Executive Summary
Chile has introduced a new, robust regulatory framework through Cybersecurity Law No. 21.663 and the Personal Data Protection Law No. 21.719. With implementation timelines extending to 2026, these laws require Chilean organisations — especially in sectors such as retail, fintech, banking, and healthcare — to take proactive steps in risk management, regulatory compliance, and digitalisation strategies.
Key points:
- Cybersecurity (Law 21.663): Requires the implementation of Information Security Management Systems (ISMS), the appointment of a Chief Information Security Officer (CISO), and incident reporting to the new National Cybersecurity Agency (ANCI) under strict deadlines. Penalties for non-compliance are significant, especially for Operators of Vital Importance (OIV).
- Data protection (Law 21.719): Modernises privacy and aligns with GDPR. It strengthens ARCO+P rights, establishes strict principles for data processing (lawfulness, purpose limitation, consent), and introduces the role of the Data Protection Delegate / Data Protection Officer (DPO). Fines can reach up to 4% of global annual turnover.
- Strategic impact: Beyond compliance, these laws act as a catalyst for technological innovation, greater customer trust, and the adoption of a culture of agile leadership and security. First-party data management becomes crucial as third-party cookies disappear.
- Next steps: Organisations should run a diagnostic (gap analysis), establish appropriate governance, invest in technology and training, and consider expert support to navigate this complex landscape.
This article explores these regulations in depth, their implications, and how Soho can help organisations turn these challenges into competitive advantages.
The imperative of digital transformation and Chile’s new regulatory mandate: adaptation and compliance
Chile is at a digital turning point. The recent enactment of Cybersecurity Framework Law No. 21.663 and the Personal Data Protection Law No. 21.719 are not minor legislative updates; they represent a fundamental shift in how organisations must operate, protect information, and engage with customers. For decision-makers in key sectors such as retail, fintech, financial services, banking, healthcare, and education, understanding and adapting to this new framework is not only an obligation — it is a crucial strategic opportunity for digital transformation and enterprise risk management.
This new regulatory environment, combined with the impending disappearance of third-party cookies, requires a proactive response. Organisations that navigate this transition successfully will not only avoid sanctions and reputational risk, but also strengthen customer trust, secure operational continuity, and unlock new avenues for sustainable growth. At Soho, we understand this journey requires an end-to-end view — spanning secure Development and privacy-centric UX Design, through to ethical Artificial Intelligence (AI) and Data strategies, supported by robust Cloud infrastructure and agile DevOps practices.
This article is an essential guide to unpacking the complexities of these new laws, identifying the challenges and — most importantly — capitalising on the opportunities they create for your organisation’s digital future in Chile.
Digitalisation is no longer optional; it has become the core of business strategy. In Chile, this progress has driven efficiency and technological innovation, but it has also expanded the attack surface for cyber threats and raised consumers’ expectations around data privacy.
Laws 21.663 and 21.719 are a direct response to this reality. Their implementation is vital for business continuity and competitiveness, establishing the foundations for a safer, more trusted national digital infrastructure.
“Cybersecurity and data protection are no longer purely technical topics; they are foundational pillars of business strategy and customer trust in the digital era.”
Cybersecurity — defined as preserving the confidentiality, integrity, and availability of data — is established as a strategic pillar. In parallel, personal data protection is recognised as a fundamental right, demanding transparent and responsible handling of individual information.
For business leaders, this means going beyond mere regulatory compliance. It requires fostering a culture of security and privacy, investing in technology and tech talent, and viewing these regulations as a catalyst for innovation and for building stronger, more trustworthy customer relationships. Alignment with international standards — such as the European GDPR, which these laws promote — also positions Chilean organisations as more reliable partners in global digital commerce.
WEF: Explained: What is digital trust in the intelligent age?
Cybersecurity Framework Law (No. 21.663): strengthening digital resilience and risk management in Chile
Published on 8 April 2024, with general entry into force on 1 January 2025 (and specific articles from 1 March 2025), the Cybersecurity Framework Law marks a before-and-after moment for digital security in Chile. Its goal is clear: to ensure the confidentiality, integrity, and availability of data and IT systems nationally.
