CHILE Trends and Developments Contributed by: Nicolás Yáñez Figueroa and Ornella Otárola Tiozzo, EDN Abogados
• illegal access; • illegal interception; • computer-related forgery; • receiving stolen computer data;
This law will apply to institutions classified as provid- ers of essential services (PSE), as well as those clas- sified as operators of vital importance (OVI). The list of entities considered to be PSEs includes, for example, those provided by state administration bodies, those granted under public concession, and those provided by private institutions. The list covers activities essen- tial to the functioning of the country, such as: • electricity generation, transmission or distribution; • transport, storage or distribution of fuels; • drinking water supply or sanitation; • telecommunications; and • banking, financial services and payment systems. In relation to the technology sector, services related to digital infrastructure, digital services and third-party managed information technology were included. As for OVIs, these include services that depend on net- works and computer systems, and whose disruption, interception, interruption or destruction would have a significant impact on public security and order, the continuous and regular provision of essential services, the effective fulfilment of state functions, or, in general, the services that the state must provide or guarantee. In July 2025, the registration process for PSEs was completed, and the ANCI is currently reviewing mar- ket observations regarding the first list of entities preliminarily classified as OVIs. The process of nomi- nating PSEs and OVIs has not been free from contro- versy, raising considerable uncertainty in the market, particularly within the technology sector, given that concepts such as “digital services and third-party managed information technology services” are very broad. This has generated significant confusion for tech companies, as it may encompass both major industry players and small enterprises. Following the PSE registration process, with public consultation carried out by the ANCI, a preliminary list of OVIs was published, which also caused difficul- ties. Some entities were nominated as OVIs, opening an observation process for nominees, with entities striving to be given only the qualification of PSE and thus face less stringent regulation. According to an Executive Summary published by the ANCI, the public consultation process showed differing opinions, both
• computer fraud; and • misuse of devices.
In parallel, to address these new forms of crime, in 2022 the Investigation Police created the National Cybercrime Headquarters, as well as the Digital Forensics Department. From an M&A perspective, considering all these new forms of crime, the due diligence phase should now involve a more exhaustive revision of topics such as: • the security measures in place; • the data map inside the company; • who has access to such information; • confidentiality levels of the employees and advisers within the organisation; and • understanding the key technology activities within the company and how they are protected. That said, it would at least be necessary to review the policies, their scope and effectiveness, especial- ly those relating to data protection and information security, interacting with the data and security officers, and checking all applicable regulations or standards. Cybersecurity In April 2024, Law No 21,663 on the Cybersecurity Framework was enacted, following approximately two years of debate in Congress. This law introduces a new legal framework aimed at strengthening cyber- security in Chile, and establishes new institutions, principles and general regulations to co-ordinate cybersecurity actions by state bodies and certain pri- vate institutions. The emphasis is on the prevention, containment, resolution and response to cyberse- curity incidents, setting minimum requirements and defining the corresponding powers and obligations. The law creates new institutions, including the Chilean National Cybersecurity Agency ( Agencia Nacional de Ciberseguridad , ANCI), and other multisectoral coun- cils or committees and Incident Response Teams. The ANCI will have various powers, including regulatory, supervisory and sanctioning powers.
74 CHAMBERS.COM
Powered by FlippingBook