Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Brazil is close to approving its first Cybersecurity Legal Framework with Bill No. 4752/2025, which creates a National Cybersecurity Authority (ANC) and introduces important reforms impacting both public and private sectors.
Compliance will become a requirement for public procurement; supply chains will face risk assessments; agencies and suppliers will share responsibility for security incidents; and research and development of national technologies will be incentivized.
This discussion comes at a critical moment. In recent years, Brazil has suffered several cyberattacks, resulting in hospital disruptions, prolonged outages of public services, and the exposure of millions of personal records. These cases underscore the persistent vulnerability of critical infrastructures.
Even as one of the largest economies in the world, Brazil does not yet have a single federal law to coordinate defense in cyberspace. The new framework tries to solve this by concentrating powers in the ANC, which will regulate, inspect and audit cybersecurity practices at the national level.
For government, this means moving away from fragmented policies to a unified approach. Agencies and ministries will have to follow standards created by the ANC instead of developing isolated rules.
While the impact on citizens may be indirect, it remains significant: enhanced cybersecurity across public and private services reduces the risk of disruptions and strengthens the protection of personal data.
The bill represents a big change for companies. To deliver solutions to the government, it will be necessary for organizations to prove compliance with minimum cybersecurity standards. This creates a new layer of competitiveness. The ANC will also publish official lists of conforming suppliers, which could serve as a kind of certificate of trust, not only for the public sector but also for private partnerships.
The law also brings the supply chain network into focus. Public entities will have to evaluate the risks of their suppliers; when a breach happens, liability will be shared. This recognizes that vulnerabilities in one part of the chain can affect the whole ecosystem. Incidents connected to suppliers must also be reported to the ANC, turning the authority into a central point for monitoring and response.
The bill not only imposes obligations but also creates opportunities. Companies can access financing for cybersecurity projects through the National Public Security Fund; local technologies that meet security requirements will have priority in procurement; and the private sector will be able to join the National Cybersecurity Program through agreements and partnerships.
What is still undetermined is how the ANC will use its powers in practice. The bill sets general rules, but details will be defined later by regulation. As a result, companies should act immediately. It is important to evaluate current maturity in cybersecurity, prepare to adapt services and products, and closely follow the developing legislative process. Those who act early will be in a stronger position when the framework becomes reality.
The legislative process is still ongoing. The bill must pass in both the Chamber of Deputies and the Federal Senate before the president can sign it. The debate may change some points, but the main idea — to create a national authority and a legal framework — should remain.
If approved, Brazil will be one of the first Latin American countries with such a comprehensive cybersecurity law. While privacy laws in the region have advanced, cybersecurity is still fragmented. A strong framework in Brazil can influence its neighbors and increase international trust, showing that the country is ready to cooperate in global defense.
Ultimately, the Cybersecurity Legal Framework is not only about compliance; it is about how Brazil wants to protect its digital future and give citizens and companies confidence. With the ANC defining standards, enforcing rules and encouraging innovation, the country will take an important step to reduce risks and build resilience.
For companies, it is a challenge but also a chance. Those who prepare now will be more competitive and better positioned in a market where security is no longer optional.
Tiago Neves Furtado, CIPP/E, CIPM, CDPO/BR, FIP, is a partner and Guilherme Ochsendorf de Freitas is an attorney at Opice Blum.