New decree establishing the obligation to report cybersecurity incidents by the State Administration

December 20, 2022

The public sector issues a new rule following the repercussions of recent cybersecurity attacks on state agencies


Maria Ignacia Ormeño Sarralde
Associate Attorney
Alessandri Abogados


On December 2, the Ministry of the Interior and Public Security published Decree No. 273-2022 in the Official Gazette, establishing the obligation to report cybersecurity incidents (hereinafter “Decree”).

Given the cyber-attacks suffered by the State in the last year, such as the leaks of the Joint Chiefs of Staff or the hacking of the Judiciary, the public sector has found it necessary to issue this type of regulation. The Government’s 2022-2026 program contemplates the protection of information and cybersecurity through the implementation of a National Cybersecurity Policy.

The Decree establishes that the heads of service of the Ministries and other agencies of the centralized and decentralized State Administration (hereinafter “obligated agencies”) must report cybersecurity incidents affecting them to the Ministry of the Interior and Public Security by notifying the Computer Security Incident Response Center (CSIRT). The notification must be made as soon as the incident is detected, and no later than three hours from the time it becomes known.

The Decree also establishes that the heads of service must require technology service providers to share information on threats and vulnerabilities that may affect the networks, platforms and computer systems of the State administration bodies. In addition, they must be notified about the mitigation measures that serve them together with security policies and practices.

Likewise, in its last article, the Decree establishes the possibility of a preventive search for vulnerabilities by the obligated agencies. To improve the security of the networks and computer systems of their respective institutions, the heads of service can request that the technical teams of the CSIRT review and analyze them. They can also request a preventive search for computer vulnerabilities, provided they grant the necessary facilities for this purpose.

It should be noted that the Decree states that cyber-attacks affecting the integrity of computer systems and/or data will be classified according to the law on computer crimes (Law No. 21,459), which came into force in June of this year.