Carey
  April 4, 2024 - Santiago, Chile

Framework Law on Cybersecurity is enacted
  by Carey

On March 26th, 2024, the President of the Republic enacted the Framework Law on Cybersecurity and Critical Information Infrastructure (the "Law"), after it was generally approved by the Chamber of Deputies and the Constitutional Court concluded its preventive control of constitutionality.

The new Law introduces relevant changes in cybersecurity, with a series of effects and consequences that are detailed below:

The Law: Five points to keep in mind

1.- New institutional framework

First, the Law implements a new institutional framework in this area, by creating the (i) National Cybersecurity Agency ("ANCI"); (ii) Multisectoral Council on Cybersecurity ("Council"); (iii) the Interministerial Committee on Cybersecurity ("Committee"); and (iv) Computer Security Incident Response Teams (each, "CSIRTs"), including the National CSIRT, the National Defense CSIRT, and other CSIRTs of State Administration agencies.

The ANCI will be a decentralized public service of a technical and specialized nature, whose main objectives will be to advise the President of the Republic on matters of cybersecurity, collaborate in the protection of national interests in cyberspace, coordinate the different institutions with competence in cybersecurity, and ensure the protection, promotion and respect for computer security, among others.

To meet these objectives, the ANCI will have various powers, including (i) regulatory powers; (ii) supervisory powers; and (iii) sanctioning powers, among others.

The Law also provides for regulatory coordination mechanisms between the ANCI and sectoral entities in the event that the protocols, technical standards or general instructions it issues in the exercise of its functions have effects in the areas of competence of such sectoral entities. Sectoral authorities may also issue general regulations, technical standards, and instructions necessary to strengthen cybersecurity of institutions of their sector, in accordance with the respective regulation and in coordination with ANCI.

2.- Principles governing cybersecurity regulation

The Law introduces several principles that obligated institutions (indicated in point 3 below) must observe in their conduct. Some of these principles are: (i) damage control; (ii) cooperation with the authority; (iii) responsible response; (iv) computer security; (v) reasonableness; and (vi) security and privacy by default and by design.

3.- Scope of application

The Law will apply to institutions providing services classified as "Essential", on the one hand, and to those classified as Operators of Vital Importance, on the other.

As for Essential Services, these correspond to:

For its part, ANCI will be responsible for determining, by means of a reasoned decision, which providers of essential services qualify as operators of vital importance. The decision must establish that the following requirements are met: (i) that the provision of the service depends on networks and information systems; and (ii) that the impairment, interception, interruption or destruction of its services has a significant impact on security and public order; on the continuous and regular provision of essential services; on the effective fulfillment of the functions of the State; or, in general, on the services that the State must provide or guarantee.

Likewise, in certain circumstances ANCI shall have the power to qualify as operators of vital importance private institutions that, although they are not providers of essential services, also meet the requirements set forth in the preceding paragraph.

4.- Cybersecurity obligations

Regarding the obligations contemplated by the Law, on the one hand, there are the general duties, applicable to both providers of Essential Services and those considered Operators of Vital Importance, which are obliged to:

On the other hand, the Law introduces specific duties for Operators of Vital Importance, who will be obliged, among other duties, to the following:

5.- Infractions and associated penalties

The Law provides for various penalties for non-compliance with its provisions, which are classified into 3 categories: minor, serious, and very serious.

By way of example, the Law will consider as a minor infraction the late delivery of information required by the ANCI that is not necessary for the management of a cybersecurity incident; as a serious infraction, the failure to comply with the obligation to report; and as a very serious infraction, the delivery of manifestly false or erroneous information to the ANCI, where that information was necessary for the management of a cybersecurity incident.

The Law also provides for specific infractions and penalties for non-compliance with the specific duties of Operators of Vital Importance.

As for the penalties provided for in the Law, these translate into the imposition of a fine payable to the Treasury:

In the case of Operators of Vital Importance, these fines can even be up to double.

Next Steps & Effective Date (What's Coming)

The President of the Republic must issue, within one year of the publication of the future law, one or more executive law decrees to determine, among other matters, the period for the entry into force of the rules of the future law, which may not be less than six months from its publication, and the date on which ANCI begins its activities.

Read full article at: https://www.carey.cl/en/framework-law-on-cybersecurity-is-promulgated/