Cybersecurity regulation in Brazil (2026)
Brazil regulates cybersecurity through a combination of an executive-branch national policy (PNCiber, Decree 11.856/2023) and sector-specific obligations rather than one comprehensive law. Binding incident- and breach-reporting duties exist for personal data (LGPD/ANPD) and for financial and payment institutions (BCB), while a comprehensive NIS2-inspired bill creating a national cybersecurity authority is under consideration as of 2026.
Key points
Decree No. 11.856 of 26 December 2023 established the National Cybersecurity Policy and the National Cybersecurity Committee (CNCiber), setting principles and objectives (critical-infrastructure protection, resilience, R&D) for the federal government; it is a policy framework, not a statute imposing direct obligations on the private sector.
ANPD Resolution CD/ANPD No. 15 of 24 April 2024 implements LGPD Art. 48: controllers must notify the ANPD and affected data subjects of incidents posing relevant risk within three business days of confirming personal data was affected, with supplementary information allowed within 20 business days and a five-year incident register required.
CMN Resolution No. 4.893 of 26 February 2021 requires financial and payment institutions to adopt a cybersecurity policy, maintain action and incident-response plans, and report relevant incidents to the Central Bank; in force since 1 July 2021, it consolidated the earlier 2018/2019 rules.
Bill No. 4752/2025, introduced in the Senate in 2025, would create Brazil's first comprehensive Cybersecurity Legal Framework and a National Cybersecurity Authority (ANCiber), inspired by the EU NIS2 directive, with public-procurement compliance requirements and shared supply-chain incident responsibility; it remains pending as of 2026.
The GSI/Presidency-led E-Ciber strategy operationalizes PNCiber; an updated text was advanced through CNCiber and issued in 2025, setting a regulatory agenda and guidance for digital service providers and the technology market.
Brazil has no general mandatory cybersecurity law applicable to all sectors; obligations are layered across the LGPD (data protection), sectoral regulators (BCB for finance, with telecom/Anatel and others), and the public-sector PNCiber/E-Ciber framework, which is why the regime is best characterized as sectoral pending the proposed comprehensive law.
Timeline - major decisions & events
CMN Resolution No. 5,274/2025 and BCB Resolution No. 538/2025 updated cybersecurity policy and cloud/data-processing contracting requirements for BCB-regulated institutions, modernizing the 2018 framework. It raises baseline security and outsourcing obligations across Brazil's financial sector.
Source: Baker McKenzie / Global Compliance News

Brazil enacted a new National Cybersecurity Strategy (E-Ciber) with roughly 40 strategic actions, replacing the 2020 strategy and implementing the PNCiber. It defines timelines and governance to be detailed in a forthcoming National Cybersecurity Plan (P-Ciber).
Source: Mattos Filho

The STF ruled Article 19 of the Marco Civil da Internet partially unconstitutional, allowing platforms to be held civilly liable for certain unlawful content (hate speech, terrorism, child sexual abuse material, serious disinformation) without a prior court order. It imposes a stricter duty of care on online platforms.
Source: Global Network Initiative

The data protection authority operationalized LGPD Article 48, requiring controllers to notify ANPD and affected individuals within three business days when a breach poses relevant risk or harm, and to keep breach records for five years. It clarified long-uncertain incident-reporting duties.
Source: DataGuidance / ANPD

The decree created Brazil's overarching National Cybersecurity Policy with seven principles and eleven objectives, plus the National Cybersecurity Committee (CNCiber) to steer implementation. It set the foundational governance framework guiding the country's later cyber strategy.
Source: Presidência da República (Planalto)

An exposed database revealed personal data of more than 220 million Brazilians and tens of millions of companies, including CPF numbers, addresses, income and credit scores — the largest leak in the country's history. It intensified pressure for stronger data-security enforcement and incident regulation.
Source: Cybernews

Coordinated by the Institutional Security Cabinet (GSI), Brazil's first National Cybersecurity Strategy set federal cyber-defense priorities and made federal agencies responsible for implementing its actions. It marked the first structured national approach to cybersecurity governance.
Source: Presidência da República (Planalto)

Brazil's omnibus data-protection law imposed security, breach-notification and accountability duties on public and private data processors and created the basis for the ANPD. It anchors most data-security obligations applicable in Brazil today.
Source: Presidência da República (Planalto)

The National Monetary Council issued Brazil's first binding sector cybersecurity rules, mandating cyber-security policies, incident response and strict cloud/outsourcing requirements for Central Bank-regulated institutions. It became the template for Brazil's financial-sector cyber regulation.
Source: Banco Central do Brasil

The 'Internet Bill of Rights' set principles for internet use including privacy, data protection, net neutrality and data-retention/security duties for connection and application providers. It established core obligations for handling and safeguarding user data online.
Source: Presidência da República (Planalto)

Prompted by the leak of a celebrity's private photos, this law amended the Penal Code to criminalize unauthorized access to computer devices and related cyber offenses. It was Brazil's first dedicated cybercrime statute, laying the criminal-law foundation for cybersecurity.
Source: Presidência da República (Planalto)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.