CHILE Law and Practice Contributed by: Claudio Magliona, Bárbara Reyes and Diego Lisoni, Magliona Abogados
them and private entities. It also sets out the minimum requirements for the prevention, con - tainment and response to cybersecurity inci - dents. This law defines essential services and the procedure for qualifying among these essen - tial service providers the operators of vital impor - tance, who will be subject to stricter obligations. The law also creates the ANCI, a decentral - ised public service responsible for advising the President on cybersecurity issues, co-ordinating competent institutions, and ensuring the protec - tion of the right to computer security. The ANCI has the power to issue mandatory protocols and standards for public and private institutions. In addition, the Cybersecurity Framework Law creates the National Computer Security Incident Response Team ( CSIRT Nacional ) within ANCI. This team is responsible for responding to sig - nificant cyber-attacks and co-ordinating other CSIRTs. As of 1 January 2025, the Law and the ANCI came into force. Thus, the Agency can start exercising its regulatory powers, for example by issuing general instructions. In addition, it will have to set up and manage the National Incident Register and will also be able to set the stand - ards to be met by institutions providing goods or services to the state, as well as cybersecurity standards and duties to inform the public about the security risks of digital devices available to end consumers. The Regulation on Notifica - tion of Cybersecurity Incidents with Significant Effects is already in force, and the Agency has enabled a web portal and APIs for both essential service providers and operators of vital impor - tance to make reports to the National CSIRT. The first qualification process for Operators of Vital Importance is expected to be finalised dur -
ing Q3 2025. This regulatory framework also includes other relevant regulations, such as the rules on the (i) Functioning of the Secure Con - nectivity State Network and Special Obligations of State Administration Bodies; (ii) Registry of Cybersecurity Standards Certification Entities; (iii) Functioning of the Interministerial Cyberse - curity Committee; and (iv) one that establishes rules for the functioning of the Multisectoral Cybersecurity Council. The Computer Crimes Law The Computer Crimes Law No 21,459 establish - es rules on computer crimes and their penalties. This law seeks to adapt Chilean legislation to the Budapest Convention. Some of the crimes it typifies are: • attack on the integrity of a computer system; • unlawful interception; • computer forgery; • handling of illegally obtained computer data; • computer fraud; • illicit disposition of devices or programs to commit computer crimes. Regarding the crime of illegal access – ie, access - ing a computer system without authorisation, the penalties are increased if the access is made with the intention of seizing or using information, or if the illegally obtained information is disclosed. However, there is an exemption from criminal sanctions for those who access a computer sys - tem in a responsible manner (ethical hacking), fulfilling certain requirements such as registration with the ANCI, prior notification of the access to the Agency and communication of the vulnerabili - ties to the system operator and the Agency.
75
CHAMBERS.COM
Powered by FlippingBook