We invite you to read the opinion column by our partner Antonio Rubilar and senior associate az Tech, Antonia Nudman, who analyzed two areas that will be decisive for companies classified as Operators of Vital Importance.
The recent resolution by the National Cybersecurity Agency (ANCI) set off alarms in various sectors: more than a thousand entities were preliminarily considered critical infrastructure operators (OIV), a category that entails special obligations in management, security, and continuity. With the closing of the comment period on October 16, the real challenge now begins: sorting out the regulatory and operational path ahead.
The process is now entering a new phase: ANCI must issue the resolution with the final list within thirty days of the publication of the executive summary. If the deadlines are met, this should occur in December 2025. But beyond the calendar, what is important is to take advantage of the opportunity to carry out the necessary analyses.
This is the time to act, to review the legal position and strengthen internal management, taking into account two comprehensive fronts.
The first is legal: review whether the OIV rating complies with applicable regulations, evaluate the justification provided by the authority and, if necessary, consider the administrative remedies provided for in Law No. 19,880 or, eventually, the judicial claim contemplated in Law No. 21,663. It is a matter of exercising the right to review with technical grounds and clear evidence.
The second front is operational: beyond appeals or discrepancies, it is essential to strengthen internal management mechanisms. This involves defining those responsible with real powers, establishing risk and continuity policies and procedures, having incident reporting protocols in place, and ensuring document traceability.
In other words, transforming regulatory obligations into concrete practices. Even if the entity is not ultimately confirmed as an OIV, it is very likely that it will be classified as an Essential Service Provider (PSE), which also triggers the general duties of the Framework Law.
On the other hand, if the OIV rating is maintained, the requirements become more intense: continuity plans with defined timelines, verifiable exercises, formal incident escalation, preservation of evidence, and contractual alignment of the entire supply chain.
Therefore, the recommendation is to move forward with a progressive, comprehensive, and proportional strategy. Organizations must align the requirements of the Framework Law with their own sectoral regulations and with the new Personal Data Protection Law, especially in terms of security and breach notification.
This approach is particularly relevant for entities that, after a thorough analysis, conclude that their classification as an OIV does not correspond to either the law or the facts of the case. For them, the smartest route is twofold: defend their legal position while strengthening their internal governance. That way, when the final decision is handed down, they will be prepared for any possible scenario.
In short, it is not a matter of being alarmed or improvising. It is a matter of anticipating with discretion: governance, evidence, and coordinated action are today the true signs of maturity in cybersecurity.
Column written by:
Antonio Rubilar | Partner | arubilar@az.cl
Antonia Nudman | Senior Associate az Tech | anudman@az.cl
