We invite you to read the column written by our partner Antonio Rubilar and directors Francisco Fuentes (Civil Litigation and Arbitration) and Ivonne Bueno (az Tech), who reflect on the litigations that will arise from the Cybersecurity Framework Law.
One of the most relevant points of the law is the National Cybersecurity Agency’s (ANCI) authority to qualify certain service providers, primarily essential ones, as Operators of Vital Importance (OVI), based on specific criteria.
The recent enactment of the Cybersecurity Framework Law (N°21.663) not only establishes new standards, obligations, and sanctions, but it will also open the door to new litigation in the administrative and judicial realms. Organizations subject to this law should prepare now for potential disputes arising from its implementation.
-
Qualification of Operators of Vital Importance
One of the most significant aspects of the law is the National Cybersecurity Agency’s (ANCI) power to qualify certain service providers, particularly essential ones, as Operators of Vital Importance (OVI) based on specific criteria. This classification is not minor: it imposes greater demands and higher penalties than for traditional essential services, doubling the maximum fines from 20,000 to 40,000 UTM in case of infringement.
This process includes the issuance of a reasoned report by sectorial agencies, the publication and public consultation of a preliminary list of OVIs, and, finally, the resolution. Against this decision, the affected parties may file administrative appeals under Law N°19.880 (reposition, hierarchical, etc.) and an illegality appeal before the Santiago Court of Appeals (ICA) or the one in the claimant’s jurisdiction.
In this case, the service providers will find it particularly important that a “stay of innovation” (ONI) order may be issued by the respective ICA if the ANCI’s final decision classifies the company as an OVI and there are sufficient grounds to challenge it through the resources available under the law. This request serves as an alternative to “freeze” the effects of the ANCI’s decision while it is determined whether the provider is truly of vital importance.
-
Access to Networks and Information Systems
The ANCI also has the power to require access to networks and information systems in cases of significant impact incidents or as part of its supervisory activity. However, private institutions may oppose this access, which will trigger a special procedure before the ICA, where a designated judge will resolve the request after hearing both parties as soon as possible.
If authorization is granted, the affected entity may appeal, and the case will be added preferentially to the next day’s schedule, even if it is a non-working day, demonstrating the urgency the law assigns to these cases. For example, the law grants this same urgency to the knowledge of personal precautionary measures in criminal cases, reaffirming the importance the legislator places on this sensitive matter for service providers.
-
Sanctions
Starting on March 1, 2025, the ANCI will also be able to apply sanctions. Affected parties may file administrative appeals as outlined in Law N°19.880, which must be resolved promptly within 15 days. Additionally, the appellant may file an illegality appeal before the ICA of Santiago or their jurisdiction.
In this case, the Court may order the suspension of the sanction (ONI) if its execution could cause irreparable harm. The Court will then request a report from the Agency, which must be provided within ten working days. The ICA may open evidence gathering as per the rules of incidents, review the case for the possibility of preferential pleadings, and then decide to reject or accept the claim, modify the sanction, annul it, or acquit, as appropriate. Against this decision, an appeal can be filed with the Supreme Court, which will resolve it in full.
New Law, New Litigations
As can be seen, the Cybersecurity Framework Law not only strengthens the information security of critical organizations in Chile but also introduces new challenges in contentious matters, especially for the Court of Appeals and the Supreme Court.
The qualification as an OVI; the authorizations for access to networks and information systems; and the imposition of sanctions will open a new front between companies and the ANCI, which will be primarily handled by our higher courts of justice in administrative proceedings.
In this scenario, cybersecurity will no longer be just a technological and legal issue, but a key field for legal disputes, requiring not only specialized technical and legal advice but also strategic defense in such administrative conflicts, with professionals trained and experienced to face this new and complex regulatory framework.
Another point to consider will be the speed at which the Courts of Appeals and the Supreme Court can address these processes, given their workload and expertise in these matters, where an active role is expected from the Third Chamber of the Supreme Court in creating case law for the application of this law and its most relevant norms.
Column written by:
Antonio Rubilar | Partner | arubilar@az.cl
Francisco Fuentes | Director, Civil Litigation and Arbitration Group | ffuentes@az.cl
Ivonne Bueno | Director, az Tech | ibueno@az.cl
