As of the Cybersecurity Framework Law (Ley N°21.663 in Spanish) and its application to Vital Importance Operators (VIOs or OIV, for its initials in Spanish), on December 17^th the Agencia Nacional de Ciberseguridad (ANCI, for its initials in Spanish) published in the Official Gazette the updated list of service providers required to comply with the regulation, following the review of comments and background information submitted in response to the preliminary list. 

Initially, 1,712 public and private organizations were classified as VIOs for the country’s cybersecurity. However, this figure was reduced to 915 entities, distributed as follows: 

• 147 electricity companies, representing 17% of sector-regulated entities. 

• 29 telecommunications companies, mainly large mobile and internet operators, accounting for 3.8% of the total companies registered with Subsecretaría de Telecomunicaciones (Subtel, for its initials in Spanish). 

• 413 digital services, digital infrastructure, and IT services companies, representing 0.7% of registered and active companies. 

• 34 institutions from the banking, financial, and payment services sector. 

• 114 healthcare providers, both public and private, including hospitals and clinics. 

• 20 public companies. 

• 158 central and national-level State administration bodies. 

This adjustment reflects a more precise application of the criteria of operational criticality and dependency on digital systems, following the analysis of information provided by the entities themselves during the public consultation process. 

The observations received are available in the executive summary of the document “Public Consultation on the Process for Classifying Vital Importance Operators (VIOs).

Likewise, ANCI has already begun the second stage of the classification process, covering additional sectors such as healthcare, transportation, fuel, pharmaceuticals, courier and postal services, among others. The preliminary list for these sectors is expected to be published in March 2026, with the final list to be issued during the first semester. 

Among the implications for entities ultimately classified as VIOs is the imposition of a series of cybersecurity obligations. The law also establishes an aggravated sanctions regime for non-compliance, with fines of up to 40,000 Monthly Tax Units (UTM, for its initials in Spanish) in cases of very serious infringements, pursuant to Article 40 of Law 21,663.