Data protection is one of the focal points for guaranteeing security in companies, and Chilean legislation has been updated to contribute to this task.

By Juan Pablo González Gutiérrez  

Over the past year, Chile has significantly updated its technological regulations, with the approval of new laws that place the country at the forefront in Latin America. These reforms, largely inspired by European standards, aim to strengthen cybersecurity and personal data protection, which are key sectors in an increasingly interconnected digital world.

Law No. 21,663 and the National Cybersecurity Agency 

One of the most notable regulations is Law No. 21,663, which established a Cybersecurity Framework and created the National Cybersecurity Agency (ANCI). This law is inspired by the European NIS2 Directive, one of the most advanced cybersecurity frameworks globally. The ANCI will begin its activities on January 1, 2025, and in March of that year, key provisions affecting essential services and operators of vital importance (OIV) will come into force. 

Among the main obligations the law imposes on essential services is the need to implement permanent measures to prevent, report, and resolve cybersecurity incidents. Depending on the case, these measures can be technological, organizational, physical, or informational. Furthermore, OIVs must adopt an Information Security Management System (ISMS) and operational continuity and cybersecurity plans, which may be based on international standards such as ISO 27001 or the NIST Cybersecurity Framework (CSF).

The regulation also establishes strict deadlines for incident reporting. Organizations must alert the ANCI about significant cyberattacks within a maximum of three hours, with updates within 72 hours and a final report within 15 days. In the case of OIVs, the deadline for the initial alert is reduced to 24 hours. Sanctions for non-compliance can be severe, with fines reaching up to 40,000 UTM for OIVs. 

Law No. 21,719 and Personal Data Protection 

On the other hand, Law No. 21,719, which regulates personal data protection, represents a profound change in how organizations must handle sensitive information. This law will come into effect on December 1, 2026, but organizations should begin to adapt now to avoid future risks of non-compliance.

This legislation created the Personal Data Protection Agency, which is responsible for overseeing compliance with the regulations and imposing sanctions for violations. Unlike Law No. 19,628, which lacked an effective oversight body, the new law introduces a differentiated sanction regime and establishes clear responsibilities for entities that process personal data. Serious violations may be penalized with fines of up to 20,000 UTM, and in the case of severe violations, fines can reach up to 40,000 UTM, with the possibility of a 50% increase if deficiencies are not corrected within a specified time frame.

Companies must take proactive measures, such as appointing a data protection officer or creating an internal committee, to ensure compliance with the regulation. This includes identifying the personal data being processed, establishing protocols for protecting this information, and developing reporting and sanction mechanisms in case of non-compliance. Additionally, they must implement appropriate security measures to protect the information and ensure transparency with data subjects. 


Challenges for Organizations

With the implementation of both laws, Chile will face significant challenges in managing cybersecurity and personal data protection risks. Public and private organizations must clearly understand their processes and the data they handle to identify and adequately mitigate the risks associated with each regulatory framework. 

Companies must anticipate regulatory changes by implementing risk management systems that will allow them to meet the new requirements. This may include using advanced technology, such as diagnostic and self-assessment tools, to identify vulnerabilities and make informed decisions before the new provisions come into force. 

Conclusion 

2025 will mark a turning point for organizations in Chile, which will need to quickly adapt to a more demanding regulatory environment in cybersecurity and personal data protection. Complying with these new regulations will not only prevent sanctions but will also enhance organizations’ resilience against growing cybersecurity threats and strengthen user trust in the handling of their personal information. Early preparation will be key to effectively facing these challenges and ensuring proactive compliance with the regulations. 
