Information Security in Brazil: Legal Framework and Regulatory Expectations

Cybersecurity as a Strategic National Priority


Brazil, one of the largest economies in Latin America and among the most digitally connected countries in the Southern Hemisphere, faces growing information security challenges. According to the National Cybersecurity and Connectivity Institute (INCC, 2025), cyber incidents have caused financial losses estimated at up to 18% of the national Gross Domestic Product (GDP), affecting private companies, public services, and critical infrastructure. In response, the country has been consolidating a legal and institutional environment for digital protection that is aligned with international best practices and focused on risk prevention, data protection, and coordinated response to cyber threats.


Brazil’s Legal Framework for Information Security


Brazil does not yet have a single, comprehensive cybersecurity law. Instead, it relies on an interconnected set of general and sector-specific regulations, which govern data processing, system protection, and responsibilities in case of incidents. The main legal instruments currently in force include:


  • The General Data Protection Law (Lei Geral de Proteção de Dados – LGPD, Law No. 13.709/2018), which regulates the processing of personal data and requires both public and private entities to adopt technical and administrative measures to protect that data, to prevent damage, and to notify the National Data Protection Authority (Autoridade Nacional de Proteção de Dados – ANPD) and the affected data subjects of security incidents that may cause them relevant risk or harm.


  • The Brazilian Civil Rights Framework for the Internet (Marco Civil da Internet, Law No. 12.965/2014), regulated by Decree No. 8.771/2016, which sets out the principles governing internet use in Brazil and imposes obligations on connection and application providers regarding user privacy, retention and protection of connection and access logs, and adherence to internationally recognized technical security standards.


  • The Consumer Protection Code (Código de Defesa do Consumidor, Law No. 8.078/1990), which holds suppliers liable for placing on the market digital products or services that fail to meet applicable technical standards, in particular those based on internationally recognized frameworks such as ABNT NBR ISO/IEC 27001 (information security management) and ABNT NBR ISO/IEC 27701 (privacy information management).


  • The Brazilian Penal Code (Decree-Law No. 2.848/1940), which criminalizes specific cyber offenses, including unauthorized intrusion into a computing device (Article 154-A), punishable by up to four years’ imprisonment plus a fine; electronic fraud (Article 171, §2-A), punishable by four to eight years’ imprisonment; and theft committed by fraud through an electronic or computing device (Article 155, §4-B), with or without the circumvention of a security mechanism or the use of malicious software, punishable by four to eight years’ imprisonment.


Sector-Specific Regulations


In addition to general legislation, several strategic sectors of the Brazilian economy are regulated by specialized agencies that have issued sector-specific rules on information and cybersecurity:


  • Financial sector: supervised by the Central Bank of Brazil (Banco Central do Brasil – BCB) and the Securities and Exchange Commission of Brazil (Comissão de Valores Mobiliários – CVM). Supervised institutions must adopt a cybersecurity policy proportionate to their size and risk profile, maintain incident response and recovery plans, oversee third-party and cloud service providers, and promptly notify the regulator of relevant incidents.


  • Telecommunications sector: regulated by the National Telecommunications Agency (Agência Nacional de Telecomunicações – Anatel), which mandates the implementation of security policies, incident reporting, supplier evaluation, and information-sharing among service providers to strengthen collective cyber defense.


  • Electric power sector: governed by the National Electric Energy Agency (Agência Nacional de Energia Elétrica – ANEEL), which requires companies to establish cybersecurity plans and report high-impact incidents that affect system integrity, availability, or authenticity.


  • Healthcare sector: under the supervision of the National Health Surveillance Agency (Agência Nacional de Vigilância Sanitária – ANVISA), which sets guidelines for the cybersecurity of medical devices and IT systems. Data protection in this sector is also subject to the LGPD’s provisions on sensitive personal data.


  • Insurance sector: overseen by the Superintendence of Private Insurance (Superintendência de Seguros Privados – SUSEP), which obligates insurers and reinsurers to implement incident response plans, notify relevant parties of incidents, and prepare periodic reports on the effectiveness of their cybersecurity measures.


National Cybersecurity Policy and Institutional Governance


The National Cybersecurity Policy (Política Nacional de Cibersegurança – PNCiber), established by Decree No. 11.856/2023, outlines the Brazilian government’s strategic approach to cybersecurity. Key principles include digital sovereignty, protection of critical infrastructure, promotion of technological innovation, organizational resilience, and public-private cooperation.


Implementation is carried out through the National Cybersecurity Strategy and the National Cybersecurity Plan, both coordinated by the National Cybersecurity Committee (Comitê Nacional de Cibersegurança – CNCiber)—a multistakeholder body composed of representatives from government agencies, civil society, and the private sector. Additionally, the Federal Network for Cyber Incident Management, created under Decree No. 10.748/2021, handles response efforts to major cyber incidents affecting federal government entities.


Minimum Cybersecurity Expectations for Private Companies Operating in Brazil

Foreign companies operating or planning to operate in Brazil should be aware of three points:


  • Personal data protection is strictly regulated, chiefly under the LGPD, which is enforced by the ANPD;


  • Digital security is treated as a core compliance requirement, with specific mandates for regulated sectors on risk prevention and incident response;


  • The country promotes alignment with international standards, which eases integration for companies already compliant with frameworks such as the European Union’s General Data Protection Regulation (GDPR) or the ISO/IEC 27000 series.


Regardless of industry, private entities are expected to adopt a minimum set of security measures that are regarded as standard corporate due diligence in the Brazilian regulatory landscape. These include:


  • A formal information security policy, defining governance structures, responsibilities, and risk controls;


  • Technical security measures, such as encryption of data at rest and in transit, multifactor authentication, network segmentation and firewalls, endpoint protection, and logging and network monitoring tools;


  • An incident response plan, covering detection, containment, eradication and recovery, and the notification procedures owed to regulators and affected parties under the LGPD and sector-specific rules;


  • Employee training programs, focused on cybersecurity awareness, fraud prevention, and handling sensitive data;


  • Third-party risk management, including vendor assessments and contractual clauses on data security obligations;


  • Regular audits and security testing, with documented assessments, vulnerability remediation, and continuous improvement.


These practices are encouraged by Brazilian technical standards and required, in whole or in part, by sector-specific regulations; documenting them is also essential to reduce the risk of civil, administrative, and criminal liability in the event of a data breach or cyberattack.


Sources and References


  • National Cybersecurity and Connectivity Institute (INCC), 2025

  • World Economic Forum, Global Risks Report, 2024

  • IBM, Cost of a Data Breach Report, 2024

  • Federal Law No. 13.709/2018 – General Data Protection Law (LGPD)

  • Federal Law No. 12.965/2014 – Civil Rights Framework for the Internet (Marco Civil da Internet)

  • Decree No. 11.856/2023 – National Cybersecurity Policy (PNCiber)

  • Decree No. 10.748/2021 – Federal Network for Cyber Incident Management

  • Decree-Law No. 2.848/1940 – Brazilian Penal Code
