Brazil: Cybersecurity Audit Now Mandatory for Telecom Equipment


The National Telecommunications Agency (Anatel) has announced that, effective November 26, 2025, telecommunications service providers in Brazil must comply with mandatory cybersecurity audits for certain telecom products and equipment. This new requirement stems from Act No. 16417, issued in November 2024, and is intended to enhance the cybersecurity posture of telecommunications infrastructure across the country.

Only equipment audited in accordance with the new operational procedure will be authorized for use. Providers failing to meet the requirements will be barred from deploying non-compliant equipment in their networks.


Qualified Audit Bodies and Supplier Obligations

Audits must be performed by qualified organizations, including:

  • Designated Certification Bodies (DCBs) recognized by Anatel

  • Internationally accredited certification institutions

Suppliers are responsible for obtaining and providing audit compliance certificates from these entities to their telecom service provider clients. These certificates must demonstrate adherence to Anatel’s established Cybersecurity Policy for telecom suppliers.

Standards and Oversight

The audit guidelines were developed by the Technical Subgroup for Equipment, Suppliers, and Requirements under the broader GT-Ciber group, which oversees cybersecurity and risk management for critical telecom infrastructure. This subgroup includes representatives from telecom operators, industry stakeholders, testing labs, academia, and Anatel officials.

The guidelines align with the Cybersecurity Policy outlined in Decision No. 16/2023/COQL/SCO, ensuring audits cover both documentation and evidence of compliance from manufacturers.

Audit Scope and Security Requirements

Audits will evaluate manufacturers’ internal controls and production processes, ensuring the integration of key cybersecurity principles:

  • Security by design: Use of automated code analysis tools and structured error remediation methods

  • Security by default: Default password protections and documentation of all communication methods, including the ability to disable non-essential communications

  • Privacy by design: Encryption of sensitive data during transmission

  • Support and updates: Clear security update policies and communication channels for reporting vulnerabilities

  • Coordinated Vulnerability Disclosure (CVD): Processes for informing customers, end users, and third parties about security risks

This move signals a regulatory shift toward proactive cyber risk management in telecom infrastructure, emphasizing design-level protections and transparent vulnerability handling.

For this article’s source information and any product certification guidance, please contact Global Validity. 

Quick Country Facts

Brazil

Certification Body: Agência Nacional de Telecomunicações (Anatel)

Certification Type: Mandatory

License Validity: 24/36 Months

Application Language: Portuguese

Legal License Holder: Local Representative

In-Country Testing Requirement: In-Country Testing

The regulatory information above is based on radio type approval certification. Access additional certification requirements in over 200 countries and territories with Global Validity’s free proprietary product certification management software, Access Manager.
