Since March 1, 2025, Chile is no longer debating whether it will have a cybersecurity framework. It is enforcing one. On that date, articles 5, 8 and 9 and Title VII of Law 21,663, the Framework Cybersecurity Law, came into force, and with them the sanctions regime and the duty to send an early alert of a significant incident within three hours of becoming aware of it. Not ninety days, not a week. Three hours.
That number captures the shift in logic better than anything else. The law does not only ask organizations to protect their systems. It asks them to react and to account for it within a window measured in hours. And a decision measured in hours cannot be made during the incident. It has to be settled beforehand.
This article does not restate what Law 21,663 is in general terms. It focuses on the operating layer, the one that separates two figures the law treats differently but as complements: the one who answers for compliance before the authority, meaning the board and senior management, and the one who sustains that compliance every day, meaning the employee. Two roles, two clocks, and two kinds of evidence.
What does Law 21,663 introduce, and who does it apply to?
The law creates ANCI (the National Cybersecurity Agency), the national authority with concrete powers. ANCI issues binding technical regulations, supervises regulated entities, runs the sanctioning procedures, and designates Vital Importance Operators through a reasoned resolution. It also creates the National CSIRT, the body that receives incident reports and coordinates the response.
The scope is organized in two tiers. Essential services cover strategic sectors such as energy, water, telecommunications, digital infrastructure, transport, financial services and health. Vital Importance Operators (VIO) are a subset of those services, selected by ANCI for their national criticality, and they carry the highest level of obligation.
The distinction is not bureaucratic. It determines how many measures an entity must demonstrate and which sanction ceiling it is exposed to. Knowing which of the two tiers an organization sits in is the first compliance question, even before talking about training or technology.
What does the law demand from the board?
Article 8 lists the reinforced duties for Vital Importance Operators, and they are duties of governance, not only of the technical area. Implementing an information security management system, developing and certifying operational continuity and cybersecurity plans, running periodic audits and drills, appointing a cybersecurity officer. These are obligations that require budget, oversight, and a decision that starts at the top.
On top of that sits the sanctions regime, tiered by severity and measured in UTM (Unidad Tributaria Mensual, the inflation-indexed unit of account Chile uses for fines and taxes). Under the general regime, minor infractions reach up to 5,000 UTM, serious ones up to 10,000 UTM, and very serious ones up to 20,000 UTM; for Vital Importance Operators the ceiling rises to 40,000 UTM. Translated into concrete consequences, non-compliance stops being an abstract reputational risk and becomes a quantifiable line in the risk balance.
There is a third element the board tends to underestimate. Responsibility for compliance is not fully delegated to the IT department. It rests on the entity’s senior management, which must approve the measures and oversee their implementation. It is the same shift in center of gravity that the NIS2 Directive introduced in Europe through its article 20, forcing the cybersecurity program to move from a technical initiative to a structural responsibility of the deciding body.
Three hours, and where the count really begins
Article 9 sets a tiered reporting regime toward the National CSIRT. An early alert within 3 hours of becoming aware of the significant incident, an update report within 72 hours with the assessment of severity, impact and indicators, and a final report within 15 days with the full analysis and the corrective measures applied.
The delicate part of this scheme is not in the technology, it is in the opening minutes. The three-hour clock starts when the organization becomes aware of the incident, so three hours is a sufficient margin only if detection and internal escalation are already fast. And in most cases, the first to notice something off is not the SOC. It is an ordinary person who receives a strange message, sees an access that does not add up, or notices unusual behavior in their own system.
This is where the two figures meet. The formal three-hour clock belongs to the board and the cybersecurity officer, but the real clock starts much earlier, the moment an employee decides whether to report or let it slide. If that internal alert is fast, the legal window stays manageable. If it arrives late, the three hours are consumed before the responsible person even knows they have to count them. For the same reason, who decides that an incident is significant, and therefore when the legal clock starts, has to be settled in advance rather than debated while it runs.
What does the law demand from the employee?
Law 21,663 imposes no direct obligations on the individual employee, and yet it cannot be met without them. Its compliance depends on a chain that starts in people’s daily attention and reaches all the way to ANCI’s resolution.
The employee’s role concentrates on two measurable capabilities. The first is recognizing an anomalous signal, from the phishing message to the suspicious access, with a level of attention that cannot be improvised. The second is knowing exactly who to report it to and how urgently, because a fast internal alert is the first link in the reporting chain the law foresees.
This is the point where regulatory compliance stops being a document and becomes behavior. An employee who hesitates, who is unsure whether it is worth reporting, or who does not know the right channel, introduces a delay no technology recovers. That is why security awareness is not an add-on to the Law 21,663 compliance program. It is one of its operating components.
How is compliance demonstrated before ANCI?
Between declared knowledge and actual behavior there is a distance that audits measure without concessions. Stating that staff “were trained” is not the same as being able to show who completed which content, when, with what result, and with what reinforcement over time. Traceable evidence is what turns an awareness program into an argument of defense before the authority.
On this point, SMARTFENSE structured its formal Law 21,663 material along the same split the law imposes. On one side, an executive track for the board and senior management, covering scope of application, article 8 duties, the reporting regime and the sanctions framework. On the other, an introductory track for the employee, explaining in plain language what ANCI and the National CSIRT are, what the three-hour window means, and why their daily attention is part of compliance. Added to these are periodic assessments and communications that leave a trace of every interaction.
The underlying idea is the same that applies to board-level reporting or to personal data protection in a regulatory setting. Compliance that cannot be shown with data does not exist in the eyes of whoever verifies it. Anyone who wants to see how a program like this is structured can explore it on the SMARTFENSE platform.
Chile’s framework is now applied law, with an operating authority and a clock that runs. The board knows what it is risking and the employee knows what to watch for. The question that remains is not whether Law 21,663 will change how cybersecurity is managed in Chile, but whether the organization will be able to prove it in the three hours when it truly matters.