Cybersecurity 2025

Last Updated March 13, 2025

Brazil

Trends and Developments


Authors



Machado Meyer is a leading Brazilian law firm renowned for its comprehensive legal services and commitment to excellence. Established in 1972, the firm has built a strong reputation for its expertise across various practice areas, including technology, the internet, and data protection law. With a team of highly skilled attorneys, Machado Meyer provides tailored solutions to meet the unique needs of its clients, who range from multinational corporations to start-ups. The firm is recognised for its innovative approach and deep understanding of the Brazilian legal landscape, enabling the team to navigate complex legal challenges effectively. Machado Meyer’s dedication to client service and its collaborative culture foster long-lasting relationships, making it a trusted partner in the legal field. The firm’s commitment to diversity and inclusion further enhances its ability to deliver exceptional legal services in an ever-evolving market.

The Cybersecurity Landscape in Brazil

The Brazilian cybersecurity landscape can be analysed both at the macro level and in specific sectors. This is due to the existence of regulations and research at the federal level, as well as specific regulations pertaining to certain sectors of the economy, which will be outlined throughout this article. The federal scenario shall be considered first, however, before moving on to other, more specific regulation.

Federal landscape

Approved through Decree No 10,222 on 5 February 2020, the National Cybersecurity Strategy (Estratégia Nacional de Segurança Cibernética, or “E-Ciber”) outlined strategic actions for the period from 2020 to 2023, with the aim of guiding Brazilian society on the federal government’s main initiatives around cybersecurity ‒ both nationally and internationally. Among the E-Ciber’s objectives were to make Brazil more prosperous and reliable in the digital environment, increase resilience to cybersecurity threats, and strengthen the country’s international role in cybersecurity.

Following the E-Ciber, on 26 December 2023, President Luiz Inácio Lula da Silva signed Decree No 11,856, establishing the National Cybersecurity Policy (Política Nacional de Cibersegurança, or “PNCiber”). This policy aims to guide cybersecurity activities in the country, establishing guidelines to protect critical infrastructures and promote cyber-resilience. In addition, the decree created the National Cybersecurity Committee (Comitê Nacional de Cibersegurança, or CNCiber), formed by representatives from the government, civil society, scientific institutions and the business sector. The CNCiber is responsible for monitoring the implementation and evolution of the E-Ciber, proposing updates to the PNCiber, and evaluating and suggesting measures to improve cybersecurity in Brazil, as well as formulating international technical co-operation strategies.

The policy arises from the need for protection, given that cyber-attacks represent one of the greatest threats to entities in today’s world. In 2021, there was a major data leak in Brazil, whereby 220 million individual taxpayer registration (Cadastro de Pessoas Físicas, or CPF) and company registration (Cadastro Nacional da Pessoa Jurídica, or CNPJ) numbers were exposed. Although the source of the leak has not been identified, 37 databases covering name, address, photo, credit score, income, Internal Revenue Service status and National Social Security Institute (Instituto Nacional do Seguro Social, or INSS) number were made available on the internet. Part of the data was published for free, such as name and CPF number, while the complete set was sold online.

Most recently, during the CNCiber meeting held on 4 December 2024, a new proposal for the E-Ciber text was presented. Now that suggestions and changes have been made by the members, the new text should be approved and formalised soon. The new E-Ciber will include a new regulatory agenda, as well as directions for new recommendations to the technology market and digital service providers, in addition to suggesting possible legal frameworks to strengthen cybersecurity governance in the country.

At the same time, Brazil has sought to improve mechanisms for sharing information about incidents and vulnerabilities between the public and private sectors. The creation of Computer Security Incident Response Team (CSIRT) centres has been encouraged, with the aim of strengthening the capacity to prevent, detect and respond to cybersecurity incidents. Currently, the country has the Cyber Incident Prevention, Handling and Response Centre of the Brazilian Government (Centro de Prevenção, Tratamento e Resposta a Incidentes Cibernéticos de Governo, or CTIR Gov), which is responsible for co-ordinating cybersecurity actions at government level.

In addition, it is worth mentioning the Brazilian Strategy for Digital Transformation (Estratégia Brasileira para a Transformação Digital, or “E-Digital”) and the National Information Security Policy (Política Nacional de Segurança da Informação, or PNSI). The latter offers a diagnosis of the challenges of the digital transformation of Brazilian society and establishes strategic actions, setting trust in the digital environment as one of its axes.

E-Digital is focused on two areas, which are:

  • protection of rights and privacy; and
  • defence and security in the digital environment.

