Brazil has become Latin America's preferred hunting ground for ransomware and cyber extortion. By Intel 471's count, the country absorbed roughly 30% of the region's ransomware victims in 2025 — more than Mexico (~14%) and Argentina (~13%) combined — and led the region in access-broker targeting; other trackers such as SOCRadar put Brazil's share closer to half. Whichever methodology you trust, the conclusion is the same: Brazil is the most-attacked nation in the region, and hospitals, manufacturers, courts and city halls are paying for it.
So when the National Cybersecurity Committee (CNCiber), a body under the Presidency's Institutional Security Office (GSI), finalized the anteprojeto of the Lei Geral da Cibersegurança in early April 2026 and forwarded it toward Congress, it was answering a genuine gap. Brazil has the LGPD for data protection and sector-specific rules for banks and telecoms, but no overarching cybersecurity statute and no single authority to coordinate incident response across the economy.
The case for the framework is strong
It is worth stating the strongest argument for the draft before quibbling with it. Brazil's cyber-defense posture is fragmented: responsibilities are scattered across ministries, mandatory incident reporting barely exists, and smaller public bodies are effectively undefended. The anteprojeto fixes the structural problem. It creates a National Cybersecurity System (SNCiber) coordinated by the GSI, a national monitoring and incident-response center (CENCiber) to issue alerts and support response teams, and a single national cybersecurity authority empowered to set technical baselines, mandate incident response, and apply sanctions.
Crucially, the obligations are risk-based rather than universal. They fall on operators of critical infrastructure, essential-service providers, municipalities above 100,000 residents, their supply-chain partners, and financial institutions already regulated by the Central Bank. That is the right instinct: regulate where systemic harm concentrates, not everywhere.
The pragmatic choice: reuse, don't rebuild
The draft's smartest decision is institutional. By an 18-2 vote, CNCiber recommended that Anatel — the telecom regulator — assume the national authority role, over objections from the Justice Ministry (which wanted a brand-new agency) and the Management Ministry (which preferred a secretariat). For a publication that favors proportionate regulation, this is the correct call.
The government had already flagged that standing up a greenfield agency faces hard budget limits; internal scenarios ranged from 33 to 440 staff and R$24.4 million to R$325 million a year. Anatel is the most cyber-mature regulator Brazil already has, with normative, oversight and sanctioning machinery in place. Reusing that capacity — the draft envisions roughly 120 new specialists — is faster, cheaper and less prone to the empire-building that afflicts new regulators. A coordination-and-information-sharing center beats yet another bureaucracy.
Where proportionality is still at risk
The architecture is sound. The execution is where Brazil can still go wrong, in four ways.
1. Don't turn victims into defendants. The draft provides graduated administrative sanctions, escalating from warnings to revenue-based fines (reported in coverage of the text at up to 2% of turnover, capped at R$50 million per violation). Penalties have their place for negligence and non-cooperation. But if a breached hospital that did everything reasonable still faces a multimillion-real fine, the predictable result is under-reporting — organizations will hide incidents rather than invite a regulator with a checkbook. That is the opposite of resilience. The law should carry an explicit safe harbor for good-faith, timely disclosure, and calibrate fines to demonstrated negligence, not to the mere fact of victimhood.
2. Two bills, one authority. Brazil now has parallel tracks: the executive's anteprojeto and the Senate's PL 4752/2025, the Marco Legal da Cibersegurança introduced by Senator Esperidião Amin and colleagues, which cleared the Constitution and Justice Committee in December 2025 (rapporteur: Hamilton Mourão) and is now before the Science and Technology Committee. Both create a national cybersecurity authority. If Congress merges them carelessly, the country could end up with overlapping mandates, duplicate reporting channels and turf disputes — the regulatory fragmentation the reform was meant to cure. A clean merger around a single authority and a single incident-reporting interface is non-negotiable.
3. Telecom DNA, whole-economy scope. Anatel is mature at regulating telecoms; healthcare, energy, water and manufacturing have different threat models and operational realities. The authority should coordinate with sector regulators rather than impose telecom-style command across industries it does not understand. Mission creep is the failure mode to watch.
4. Don't hand cities mandates without means. Extending obligations to municipalities over 100,000 residents is defensible on risk grounds, but many of those city governments lack the budget and staff to comply. An unfunded mandate produces paperwork, not security. Encouragingly, PL 4752/2025 pairs its national program with priority access to federal resources for those who adhere — exactly the carrot the merged law should keep.
Bottom line
Brazil genuinely needs this law, and the draft gets the hard structural calls right: a coordinating system, a real incident center, risk-based scope, and an existing regulator instead of a new one. Whether it becomes a regional model or expensive compliance theater now turns on three details — sanction calibration with a reporting safe harbor, a clean merger with PL 4752/2025, and money to match the municipal mandate. Get those right, and attackers lose ground. Get them wrong, and the people punished will be the ones already being extorted.