On 16 September 2025, the Chilean Cybersecurity Agency (Agencia Nacional de Ciberseguridad, ‘ANCI’) launched a public consultation on its provisional list of companies that may be classified as ‘operators of vital importance’ (Operadores de Importancia Vital, ‘OVI’) under the recently enacted Chilean Cybersecurity Law (Ley Marco de Ciberseguridad No. 21.663, ‘LMC’). This list (available online) reveals that nearly 1,700 companies active in various sectors could qualify as OVIs. The consultation will remain open for 30 days and offers an opportunity for stakeholders and the public to provide feedback on the preliminary list of OVIs, which may ultimately be subject to the LMC’s most stringent cybersecurity requirements. This public consultation, explicitly mandated by the LMC, aims to uphold one of its newly established guiding principles—the principle of rationality (Principio de Racionalidad)—which requires the ANCI to consider market realities and the level of exposure to cybersecurity risks. This entails active collaboration with the various stakeholders within Chile’s cybersecurity ecosystem, including when determining which companies and public sector bodies should be designated as OVIs.
Once the 30-day period has passed and feedback from other Chilean regulators has been received, the authority will officially publish the list of companies required to comply with cybersecurity obligations under the ‘OVI’ designation. Companies that disagree with their designation as OVIs by the ANCI have the legally guaranteed right to challenge this decision before the competent Chilean courts.
The LMC was adopted in April 2024 and became fully applicable in March 2025. It introduces stringent cybersecurity obligations for companies deemed to provide services of particular importance in Chile. The LMC imposes specific cybersecurity requirements on entities that qualify as:
– Providers of services viewed as ‘essential’ in Chile (Prestadores de Servicios Esenciales, ‘PSE’), which include companies operating in critical sectors such as electricity, telecommunications, digital infrastructure, digital services and IT, finance and payment systems, healthcare, and pharmaceutical manufacturing; and
– OVIs, which include PSEs that, in addition, meet the following requirements:
  – The provision of their essential services depends on computer networks and services; and
  – The disruption, interception, interruption, or destruction of their services has a significant impact on public safety and order, the continuous and regular provision of essential services, or, more generally, on the effective fulfilment of state functions.
Both PSEs and OVIs are required to implement and maintain technical and organizational measures—based on and aligned with protocols and standards established by the ANCI—to prevent, report, and address cybersecurity incidents. When an incident is deemed to have ‘significant effects’ (i.e., when it can interrupt the continuity of essential services or compromise the physical integrity or health of individuals, including through impacts on computer systems that store personal data), notification requirements are particularly stringent, and require that companies in scope of the law file with the Chilean Computer Security Incident Response Team (Equipo de Respuesta a Incidentes de Seguridad Informática, ‘CSIRT’):
– A preliminary notification of the incident within three hours of becoming aware of its occurrence;
– An update to the preliminary report—providing an initial assessment of the incident, its severity and impact, and indicators of what has been compromised—within a maximum period of 72 hours for PSEs and within 24 hours for OVIs whose essential services are affected; and
– A final report within fifteen days of the initial notification, which includes at a minimum a detailed description of the incident (including its severity and impact), the type of threat or root cause, the mitigation measures implemented, and an assessment of any cross-border repercussions.
The LMC also introduces new guiding principles that companies subject to its provisions must consistently uphold, including the principle of security and privacy by design and by default (Principio de Seguridad y Privacidad por Defecto y Desde el Diseño) which requires companies in Chile to ensure that security and the protection of personal data are considered from the earliest stages of designing computer systems, applications and IT solutions.
Companies designated as OVIs by the Chilean authority will also be required, among other things, to:
– Implement a robust information security management system (Sistema de Gestión de Seguridad de la Información Continuo, ‘SGSI’) to identify risks that may affect the security of networks, computer systems, and data, as well as the operational continuity of services;
– Maintain a detailed record of all actions taken for the purposes of the SGSI;
– Develop and implement operational continuity and cybersecurity plans, which must be certified and reviewed periodically by the ANCI, at least every two years;
– Take timely and effective measures to mitigate the impact and spread of cybersecurity incidents;
– Obtain necessary certifications in accordance with the standards established by the ANCI;
– When required by the ANCI, inform potentially affected parties of any incidents or cyberattacks that could seriously compromise their information or IT systems—especially where personal data is involved;
– Ensure the implementation of training, education, and continuous cybersecurity learning programs for employees; and
– Appoint a cybersecurity delegate (Delegado de Ciberseguridad), who will serve as a liaison with the ANCI.
Failure to comply with the various legal obligations of the LMC may result in financial penalties imposed by competent local sectoral authorities, depending on the severity of the violation—classified as minor, serious, or very serious.
Pending final confirmation of entities preliminarily qualified by the ANCI as OVIs, companies operating in Chile are well advised to assess whether they fall within the scope of the LMC and to identify the cybersecurity obligations they may be required to fulfil.