What impact might NIS2 have on South America?

To explain how NIS1 has already affected South America and what further implications NIS2 might bring, we invited Juan Pablo González Gutiérrez, a director of the Personal Data Protection, Cybersecurity, and New Technologies practice at HD Group, a Chile-based company. Juan Pablo has a solid track record in technology contracting and regulation, cybersecurity, information security, personal data protection, regulatory risk management, and compliance.

He has also served as Head of Legal Affairs at the Cybersecurity Coordination Unit of the Undersecretariat of the Interior and was a Senior Manager at Deloitte and NTT DATA in the Risk & Compliance and Cybersecurity areas, respectively. He also led the Data Privacy & Security practice at Assertiv and is currently the director of the Diploma in Technology and Regulation at the University of Buenos Aires (UDD), along with being a guest expert at the EU Cyber Net, among other credentials.

1. What impact have the NIS1 and NIS2 Directives had on non-EU countries so far? Could the NIS2 Directive drive other countries to adopt similar cybersecurity regulations to maintain market access and regulatory alignment with the EU?

Both directives have significant collateral effects on third countries that are not EU members. NIS1 facilitated spillover by informing global debates on the need to protect critical infrastructure and guiding regulatory discussions in countries aiming to align themselves with the EU, as well as in Latin American countries, through cooperation programs. It also impacted international standards via the EU’s active role in ENISA and its cooperation with ITU and OECD cybersecurity bodies. However, the NIS1 Directive’s narrow scope and lax enforcement have limited its extraterritorial influence. NIS2, on the other hand, has broader applicability, with more stringent requirements and wider sectoral coverage. It has the potential to reach further into international business, especially in light of the current strain on global supply chains. Non-EU entities that supply or partner with EU essential entities must meet the EU’s security requirements. Regulatory convergence for EU market access provides a model for regulatory discussions. For example, countries such as Chile regard NIS2 as a benchmark when updating and creating their cybersecurity laws. Ultimately, NIS2 can promote global convergence in cybersecurity regulation. The EU’s market power fosters the Brussels Effect, and most cyber threats are borderless, necessitating common regulatory frameworks.

2. In what ways might NIS2 influence cross-border incident reporting and cooperation between EU and non-EU cybersecurity authorities and businesses?

Despite the limited legal scope of NIS2 to EU territory, the reporting and collaboration mechanism for cross-border incidents and cooperation between cybersecurity authorities and businesses in the EU aims to significantly enhance these areas following the entry into force of the NIS2 Directive. The directive increases external pressure on cross-border supply chains because NIS2 requires essential and important entities to consider cybersecurity risks throughout their supply chains, including those from third-country vendors. Although NIS2 does not impose direct legal obligations on non-EU providers to comply with EU-based practices in order to maintain contracts, it does encourage the development of mutual incident response processes and common communication channels with EU clients and authorities.

Additionally, NIS2 could facilitate the sharing of global threat intelligence, particularly when threat information must be exchanged with trusted non-EU members. NIS2 could also enhance real-time cross-border alerting when non-EU incident response teams meet technical requirements or sign a Memorandum of Understanding (MOU) for alignment and cooperation with incident drills organized by ENISA or the relevant cybersecurity authority. Ultimately, the NIS2 Directive aims to enhance the cross-border sharing of information and contribute to a harmonized state of security. This will increase EU companies’ trust in providers abroad that adopt standard practices.

3. What obligations might non-EU suppliers face as EU companies seek to secure their supply chains under NIS2?

Non-EU businesses that supply goods or services to EU organizations, particularly essential entities, may indirectly be obligated to ensure the security of their operations. Although NIS2 does not have extraterritorial reach, EU firms are now legally required to address cybersecurity risks across their entire supply chain, including those involving third-country suppliers. Under NIS2, EU entities must also assess and manage risks associated with third parties, request security guarantees from suppliers and service providers, incorporate cybersecurity clauses into contracts, and report incidents arising from vulnerabilities in third-party systems.

Non-EU providers may be required to follow specific practices, such as NIS2 mandates, including conducting cyber risk assessments, developing design protocols, notifying incidents, ensuring business continuity and recovery, meeting certification and data protection requirements, and undergoing testing and audits. They may also be required to serve as the contact point for the national cybersecurity authority.

4. Do you believe such directives are an efficient way to increase cybersecurity maturity in the region? Why or why not?

Indeed, Directive NIS2 could be a valuable model for improving cybersecurity in Latin America if it is adapted to the region’s conditions. Several countries in the region are currently developing their national security strategies, and NIS2 provides a well-defined governance structure that could serve as a reference point for these discussions. The directive outlines distinct responsibilities across various sectors and establishes an oversight authority, such as a Computer Security Incident Response Team (CSIRT), to manage cybersecurity incidents. Furthermore, implementing an NIS2-like regime could streamline the process of identifying and classifying critical sectors and operators, establishing national enforcement authorities similar to those in Chile, and defining reporting obligations for cybersecurity incidents. The directive could also strengthen supply chain and critical infrastructure security by requiring significant suppliers to conduct risk assessments and create mitigation plans.

In the absence of a mandatory legal framework resembling the EU’s in Latin America, which promotes harmonization, and due to a general lack of awareness in the private sector, where cybersecurity is not always regarded as a strategic issue, it is essential for Latin American countries to adopt NIS2’s principles, along with capacity building and strengthening regional cooperation platforms tailored to their realities.

5. What are the key cybersecurity regulations guiding Chile and South America, and what impact have they had on the countries and regions so far?

South American countries are developing cybersecurity legislation influenced by global factors, such as the NIS2 Directive and the Cybercrime Convention, as well as by challenges in the digital economy. For instance, Chile enacted the Cybersecurity Law (Ley N° 21.663) in accordance with the EU’s NIS2 standard. The law established the Cybersecurity Agency and identified critical infrastructure, known as servicios esenciales and operadores de importancia vital. It also set forth incident reporting, risk management, and audit requirements, while imposing a stringent enforcement regime with fines of up to 20,000 UTM (1,45 million USD) and up to 40,000 UTM (2,90 million USD) respectively. The impact of this legislation remains to be seen. Additionally, Chile was among the first Latin American countries to ratify the Budapest Convention, adopting the Cybercrime Law (Ley N° 21,459) in 2022. These laws complement the National Cybersecurity Policy, which emphasizes partnerships among the public, private, and academic sectors, as well as sectoral resilience and nationwide education and awareness initiatives.

Combined with regional cooperation, Chilean cybersecurity regulation represents a positive step for the region in strengthening its political will to tackle cyber threats at a strategic level as part of state policy. However, regional challenges persist, including a fragmented regulatory environment, inconsistent institutional capabilities among countries, limited private sector involvement, and the complex application of regulations to small and medium-sized enterprises (SMEs).
