Chile: Enactment of the Framework Law on Cybersecurity and Critical Information Infrastructure

Manuel Bernet, Jorge Tisné

Bofill Mir, Chile - On March 26, 2024, the President of the Republic enacted the Framework Law on Cybersecurity and Critical Information Infrastructure. Therefore, it remains pending for the law to be published in the Official Gazette. The law establishes several changes and novelties in the area of cybersecurity.

The following are some of the most important elements.

I. Objective and principles

The objective of the law is to establish the institutional framework, principles and general regulations that allow structuring, regulating and coordinating the cybersecurity actions of the State agencies and between them and individuals. It also establishes the minimum requirements for the prevention, containment, resolution and response to cybersecurity incidents, as well as the duties of the obligated institutions, the control, supervision, responsibility and sanction mechanisms, among others. The law lists a series of principles and duties that must be complied with by the obligated entities.

The principles set forth in the law are: (i) damage control; (ii) cooperation with the authority; (iii) coordination; (iv) security in cyberspace; (v) responsible response; (vi) computer security; (vii) rationality; and (viii) security and privacy by default and by design. 

II. Obligated Parties

The law will apply to institutions that the new National Cybersecurity Agency qualifies as "Essential Services" and to those qualified as "Operators of Vital Importance". Essential Services are:

- Those provided by the agencies of the State Administration and by the National Electric Coordinator;
- Those provided under a public service concession;
- Those provided by private institutions that carry out activities of generation, transmission or distribution of electricity; transportation, storage or distribution of fuels; supply of drinking water or sanitation; telecommunications; digital infrastructure; digital services, information technology services managed by third parties; land, air, rail or maritime transportation, as well as the operation of their respective infrastructure; banking, financial services and means of payment; administration of social security benefits; postal and courier services; institutional provision of health by entities such as hospitals, clinics, medical offices and medical centers; and the production and/or research of pharmaceutical products. 

Operators of Vital Importance ("OIV") are those who meet the following requirements:

- That the provision of such service depends on computer networks and systems; and,
- That the affectation, interception, interruption or destruction of their services have a significant impact on security and public order; on the continuous and regular provision of essential services; on the effective fulfillment of the State’s functions; or, in general, of the services that the State must provide or guarantee.
- In addition, the Agency may qualify as OIV to private institutions that meet the 2 previous requirements and that fulfill a critical role in the supply of the population, the distribution of goods or the production of those indispensable or strategic for the country; or by the degree of exposure of the entity to risks and the probability of cybersecurity incidents, including their severity and the associated social and economic consequences.

III. Duties

Institutions bound by the law shall permanently implement measures to prevent, report and resolve cybersecurity incidents. Among the most relevant obligations of the OIVs are:

- Implement a continuous information security management system in order to determine those risks that may affect the security of networks, computer systems and data, and the operational continuity of the service.
- Maintain a record of the executed actions that make up the information security management system, in accordance with the regulations. - Elaborate and implement operational continuity and cybersecurity plans.
- To inform those potentially affected, to the extent that they can be identified and when so required by the Agency, about the occurrence of incidents or cyber-attacks that could seriously compromise their information or networks and computer systems, especially when they involve personal data and there is no other legal provision that requires its notification.
- Designate a cybersecurity delegate. In addition, all institutions regulated by law must report within 3 hours to the National CSIRT cyber-attacks and cybersecurity incidents that may have significant effects under the terms provided by law.

IV. New Institutionality

The law creates a new institutional framework dedicated to the protection and promotion of cybersecurity in the country. This institutional framework will be mainly formed by:

- National Cybersecurity Agency,
- Multisectoral Council on Cybersecurity,
- Interministerial Committee on Cybersecurity,
- National Computer Security Incident Response Team (CSIRT),
- National Defense CSIRT.

V. National Cybersecurity Agency

The purpose of this Agency will be to advise the President of the Republic in matters related to cybersecurity, to collaborate in the protection of national interests in cyberspace, to coordinate the actions of institutions with competence in cybersecurity, to ensure the protection, promotion and respect of the right to computer security, to coordinate and supervise the actions of the State Administration bodies in matters of cybersecurity. This new Agency will be endowed with several attributions, among which the following stand out:

(i) To apply and administratively interpret the legal and regulatory provisions on cybersecurity;
(ii) Create and manage a National Registry of Cybersecurity Incidents;
(iii) oversee compliance with the law;
(iv) instruct the initiation of sanctioning procedures and sanction infringements and non-compliance by the obligated parties.

VI. Infringements and penalties

The law classifies the different infractions as minor, serious and very serious for all regulated institutions. Specific sanctions are also established for OIV. Violations of the law will result in the imposition of the following fines:

- Minor infractions: fine of up to 5,000 UTM;
- Serious infringements: Fine of up to 10,000 UTM; and
- Very serious infringements: Fine of up to 20,000 UTM.

Fines may be doubled in the case of an Operator of Vital Importance, and may reach 40,000 UTM.

The fine will be set taking into consideration the degree to which the offender adopted the necessary measures to safeguard the IT security of the operations, the probability of occurrence of the incident, the degree of exposure of the offender to the risks, the seriousness of the effects of the attacks including their social or economic repercussions, the repetition of the infraction within a period of 3 years from the time the incident occurred, the size and economic capacity of the offender.

VII. Entry into force of the law

Once the law is published in the Official Gazette, the President of the Republic must issue decrees with force of law within one year to implement the new regulations, including the term for the start of activities of the new Agency and determine a period for the effectiveness of the law, which may not be less than six months from its publication.

BofillMir.cl

Authors:

Manuel Bernet - Partner - IP, data and technology.
Jorge Tisné - Senior Associate - IP, Data & Technology