Brazil now has more cybersecurity governance on paper than at any point in its history. Decree 11.856/2023, signed in December 2023, established the National Cybersecurity Policy (PNCiber) and created the National Cybersecurity Committee (CNCiber) to coordinate federal action. In 2024, Decree 12.069/2024 formalised the Federal Cyber Incident Management Network, knitting the public-sector CSIRTs together under a shared playbook. Yet for all this institutional scaffolding, the country still lacks the one thing the threat landscape most urgently demands: a federal statute that addresses ransomware and cyber extortion head-on.
The consequences of that gap are no longer theoretical. Through 2025 and into 2026, ransomware operators have repeatedly hit Brazilian targets that sit at the heart of the digital economy and public research. Affiliates of the Sicoob cooperative system, a network that handles savings and payments for millions of Brazilians outside the big private banks, have been disrupted by extortion-driven intrusions. The Rede Nacional de Ensino e Pesquisa (RNP), Brazil's federal research and education backbone, has faced incidents that interrupted services to universities. State and municipal systems, from city halls (prefeituras) to health secretariats, continue to be locked up by encryptors on a near-monthly cadence. None of this is unique to Brazil, but the policy response is.
Governance by decree has limits
Decrees can stand up committees, designate coordinating bodies and write incident-response procedures into the federal executive. They cannot create criminal offences, impose disclosure duties on private companies, allocate budget for a permanent agency, or grant the kind of cross-sector regulatory authority that ransomware demands. That is the structural ceiling that PNCiber is now bumping against.
Two legislative vehicles are meant to fix this. PL 4.939/2023, a federal cybersecurity bill currently pending in Congress, would lift much of PNCiber's architecture into primary law and define obligations for operators of essential services. Parallel proposals would create a National Cybersecurity Agency (ANCiber) with rule-making and supervisory powers, modelled loosely on the telecoms regulator ANATEL or the data-protection authority ANPD. Neither has cleared committee. Until they do, Brazil will keep relying on a patchwork: the LGPD's breach-notification duty, which covers only incidents involving personal data; sector-specific cyber-risk rules from the Central Bank for the institutions it supervises; and the Criminal Code's generic computer-intrusion offence (Article 154-A), which was written for unauthorised access rather than for extortion.
The case for a proportionate federal framework
From a pro-innovation perspective, the temptation to over-regulate after each incident is real and should be resisted. Some proposals in Brasília have flirted with outright criminalisation of ransom payments — an approach that sounds tough but tends to drive disclosure underground, punish victims twice, and make incident response harder for the very firms regulators want to help. The better template, and one Brazil should study closely, is a tiered duty-to-report model: mandatory incident notification to a designated national CSIRT within a defined window, voluntary disclosure of ransom interactions with safe-harbour protections, and sanctions reserved for genuine concealment rather than for paying under duress.
This is the direction the EU's NIS2 Directive and the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) have taken: both pair a mandatory reporting clock (NIS2's 24-hour early warning and 72-hour notification; CIRCIA's 72-hour incident report and 24-hour ransom-payment report) with legal protections for the entity that reports. It is also broadly the model that Brazil's own CGI.br multistakeholder community has long endorsed. A federal Brazilian framework should:
- Make incident reporting to a designated CSIRT (CTIR Gov or its successor) mandatory for operators of essential services, with clear materiality thresholds and a 72-hour window consistent with the three-working-day clock the ANPD already applies to LGPD breach notices, so that one incident does not trigger two conflicting deadlines.
- Create a safe harbour for victims that disclose ransom demands and payments in good faith, so insurers, law-enforcement and threat-intelligence teams can build a shared picture.
- Avoid blanket bans on ransom payments. Instead, narrowly prohibit payments to sanctioned entities and require pre-payment notification to the financial intelligence unit (COAF), which already receives suspicious-transaction reports from the banks and exchanges through which such payments move.
- Empower a properly funded National Cybersecurity Agency with rule-making authority, rather than scattering responsibilities across CNCiber, ANPD, the Central Bank and GSI.
- Fund baseline security uplift for states, municipalities and public universities, which are now the soft underbelly of national cyber resilience.
Cooperatives and research networks are not edge cases
The Sicoob ecosystem matters because Brazil's financial inclusion story runs through credit cooperatives, fintechs and Pix, not just the incumbent banks. A serious extortion event inside that layer is a systemic risk dressed up as a sectoral one. RNP matters because federal universities depend on it for everything from enrolment to research data. When these targets get hit and there is no federal statutory duty to report, no agency with clear authority to investigate, and no harmonised victim-support framework, the response defaults to ad-hoc coordination between the Institutional Security Office of the Presidency (GSI), CTIR Gov and the affected entity. That is workable for one incident. It is not a national strategy.
What Congress should do next
The pragmatic path is to move PL 4.939/2023 with focused amendments rather than wait for a perfect omnibus bill. Three priorities stand out: codify PNCiber's coordination structure in statute, create ANCiber with a narrow but real mandate, and add a ransomware-specific chapter that pairs mandatory reporting with safe-harbour protections. Brazil does not need to copy NIS2 or CIRCIA wholesale; it needs a Brazilian framework that respects the country's federal structure, protects victims rather than punishing them, and gives the private sector legal certainty to invest in defence.
Decrees got Brazil from zero to baseline. The next step has to come from Congress.