April 3, 2023

Brazil adds cyber security requirements for certain devices

Written by: Nemko

Anatel

Like many other countries, Brazil has during the past few years experienced significant increase in cyberattacks, whereby cybersecurity has become a high-profile issue with an increasing demand for regulations.

Already in 2021 the Brazilian telecom authority ANATEL (Agência Nacional de Telecomunicações) implemented Resolution No 740 and Act No.77 with cybersecurity requirements for products with Internet connection, which made it mandatory for manufacturers of equipment and the local applicant to submit for ANATEL’s review a declaration letter that the device meets basic cybersecurity requirements as defined in Act 77 and provides cybersecurity.

Now, on 7 March this year, ANATEL published Act No. 2436, with “Minimum Cybersecurity Requirements for
Assessing the Conformity of CPE (Customer Premises Equipment) Equipment.” This Act establishes a set of
mandatory enforceable minimum cybersecurity requirements in the assessment of compliance for CPE Equipment for general public use that connects subscribers to Internet networks. The new Act covers the below listed types of devices and shall become effective 10 March in 2024

Cable Modem
xDSL modem
Optical Network Unit (ONU/ONT)
Router or modem intended for fixed wireless access (FWA)
Router or modem for fixed broadband access via satellite
Wireless router or access point.

The added requirements are related to amongst other passwords, unauthorized access attempts and policies for
releasing software/firmware updates to fix security vulnerabilities.

Other than Resolution No 740 and Act No 77, the added requirements are aligned with, amongst other, the US NIST Special Publication 800-63B, the Broadband Forum-TR-181 Issue 2 and the international standards ISO/IEC 29147:2018 and IEC 30111:2019.

For further information, please contact Michelle.Furrow@nemko.com

(Article is based on text provided by Michelle Furrow edited by T.Sollie)