The potential of cyberattacks to compromise confidential information stored in databases poses a genuine threat to the interconnected world, affecting businesses and individuals alike. This threat has become increasingly relevant over the past few years as it has impacted financial institutions, private organisations, critical infrastructure and government systems. Concerningly, the number of cyberattacks is on the rise, becoming even more dangerous as cybercriminals develop new ways to break through security systems and access valuable data.

The Centre for Studies, Responses and Treatment of Security Incidents in Brazil registered 875,327 security incident notifications in 2019 and 318,697 in the first half of 2020 alone, including fraud, scams, worms, denial-of-service attacks and intrusions. These reports, however, are submitted voluntarily and therefore do not accurately reflect the actual number of security incidents identified. Moreover, cybersecurity company Kaspersky has recently published a study indicating that cyberattacks in Brazil have increased by 23% in 2021. Given this scenario, cybersecurity has become a high-profile issue in Brazil and there is an increasing demand for regulation.

Sectoral regulation

In Brazil, cybersecurity requirements are generally provided by regulatory agencies, such as the central bank (BACEN), the Securities and Exchange Commission (CVM), the National Telecommunications Agency (ANATEL) and the Brazilian Private Insurance Authority (SUSEP).

The BACEN's Resolution No. 4,893/2021 and Resolution No. 85/2021 regulate how financial and payment institutions adopt cybersecurity measures. These resolutions require covered institutions to have cybersecurity policies in place and fully comply with the regulation by 31 December 2021. Notably, the resolutions also encompass third-party services contracted by covered institutions, including those outside Brazil.

Under both resolutions, covered institutions are required to appoint an officer responsible for implementing and overseeing their cybersecurity policies and must also adopt controls and procedures for preventing and responding to cybersecurity incidents. Though the regulations do not specify deadlines for data breach notifications, they state that regulated entities must make any notifications promptly. Covered financial institutions are also required to submit an annual report to the BACEN disclosing any cybersecurity incidents, as well as remediation efforts.

Furthermore, the BACEN's resolutions require covered institutions to enter into agreements with third-party providers (including those outside Brazil) to ensure they comply with certain requirements when contracted for data processing, data storage or cloud computing. This includes a requirement to notify the covered institution of any relevant subcontractors and authorise the BACEN's access to all related documents and information. Covered institutions must also provide the BACEN with certain information on third-party providers in advance. Notably, neither resolution contains any requirements regarding data localisation.

Meanwhile, the CVM's Instruction No. 505/2011 establishes rules and procedures for operations in regulated securities markets. As part of the mechanisms and controls that intermediaries must adopt, this regulation sets out several information security requirements, including rules for contracting relevant third-party services and notifying security incidents.

The ANATEL has also issued Resolution No. 740/2020 (the "cybersecurity regulation"), which applies to public interest telecoms services with certain exceptions. The regulation establishes measures and procedures to enhance security in telecoms networks and services, addressing both cybersecurity and critical telecoms infrastructure protection. The cybersecurity regulation sets out that telecoms service providers must use products, services and equipment from service providers that have a cybersecurity policy which complies with the regulation and that also conduct regular independent audits. When requested, the results of these audits must always be made available to the ANATEL.

In August 2021, the SUSEP published Circular No. 638/2021, which includes cybersecurity requirements that insurance companies, pension companies, capitalisation companies and local reinsurers must observe. These requirements align with a broader public agenda towards strengthening cybersecurity and data governance within Brazil's financial institutions. SUSEP Circular No. 638/2021 establishes:

  • guiding principles for internal cybersecurity policies;
  • new guidelines for identifying and limiting risks;
  • failure prevention; and
  • security measures concerning information security incidents.

It also redefines requirements and procedures, and establishes the extent to which entities are liable for incidents.

Regulations for data processing

Brazil's General Data Protection Law (Law No. 13,709/2018) (LGPD) has established detailed rules regarding how personal data is collected, used, processed and stored. This affects all economic sectors, including the relationships between customers and suppliers, employees and employers and other relationships where personal data is collected, whether in the digital world or the real world.

The LGPD applies to any personal data processing carried out by a natural person or legal entity, irrespective of where it is based or where the data is located, provided that:

  • the data processing is carried out in Brazil;
  • data is processed in order to offer goods or services in Brazil, or the data processing is related to individuals located in Brazil; or
  • the personal data subject to processing was collected in Brazil.

The LGPD does not provide for specific security mechanisms, standards or certifications. It simply states that controllers and processors must:

implement technical and organizational security measures capable of protecting personal data from unauthorised access, unlawful or accidental situations involving destruction, loss, change, communication or any other unlawful processing activity.

The Brazilian Data Protection Authority (ANPD) will also consider how measures have been adopted when assessing the penalties for companies liable for data breaches or non-compliance with the LGPD.

Under the LGPD, data controllers must also inform the ANPD and affected data subjects of any security incidents that could harm or put them at risk. This law sets out several requirements for notifying personal data security incidents.

Cybersecurity and infrastructure

In a separate but related matter, Federal Decree No. 10,569/2020 has set out rules concerning "critical infrastructure" – defined as facilities, services and assets whose interruption or destruction would have serious social, economic, political, national or international security impacts. The decree refers to strategic infrastructure for communications, energy, transport, finance, water and other areas that play an essential role in Brazil's national security, sovereignty, integration and sustainable economic development.

Presidential decrees have also been issued on cybersecurity and critical infrastructure as part of the Brazilian government's efforts to provide guidelines on these matters. Notably, Decree No. 9,573/2018 defines the National Policy for Critical Infrastructure Security, while Decree No. 10,569/2020 defines the National Strategy for Critical Infrastructure Security. However, it is important to note that the strategies and plans for protecting critical infrastructure are yet to be properly implemented, and merely constitute guidelines at this stage. Currently, the decrees can be considered "soft" normative, guiding documents – they cannot be enforced, nor can penalties be issued for non-compliance – although there are long-term plans for a regulatory framework with mandatory rules and concrete measures.

Approved in 2020, the National Cybersecurity Strategy (the "E-cyber") is a soft law via which the government aims to guide Brazilian society on the main cybersecurity-related measures it intends to take between 2020 and 2023. Although the E-cyber is not legally binding, it is an important instrument that supports government planning in relation to improving the security and resilience of critical infrastructure and national public services.

International cooperation

Brazil is making an effort to strengthen regulations on cybersecurity, requiring regulated entities to implement robust cybersecurity policies. However, as the Internet has a global reach and transcends international borders, Brazilian authorities' ability to investigate cybercrimes has been identified as one of the main challenges going forward. Brazil has recently been invited to accede to the Budapest Convention on Cybercrime, to which it currently holds observer status. The convention, which originated in Europe, has already been signed by more than 60 countries and facilitates information exchanges between different jurisdictions for investigating cybercrimes. Ratifying the convention should ensure Brazil heads in the right direction in keeping up with the fast pace and evolution of cybercrime.

For further information on this topic please contact Fabio Ferreira Kujawski, Paulo Marcos Rodrigues Brancher or Thiago Luís Sombra at Mattos Filho Veiga Filho Marrey Jr e Quiroga Advogados by telephone (+55 11 3147 7600) or email ([email protected], [email protected], [email protected] or [email protected]). The Mattos Filho Veiga Filho Marrey Jr e Quiroga Advogados website can be found at

An earlier version of this article was first published on Único.

Nuria Debaza Baxauli and Luiza Mendonça da Silva Belo Santos, associates, also participated in the preparation of this article.