BRAZIL Trends and Developments Contributed by: Juliana Abrusio and Mario Cosac, Machado Meyer
or LGPD). Although the ANPD does not regulate cybersecurity specifically, it has already implemented several regulations to ensure a secure environment for data processing activities, providing insights into the expectations for data processing agents. Among these, the following stand out:

• case and technical studies on anonymisation and regulatory sandboxes related to the topic;
• informative notices on data breaches and security measures recommended for data subjects;
• guidelines on information security for small business data processing agents, with an information security checklist that directly names cybersecurity controls, such as web application firewalls or multifactor authentication; and
• other regulations related to the topic, such as Resolution No 15/2024, which establishes the procedure for reporting incidents.

As regards Resolution No 15/2024, the ANPD did not expressly establish the security mechanisms that companies must adopt to ensure data protection – it simply indicated that companies must implement the necessary mechanisms to ensure information security. However, the incident reporting form provided by the ANPD outlines certain expected security mechanisms, such as encryption, authentication methods, back-ups, and firewalls.

Furthermore, several cybersecurity-related topics are included in the ANPD’s regulatory agenda for 2025‒26, such as security measures, technical and administrative standards (including minimum technical security standards), and anonymisation and pseudonymisation. This demonstrates the significance of the subject for the ANPD, as well as the obligations that data processing agents will need to adhere to in the future.

Energy sector

The energy sector is classified as critical infrastructure, making it a prime target for cyber-attacks. The vulnerability of this sector to cybersecurity threats, such as ransomware attacks and data breaches, is a significant concern. Supervisory Control and Data Acquisition (SCADA) systems, which are integral to the operation of energy networks, are particularly susceptible to such attacks.

To mitigate these risks, the sector has been increasingly adopting international cybersecurity frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the International Organization for Standardization (ISO)’s ISO 27001, and the International Electrotechnical Commission (IEC)’s IEC 62443. These frameworks provide comprehensive guidelines for securing critical infrastructure.

Moreover, energy companies are held accountable for any service disruptions caused by cyber-incidents, facing civil liabilities and administrative liabilities alike. Service-level agreements (SLAs) and stringent security requirements for suppliers further reinforce the sector’s resilience against cybersecurity threats.

The energy sector in Brazil is governed by a robust regulatory framework aimed at ensuring digital compliance and cybersecurity. The National Electric Energy Agency (Agência Nacional de Energia Elétrica, or ANEEL) plays a pivotal role in this regard, with specific regulations such as Resolution No 964/2021, which