Yesterday, March 13th, the regulation establishing the qualification process for Operators of Vital Importance under the Cybersecurity Framework Law (Law No. 21.663) was published in the Official Gazette.
It defines two groups of obligated institutions: Essential Services (SE), which are necessary for the normal functioning of the country, and Operators of Vital Importance (OIV).
WHAT ARE ESSENTIAL SERVICES (SE)?
Essential services include state agencies, public companies, and state-majority corporations, as well as strategic sectors such as energy (electricity and fuels), water, telecommunications, transportation (land, air, rail, and maritime), banking and finance, social security, messaging, healthcare, and the pharmaceutical industry. Additionally, the National Cybersecurity Agency (ANCI) may classify other services as essential if their disruption could cause severe harm to life or public safety, supply chains, key economic sectors, the environment, the normal functioning of society and government administration, national defense, or public security and order.
WHO ARE THE OPERATORS OF VITAL IMPORTANCE (OIV)?
These are public or private institutions that rely on networks and computer systems and whose compromise due to a cyberattack could threaten public security and order, the continuous and regular provision of an essential service to citizens, or the normal functioning of the state.
The ANCI is responsible for their classification, and accordingly, a regulation governing this process was published yesterday. The evaluation process will begin on May 30, 2025, when the ANCI will request technical reports from sector regulators regarding public and private institutions that should be classified as OIV within their areas of jurisdiction. The ANCI will then draft a preliminary list and submit it for a 30-day public consultation through an electronic platform, allowing participation from both citizens and the institutions involved. After reviewing the feedback received, the ANCI will publish an executive summary with its responses and release the final list of OIVs in the Official Gazette or a nationally circulated newspaper.
WHAT ARE THE CYBERSECURITY OBLIGATIONS?
General Duties
Institutions subject to the Cybersecurity Framework Law must implement permanent measures to prevent, report, and resolve cybersecurity incidents. These measures may be technological, organizational, physical, or informational and must comply with the standards and protocols established by the ANCI.
Reporting Obligation
All obligated institutions must report cyberattacks or significant incidents to the National CSIRT as soon as possible, following this schedule:
- Early Warning: Within 3 hours of becoming aware of an incident.
- Second Report: Within 72 hours (or 24 hours if it affects essential services) to update the information provided in the Early Warning.
- Action Plan: Within 7 calendar days, detailing a recovery plan and technical and administrative responsibilities.
- Final Report: Within 15 calendar days from the Early Warning. However, if the incident remains unresolved, the institution must postpone the Final Report submission and instead send a Partial Report on a Prolonged Incident, which must be updated every 15 days from the last submission.
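The reporting schedule above is something an incident response team usually encodes in its playbook tooling so deadlines are tracked rather than remembered. The following is an added example, not code from the original page or from the ANCI; it assumes the Early Warning, Second Report and Action Plan windows run from the moment the institution becomes aware of the incident, and the Final Report window runs from the Early Warning submission (as the text states). Function names, the `affects_essential_service` flag and the sample timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Windows taken from the reporting obligation described on the page.
EARLY_WARNING_HOURS = 3
SECOND_REPORT_HOURS = 72
SECOND_REPORT_HOURS_ESSENTIAL = 24
ACTION_PLAN_DAYS = 7
FINAL_REPORT_DAYS = 15
PARTIAL_REPORT_INTERVAL_DAYS = 15


def reporting_deadlines(aware_at, early_warning_sent_at, affects_essential_service):
    """Return the due time of each report for one incident.

    Assumption: all windows except the Final Report are measured from the
    moment of awareness; the Final Report is measured from the Early Warning.
    """
    second_hours = (SECOND_REPORT_HOURS_ESSENTIAL if affects_essential_service
                    else SECOND_REPORT_HOURS)
    return {
        "early_warning": aware_at + timedelta(hours=EARLY_WARNING_HOURS),
        "second_report": aware_at + timedelta(hours=second_hours),
        "action_plan": aware_at + timedelta(days=ACTION_PLAN_DAYS),
        "final_report": early_warning_sent_at + timedelta(days=FINAL_REPORT_DAYS),
    }


def partial_report_dates(final_report_due, resolved_at):
    """Dates on which a Partial Report on a Prolonged Incident is due.

    If the incident is still open when the Final Report falls due, a Partial
    Report replaces it and is updated every 15 days from the last submission
    until the incident is resolved. Returns an empty list when the incident
    was resolved before the Final Report deadline.
    """
    partials = []
    due = final_report_due
    while due < resolved_at:
        partials.append(due)
        due += timedelta(days=PARTIAL_REPORT_INTERVAL_DAYS)
    return partials


def overdue_reports(deadlines, submitted, now):
    """Names of reports whose deadline has passed without a recorded submission."""
    return sorted(name for name, due in deadlines.items()
                  if now > due and name not in submitted)


if __name__ == "__main__":
    # Constructed sample incident: awareness at 09:00, Early Warning sent an hour later.
    aware = datetime(2025, 6, 1, 9, 0)
    ew_sent = datetime(2025, 6, 1, 10, 0)
    dl = reporting_deadlines(aware, ew_sent, affects_essential_service=False)
    for name, due in dl.items():
        print(f"{name:14s} due {due:%Y-%m-%d %H:%M}")
    # Incident still open for weeks: three partial reports before resolution.
    for d in partial_report_dates(dl["final_report"], datetime(2025, 7, 20)):
        print(f"partial report due {d:%Y-%m-%d %H:%M}")
    print("overdue:", overdue_reports(dl, {"early_warning": ew_sent}, datetime(2025, 6, 5)))
```

The `overdue_reports` check is the piece worth wiring into a ticketing or SOC dashboard: feed it the recorded submission times and the current clock, and it flags exactly which statutory report has lapsed.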
Specific Obligations for OIVs
All Operators of Vital Importance must:
- Implement an information security management system to assess risks and operational continuity.
- Maintain a record of actions within this system.
- Develop and implement certified cybersecurity and operational continuity plans, reviewed every two years.
- Conduct reviews, drills, and analyses to detect threats and report them to the National CSIRT.
- Take immediate measures to mitigate incidents and prevent their spread.
- Obtain cybersecurity certifications required by law and any additional ones determined by ANCI through regulations.
- Inform affected parties of incidents when they can be identified and when required by the ANCI.
- Develop training and cyber hygiene programs for employees and collaborators.
- Appoint a cybersecurity delegate as a liaison with the Agency.
ANCI 24/7 REPORTING PLATFORM
The ANCI operates a platform for receiving and managing incident reports, available 24 hours a day, every day of the year. This system ensures that reports submitted by obligated entities are simultaneously communicated to other relevant sectoral authorities when multiple notifications are required.
PENALTIES
Violations of the Cybersecurity Framework Law result in fines payable to the national treasury, according to the following scale:
- Minor Violations: Fine of up to 5,000 UTM, or up to 10,000 UTM for an OIV.
- Serious Violations: Fine of up to 10,000 UTM, or up to 20,000 UTM for an OIV.
- Very Serious Violations: Fine of up to 20,000 UTM, or up to 40,000 UTM for an Operator of Vital Importance.
For more details on the application of the Cybersecurity Framework Law and associated regulations, you can contact this email address.