The Incident Reporting Regulation of Cybersecurity Law No. 21.663 is approved.
On March 1, the pending provisions of the Framework Cybersecurity Law, as stipulated by DFL No. 1-21.663, came into effect, marking the full implementation of the new regulation.
These guidelines correspond to Articles 5, 8, 9, and Title VII of the same regulation, which include the following:
- Provisions regarding the classification of vital operators by the National Cybersecurity Agency (ANCI).
- Specific duties of vital operators.
- The duty to report cyberattacks and cybersecurity incidents that may have significant effects to the National CSIRT (Computer Security Incident Response Team).
- Violations and sanctions outlined in the law, which include fines of up to 20,000 UTM for serious violations, which could rise to 40,000 UTM for vital operators.
Additionally, in the Official Gazette, Decree No. 295 from the Ministry of the Interior and Public Security was published, approving the Incident Reporting Regulation for Cybersecurity Law No. 21.663. Key points of the regulation include:
1. Reporting Obligation: Institutions providing essential services or those classified as vital operators must notify the National CSIRT of the ANCI about cyberattacks and cybersecurity incidents (Art. 2).
2. Significant Incident: An incident is considered significant when:
   - It disrupts the continuity of an essential service (Art. 3, letter a).
   - It affects the physical integrity or health of individuals (Art. 3, letter b).
   - It compromises the confidentiality of personal data (Art. 3, letter e).
   - It involves unauthorized access to networks or information systems (Art. 3, letter d).
3. Reporting Deadlines:
   - Early alert: Within 3 hours from the detection of the incident (Art. 9).
   - Second report: Within 72 hours (or 24 hours if it affects essential services) (Art. 10).
   - Action plan: Within 7 days, detailing mitigation and recovery measures (Art. 11).
   - Final report: Within 15 days, consolidating analysis and impact (Art. 12).
4. Content of the Report:
   - Identification of the affected institution (Art. 5, letter a).
   - Date and evidence of the incident (Art. 5, letters c and d).
   - Impact on other institutions and affected assets (Art. 5, letters e and g), among others.
5. ANCI 24/7 Reporting Platform:
   - The National Cybersecurity Agency will provide a technological system (platform) operational year-round to receive and manage reports (Art. 8).
   - The platform will allow incident reports from obligated entities to be communicated simultaneously to other sectorial authorities when there is a duty to notify more than one authority.
6. Data Protection: Reports should not include personal data, unless exceptions established in the regulation apply (Art. 6).
For more information on how the Framework Cybersecurity Law and Incident Reporting Regulation function, please contact:
Rodrigo Albagli | Partner | ralbagli@az.cl
Eugenio Gormáz | Partner | egormaz@az.cl
Ivonne Bueno | Director az Tech | ibueno@az.cl
Yoab Bitran | Director Compliance Group | ybitran@az.cl
Antonia Nudman | Senior Associate | anudman@az.cl
Join our multimedia platform to receive the latest legal news, events, podcasts and webinars.