Official Gazette Published the Law on Cybersecurity

April 16, 2024

Maria Ignacia Ormeño Sarralde
Associate Attorney
Alessandri Abogados

  • The Law on Cybersecurity creates the National Cybersecurity Agency (the “Agency”), in charge of governing, supervising and sanctioning all public and private organizations that provide essential services, as well as critical operators.
  • It governs essential services and critical operators, establishing obligations aimed at managing risks and reporting breaches, among others.
  • Penalties of up to 40,000 UTM.
  • It will come into force on the date established by the President of the Republic by means of a decree to be issued within one year from the publication of the Law. In no case may the period before entry into force (the vacatio legis) be less than 6 months counted from such publication.
  • It is the first law on cybersecurity in Latin America.

________

Law 21,663 on Cybersecurity was published in the Official Gazette on April 8, 2024.

The Law seeks to establish the institutional framework, principles and general regulations to structure, govern and coordinate the cybersecurity actions of the State Administration bodies and of private parties, and establishes minimum standards for the prevention, containment, resolution of and response to cybersecurity incidents, in addition to establishing the powers, obligations and duties of public and private institutions.

Among the guiding principles to be observed by the obligated parties are responsibility, cooperation with the authority, information security, rationality, coordination, integral protection, security, privacy by default and by design, confidentiality of information systems and damage control.

Scope

The Law shall apply to institutions providing services qualified as essential and to those qualified as critical operators (CO).

Services Qualified as Essential

The following are essential services:

  1. Those provided by the agencies of the State Administration and by the National Electric Coordinator.
  2. Those provided under a public service concession.
  3. Those provided by private institutions that carry out the following activities:
     • Generation, transmission or distribution of electricity.
     • Transportation, storage or distribution of fuels.
     • Supply of drinking water or sanitation.
     • Digital infrastructure.
     • Digital services and information technology services managed by third parties.
     • Land, air, rail or maritime transportation, as well as the operation of their respective infrastructure.
     • Banking, financial services and means of payment.
     • Administration of social security benefits.
     • Postal and courier services.
     • Institutional health care services provided by entities such as hospitals, clinics, medical offices and medical centers, and the production and/or research of pharmaceutical products.
  4. Those that the Agency qualifies as essential by means of a reasoned resolution of the National Director, when their disruption may cause serious damage to the life or physical integrity of the population or to its supply, to relevant sectors of economic activity, to the environment, to the normal functioning of society and/or the State Administration, to national defense, or to security and public order.

Critical Operators

The Agency shall establish, by means of a resolution issued by the National Director in accordance with the CO qualification procedure, which essential service providers are qualified as COs. Additionally, the Agency may qualify as COs those who meet the following requirements:

  • That the provision of such service depends on computer networks and systems; and
  • That the disruption, interception, interruption or destruction of its services would have a significant impact on security and public order, on the continuous and regular provision of essential services, on the effective fulfillment of the functions of the State or, in general, of the services that it must provide or guarantee.

In addition, the Agency may qualify as COs private institutions that, although not essential service providers, meet the requirements indicated above and whose qualification is warranted because they have acquired a critical role in the supply of the population, the distribution of goods or the production of goods that are indispensable or strategic for the country; or because of the degree of exposure of the entity to risks and the probability of cybersecurity incidents, including their severity and the associated social and economic consequences.

In any case, the size of the private institution must always be taken into consideration, especially the characteristics and needs of micro, small and medium-sized companies, as defined in Law No. 20,416, which sets special rules for smaller companies.

Cybersecurity Obligations

Institutions bound by this Law must comply with certain general duties, in addition to the reporting obligation. Those qualified as COs, however, are subject to greater requirements, since they must also comply with the specific duties detailed in the Law.

Regarding the reporting obligations, the Law establishes that all essential service providers and COs shall report to the National CSIRT (Computer Security Incident Response Team) cyber-attacks and cybersecurity incidents that may have significant effects, as soon as possible. An incident has significant effects if it is capable of interrupting the continuity of an essential service or affecting the physical integrity or health of persons, or if it affects computer systems containing personal data. The general reporting scheme is as follows:

  i) Within a maximum period of 3 hours counted from the time they become aware of the occurrence of the cyber-attack or cybersecurity incident that may have significant impacts, an early warning must be sent regarding the occurrence of the event.
  ii) Within 72 hours at the latest, an update of the information referred to in paragraph i), including an initial assessment of the incident, its severity and impact, as well as indicators of compromise, if available.

  However, if the affected institution is a critical operator and its provision of essential services is affected by the incident, the information update shall be provided to the National CSIRT within 24 hours of becoming aware of the incident.

  iii) Within a maximum term of 15 calendar days from the sending of the early warning referred to in paragraph i), a final report.

If the incident is still ongoing when the report referred to in paragraph iii) falls due, that report shall be replaced by a report on the situation at that time, and the final report shall be submitted within 15 calendar days after the incident has been handled.

In particular, the COs shall inform the National CSIRT of their action plan as soon as it has been adopted. The adoption of this action plan shall not be later than 7 calendar days after the occurrence of the incident.

Cybersecurity incident reports must omit any personal data or information, in accordance with the provisions of Law No. 19,628 on Privacy Protection. The specific procedure for reporting a cybersecurity incident, the form of the report, the conditions of anonymity, the taxonomy of the report and its periodicity will be established in a regulation. To assess the severity of the effects of an incident, the Law establishes the following criteria:

  • Number of people affected;
  • Duration of the incident; and
  • Geographical extent with respect to the area affected by the incident.

Violations and Penalties

Violations of the obligations established by the Law for providers of services classified as essential and for critical operators are classified as minor, serious and very serious, and carry different penalties that can reach up to 40,000 UTM in the case of a CO.

In setting the fine, the following shall be taken into consideration:

  • The degree to which the offender adopted the necessary measures to safeguard the computer security of the operations.
  • The probability of occurrence of the incident.
  • The degree of exposure of the offender to the risks.
  • The seriousness of the effects of the attacks, including their social or economic impacts.
  • The repetition of the infringement within 3 years from the time the incident occurred.
  • The size and economic capacity of the offender.

Entry Into Force

The Law empowers the President of the Republic to establish, by means of one or more decrees with the force of law issued within 1 year of the publication of the Law in the Official Gazette, the period for the entry into force of the rules it establishes, which may not be less than six months from such publication.
