Law No. 21.663: Framework Law on Cybersecurity


Last Monday, April 8, Law No. 21.663, Framework Law on Cybersecurity and Critical Information Infrastructure (hereinafter, the “Law”), was published in our country. The Law aims to define the fundamental principles and essential structures for safeguarding the rights of individuals in the digital environment.

What is Cybersecurity?

The Law defines cybersecurity as the preservation of the confidentiality and integrity of information and of the availability and resilience of computer networks and systems, with the objective of protecting individuals, society, organizations or nations from cybersecurity incidents.

This definition in turn relies on four key concepts, which the Law defines as follows:

  1. Confidentiality: the property that information is not accessed by, or delivered to, unauthorized individuals, entities or processes.
  2. Integrity: the property that information has not been modified or destroyed without authorization.
  3. Availability: the property that information is available and usable when required by an authorized individual, entity or process.
  4. Resilience: the ability of computer networks and systems to continue operating after a cybersecurity incident, even in a degraded, weakened or segmented state, and the ability of computer networks and systems to recover their functions after a cybersecurity incident.

Scope of application of the Law

The Law applies to institutions that provide services qualified as essential and to those that are qualified as operators of vital importance.

Essential services are those that are (i) provided by the State Administration Bodies and by the National Electric Coordinator; (ii) provided under a public service concession; and, (iii) provided by private institutions that carry out the following activities:

  • Generation, transmission or distribution of electricity;
  • Transportation, storage or distribution of fuels;
  • Drinking water supply or sanitation;
  • Telecommunications;
  • Digital infrastructure;
  • Digital services, information technology services managed by third parties;
  • Land, air, rail or maritime transportation, as well as the operation of their respective infrastructure;
  • Banking, financial services and means of payment;
  • Administration of social security benefits;
  • Postal and courier services;
  • Institutional health care provided by entities such as hospitals, clinics, doctor’s offices and medical centers;
  • Production and/or research of pharmaceutical products, and
  • Other services qualified as essential by the National Cybersecurity Agency (hereinafter, the “ANCI”).

ANCI will determine which providers of essential services qualify as operators of vital importance, based on two requirements: (i) that the provision of the service depends on computer networks and systems; and (ii) that the impairment, interception, interruption or destruction of its services would have a significant impact on security and public order; on the continuous and regular provision of essential services; on the effective fulfillment of the functions of the State; or, in general, on the services that the State must provide or guarantee.

Likewise, ANCI may qualify as operators of vital importance private institutions that, in addition to meeting the requirements already indicated, (i) fulfill a critical role in supplying the population, in distributing goods, or in producing goods that are indispensable or strategic for the country; or (ii) warrant it due to the entity’s degree of exposure to risk and the probability of cybersecurity incidents, including their severity and the associated social and economic consequences.

ANCI shall review and update the qualification of operators of vital importance every 3 years.

Duties

  • Duty to implement the protocols and standards established by ANCI, as well as the particular cybersecurity standards issued in accordance with the respective sectoral regulation.
  • Duty to report to the National CSIRT cyber-attacks and cybersecurity incidents that may have significant effects, within a maximum of 3 hours of becoming aware of their occurrence.
    • This report must be updated within 24 hours in the case of operators of vital importance, and within 72 hours in other cases.
    • Finally, a final report must be submitted within 15 days of the initial report.
    • “Significant effects” shall be understood as those indicated in Article 27 of the Law.
  • Specific duties of operators of vital importance:
    • Implement an ongoing information security management system;
    • Maintain a record of the actions executed;
    • Develop and maintain business continuity and cybersecurity plans, which must be certified and subject to periodic review;
    • Continuously perform review operations, exercises, drills, simulations and analysis of networks and computer systems;
    • Adopt, in a timely and expeditious manner, measures to reduce the impact and spread of security incidents;
    • Inform those potentially affected about the occurrence of incidents or cyber-attacks that could seriously compromise their information or their computer networks and systems;
    • Maintain training, education and continuing education programs for their employees; and
    • Appoint a cybersecurity officer.

New institutional framework

The Law creates a governance model that promotes risk management and the implementation of cybersecurity standards through a public-private collaboration system, and provides for the creation of the following entities:

  1. National Cybersecurity Agency (ANCI), whose purpose is to (i) advise the President of the Republic on cybersecurity matters, (ii) collaborate in the protection of national interests in cyberspace, (iii) coordinate the actions of the institutions with competence in cybersecurity matters, (iv) ensure the protection, promotion and respect of the right to information security, and (v) coordinate and supervise the actions of the State Administration agencies in cybersecurity matters.

     To meet these objectives, ANCI will have a series of powers, including: (i) to issue protocols, standards and general and specific instructions of a mandatory nature; (ii) to apply and administratively interpret the legal and regulatory provisions on cybersecurity; (iii) to oversee compliance with the Law; (iv) to request information from the entities to which the Law applies; and (v) to initiate disciplinary proceedings and sanction violations and non-compliance by the obligated parties.

  2. Multisectoral Council on Cybersecurity (Council), whose objective will be to advise and make recommendations to ANCI in the analysis and periodic review of the country’s cybersecurity situation and in the study of existing and potential threats in the field of cybersecurity, and to propose measures to address them.
  3. State Secure Connectivity Network (RCSE), which will provide interconnection and Internet connectivity services to State Administration agencies.
  4. Computer Security Incident Response Teams (CSIRT), which will aim to prevent, detect, manage and respond to cybersecurity incidents quickly and effectively. These include the National Computer Security Incident Response Team (National CSIRT), the National Defense Computer Security Incident Response Team (National Defense CSIRT) and the other CSIRTs belonging to State Administration agencies.
  5. Interministerial Committee on Cybersecurity, whose purpose is to advise the President of the Republic on cybersecurity matters relevant to the functioning of the country.

Sanctions

The Law classifies violations as minor (with fines of up to 5,000 UTM), serious (with fines of up to 10,000 UTM) and very serious (with fines of up to 20,000 UTM).

In the case of an operator of vital importance, the fines may be up to double the amounts indicated above, reaching 40,000 UTM.

Validity

From the date of publication of the Law, the President of the Republic shall have a term of 1 year to issue one or more Decrees with Force of Law determining the period for the entry into force of the provisions of the Law, which may not be less than 6 months from its publication.

For any question related to this topic, please contact Javier Edwards.
