On September 16^th, the National Cybersecurity Agency (ANCI, for its initials in Spanish) published the Preliminary List of Vital Importance Operators (OIV, for its initials in Spanish), in accordance with Law No. 21,663, the Cybersecurity Framework, and its Regulations approved by Decree No. 285 of 2025. 

This publication marks the start of a 30-day public consultation process, available through the institutional portal https://portal.anci.gob.cl. During this period, the institutions included in the preliminary list, as well as any interested natural or legal person, may submit comments or background information deemed relevant. 

Process stages 

• Public consultation: from September 16^th  to October 16^th, 2025. 

• Executive summary: ANCI must address the comments received and publish an executive summary within 30 days following the close of the consultation (approx. November 15th, 2025). 

• Final list: ANCI will issue a substantiated resolution definitively designating private institutions as OIV within 30 days following the publication of the executive summary (approx. December 15th, 2025). 

Implications of being designated as an OIV 
Entities included in the final OIV list will be subject to a reinforced cybersecurity obligations regime, meaning they must comply with additional obligations beyond the general requirements in this field. 

The main obligations of an OIV include: 

• Implementing a continuous Information Security Management System (ISMS, for its initials in spanish), with periodic risk assessments and updated mitigation measures. This system must enable evaluation of both the probability and potential impact of a cybersecurity incident. 

• Developing and maintaining certified operational continuity and cybersecurity plans that ensure service recovery and normalization. 

• Conducting periodic exercises and simulations to detect actions or software programs that compromise cybersecurity and reporting related information to the National CSIRT (Computer Security Incident Response Team). 

• Appointing a cybersecurity delegate responsible for coordinating the implementation of controls and liaising with the authority. 

• Providing ongoing training, education, and awareness programs for employees and collaborators, including cyber hygiene campaigns. 

• Complying with strict incident reporting deadlines, including the obligation to notify early warnings within the first three hours of detecting an event. 

Additionally, the law establishes a stricter sanctions regime for OIV, with fines reaching up to 40,000 UTM in cases of very serious violations. 

Final considerations 
The resolution of September 16^th corresponds to the first stage of the OIV designation process, covering sectors such as telecommunications, electricity, health, digital services, banking and financial services, as well as public bodies and state-owned companies. 

According to the official schedule, a second stage is planned for November 2025, which will include other essential services such as fuel, drinking water and sanitation, transportation and associated infrastructure, public service concessionaires, social security, postal and courier services, as well as pharmaceutical production and research. 

Therefore, the current publication does not exhaust the range of entities that may be designated as OIV but rather constitutes the first milestone in a gradual process that will conclude with the determination of all critical institutions required to comply with the reinforced cybersecurity regime.