rolled out a specific agenda that combines diagnosis, training, and implementation. A highlight is the prioritization of cybersecurity in the scholarships awarded by the National Research and Development Agency (ANID), both in national programs and in the Chile Scholarships for master’s and doctoral degrees, which today favor topics such as cybersecurity, artificial intelligence, and public safety, explained Diego Córdova, associate at Alessandri Abogados. These actions seek to connect knowledge with real challenges, creating a national cybersecurity community with a strategic vision.

This aims to promote applied research projects and close the gap in specialized human capital in an area critical to the country. In addition, priority lines of research, joint incident response exercises, student fairs, new technical degrees, and collaboration agreements between universities, companies, and public agencies are being implemented, said the lawyer.

It is also important to highlight that measures are being implemented across the entire R+D+I chain, added Antonia Nudman, senior associate at az Tech, Albagli Zaliasnik. These include developing guidelines and instructions for public bodies, which standardize criteria and facilitate their adoption by universities and companies; updating the national cybersecurity R&D diagnosis to map capabilities and gaps and align projects, consortia, and funding; developing a country risk assessment methodology based on international models and adapted to the national reality; promoting cybersecurity exercises in public-private and academic partnerships with replicable materials; publishing an annual cybersecurity report that provides data and trends to guide applied research; holding student fairs and proposing a mid-level technical degree in cybersecurity; jointly developing a research guidelines document with the government and the private sector; and providing education and digital self-care tutorials for people who require greater support.

Together, these actions address technical standardization, human capital training, inter-institutional coordination, evidence generation, knowledge transfer, and public awareness in a cross-cutting manner, creating a common language and effective collaboration pathways between academia, the public sector, and the private sector, she explained.

The new institutional framework

Law No. 21,663, fundamental to the PNC 2023-2028, outlines the new institutional framework, guiding principles, and general regulations essential for structuring, regulating, and coordinating cybersecurity actions by both government agencies and private entities, while focusing primarily on protecting the country’s critical information infrastructure.

This means that it is more than a declaration of intent, becoming a structural transformation whose goal is to guarantee a reliable, secure, and inclusive digital environment for Chile. One of the things that most distinguishes this policy is that it moves away from the traditional reactive model in response to cybersecurity incidents to one of comprehensive governance, which conceives of cybersecurity as a cross-cutting responsibility between the State, the private sector, and citizens, with a focus on privacy management, organizational culture, and corporate governance, where the private sector must take a more proactive stance than it has had until now.

Thus, in the short term, both the PNC 2023–2028 and Law No. 21,663 (which created the National Cybersecurity Agency, ANCI, and established the reporting and coordination framework), in addition to Exempt Resolution No. 28 (which instructs the development of a Manual of Communication Protocols for Cybersecurity Incidents), “consolidate a transition towards a more coherent, mandatory, and traceable state incident management model for public agencies,” said Antonia Nudman.

The lawyer also indicated that, although the Action Plan is robust in terms of state governance, it does not yet define specific mechanisms to address the protection of local governments and municipalities, which continue to be the entities with the least maturity and greatest exposure to ransomware. Nor is there a clear roadmap for protecting medium-sized or private infrastructures that do not qualify as essential or vital but can cause significant cascading disruptions.

Additionally, there is a regulatory gap regarding digital services and technology platforms operating in Chile that do not belong to a traditionally regulated sector. This means that communication platforms, cloud storage, internal management SaaS solutions, marketplaces, and digital identity providers are not covered by specific technical standards or clear reporting or resilience obligations, “despite the fact that they concentrate massive volumes of data and operational dependencies.”

Entities subject to regulation

Now, with the entry into force of Law No. 21,663 and Exempt Resolution No. 28, the only sector with an explicit mandate for specific technical standards is the electricity sector, so it is worth asking whether and when other sectors considered critical (such as finance, health, and water) will be next to receive specific cybersecurity technical standards. For these sectors, the ANCI has not yet issued a resolution indicating which one is next in line, according to the az specialist.

That said, Exempt Resolution No. 50, which opened the public consultation on the preliminary list of Operators of Vital Importance, shows which sectors have the highest concentration of qualified operators, so it is reasonable to anticipate that the prioritization of future technical standards will follow the same sectoral pattern. In addition to state administration bodies, that pattern includes telecommunications; digital infrastructure services, digital services, and third-party managed information technology services; banking, financial services, and means of payment; and institutional health services, she said.

Meanwhile, the new cybersecurity requirements in public radio spectrum tenders represent, in Diego Córdova’s opinion, a strategic step forward in ensuring that future 5G networks are deployed with high standards of resilience against critical threats, such as attacks or unauthorized access.

For him, this regulatory approach strengthens institutional and public confidence in digital infrastructure, while creating an environment conducive to innovation, in which actors developing advanced security solutions will have a tangible competitive advantage.

Furthermore, by considering cybersecurity criteria in the technical evaluation of proposals (beyond price), competition based on quality, compliance, and technological sustainability is promoted. The challenge will be to apply these requirements with proportionality and clarity, so that they stimulate investment without becoming unnecessary barriers for new entrants or international suppliers, he said.

The cybersecurity policy defines two categories of entities required to manage cyber risks and report incidents. The first is Essential Service Providers (PSE), such as State Administration entities, the National Electricity Coordinator, entities that provide services under public law concessions, and private institutions that carry out certain activities. These entities are required by Law No. 21,663 to implement systems for cyber risk management; report cybersecurity incidents to ANCI within the time frames and formats determined by the agency; designate a cybersecurity delegate to act as a liaison with the agency; and maintain an updated inventory of critical assets and conduct periodic audits.

The second category is Operators of Vital Importance (OIVs), entities exposed to greater regulatory pressure and required to identify and focus their efforts on those components within their networks and systems that are essential and vital to the delivery of services to the country, whose interruption, modification, or destruction (of their services or infrastructure) would have a serious impact on national security, public health, and the functioning of essential basic services.

The creation of these categories and the establishment of a sanctions regime to protect them create a direct economic and regulatory incentive for investment in cybersecurity, which is one of the pillars of the PNC 2023–2028. For this reason, the law ensures that the implementation of the PNC does not depend on sectoral will, but is a legally enforceable mandate.

For both OIVs and PSEs, the State recommends adopting a proactive and structured compliance strategy, which should be viewed in light of the establishment of a culture of cybersecurity and the transformation in this area pursued by the Chilean government, for which the ANCI will focus its efforts on educational programs that lead to the adoption of best practices by citizens and public and private companies.

Source: LexLatin, October 22