It also presents eight strategic actions, which include the draft of a national cybersecurity policy and a national plan to prevent incidents and cybersecurity threats.

Finally, the PNSI was approved through Decree No 9.637/2018 and established within the scope of the entire federal public administration. The PNSI covers:

  • cybersecurity;
  • cyberdefence;
  • physical security and protection of organisational data; and
  • actions aimed at ensuring the availability, integrity, confidentiality and authenticity of information.

This policy is implemented through the National Information Security Strategy (Estratégia Nacional de Segurança da Informação, or ENSI) and national plans.

Brazilian Data Protection Authority

The Brazilian Data Protection Authority (Autoridade Nacional de Proteção de Dados, or ANPD) is the entity responsible for overseeing data processing activities, ensuring the protection of personal data. Therefore, its regulation affects all sectors where there is data processing activity, according to the Brazilian General Data Protection Regulation (Lei Geral de Proteção de Dados, or LGPD). Although the ANPD does not regulate cybersecurity specifically, it has already implemented several regulations to ensure a secure environment for data processing activities, providing insights into the expectations for data processing agents.

Among these, the following stand out:

  • case and technical studies on anonymisation and regulatory sandboxes related to the topic;
  • informative notices on data breaches and security measures recommended for data subjects;
  • guidelines on information security for small business data processing agents, with an information security checklist that directly names cybersecurity controls, such as web application firewalls or multifactor authentication; and
  • other regulations related to the topic, such as Resolution No 15/2024, which establishes the procedure for reporting incidents.

As regards Resolution No 15/2024, the ANPD did not expressly establish the security mechanisms that companies must adopt to ensure data protection – it simply indicated that companies must implement the necessary mechanisms to ensure information security. However, the incident reporting form provided by the ANPD outlines certain expected security mechanisms, such as encryption, authentication methods, back-ups, and firewalls.

Furthermore, several cybersecurity-related topics are included in the ANPD’s regulatory agenda for 2025‒26, such as security measures, technical and administrative standards (including minimum technical security standards), and anonymisation and pseudonymisation. This demonstrates the significance of the subject for the ANPD, as well as the obligations that data processing agents will need to adhere to in the future.

Energy sector

The energy sector is classified as critical infrastructure, making it a prime target for cyber-attacks. The vulnerability of this sector to cybersecurity threats, such as ransomware attacks and data breaches, is a significant concern. Supervisory Control and Data Acquisition (SCADA) systems, which are integral to the operation of energy networks, are particularly susceptible to such attacks.

To mitigate these risks, the sector has been increasingly adopting international cybersecurity frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the International Organization for Standardization (ISO)’s ISO 27001, and the International Electrotechnical Commission (IEC)’s IEC 62443. These frameworks provide comprehensive guidelines for securing critical infrastructure.

Moreover, energy companies are held accountable for any service disruptions caused by cyber-incidents, facing civil liabilities and administrative liabilities alike. Service-level agreements (SLAs) and stringent security requirements for suppliers further reinforce the sector’s resilience against cybersecurity threats.

The energy sector in Brazil is governed by a robust regulatory framework aimed at ensuring digital compliance and cybersecurity. The National Electric Energy Agency (Agência Nacional de Energia Elétrica, or ANEEL) plays a pivotal role in this regard, with specific regulations such as Resolution No 964/2021, which outlines the requirements for digitalisation and cybersecurity measures within the sector. This resolution mandates energy companies to adopt stringent cybersecurity protocols to protect their infrastructure and data.

Additionally, the State-Owned Companies Law (Law No 13.303/2016) and the Digital Government Law (Law No 14.129/2021) impose further compliance obligations on energy companies, emphasising transparency, accountability, and the secure handling of data. These regulations collectively ensure that energy concessionaires adhere to high standards of data governance and cybersecurity, thereby safeguarding the sector against potential cybersecurity threats.

Consumer protection

In recent years, Brazil has made significant strides in enhancing consumer protection and cybersecurity. An important development in this area was the signing of the Technical Co-operation Agreement No 1/2021 between the ANPD and the National Consumer Secretariat (Secretaria Nacional do Consumidor, or “Senacon”) on 22 March 2021. This agreement aims to expedite investigations involving cybersecurity incidents by fostering collaboration between the two entities.

Through the exchange of information, educational initiatives, research, and joint enforcement actions, Senacon and the ANPD are working together to safeguard personal data and defend consumer rights. Senacon provides the ANPD with access to its database, which includes complaints and notifications, whereas the ANPD focuses on regulatory and enforcement actions under the LGPD. This partnership is expected to not only speed up investigations but also to strengthen the culture of data protection in Brazil, ensuring greater legal security for consumers and organisations alike.

