Cybersecurity regulation in Chile (2026)

ANCI published three general instructions in the final weeks of 2025 clarifying supplementary registration procedures for essential-service providers, the 60-day deadline to appoint a Cybersecurity Delegate for Vital Importance Operators, and mandatory measures to contain incident propagation. They operationalize Law 21.663's compliance requirements across regulated entities.

ANCI's inaugural general instruction imposed a mandatory registration obligation on all entities providing essential services, requiring enrollment in the ANCI incident-reporting platform. It was the first direct private-sector compliance deadline enforceable under the Cybersecurity Framework Law.

The provisions of Law 21.663 governing the designation of Vital Importance Operators (OIVs) — including their specific cybersecurity duties and mandatory incident notification timelines — became enforceable, completing the phased entry into force of Chile's Cybersecurity Framework Law.

Chile's National Cybersecurity Agency (ANCI) formally commenced operations, making Chile the first Latin American country with a dedicated autonomous cybersecurity regulator. General provisions of the Cybersecurity Framework Law simultaneously entered into force, establishing the new regulatory architecture governing public and private sector entities.

Chile enacted its first comprehensive Cybersecurity Framework Law — promulgated March 26 and published April 8, 2024 — creating the ANCI as an autonomous regulator, defining Critical Information Infrastructure and essential services (energy, finance, healthcare, transport, telecoms), mandating incident reporting, and imposing proportional cybersecurity obligations on both public and private sectors.

Decree N°164 published in the Diario Oficial adopted Chile's second National Cybersecurity Policy. Its five strategic axes — resilient infrastructure, digital rights, security culture, international cooperation, and institutional development — replaced the 2017–2022 policy and served as the political blueprint for Law 21.663.

A LockBit Black ransomware campaign propagated through the Poder Judicial's network on September 25, 2022, infecting more than 100 computers. CSIRT issued a critical cybersecurity alert; the Judiciary filed criminal complaints. The high-profile attack on the national court system intensified congressional urgency to pass the pending Cybersecurity Framework Law.

Chile's state-owned BancoEstado was struck by REvil (Sodinokibi) ransomware after a malicious Office attachment was opened by an employee, infecting an estimated 14,000 computers and forcing closure of all 400+ branches. The largest cyberattack on Chilean financial infrastructure to date triggered a Senate inquiry and catalyzed calls for comprehensive cybersecurity legislation.

Chile established the Government Computer Security Incident Response Team (CSIRT) under the Ministry of the Interior, providing the state with a dedicated operational cyber-defense capability for public administration and critical infrastructure. Public agencies were required to report cybersecurity incidents to CSIRT within three hours of confirmation.

The Interministerial Committee on Cybersecurity launched Chile's inaugural National Cybersecurity Policy, establishing five objectives: a free, open, secure, and resilient cyberspace; protection of individuals' rights; a security culture; coordinated incident response; and international engagement. It created the institutional and policy foundations for subsequent legislation.

Chile established the Comité Interministerial sobre Ciberseguridad (CICS), comprising representatives of Interior, Defense, Foreign Affairs, Justice, Economy, Finance, Telecommunications, and the National Intelligence Agency. CICS was mandated to propose a national cybersecurity policy to the President, marking Chile's first formal inter-agency cybersecurity governance structure.

Chile enacted Law 19.223, one of the first computer crimes statutes in Latin America. Its four articles criminalized computer sabotage and computer espionage but covered a narrow range of conduct. The law's inadequacy in addressing modern threats — it went unamended for 29 years — ultimately drove Chile to replace it with Law 21.459 in 2022.