Law 21,663: what Chile's Cybersecurity Framework Law requires and how to prepare
The Cybersecurity Framework Law is already in effect
Law 21,663 — known as the Cybersecurity Framework Law — was published on April 8, 2024. Its purpose is to establish an institutional and regulatory framework to protect Chile’s critical infrastructure against cyber threats. This is not a future law: it came into effect on January 1, 2025, and incident reporting obligations have been in force since March 1, 2025.
If your company operates in regulated sectors — banking, telecommunications, energy, healthcare, transportation — or if you rely on critical digital infrastructure, this law directly affects you. And unlike previous regulations, this one has an authority with real enforcement and sanctioning powers.
What is ANCI?
Law 21,663 creates the National Cybersecurity Agency (ANCI), an autonomous, technical, and decentralized body. ANCI is the authority responsible for regulating, supervising, and sanctioning cybersecurity matters in Chile.
Its main functions include:
- Issuing technical standards and cybersecurity requirements.
- Overseeing compliance with the law’s obligations.
- Coordinating the response to cybersecurity incidents at the national level.
- Designating Vital Importance Operators (OIV).
- Applying sanctions directly, without the need to go through courts.
Before this law, Chile had no centralized cybersecurity authority. ANCI fills that gap and has broad powers to demand information, conduct audits, and impose fines.
Who must comply?
The law distinguishes two categories of obligated entities:
1. Essential Service Providers (PSE). These are organizations operating in critical sectors defined by the law: banking and financial services, telecommunications, electric energy, water and sanitation, healthcare, transportation, digital services, and government administration. If you operate in any of these sectors, you are a PSE by legal definition.
2. Vital Importance Operators (OIV). These are organizations specifically designated by ANCI, whose interruption or degradation would have a significant impact on national security, the economy, or public services. ANCI will determine the definitive list of OIV before October 30, 2025.
OIV have more demanding obligations than PSE: they must implement certified information security management systems, conduct periodic operational continuity tests, and submit to ANCI audits.
Even if your company is neither a PSE nor an OIV, if you are a technology service provider for any of these organizations, cybersecurity requirements will reach you through contractual obligations. The compliance chain extends downstream.
Main obligations
The law establishes a set of obligations that vary according to the category of the obligated entity. These are the most relevant:
Information Security Management System (ISMS). OIV must implement a certified ISMS, compatible with international standards such as ISO 27001. The ISMS must cover critical asset identification, risk analysis, security controls, incident management, and continuous improvement.
Mandatory incident reporting. This is one of the most demanding obligations of the law. The deadlines are strict:
- Early warning: within 3 hours of detecting a significant incident.
- Initial report: within 72 hours, with a description of the incident, preliminary impact assessment, and measures taken.
- Final report: within 15 days, with a complete root cause analysis, actual impact assessment, and corrective measures implemented.
Operational continuity testing. OIV must conduct periodic tests to verify that their business continuity plans work under cyberattack scenarios. Having a document is not enough: you have to test it.
Duty to report vulnerabilities. If you detect a vulnerability in your systems that could affect third parties or critical infrastructure, you must report it to ANCI. This includes vulnerabilities in third-party software that you are using.
Fines and sanctions
The sanctions under Law 21,663 are significant, and ANCI can apply them directly, without the need to go through courts:
- Minor infractions: fines of 100 to 1,000 UTM (approximately CLP $6.5 million to $65 million).
- Serious infractions: fines of 1,001 to 10,000 UTM (approximately CLP $65 million to $650 million).
- Very serious infractions: fines of 10,001 to 40,000 UTM (approximately CLP $650 million to $2.6 billion).
What constitutes a very serious infraction? Failing to report an incident within the established deadlines, not implementing the required ISMS, or deliberately hindering or obstructing ANCI’s supervisory work. Fines are determined based on the severity of the incident, the size of the organization, its compliance track record, and the mitigation measures adopted.
Relationship with ISO 27001 and NIST
The law does not mandate a specific framework, but it requires the ISMS to be certifiable under internationally recognized standards. In practice, this leaves two main paths:
ISO 27001 is the most widely used standard in Chile and worldwide for information security management. It is certifiable by accredited third parties, has a clear structure (requirements + Annex A controls), and is the most direct path to demonstrate compliance with ANCI.
NIST Cybersecurity Framework (CSF) is the framework developed by the U.S. National Institute of Standards and Technology. It is widely recognized and complements ISO 27001 well, especially in risk identification and incident response. ANCI recognizes it as a valid framework.
The practical recommendation: if your organization has no framework implemented, start with ISO 27001. If you already have NIST CSF, keep it and supplement it with the formal certification requirements that the law demands.
5 steps to prepare your company
Regardless of whether your organization has already been classified as a PSE or OIV, these actions will prepare you for compliance:
Step 1: Determine if you are a PSE or OIV. Review the sectors defined in the law. If you operate in banking, telecommunications, energy, healthcare, transportation, digital services, or government administration, you are a PSE. If ANCI has notified you or your disruption would significantly impact the economy or public services, you could be designated as an OIV. The definitive list will be published before October 30, 2025.
Step 2: Assess your current security maturity. Do an honest assessment: do you have documented security policies? Do you control access? Do you have tested backups? Have you ever done a pentest? Do you have an incident response plan? If the answer to more than two questions is “no” or “I don’t know,” you need to start with the basics.
Step 3: Implement or certify an ISMS. If you are an OIV, certification is mandatory. If you are a PSE, a documented and functional ISMS protects you during inspections. ISO 27001 is the most direct path: define scope, conduct risk analysis, implement controls, document, and certify.
Step 4: Establish incident response protocols. The 3-hour deadline for the early warning, 72 hours for the initial report, and 15 days for the final report are non-negotiable. You need a clear procedure: who detects? Who classifies? Who reports to ANCI? Who communicates internally? Practice it with drills.
Step 5: Train your team and test continuity. Cybersecurity is not just about technology — most incidents involve human error. Train all staff in basic digital hygiene and your technical team in response protocols. Then test: run incident and operational continuity drills at least once a year.
Relationship with Law 21,719 on personal data
Law 21,663 (cybersecurity) and Law 21,719 (personal data protection) are complementary laws, not alternatives. The first protects infrastructure — networks, systems, data in general. The second protects people — their personal data specifically.
If your company handles personal data and also operates in a regulated sector, you need to comply with both laws. In practice, a well-implemented ISMS covers a good portion of the security requirements demanded by Law 21,719, but not all of them: the personal data law has specific requirements regarding consent, ARCO rights, international transfers, and data governance that go beyond cybersecurity.
The advantage of addressing both laws together is that efforts are shared: the asset inventory includes personal data, access controls protect both domains, and incident protocols serve for reporting to both ANCI and the future Data Protection Agency. Do not duplicate work.
Conclusion: cybersecurity is no longer optional
Chile now has a cybersecurity law with real authority, concrete deadlines, and fines that can reach CLP $2.6 billion. ANCI is already operating and the OIV list will be published in October 2025.
Do not wait to be audited before taking action. The cost of preparing is a fraction of the cost of a sanction — not to mention the reputational damage of a mismanaged incident.
If you need to assess your cybersecurity maturity level, implement an ISMS, or establish incident response protocols aligned with Law 21,663, that is exactly what we do. Technical assessment, implementation, and ongoing support — no intermediaries.