Compliance & Product Regulatory ApproVals

Act 2436/2022 – ANATEL Cyber Security requirements for CPE

Brazil, like many other countries, has experienced a significant increase in cyberattacks over the past few years, leading to an increased demand for cybersecurity regulations. In response, the Brazilian telecom authority ANATEL (Agência Nacional de Telecomunicações) implemented Resolution No. 740 and Act No.77 in 2021, which require manufacturers of equipment with internet connection to submit a declaration letter for ANATEL’s review, confirming that the device meets basic cybersecurity requirements as defined in Act 77.

On 7th March 2023, ANATEL published Act No. 2436, which outlines “Minimum Cybersecurity Requirements for Assessing the Conformity of CPE (Customer Premises Equipment) Equipment.” This Act mandates a set of minimum cybersecurity requirements for the assessment of compliance for CPE equipment used by the general public to connect to internet networks. This new Act covers devices such as cable modems, xDSL modems, Optical Network Units (ONU/ONT), routers or modems intended for fixed wireless access (FWA), routers or modems for fixed broadband access via satellite, and wireless routers or access points. These added requirements include guidelines related to passwords, defense against unauthorized access, and policies for software/firmware updates to fix security vulnerabilities.

The added requirements are aligned with various cybersecurity standards, including US NIST Special Publication 800-63B, the Broadband Forum-TR-181 Issue 2, and international standards ISO/IEC 29147:2018 and IEC 30111:2019.

more insights