Brazil is quietly rewriting its cyber extortion playbook. Between the 2023 National Cybersecurity Policy (PNCiber), the active enforcement of the Lei Geral de Proteção de Dados (LGPD) by the Autoridade Nacional de Proteção de Dados (ANPD), and a live debate in Congress over a permanent National Cybersecurity Agency (ANCiber), the country is moving from ad-hoc incident response toward something resembling a coherent national framework. The question now is whether that framework will calibrate itself for resilience and innovation — or harden into a compliance regime that punishes victims and crowds out the security industry it claims to nurture.
From decree to durable institution
PNCiber, established by Decree 11.856/2023, was Brazil's first attempt to articulate a national cybersecurity strategy across federal agencies, critical infrastructure operators, and the private sector. It sets objectives — risk reduction, capability building, international cooperation — but stops short of creating a standalone regulator. Operational coordination still runs through the Gabinete de Segurança Institucional (GSI) and CTIR.Gov, the federal incident response team.
That gap is what the proposed ANCiber is meant to fill. Bills circulating in the Chamber of Deputies would establish a permanent, autonomous agency to set standards, supervise critical-infrastructure reporting, and coordinate with ANPD, BACEN, and ANATEL. Supporters argue Brazil cannot run a 21st-century cyber strategy out of a presidential office; opponents worry about overlapping jurisdiction and the cost of yet another federal body.
Our view: an independent technical agency, narrowly scoped to coordination and standard-setting, is preferable to either the status quo or a sprawling super-regulator. The risk is institutional creep — an ANCiber that drifts into content regulation, mandatory product certification, or licensing of security researchers would do real harm. Brazil's vibrant infosec community, from independent researchers to a growing managed-security industry, depends on regulatory restraint.
ANPD and the breach-notification squeeze
While Congress debates structure, ANPD is already shaping ransomware response through LGPD enforcement. Article 48 of the LGPD requires controllers to notify the authority and affected data subjects of incidents that may create relevant risk or damage. ANPD's published guidance sets a reference window of two business days for initial notification, and the authority has issued sanctions in cases where companies delayed or under-disclosed.
The practical effect is significant. A Brazilian company hit by ransomware now faces a compressed timeline in which it must triage the technical incident, negotiate (or refuse to negotiate) with attackers, coordinate with law enforcement, and disclose to ANPD — often before forensic analysis can confirm what data was actually exfiltrated. Reports of ransomware incidents affecting Brazilian banks, health operators, and state governments over the past two years illustrate how quickly notification obligations can collide with operational reality.
Tight reporting clocks are defensible — opacity helps attackers. But notification rules should reward good-faith disclosure, not turn victims into defendants.
The ransom-payment debate
The thorniest question is whether Brazil should restrict ransom payments outright. Proposals along these lines have surfaced in legislative discussions and in commentary tied to the PNCiber implementation process, echoing measures debated in the United States, the United Kingdom, and Australia. Some variants would ban payments by public-sector entities and critical-infrastructure operators; others would require pre-payment reporting to a federal authority.
The instinct is understandable: payments fund the criminal ecosystem. But the evidence on outright bans is mixed. A blanket prohibition risks pushing payments underground, leaving small and mid-sized businesses — which lack the reserves to rebuild from backups — without legal options when their operations are frozen. A more proportionate path is:
- Mandatory reporting of ransom demands and payments to a designated authority, with confidentiality protections;
- Targeted prohibitions on payments to OFAC- or UN-sanctioned groups, aligned with international financial-crime regimes;
- Public-sector restrictions on payments by federal agencies and operators of essential services, paired with real funding for backup, segmentation, and recovery capability;
- Safe-harbor protections for victims who promptly report, cooperate with law enforcement, and meet basic security baselines.
Critical infrastructure: where the real leverage sits
The most consequential piece of Brazil's evolving framework may be how it defines critical-infrastructure reporting. PNCiber gestures at sectoral obligations; an ANCiber statute would need to operationalize them. Done well, this could look like the EU's NIS2 or the U.S. CIRCIA model — clear sector definitions, proportionate timelines, confidential information-sharing with the regulator, and immunity for shared threat intelligence.
Done badly, it would replicate the worst of compliance theater: long checklists, mandatory product approvals, and reporting forms that consume the very security teams meant to defend networks. Brazilian regulators should resist the temptation to import every fashionable mandate. The marginal returns on a well-funded national CSIRT, tax incentives for SMB security investment, and faster information-sharing with industry will almost certainly exceed those of a thicker rulebook.
What good policy looks like from here
Brazil has an opportunity most jurisdictions no longer have: it can design its cybersecurity institutions on a relatively clean slate, with the benefit of watching the EU, U.S., and India iterate. A pro-innovation path would establish ANCiber as a lean coordination body, harmonize its mandate with ANPD's data-protection role rather than duplicating it, calibrate breach-notification timelines to encourage honest reporting, and treat ransom-payment restrictions as a scalpel — sharp at the public-sector and sanctioned-entity edges, not a blunt instrument that criminalizes victims.
The alternative — a maximalist regulatory stance built around the fear of the next big incident — would saddle Brazilian businesses with costs that fall hardest on the small firms least able to absorb them, while doing little to deter cross-border ransomware operators who do not care about São Paulo's compliance regime. Proportionate regulation is not soft regulation. In cybersecurity, it is the only kind that works.