Within the framework of the implementation of Law No. 21,663 (Cybersecurity Framework Law), the National Cybersecurity Agency (ANCI) published General Instructions Nos. 2, 3 and 4 of 2025, which complement the incident reporting regime and establish new specific obligations for Vital Operators (Operadores de Importancia Vital – OIVs).

The new instructions address three key areas: (i) registration and authentication in ANCI’s incident reporting platform, (ii) the formal appointment of a Cybersecurity Delegate, and (iii) minimum standards for the containment and mitigation of cybersecurity incidents. For OIVs, these obligations enter into force within 60 calendar days from the publication in the Official Gazette of the resolutions qualifying them as such.

Key highlights:

General Instruction No. 2 – Registration in ANCI’s platform

Complements General Instruction No. 1 and exceptionally authorizes the registration of cybersecurity officers who do not have access to Clave Única. It also allows the appointment of foreign incident reporting officers, without prejudice to the rules already in force.

General Instruction No. 3 – Cybersecurity Delegate

Regulates, for the first time, the procedure for appointing a Cybersecurity Delegate, an obligation applicable exclusively to OIVs. It establishes minimum profile requirements (training, experience or certification in cybersecurity), sufficient functional independence from IT areas, and a direct reporting line to senior management. A formal designation document is required, along with accreditation before ANCI and timely updates, including notification of any relevant changes within five business days. This designation complements, and does not replace, the incident reporting officer.

General Instruction No. 4 – Incident containment and mitigation measures

Develops the legal duty to adopt timely measures to reduce the impact and spread of cybersecurity incidents. It details minimum immediate containment actions, such as access restrictions, isolation of compromised systems, and temporary or partial suspension of services. It also requires certain measures to be adopted within three hours of becoming aware of an incident —including changing administrative passwords and disabling exposed remote access— and mandates the preventive application of similar measures every six months.