In response to rising cyber threats and growing global pressure for regulatory modernization, Chile enacted Cybersecurity Framework Law No. 21.663 to prioritize cybersecurity as an important part of national security, economic stability, and public safety. This landmark legislation introduces a comprehensive national framework aimed at strengthening cybersecurity, improving incident response, and enhancing the protection of critical infrastructure and digital systems. Here’s what businesses and institutions need to know.
Law No. 21.663 was enacted on April 8, 2024, and it went into effect on January 1, 2025. However, the following articles went into force on March 1, 2025:
- Article 5: Classification by ANCI of Operators of Vital Importance.
- Article 8: Specific Duties of Operators of Vital Importance.
- Article 9: The obligation to report cybersecurity attacks and incidents that may have significant effects on the National CSIRT.
Understanding Law No. 21.663
Law No. 21.663 mandates specific obligations for both public and private entities, particularly those designated as Operators of Vital Importance (OVIs), to implement robust cybersecurity measures.
Some of the most notable aspects of Law No. 21.663 include:
- Establishing the National Cybersecurity Agency (Agencia Nacional de Ciberseguridad, ANCI) to oversee cybersecurity policies and regulations. ANCI is responsible for overseeing incident reporting, setting compliance standards, and coordinating national responses to cyber threats.
- Defining the roles and responsibilities of public and private entities in cybersecurity management.
- Mandating the implementation of Information Security Management Systems (ISMS) aligned with international standards.
- Requiring the timely reporting of cybersecurity incidents to the National Computer Security Incident Response Team (CSIRT).
- Enforcing compliance through audits and imposing penalties for non-compliance.
Practical Steps for Compliance
1. Implement an Information Security Management System (ISMS)
Organizations must establish an ISMS that aligns with international standards such as ISO/IEC 27001. This involves:
- Identifying and classifying information assets.
- Assessing risks and implementing appropriate controls.
- Establishing policies and procedures for information security.
- Conducting regular audits and reviews.
BigID’s Impact: BigID’s advanced data discovery and classification of data across cloud, SaaS, on-prem, and hybrid environments enables organizations to assess risk and apply policy-driven controls for privacy, security, and compliance across the entire data landscape.
2. Designate a Cybersecurity Officer
Entities are required to appoint a dedicated cybersecurity officer responsible for overseeing cybersecurity strategies and compliance.
BigID’s Impact: BigID provides dashboards and reporting that empower cybersecurity officers and security teams with actionable insights into data security posture, aiding in informed decision-making, streamlined operations, risk reduction, and compliance tracking.
3. Conduct Regular Risk Assessments
Regular risk assessments are crucial to identify vulnerabilities and implement mitigating controls.
BigID’s Impact: BigID’s data risk assessments provide complete data risk visibility across the cloud and on-prem, enabling actionable insight into your most critical risks and vulnerabilities, helping organizations prioritize remediation efforts based on risk levels.
4. Report Cybersecurity Incidents Promptly
Law No. 21.663 mandates the reporting of significant cybersecurity incidents to the National CSIRT within 72 hours of becoming aware of the data breach.
BigID’s Impact: BigID’s incident response capabilities include data breach detection and impact analysis, streamlining the reporting process, and ensuring timely communication with authorities.
5. Train Employees on Cybersecurity Practices
Employee awareness and training programs are essential to fostering a cybersecurity culture through education and good practices within the organization.
BigID’s Impact: BigID aids employee cybersecurity training by identifying where sensitive data is most at risk, providing a clear understanding of the data security landscape, and allowing organizations to tailor training programs that address specific vulnerabilities and reinforce best practices.
How BigID Can Help Comply with Chile’s Cybersecurity Framework Law
Navigating the demands of Law No. 21.663 requires deep data visibility, proactive risk management, and automated compliance capabilities—core strengths of BigID.
BigID is the industry-leading provider for data security, compliance, privacy, and AI data management built to align with Chiles’ cybersecurity law requirements, enabling organizations to manage data risks effectively and maintain regulatory compliance.
With BigID’s holistic, data-centric, risk-aware approach to cybersecurity, organizations can better align with Chile’s Cybersecurity Framework Law with a structured approach to information security management, incident response, and compliance monitoring capable of withstanding modern threats.
Request a demo to see how BigID can help you implement cost-efficient data security to comply with Chile’s cybersecurity law.
Author