In July 2024, Senacon announced an investigation into the damage caused by a recent cybersecurity breach that affected various sectors in Brazil. The incident stemmed from a problematic update by cybersecurity provider CrowdStrike, which disrupted services provided by Microsoft. This error disconnected computers and servers from the internet, leading to a system recovery loop that rendered machines inoperable. The fallout was widespread, impacting global companies and causing significant disruptions in Brazil. Airlines, banks, and even the healthcare system faced operational challenges, with manual check-ins at airports for travellers and service interruptions for hospitals and energy distributors.

Digital piracy

Another significant effort in the realm of cybersecurity is Brazil’s fight against digital piracy in the field of consumer protection. On 10 February 2025, the National Council for Combating Piracy and Intellectual Property Offences (Conselho Nacional de Combate à Pirataria e Delitos contra a Propriedade Intelectual, or CNCP) submitted a list of 393 blocked pirate websites to the World Intellectual Property Organization (WIPO). This list will be included in WIPO Alert, an international monitoring and dissemination mechanism.

The CNCP, which is linked to Senacon, has been actively involved in combating digital piracy and protecting citizens from cybercrimes. Operations such as Redirect and 404 have targeted illegal platforms, blocking hundreds of websites and applications. These pirate sites not only distribute illegal content but also expose more than 90 million consumers to fraud, data theft, and cyber-attacks, often featuring illegal gambling ads that particularly affect minors.

Role of public prosecutor

On 28 May 2024, the National Council of the Public Prosecutor’s Office (Conselho Nacional do Ministério Público, or CNMP) unanimously approved a resolution establishing the National Cybersecurity Policy and System of the Public Prosecutor’s Office (Política e o Sistema Nacional de Cibersegurança do Ministério Público, or “PNCiber-MP”). Resolution No 294/2024 aims to set forth principles, guidelines, and a minimum governance system to guide the planning, actions, and control of cybersecurity within the units and branches of the public prosecutor. The proposal consists of nine chapters addressing various aspects such as principles, goals, instruments, governance, and the management of the PNCiber-MP. The resolution was officially published on 3 July 2024.

The PNCiber-MP is an integral part of the Institutional Security Policy of the Public Prosecutor’s Office (Política de Segurança Institucional do Ministério Público, or PSI/MP), established by CNMP Resolution No 156/2016, which regulates measures aimed at security in information and communications technology (ICT). The resolution outlines that cybersecurity encompasses a set of actions designed to prevent, detect, treat, and respond to digital threats using appropriate controls, including policies, rules, processes, procedures, organisational structures, technologies, and people. These measures aim to ensure the availability, integrity, confidentiality and authenticity of information, in line with the risk profile of the public prosecutor. The guiding principles of the PNCiber-MP include:

  • the protection of fundamental rights and guarantees of users;
  • integration and co-operation among cybersecurity actors;
  • proactive incident prevention; and
  • the reliability of information systems.

The instruments defined by the PNCiber-MP include the National Strategic Planning of the Public Prosecutor’s Office (Planejamento Estratégico Nacional do Ministério Público, or PEN-MP), the PSI/MP, the National Information Technology Policy (Política Nacional de Tecnologia da Informação do Ministério Público, or PNTI-MP), and the National Strategic Information Technology Plan (Plano Estratégico Nacional de Tecnologia da Informação do Ministério Público, or PEN-TI-MP).

Additionally, the PNCiber-MP includes the institutional security plans and strategic information technology plans of the units and branches of the Public Prosecutor’s Office, as well as protocols, instructions, manuals, and technical statements issued by governance and management bodies. The National Cybersecurity System of the Public Prosecutor’s Office, co-ordinated by the CNMP, will adopt a co-operative governance methodology and include the National Cybersecurity Management Committee (Comitê Gestor Nacional de Cibersegurança do Ministério Público, or “CGNCiber-MP”), the Cyber Crisis Management Committee, and the National Cybersecurity Co-operation Network (Rede Nacional de Cooperação em Cibersegurança do Ministério Público, or “REDECiber-MP”).

Ministry of Science, Technology, and Innovation

The Ministry of Science, Technology, and Innovation (Ministério da Ciência, Tecnologia e Inovação, or MCTI) in Brazil, in collaboration with the Brazilian Agency for Industrial Research and Innovation (Empresa Brasileira de Pesquisa e Inovação Industrial, or “Embrapii”), has announced the establishment of the Cybersecurity Competence Centre, which will receive an investment of BRL60 million from the MCTI’s Priority Programme (Programa Prioritário em Informática, or PPI) IoT/Manufacturing 4.0. The centre will focus on four key research areas:

  • identity and access management;
  • data protection and privacy;
  • cybersecurity threat intelligence; and
  • legal, ethical and behavioural aspects.

