Maria Ignacia Ormeño Sarralde

Associate

Alessandri Abogados

Since March 1, 2025, all public and private institutions that provide essential services have been required to report to the National CSIRT any cyberattacks or incidents that may have significant effects, as provided by Law No. 21,663.

What is meant by significant effect?

A cybersecurity incident will be considered to have a significant effect if it is capable of producing any of the following effects:

  • Interrupting the continuity of an essential service. In this case, both the services provided by suppliers and the supply chain of an institution providing essential services or of a vital operator should be considered.
  • Affecting the physical integrity or health of individuals.
  • Affecting the integrity or confidentiality of computer assets, or the availability of any network or computer system, even if this does not or would not result in an immediate impact on the provision of the service.
  • Using or entering computer networks or systems without authorization, even if this does not or would not result in an immediate impact on the provision of the service.
  • Affecting computer systems that contain personal data.

Report to the CSIRT

In order to comply with the reporting obligation, essential services must send a report to the National CSIRT. The minimum content of incident reports will be updated by resolution of the Director. This resolution must be based on a technical report from the National CSIRT, which must consider the practices and recommendations of international organizations with competence in the matter.

The incident report must omit all personal data or information, in accordance with the provisions of article 2, letter f), of Law No. 19,628, on the Protection of Privacy. For the purposes of the provisions of this subsection, the IP address shall not be considered personal data or information.

How is this obligation fulfilled?

To facilitate the reporting of incidents, the National Cybersecurity Agency (ANCI) has made available the portal portal.anci.gob.cl, where public and private institutions that provide essential services can report incidents with a significant impact.

To do this, they must register on the platform, using the unique password of the person responsible for notification and completing the information required in each of the three steps of the process: early warning, second notification and final report.

1. Early warning:

Once the institution obliged to report becomes aware of a cybersecurity incident, it must send an alert about the event within a maximum period of three hours, counted from the moment it became aware of the incident.

2. Second notification:

Within a maximum period of seventy-two hours from the moment the institution became aware of the cybersecurity incident, it must send a second report to the National CSIRT. If the affected institution is a vital operator and the incident affects the provision of its essential services, the updated information in the second report must be delivered within a maximum period of twenty-four hours.

3. Final report:

Within a maximum period of fifteen calendar days from the sending of the early alert, and provided that the incident has been managed, the institution must draw up a final report that includes, as a minimum, a confirmation or update of all the data reported in the previous reports.

Entry into force of the Regulations

These Regulations shall take effect from March 1, 2025.

Review the Regulations here.
