
Cyber threats aren’t confined by national borders; they cross them in milliseconds, exploiting gaps in governance, visibility, and readiness. As the global cost of digital failure surges, so does the urgency to confront what can no longer be delegated or denied. In Latin America, one country is stepping out in front.
Chile isn’t sitting around waiting for disaster to strike; it’s building a legal firewall. Recent cybersecurity reforms position Chile as a regional pace-setter, architecting for digital resilience with an approach that is grounded, forward-looking, and uncompromising where it counts.
For multinational organizations, navigating Chile’s cybersecurity regime is non-negotiable because cybersecurity isn’t a technical concern alone; it involves sovereignty, systemic risk, and operational survival. And in Chile, it’s now the law, too.
The Law Takes Shape
Chile has drawn a line in the digital sand. After years of strategic intent and institutional buildup, Law No. 21.663, known as the Framework Law on Cybersecurity and Critical Information Infrastructure, took full effect in January 2025.
This is the spine of Chile’s cybersecurity regime. Around it, other instruments take shape:
Law 21.459: Modernizes computer crime laws and introduces protections for ethical hacking, provided it’s registered.
Law 19.628 (current) and Law 21.719 (pending): Form the twin pillars of Chile’s evolving data protection laws.
DS No. 295 (March 2025): Lays down incident reporting rules that are precise, urgent, and unforgiving.
Together, these form Chile’s digital armor. They are functional and designed to absorb shock and limit fallout.
Who Must Comply
The scope is wide: it covers Essential Services (utilities, transport, finance, health, communications) and Operators of Vital Importance (OVIs). These entities are the lifelines of Chilean society. The law assigns responsibilities:
Establish an Information Security Management System (ISMS).
Appoint a Cybersecurity Delegate.
Conduct regular risk assessments.
Maintain business continuity plans.
Train employees. Then train them again.
And when something breaks? The clock starts ticking. Three hours for early alerts, 72 hours for incident reports, and 15 days for final analysis.
For those who miss a deadline or fail to act, the fines run high, up to 40,000 UTM, a figure that makes non-compliance expensive.
Who Are the Watchdogs?
Oversight comes with structure. Chile has built an ecosystem to monitor, coordinate, and enforce.
At its core is the National Agency for Cybersecurity (ANCI), born from Law 21.663. It is independent, technical, and centralized. Its job moves beyond advising to acting.
It audits and investigates; it certifies and sanctions; and it defines which systems are critical, which operators count as vital, and what “secure” truly means.
Supporting it is a web of institutions:
The National CSIRT, Chile’s tactical incident response unit.
The Interministerial Committee on Cybersecurity, which sets top-level policy.
The Multisectoral Committee, a forum for coordination across domains and industries.
Each with a part to play, and each with teeth.
Signals from 2024–2025
Chile’s National Cybersecurity Policy 2023–2028 is a signal of intent. Its five pillars (governance, resilience, capacity, cooperation, and rights) are structured, measured, and time-bound.
This shows that as the country legislates, it’s maturing. It’s aligning sectors, arming its agencies, and bringing cybersecurity to the heart of statecraft. Laws are being passed, and more importantly, they are being operationalized.
And the signal, loud and clear, is being received. Banks, telcos, ISPs, and energy firms have all begun the hard slog of updating systems, mapping risk, and drilling scenarios because waiting is no longer an option.
How Chile Aligns with the World
Chile doesn’t regulate in isolation. It borrows best practices and tailors them to fit. Think of the EU’s GDPR, but with a Chilean flavor. Think NIST risk frameworks applied in Santiago. Think ISO 27001 translated into local controls.
Once enacted, the country’s data protection bill (Law 21.719) will introduce breach notification, privacy by design, and a new Personal Data Protection Agency. These echo European standards but reflect Chile’s distinct constitutional context.
In short, Chile is not replicating the global model. It’s interpreting it.
What Businesses Must Do
If your company touches Chile, by market, by service, or by data, you need to move. Here's how:
Map Your Exposure: Are you classified as essential or an OVI? If not yet, you may be soon. ANCI holds the pen.
Build Defenses Before They're Demanded: Establish an ISMS. Test it. Document everything.
Know the Timelines: Three hours is not a lot. Make sure incident response teams know who needs to call whom, what must be reported, and how.
Follow the Law, Not Just the Spirit: Registration matters, particularly if you perform pen tests. Chile has room for ethical hackers, but only those in the registry.
Watch the Data Frontier: With Law 21.719, data privacy moves from policy to obligation. Consent, transparency, and breach reporting will be codified.
Engage Locally: Monitor ANCI guidance. Build relationships with sectoral CSIRTs. Compliance is cultural as much as it is technical.
Resilience Before Regulation
Chile is building a framework to prevent future disasters. The legislation is young, but the intent is firm. This is cybersecurity as a foundation.
For global firms, this is the cue. Start now. Don’t wait for enforcement letters or missed deadlines. Because yes, all businesses want to keep regulators happy, but they want to stay in business more.
In Chile, compliance is no longer a checkbox exercise; it’s a readiness test, and only those who prepare will pass.