Cybersecurity - Brazil
Brazil regulates cybersecurity through a combination of an executive-branch national policy (PNCiber, Decree 11.856/2023) and sector-specific obligations rather than one comprehensive law. Binding incident- and breach-reporting duties exist for personal data (LGPD/ANPD) and for financial and payment institutions (BCB), while a comprehensive NIS2-inspired bill creating a national cybersecurity authority is under consideration as of 2026.
Decree No. 11.856 of 26 December 2023 established the National Cybersecurity Policy and the National Cybersecurity Committee (CNCiber), setting principles and objectives (critical-infrastructure protection, resilience, R&D) for the federal government; it is a policy framework, not a statute imposing direct obligations on the private sector.
ANPD Resolution CD/ANPD No. 15 of 24 April 2024 implements LGPD Art. 48: controllers must notify the ANPD and affected data subjects of incidents posing relevant risk within three business days of confirming personal data was affected, with supplementary information allowed within 20 business days and a five-year incident register required.
CMN Resolution No. 4.893 of 26 February 2021 requires financial and payment institutions to adopt a cybersecurity policy, maintain action and incident-response plans, and report relevant incidents to the Central Bank; in force since 1 July 2021, it consolidated the earlier 2018/2019 rules.
Bill No. 4752/2025, introduced in the Senate in 2025, would create Brazil's first comprehensive Cybersecurity Legal Framework and a National Cybersecurity Authority (ANCiber), inspired by the EU NIS2 directive, with public-procurement compliance requirements and shared supply-chain incident responsibility; it remains pending as of 2026.
The GSI/Presidency-led E-Ciber strategy operationalizes PNCiber; an updated text was advanced through CNCiber and issued in 2025, setting a regulatory agenda and guidance for digital service providers and the technology market.
Brazil has no general mandatory cybersecurity law applicable to all sectors; obligations are layered across the LGPD (data protection), sectoral regulators (the BCB for finance, Anatel for telecom, and others), and the public-sector PNCiber/E-Ciber framework, which is why the regime is best characterized as sectoral pending the proposed comprehensive law.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.