Key obligations for organisations under Law 21.663:
The law places direct responsibilities on companies, spanning prevention through to response:
- Information Security Management Systems (ISMS):
  - Mandatory implementation, ideally aligned with ISO/IEC 27001.
  - This includes: asset identification, risk assessment, implementation of controls, and clear policies.
  - A DevSecOps approach is critical to integrate security from the outset (security by design).
- Chief Information Security Officer (CISO):
  - Appointment required.
  - Responsible for overseeing the cybersecurity strategy and ensuring compliance.
  - Must have authority and technical competence.
- Risk assessment and operational continuity:
  - Conduct periodic risk assessments.
  - Develop business continuity and disaster recovery plans (BCP/DRP).
  - Cloud solutions provide robust resilience capabilities.
- Ongoing training for tech talent and the wider organisation:
  - The human factor is critical.
  - Continuous training in cybersecurity best practice.
  - Tailor programmes to each role and run simulations/drills.
Operators of Vital Importance (OIV): a special focus and stricter requirements
The law pays particular attention to Operators of Vital Importance (OIV) — entities that provide essential services. These include sectors such as:
- Energy
- Telecommunications
- Transport
- Financial services (banking, payments)
- Healthcare (hospitals, clinics)
- Digital infrastructure
The National Cybersecurity Agency (ANCI) is responsible for designating OIVs. These organisations face more stringent duties.
“For OIVs, compliance with Law 21.663 is not optional — it is an imperative for national security and the continuity of essential services.”
Incident reporting: critical deadlines and ANCI
The incident reporting regime to the National CSIRT (under ANCI) is a major shift:
- Early warning: Within 3 hours of detection.
- Second report: Within 72 hours (or 24 hours if essential services are affected).
- Action plan: Within 7 days.
- Final report: Within 15 days.
These deadlines require advanced detection and response capabilities (SIEM, EDR) and efficient incident management.
The National Cybersecurity Agency (ANCI): Chile’s new cybersecurity authority
Operating from 1 January 2025, ANCI is a decentralised public service with broad functions: oversight, regulation, enforcement, and promoting a cybersecurity culture.
Sanctions for non-compliance with Law 21.663:
Non-compliance can carry severe consequences:
- Minor offences: Up to 5,000 UTM.
- Serious offences: Up to 10,000 UTM.
- Very serious offences: Up to 20,000 UTM.
- For OIVs, these fines can be doubled (up to 40,000 UTM).
Beyond the financial impact, reputational damage and operational restrictions can be substantial.
Soho can help you navigate Law 21.663 by assessing your cybersecurity maturity, designing and implementing an ISMS, defining the CISO role, strengthening your Cloud infrastructure, and adopting DevSecOps practices to embed security throughout the software development lifecycle. Contact us.
Personal Data Protection Law (No. 21.719): towards a global standard for privacy and data governance
Law 21.719, published on 13 December 2024 (with an adaptation period through to December 2026), dramatically modernises the old Law 19.628, aligning Chile with standards such as the European GDPR. Its purpose is to regulate the processing of personal data, safeguard individuals’ rights and freedoms, and promote robust data governance.
Core principles for data processing under Law 21.719:
All data processing must follow key principles:
- Lawfulness: A clear legal basis (consent, contract, etc.).
- Specific purpose: Specific, legitimate, and informed purposes.
- Proportionality: Only necessary data (data minimisation).
- Transparency: Clear information for data subjects. Transparent UX Design is crucial.
- Security: Appropriate technical and organisational measures. Robust cybersecurity is a prerequisite.
- Confidentiality: Access limited to authorised personnel.
Consent must be freely given, specific, informed, and unambiguous. The law emphasises privacy by default and by design.
Strengthened ARCO+P rights for data subjects:
Data subjects’ rights are reinforced: Access, Rectification, Erasure (Cancellation), Objection, and Portability.
“Law 21.719 empowers Chilean citizens by giving them unprecedented control over their personal data and demanding greater accountability from organisations.”
The strategic role of the Data Protection Delegate / DPO:
The law introduces the role of the Data Protection Delegate (DPD, the equivalent of a Data Protection Officer or DPO). While not always mandatory, it is strongly recommended for organisations that process large volumes of data or sensitive data.