The announcement, made in May 2024, underscores the Brazilian government’s commitment to enhancing cybersecurity infrastructure. This is crucial for the secure operation of essential systems, including government digital services.

The creation of the Cybersecurity Competence Centre is part of a broader initiative by Embrapii and the MCTI to establish multiple competence centres across various strategic and frontier technology areas, with a total investment of BRL495 million. These centres aim to generate knowledge, develop human resources, and foster innovation through collaboration with industrial partners and start-ups. The initiative is expected to bolster Brazil’s cybersecurity capabilities, protect critical national infrastructure, and stimulate the national cybersecurity industry ‒ thereby enhancing the country’s competitiveness and attracting foreign investment. The Cybersecurity Competence Centre is poised to play an important role in addressing the complex cybersecurity challenges facing Brazil, leveraging its extensive experience in innovation and technology development.

Hackers do Bem hub

In addition to the Cybersecurity Competence Centre, the MCTI has also launched the Hackers do Bem hub, which is a virtual space created by the National Education and Research Network (Rede Nacional de Ensino e Pesquisa, or RNP). This initiative aims to strengthen Brazil’s cybersecurity ecosystem by bridging experts, companies and enthusiasts in an open environment for information sharing, networking, and technical training. Launched in August 2024 during the RNP Forum in Brasília, the hub is designed to be an interactive platform that fosters a self-sustaining and autonomous community dedicated to advancing digital security in the country.

The Hackers do Bem hub will host events, courses and forums to solidify Brazil’s defence against cybersecurity threats and connect professionals to job opportunities. It will also serve as a resource for students of the Hackers do Bem programme, which has already seen more than 100,000 enrolments since its inception in 2023. The hub, developed in partnership with Cisco and Rustcon, aims to enhance the training of cybersecurity professionals by providing additional courses and specialised activities ‒ thereby ensuring that graduates are well equipped to tackle the evolving challenges in the field.

Aviation sector

The National Civil Aviation Agency (Agência Nacional de Aviação Civil, or ANAC) has made significant strides in enhancing cybersecurity within the aviation sector in Brazil. The publication of the new National Civil Aviation Security Programme Against Acts of Unlawful Interference (Programa Nacional de Segurança da Aviação Civil contra Atos de Interferência Ilícita, or “PNAVSEC”) on 8 September 2022 marked a pivotal moment for aviation security. This programme, approved by Decree No 11,195/2022, aligns Brazil’s aviation security regulations with international standards set by the International Civil Aviation Organization (ICAO). Decree No 11,195/2022 introduces innovative security measures, including risk assessments and security protocols for public and airport areas, and addresses threats from man-portable air defence systems (MANPADS). Notably, it incorporates cybersecurity regulations to identify vulnerabilities and implement protective measures for data and communication systems, ensuring the confidentiality, integrity and availability of information.

In April 2023, ANAC established the Cybersecurity Committee (“CSC/ANAC”) through Portaria No 11.126. This committee aims to co-ordinate, harmonise and consolidate ANAC’s efforts in cybersecurity, implementing policies to protect civil aviation against cybersecurity threats. The CSC/ANAC takes over the responsibilities of the Cybersecurity Working Group (Grupo de Trabalho de Segurança Cibernética, or GTSC), established in August 2020, and serves as the sectoral co-ordination team (Equipe de Prevenção, Tratamento e Resposta a Incidentes Cibernéticos de Coordenação Setorial, or “ETIR Setorial”) as per Decree No 10.748, which created the Federal Network for Cyber Incident Management (Rede Federal de Gestão de Incidentes Cibernéticos, or ReGIC). The CSC/ANAC comprises representatives from various organisational units within ANAC ‒ each responsible for different aspects of aviation security ‒ and is co-ordinated by the Superintendence of Airport Infrastructure (Superintendência de Infraestrutura Aeroportuária, or SIA).

Throughout 2023, ANAC faced numerous challenges and achieved significant milestones in cybersecurity. Recognising the growing reliance on ICT in civil aviation, ANAC took proactive measures to mitigate emerging risks and vulnerabilities. The agency released two key manuals, the Civil Aviation Cybersecurity Awareness Manual and the Cybersecurity Assessment Manual, based on international standards. These documents aim to raise awareness among aviation professionals and help organisations assess and improve their cybersecurity maturity. Additionally, ANAC engaged in international co-operation with organisations such as ICAO, the European Union Aviation Safety Agency (EASA) and the European Organization for Civil Aviation Equipment (“EUROCAE”), fostering collaboration and information exchange on cybersecurity.

