The National Cybersecurity Agency (ANCI) Charts Its Roadmap for Chile’s New Digital Ecosystem
March 31 ,2025
March 31 ,2025
Santiago, March 31, 2025 — With a strong turnout of representatives from both the public and private sectors, the presentation titled “The Role of the National Cybersecurity Agency (ANCI) in a Digital World” was held, led by Daniel Álvarez Valenzuela, the first Director of the recently established National Cybersecurity Agency. The event took place at the offices of the Chilean-British Chamber of Commerce (BritCham), located at Av. El Bosque Norte 0125, Las Condes, and was moderated by Joanna Pérez, Chair of the Chamber’s Committee on Technology, Innovation, and Science.
Daniel Álvarez, a lawyer and Doctor of Law from the University of Chile, with a remarkable career in public policy for cybersecurity, provided an in-depth overview of the Agency’s responsibilities, challenges, and priorities. ANCI began formal operations following the enactment of the Cybersecurity Framework Law (Law 21.663).
“We are a body with preventive, management, supervisory, and sanctioning powers. Technically, we’re a superintendence with a nicer name,” Álvarez remarked, referring to the strong regulatory role assumed by the agency.
The presentation highlighted Chile’s institutional cybersecurity architecture, built around a governance model where ANCI acts as the national authority, in coordination with:
The Multisectoral Cybersecurity Council
The National CSIRT
The Interministerial Cybersecurity Committee
The National Defense CSIRT
During the presentation, Álvarez emphasized that ANCI’s operational framework combines:
Regulatory powers
Incident management
Oversight and sanctions
Education and awareness
Capacity coordination
Incident management: Within its first month of operation, ANCI has already intervened in incidents involving private sector organizations, including on-site deployment to contain threats like ransomware.
Oversight and sanctions: Fines can reach up to USD 2.5 million, or exceed USD 4 million in severe cases.
Education and awareness: Public training sessions are underway, ranging from basic to advanced technical levels, with recordings available on the agency’s YouTube channel.
Interinstitutional coordination: ANCI emphasized joint management efforts with Civil Registry, Digital Government departments, and sectoral regulators.
Institutional setup: Developing the agency’s digital and administrative infrastructure.
Incident notification system: Mandatory for all entities categorized as essential services or critical operators (OIVs), now active via a digital platform.
Technical protocols and standards: To unify cybersecurity practices, such as mandatory HTTPS use or mitigation against DDoS attacks.
OIV classification process: Carried out in coordination with sectoral regulators through a public consultation process.
Under Law 21.663, public and private entities that provide essential services must report cybersecurity incidents with significant effects, including:
Service disruption
Harm to individuals’ physical integrity or health
Loss of data confidentiality, integrity, or availability
Unauthorized access to networks or systems
3 hours for initial notification after detecting an incident
72 hours for preliminary assessment and indicators
15 calendar days for a detailed report
Additional updates if the incident remains unresolved
Mandatory reporting applies to 35 sectors, including:
Energy (generation, transmission, distribution)
Fuel distribution and storage
Drinking water and sanitation
Telecommunications and digital infrastructure
Third-party IT and digital service providers
All modes of transportation
Health services (hospitals, clinics, etc.)
Financial services, postal services, and social security
Pharmaceutical companies
ANCI may expand this list through participatory processes and public consultation.
OIV Classification Process
The classification of Operators of Vital Importance (OIVs) will begin on May 30, 2025, following this timeline:
Technical report from sector regulators
Publication of preliminary list
Public consultation
Executive summary
Final list publication
OIVs must comply with stricter cybersecurity obligations, including certified information security management systems and auditable business continuity plans.
ANCI’s web platform facilitates quick and intuitive incident reporting. Work is underway to integrate APIs for secure and automated submissions. This is crucial for avoiding redundancy with other regulators, especially in highly regulated sectors like banking and energy.
Field response capability: ANCI is developing strategies to improve its operational presence in critical infrastructure regions.
SME inclusion: Many small businesses must gradually align with the new framework. ANCI is exploring cybersecurity “kits” (hardware, software, training) in partnership with public programs such as SERCOTEC.
Inter-agency coordination: Joint protocols are being created with entities like the Financial Market Commission (CMF) and the Central Bank to streamline incident reporting.
Álvarez stressed that organizational culture is essential for effective cyber defense:
“Does everyone know who to call during a cyber incident? Who leads the crisis committee if it happens on a Friday at 6:00 p.m.? These seemingly basic questions need clear answers.”
The event concluded with a call to action:
“This is a long-term journey. Cybersecurity must be understood as a strategic value. It’s not just about having the right technology — we need culture, coordination, and accountability,” said Álvarez.
Attendees were invited to explore ANCI’s digital platform at www.anci.gob.cl, where they can register as regulated entities, review technical standards, consult the official incident taxonomy, and access educational resources.
The presentation ended with a networking session, reaffirming the importance of public-private collaboration in safeguarding Chile’s digital ecosystem.
