az Alert | Three key elements of the Draft Framework Law on Cybersecurity and Critical Information Infrastructure

az Tech

October 18, 2022, in the Senate Chamber, the bill that establishes a Framework Law on Cybersecurity and Critical Information Infrastructure (Bulletin No. 14847-06) was approved in general -and unanimously-. It was also set November 11 as the deadline for presenting indications.

The main objective of the initiative is to establish the necessary institutional framework to strengthen cybersecurity, preventive work, the formation of public culture on digital cybersecurity, and to face contingencies in both the public and private sectors.

Below you will find 3 significant elements of the project:

To whom would the Framework Law on Cybersecurity and Critical Information Infrastructure apply?

Bodies of the State Administration.
State bodies, such as municipalities, autonomous fiscal entities; State companies or those in which the Treasury is involved through capital contributions.
Private institutions that own Critical Information Infrastructure, where we find companies in the energy, banking or telecommunications sectors.

What are the factors to be considered in order to determine whether a sector or institution has critical infrastructure?

The critical information infrastructure is defined as the facilities, networks, systems, platforms, services and physical information technology equipment whose affectation, degradation, denial of service, interception, interruption or destruction may have a significant impact on national security, on the provision of essential services, on the effective fulfillment of the State’s functions, and in general, on the services that the State must provide or guarantee. Based on the above, every two years, the infrastructure of sectors or institutions may be qualified as critical considering the following factors:

Impact of a possible interruption or malfunction of the components of the information infrastructure. This must be evaluated under certain criteria.
Capacity of the affected computer system, network or infrastructure to be replaced or repaired in a short period of time.
Potential financial losses due to failures or absence of service at national or regional level associated with the gross domestic product (GDP).
Relevant impact on the functioning of the State and its organs.

What are the obligations of institutions with information infrastructure classified as critical?

Permanently apply technological, organizational, physical and information security measures necessary to prevent, report and resolve cybersecurity incidents, manage risks, as well as contain and mitigate the impact on operational continuity, confidentiality and integrity of the service provided.
Implement a permanent risk management system.
Maintain a record of the executed actions that make up the risk management system.
Develop and implement operational continuity and cybersecurity plans. These must be updated periodically, at least once a year.
Continuously carry out review operations, exercises, drills and analysis of networks, computer systems, platforms.
Adopt the necessary measures to reduce the impact and propagation of a cybersecurity incident.
Have the certifications of the management systems and processes that are determined.

The bill will now begin its discussion in particular, and government representatives have made clear their objective of introducing improvements and streamlining the governance model, which considers the creation of the National Cybersecurity Agency. The main purpose of the Agency would be to advise the President of the Republic in these matters, as well as to actively collaborate in safeguarding national interests in cyberspace.

At az we are always monitoring legislative advances with the aim of informing and raising awareness of the importance of preventing contingencies and mitigating risks associated with this type of threat. We believe that the approval of a Framework Law on Cybersecurity is a great step forward for our country as it would provide legal certainty in the face of threats that are becoming more and more commonplace for everyone.

For more information on these topics, please contact our az Tech team:

Eugenio Gormáz | Partner | egormaz@az.cl

Gonzalo Navarro | Director az Tech | gnavarro@az.cl

Antonia Nudman | Associate IP, Tech and Data | anudman@az.cl

Natalia González | Associate IP, Tech and Data | ngonzalez@az.cl

Constanza Pasarin | Associate IP, Tech and Data | cpasarin@az.cl

Te podría interesar

Can an employee be dismissed for acts committed outside the work environment and working hours?

Can an employee be dismissed for acts committed outside the work environment and working hours?

Sep 26, 2023 | az Alert (eng)

The Superior Court of Justice considered it possible to extend the liability of worke The case we are discussing in this opportunity is related to the dismissal, for disciplinary reasons, of an employee who left his workplace and went to a nearby bar, where he...

Economic Crimes Act | Implications of the abusive agreement

Economic Crimes Act | Implications of the abusive agreement

Sep 22, 2023 | az Alert (eng)

The law penalizes those who, in their majority position on the board of directors of a corporation, adopt an abusive agreement to benefit themselves without the agreement bringing a benefit to the corporation. With the entry into force of the Economic Crimes Law, a...

Intellectual property dispute | The New York Times prohibits OpenAI from using its content.

Intellectual property dispute | The New York Times prohibits OpenAI from using its content.

Sep 1, 2023 | az Alert (eng)

While AI can be an incredible tool for streamlining various procedures and tasks, care must be taken to ensure that it does not constitute an infringement of intellectual property. The boom in the use of Artificial Intelligence (AI) technologies is a complex issue...