Cybersecurity - Chile

The Agencia Nacional de Ciberseguridad (ANCI) was created by Law 21.663 as a decentralized, technically specialized public body. It commenced operations on January 1, 2025, and holds regulatory, supervisory, standard-setting, and sanctioning powers over both public and private entities in scope.

The law was promulgated March 26, 2024, and published in the Diario Oficial on April 8, 2024. Core obligations for essential service providers applied from January 1, 2025; provisions governing OVI designation, OVI-specific duties, and the sanctions regime entered into force on March 1, 2025.

All in-scope public and private institutions must report significant cybersecurity incidents to the ANCI's National CSIRT within 3 hours of detection, provide a progress update within 72 hours, and submit a final report within 15 days. Reports are filed through the ANCI portal at portal.anci.gob.cl.

The law distinguishes Essential Service Providers (energy, healthcare, transport, banking, telecoms, water/sanitation, IT sectors) from Operators of Vital Importance (OVIs), who face stricter obligations including continuous risk management, security audits, and mandatory participation in national cybersecurity exercises.

On December 17, 2025, ANCI published the final first-group list designating 915 public and private institutions as OVIs across electricity, telecoms, banking/payments, digital services, healthcare, and public administration sectors.

Serious infringements by Essential Service Providers carry fines up to 10,000 UTM (~USD 725,000). For OVIs the ceiling rises to 40,000 UTM (~USD 2.9 million). Repeat or especially grave violations by OVIs can result in temporary suspension of operations.