Published Decree No. 11,856/2023 establishing the National Cybersecurity Policy and the National Cybersecurity Committee


On December 27, Decree No. 11,856/2023 was published, establishing the National Cybersecurity Policy and the National Cybersecurity Committee. The purpose of these entities is to guide cybersecurity activities in the country through the National Cybersecurity Strategy and the National Cybersecurity Plan.

According to the decree, the National Cybersecurity Policy will be guided by the following Principles:

  • National sovereignty and prioritization of national interests.
  • Guarantee of fundamental rights, especially freedom of expression, protection of personal data, privacy, and access to information.
  • Prevention of incidents and cyber-attacks, particularly those targeting national critical infrastructures and essential services to society.
  • Resilience of public and private organizations to incidents and cyber-attacks.
  • Education and technological development in cybersecurity.
  • Cooperation among public and private entities in cybersecurity matters.
  • International technical cooperation in the field of cybersecurity.

The law outlines the objectives of the National Cybersecurity Policy:

  • Promote the development of nationally oriented products, services, and technologies for cybersecurity.
  • Ensure the confidentiality, integrity, authenticity, and availability of solutions and data used for the processing, storage, and electronic or digital transmission of information.
  • Strengthen diligent action in cyberspace, especially for children, adolescents, and the elderly.
  • Contribute to the fight against cyber-crimes and other malicious actions in cyberspace.
  • Encourage the adoption of cybersecurity protection measures and risk management to prevent, avoid, mitigate, reduce, and neutralize vulnerabilities, incidents, and cyber-attacks and their impacts.
  • Increase the resilience of public and private organizations to incidents and cyber-attacks.
  • Develop education and technical-professional training in cybersecurity in society.
  • Promote scientific research, technological development, and innovation related to cybersecurity.
  • Enhance coordinated action and exchange of cybersecurity information among the Union, States, Federal District, and Municipalities; Executive, Legislative, and Judicial Branches; the private sector; and society in general.
  • Develop mechanisms for regulation, supervision, and control to enhance national cybersecurity and resilience.
  • Implement collaboration strategies to develop international cooperation in cybersecurity.

The National Cybersecurity Committee will include representatives from the government, civil society, scientific institutions, and business sector entities. The committee will monitor the implementation and evolution of initiatives, oversee and propose actions to enhance cybersecurity, and suggest strategies for international technical cooperation. As for the composition of the National Cybersecurity Committee, Anatel’s inclusion as the only representative among regulatory agencies is noteworthy. On the other hand, it is also notable that the ANPD is not included in the list of representatives.

The law’s effects came into force on December 27, 2023; however, the decree still needs specifications and practical guidelines for implementing actions, which are expected to be provided soon.


Our Data Protection team is available for questions regarding the topic and its potential implications.
