CHILE Law and Practice Contributed by: Claudio Magliona, Bárbara Reyes and Diego Lisoni, Magliona Abogados
executed or implemented in computer networks and systems. The Framework Law establishes the duty for providers of essential services and operators of vital importance to report cybersecurity incidents with significant effects to the National CSIRT. The Regulation on Reporting of Incidents of Sig - nificant Effects in force from 1 March 2025 states that a cybersecurity incident shall be considered to have a significant impact if it is capable of producing any of the following effects: • disrupting the continuity of an essential service. In such a case, both the services provided by providers, as well as the supply chain, of an institution providing essential services or of an operator of vital importance shall be considered; • affecting the physical integrity or health of persons; • affecting the integrity or confidentiality of IT assets, or the availability of any network or IT system, even if this does not or would not have had an immediate impact on the provi - sion of the service; • unauthorised use of or unauthorised access to networks or computer systems, even if this does not or has not immediately affected the provision of the service; or • affecting computer systems containing per - sonal data. In determining the significance of the effects of an incident, the following criteria shall be taken into account: • the number of persons affected; • the duration of the incident; and • the geographical extent of the area affected by the incident.
The Framework Law establishes a procedure for reporting cybersecurity incidents with significant effects as soon as possible and in accordance with a scheme which considers a series of dif - ferent stages: • an early warning within three hours of becom - ing aware of the cyber-attack or cybersecurity incident; • a report of the incident within 72 hours, including an initial assessment of its severity and impact, including indicators of compro - mise; • a final report within 15 days of the early warn - ing containing a detailed description of the incident, the type of cause or threat likely to have caused the incident, mitigation meas - ures to be implemented and in progress, and the cross-border impact (if any) of the inci - dent; • in the event that the incident is still ongoing after the final report, a status update must be made; and • again, after a period of 15 days from that update, a new final report must be made. Notwithstanding the foregoing, both the National CSIRT and the competent sectoral authority may request relevant updates on the situation. The Regulation on Reporting of Incidents with Significant Effects in force since 1 March 2025 sets out the specific content that each report and early warning must contain. In addition, it should be noted that an incident will be consid - ered as managed when the background informa - tion provided by the affected institutions allows the Agency to declare it as closed.
81
CHAMBERS.COM
Powered by FlippingBook