Personal data breach notification and the new Data Protection Agency:
The law establishes an obligation to notify personal data security breaches to the new Data Protection Agency and, in certain cases, to affected individuals. This agency will have oversight and enforcement powers.
Sanctions for non-compliance with Law 21.719:
Fines are significant:
- Minor offences: Up to 500 UTM.
- Serious offences: Up to 5,000 UTM.
- Very serious offences: Up to 20,000 UTM or up to 4% of the group’s global annual turnover.
Soho supports your alignment with Law 21.719 by defining data governance strategies, designing privacy-respecting user experiences (UX), implementing secure and compliant Data platforms, and developing AI solutions that use data ethically and lawfully.
The critical convergence: cybersecurity, data protection, and the future of digital marketing with first-party data
It is essential to understand that Law 21.663 (Cybersecurity) and Law 21.719 (Data Protection) do not operate in silos. Robust cybersecurity is the indispensable foundation for safeguarding personal data.
This convergence becomes even more critical as digital marketing evolves towards a future without third-party cookies. First-party data — collected directly from users with their consent — becomes the most valuable asset.
The ethical and lawful collection, management, and activation of this first-party data, governed by Law 21.719, will be a competitive differentiator. This requires:
- Unified Data strategies with privacy built in from the start.
- Absolute transparency in data collection and use.
- Appropriate technologies (CDPs, Data Lakes in Cloud).
- Analytical capabilities and responsible AI to extract value.
Beyond compliance: turning regulatory challenges into strategic opportunities through agile leadership
While regulatory compliance is the first step, the real opportunity for Chilean leaders lies in viewing these laws as a driver of positive transformation and the adoption of agile leadership:
- Build stronger trust: Demonstrating a commitment to security and privacy strengthens loyalty.
- Ensure operational resilience: Protect the organisation from costly disruptions.
- Gain competitive advantage: Attract investment and innovate responsibly.
- Enable responsible innovation: Build new products and services with privacy “by design”.
The role of technology, automation, and specialist expertise:
Adapting to this new paradigm requires a combination of strategy, processes, automation, and technology. This is where a partner like Soho becomes critical:
- Secure development (DevSecOps): Security embedded across the software lifecycle.
- Privacy-centred UX design: Intuitive, transparent interfaces.
- Ethical AI and Data: AI solutions that respect privacy.
- Secure Cloud solutions: Agility and scalability with strong security.
- DevOps practices and automation: Improve security posture and accelerate response.
Roadmap to adaptation: practical steps for Chilean organisations
Navigating this new landscape requires a clear plan. Consider the following steps:
- Diagnosis and assessment (gap analysis):
  - Assess your current position against both laws.
  - Identify gaps in policies, processes, technologies, and training.
  - Classify information assets and assess risks.
- Establish the right governance:
  - Define key roles: CISO and, where applicable, DPO.
  - Set clear policies.
  - Engage senior leadership and build a security culture.
- Invest in technology and processes:
  - Implement or upgrade your ISMS.
  - Adopt security and automation tools.
  - Review processes for consent management, ARCO+P rights, and incident reporting.
- Training and awareness for tech talent and the wider organisation:
  - Develop continuous training programmes.
  - Run simulations/drills.
- Review contracts and third parties:
  - Ensure supplier compliance.
- Incident response plan:
  - Develop and test your response plan.
- Seek expert support:
  - An experienced partner can accelerate your adaptation.
The future is now for Chilean organisations – technological innovation and compliance
The Cybersecurity and Personal Data Protection laws mark the beginning of a new era for businesses in Chile. Far from being a burden, they represent an opportunity to strengthen operations, foster technological innovation, and build a safer, more trustworthy digital future. Proactive adaptation, smart investment, and choosing the right technology partners will be decisive for success.
At Soho, we are ready to support you on this journey — helping you turn regulatory challenges into solid foundations for growth and leadership in Chile’s digital economy.
Is your organisation ready for this new landscape?
Navigating Chile’s new cybersecurity and data protection laws requires specialist knowledge and a clear strategy.
- Contact our experts: For a tailored assessment of your current situation and a roadmap aligned to your needs.
- Discover our solutions: Explore how our capabilities in Development, UX Design, AI, Data, Cloud and DevOps can strengthen your organisation.
