Brazil set to adopt Cybersecurity Legal Framework


Contributors:
Tiago Neves Furtado
CIPP/E, CIPM, CDPO/BR, FIP
Partner
Opice Blum
Guilherme Ochsendorf de Freitas
Attorney
Opice Blum
Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Brazil is close to approving its first Cybersecurity Legal Framework with Bill No. 4752/2025, which creates a National Cybersecurity Authority (ANC) and introduces important reforms impacting both public and private sectors.
Compliance will become a requirement for public procurement; supply chains will face risk assessments; agencies and suppliers will share responsibility for security incidents; and research and development of national technologies will be incentivized.
This discussion comes at a critical moment. In recent years, Brazil has suffered several cyberattacks, resulting in hospital disruptions, prolonged outages of public services, and the exposure of millions of personal records. These cases underscore the persistent vulnerability of critical infrastructures.
Even as one of the largest economies in the world, Brazil does not yet have a single federal law to coordinate defense in cyberspace. The new framework tries to solve this by concentrating powers in the ANC, which will regulate, inspect and audit cybersecurity practices at the national level.
For government, this means moving away from fragmented policies to a unified approach. Agencies and ministries will have to follow standards created by the ANC instead of developing isolated rules.
While the impact on citizens may be indirect, it remains significant: enhanced cybersecurity across public and private services reduces the risk of disruptions and strengthens the protection of personal data.