Carey
  December 13, 2023 - Santiago, Chile

National Congress approves the Bill that establishes a Framework Law on Cybersecurity
  by Carey

On December 12th, 2023, the Chamber of Deputies approved in the second constitutional procedure the bill that "Establishes a Framework Law on Cybersecurity and Critical Information Infrastructure" (the "Bill"). On the same date, the Bill was sent to the Senate and advanced to the third constitutional stage, with all the amendments of the reviewing chamber being approved. Thus, the Bill will be sent to the President of the Republic for its promulgation, without prejudice to the preventive control to be carried out by the Constitutional Court.

The main objectives of the Bill are to establish the institutionality, principles and general regulations to structure, regulate and coordinate the cybersecurity actions of State bodies and between them and individuals, as well as to establish the requirements for the prevention, containment, resolution and response to cybersecurity incidents and cyberattacks.

The Bill involves a series of relevant aspects and changes in cybersecurity matters. Some of these are highlighted below:

It creates a new institutionality

The Bill contemplates the creation of new institutions in cybersecurity matters, providing for the creation of the National Cybersecurity Agency ("ANCI"), the Multisectoral Council on Cybersecurity, the Interministerial Committee on Cybersecurity and different Computer Security Incident Response Teams ("CSIRT"), including the National Computer Security Incident Response Team, the National Defense Computer Security Incident Response Team and the other CSIRTs belonging to State Administration Bodies.

Regarding the ANCI, this authority will be responsible, among other things, for advising the President of the Republic on cybersecurity matters, collaborating in the protection of national interests in cyberspace, coordinating the actions of the institutions with competence in cybersecurity matters, ensuring the protection, promotion and respect for the right to computer security, and coordinating and supervising the actions of State Administration Bodies in cybersecurity matters. To fulfil its functions, the ANCI will have regulatory, supervisory and sanctioning powers.

As an example, among other attributions, the ANCI is given the competence to "dictate the protocols and standards set forth in article 7" and "the general and particular instructions, of a mandatory nature, for both public and private institutions bound by this law" (regulatory powers); the power to "oversee compliance with the provisions of this law, its regulations, protocols, technical standards and the general and particular instructions issued by the Agency [...]" (supervisory powers); and the power to "instruct the initiation of sanctioning procedures and sanction infractions and non-compliances incurred by the institutions bound by the present law [...]" (sanctioning powers).

The Bill also provides for regulatory coordination mechanisms between the ANCI and sectoral entities in the event that the protocols, technical standards or general instructions it issues in the exercise of its functions have effects in the areas of competence of such sectoral entities. Sectoral authorities may also issue general regulations, technical standards and instructions necessary to strengthen cybersecurity of institutions of their sector, in accordance with the respective regulation and in coordination with ANCI.

It establishes principles in cybersecurity matters

The Bill introduces several principles that obligated institutions must observe in their conduct. Among the principles included in the Bill, it is possible to highlight the following:

Scope of application: providers of essential services and operators of vital importance

The Bill will apply to institutions providing services qualified as "essential" and those qualified as "operators of vital importance".

The Bill establishes that essential services are:

The ANCI may qualify other services as essential by means of a reasoned decision of the National Director when their affectation may cause serious damage to the life or physical integrity of the population or its supply, to relevant sectors of the economic activities, to the environment, to the normal functioning of society, of the State Administration, to the national defense, or to the security and public order.

For its part, ANCI will be responsible for determining the providers of essential services that are qualified as operators of vital importance by means of a reasoned decision, that complies with the following requirements: (i) that the provision of such service depends on the networks and information systems; and (ii) that the affectation, interception, interruption or destruction of its services has a significant impact on security and public order; on the continuous and regular provision of essential services; on the effective fulfillment of the functions of the State; or, in general, of the services that the State must provide or guarantee.

Likewise, ANCI shall have the power to qualify private institutions that, although they do not have the quality of providers of essential services, also meet the requirements set forth in the preceding paragraph under certain assumptions.

Security obligations

The Bill distinguishes between duties and obligations of a general nature and those of a specific nature that must be complied with by the entities that are qualified as vital operators.

It establishes infractions and associated penalties

The Bill establishes a series of sanctions for infringement of the provisions of the future law. The ANCI will be in charge of sanctioning such infringements, without prejudice to the powers of the respective sectoral authority to hear and sanction infringements of the cybersecurity regulations that it has issued, and to enforce those sanctions, where the effects of those regulations are at least equivalent to those of the regulations issued by the ANCI.

It should be noted that the Bill classifies infringements into minor, serious and very serious infringements, in addition to establishing specific infringements for operators of vital importance. The following are some of the infringements contemplated in the Bill:

As for the amounts, minor infractions will be sanctioned with a fine of up to 5,000 Monthly Tax Units ("UTM"), which can reach up to 10,000 UTM if the offender is an operator of vital importance; serious infractions will be punished with a fine of up to 10,000 UTM, which may reach 20,000 UTM if the offender is an operator of vital importance; and, finally, very serious infractions will be punished with a fine of up to 20,000 UTM, which can reach 40,000 UTM if the offender is an operator of vital importance. As a result, the penalties could amount to almost USD 3,000,000.

Effective Date

The President of the Republic must issue, within one year of the publication of the future law, one or more executive law decrees to determine, among other matters, the period for the entry into force of the rules of the future law, which may not be less than six months from the publication of the future law, and the date of initiation of the activities of ANCI.

Read full article at: https://www.carey.cl/en/national-congress-approves-the-bill-that-establishes-a-framework-law-on-cybersecurity/