In 2024, ANAC continued its efforts to modernise and enhance aviation security with the publication of Resolution No 753 on 9 August 2024. This resolution, approved during the 12th deliberative meeting of ANAC’s collegiate board, mandates the adoption of technical and technological solutions to improve civil aviation security against unlawful interference and elevate operational safety. The resolution aims to enhance passenger services and airport capabilities by implementing new equipment and procedures. ANAC will define the minimum criteria for the acceptance of these technologies and methodologies, tailored to the size, resources, and needs of each aerodrome. This resolution is part of the broader Airports+Security programme, which was launched in June 2023 by the federal government to ensure that Brazilian airports meet the highest standards of safety and security.

Telecommunications sector

The National Telecommunications Agency (Agência Nacional de Telecomunicações, or ANATEL) has a range of publications on cybersecurity, encompassing regulations (such as Resolution No 767/2024), public policies, guidelines, and other documentation and studies aimed at bolstering cybersecurity within its domain.

Mainly, ANATEL relies on the Cybersecurity Regulation Applied to the Telecommunications Sector (Regulamento de Segurança Cibernética Aplicada ao Setor de Telecomunicações, or “R-Ciber”). The R-Ciber sets forth the obligations of regulated agents (eg, the development, maintenance and implementation of a cybersecurity policy), as well as the principles to be followed by them (eg, confidentiality, availability, integrity and liability).

Besides that, the R-Ciber also establishes a governance model within ANATEL, through the Cybersecurity and Critical Infrastructure Risk Management Technical Group (Grupo Técnico de Segurança Cibernética e Gestão de Riscos de Infraestrutura Crítica, or “GT-Ciber”). This group has a series of obligations related to monitoring cybersecurity policy and critical infrastructure management, equipment configuration, technical requirements, and suppliers ‒ sharing information and best practices as well as awareness, training, studies and interaction with the Brazilian Communications Commissions (Comissões Brasileiras de Comunicações, or CBCs).

Right after the R-Ciber was published, ANATEL took another step to promote the cybersecurity of the sector on 5 January 2021, when it approved the Cybersecurity Requirements for Telecommunications Equipment. This authorises ANATEL to carry out the certification and approval of telecommunications equipment ‒ from the simplest (eg, sensors with wireless communication interfaces) to the most complex (eg, operator network core equipment). One of the principles of this approval activity is the protection and security of the users of these products. The aim of establishing the requirements together with the creation of a market oversight programme is to:

  • encourage manufacturers to develop their products with security in mind from the outset (“security by design”);
  • monitor the market for insecure products;
  • ensure that manufacturers implement fixes for identified flaws/vulnerabilities; and
  • prevent insecure equipment from being commercialised.

Finally, ANATEL also promotes campaigns to increase society’s awareness of cybersecurity practices, including campaigns to prevent fraud and other digital crimes.

Financial sector

The Central Bank of Brazil (Banco Central do Brasil, or “BACEN”) has taken further steps by enacting regulations pertaining to cybersecurity, thereby imposing specific obligations on financial and payment institutions under its purview. This is notably evident through the implementation of Resolution No 4.893/2021 and Resolution No 85/2021. Both regulations aim to enhance the regulatory framework governing the financial system’s stability and integrity. This is part of BACEN’s ongoing efforts to align with international standards and best practices, ensuring that financial institutions operate under robust and transparent guidelines. The primary objective of Resolution 4.893/2021 is to establish comprehensive rules for the management of risks and capital adequacy, thereby promoting a more resilient financial sector.

The regulatory framework regarding cybersecurity for financial institutions authorised to operate under the BACEN is outlined by Resolution No 4.893/2021, which delineates the cybersecurity policy and the prerequisites for engaging data processing, storage services, and cloud computing. Similarly, Resolution No 85/2021 addresses the same subject matter but applies to payment institutions, securities brokerages, securities distributors, and authorised foreign exchange brokerages operating under BACEN.

Given the importance of safeguarding transactions within its purview, BACEN has been actively promulgating regulations in this sector to enforce stringent obligations and standards for the entities under its regulation, thereby ensuring the security of transactions.

Machado Meyer

Avenida Brigadeiro Faria Lima 3200
5th Floor
Itaim Bibi
01453-050
Brazil

+55 113 150 3311

jabrusio@machadomeyer.com.br
www.machadomeyer.com.br/en