ANCI: New guidelines for Operators of Vital Importance 

On December 26th, the National Cybersecurity Agency (ANCI, for its initials in Spanish) published in the Official Gazette three general guidelines intended for institutions that provide services classified as essential and for those designated as Operators of Vital Importance (OIV, for its initials in Spanish), under the Cybersecurity Framework Law No. 21,663.

These guidelines are part of the implementation of the Cybersecurity Framework and set out operational criteria, deadlines, and formal compliance mechanisms applicable to OIVs. “The value of these guidelines lies in translating the legal framework into clear operational requirements for entities, reducing ambiguity and raising the standard of effective cybersecurity compliance,” declares Catalina Wastavino, associate at Fischer y Cía’s corporate team. 

Key aspects include the appointment of cybersecurity delegates with functional autonomy, registration with ANCI, and the adoption of mandatory minimum measures in response to incidents, aiming to reduce risks and prevent their spread. 

Exceptional registration without Clave Única 

General Guideline No. 2 exceptionally provides alternative identification mechanisms for cybersecurity delegates who do not have a Clave Única (which is the personal password for accessing institutional websites) to register on ANCI’s platform. This option is subject to prior verification of the applicant’s link to the respective institution and validation by ANCI. 

Mandatory appointment of cybersecurity delegate 

General Guideline No. 3 reinforces the obligation for OIVs to appoint a cybersecurity delegate, specifying the minimum requirements for the role. The delegate must have technical experience, sufficient autonomy, and direct access to the institution’s highest authority to ensure timely and effective reporting of relevant risks. 

The guideline emphasizes the functional independence of the role, indicating that the cybersecurity delegate cannot simultaneously hold positions such as head, director, or controller of the IT area. Hierarchical dependence on IT leadership is only permitted when mechanisms ensure independence in performing duties and when there is a direct communication and reporting channel to the authority or leadership. 

The appointment must be formalized by the competent authority according to the nature of the entity (State bodies, public companies, business groups, cooperatives, or other private institutions) and documented to identify the primary and alternate delegate, their legal relationship, and their authorization to represent the institution before ANCI. 

This document must be submitted to the Agency through its official platform. This obligation is complementary and does not replace the appointment of the person responsible for incident reporting under General Guideline No. 1.

Mandatory measures in case of cybersecurity incidents 

General Guideline No. 4 details a set of minimum measures that OIVs must adopt when a cybersecurity incident occurs. These measures, mandatory and not merely advisory, aim to contain the incident and prevent its spread.

Among other measures, entities must restrict access, isolate compromised systems, and, within the first three hours after becoming aware of the incident, modify affected administrative credentials, remove generic or inactive accounts, and report these measures to ANCI through its early warning system.

Additionally, specific standards are established for remote access, VPN use and reinforced authentication, network segmentation, backup protection, and, when necessary, the temporary suspension of publicly exposed services.

The guideline also reinforces the obligation to maintain decision logs, preserve evidence, coordinate internal teams, and maintain permanent communication with the Agency and the organization’s leadership. 

Compliance deadlines 

The obligations set in these guidelines must be fulfilled within 60 days from the publication in the Official Gazette of the final list qualifying each entity as an Operator of Vital Importance, without prejudice to obligations that must be adopted immediately in the event of a cybersecurity incident. 
