Amendment to ANATEL's Cybersecurity Regulations - Incident Notification and Prior Evaluation of Suppliers

The National Telecommunications Agency (ANATEL) published Resolution No. 767 of August 2024 (the “Resolution”), which amended Resolution No. 740 of 2020, also known as the Cybersecurity Regulation Applied to the Telecommunications Sector (“R-Ciber”). The amendments to the Resolution will come into force on September 2, 2024, by which time the internal policies of telecommunication service providers must have been modified.

With regard to aspects of information security and data protection, the Resolution essentially changed two points:

1. Extension of the obligation to notify ANATEL of information security incidents

R-Ciber created an obligation to notify ANATEL of relevant incidents that substantially affect the security of telecommunications networks and user data. R-Ciber’s specific definition of an “incident” includes an event that allows, or may allow, a breach of the confidentiality, availability, or integrity of protected information, or an event which involves a critical information asset or critical activity for a period of time shorter than the recovery target time.

The Resolution extends this obligation, now requiring telecommunications service providers, regardless of size, to notify ANATEL of incidents that must also be notified to the Brazilian Data Protection Authority (ANPD). It should be noted that no effective prior notification to the ANPD is required – if the Brazilian General Data Protection Law (LGPD)’s incident notification trigger detailed below is met, ANATEL must be notified.
The trigger for notification to the ANPD is provided for in Article 48 of the LGPD and applies to any incident that may cause relevant risk or damage to data subjects. The ANPD considers an incident to be any confirmed, adverse event that could affect confidentiality, integrity, availability and/or authenticity of personal data.¹ In other words, the notification triggers for ANATEL are more restricted and specific than under the LGPD. Therefore, incidents that would previously only trigger notification to the ANPD will now also have require notification to ANATEL.

2. Expansion of the cybersecurity requirements of suppliers to be assessed by telecommunications service providers

As part of the supplier evaluation process, Article 7 of R-Ciber already required suppliers to carry out periodic independent audits and a compliance assessment of their cybersecurity policies – ensuring alignment with the principles and guidelines of R-Ciber. This evaluation process must be documented and presented to ANATEL upon request.

The Resolution deepened this obligation with regard to data processing and storage and cloud computing service providers, mirroring regulations in place for other Brazilian entities, such as the Central Bank of Brazil.² requirements, such as the controls adopted by third parties to mitigate risks, should be assessed, covering critical network functions and the processing of personal data. In short,  telecommunications service providers must assess the compliance of these third parties with the LGPD and ANPD.

¹ Art. 3 of Resolution CD/ANPD no. 15, of April 24, 2024.

² CMN Resolution No. 4,893 of February 26, 2021 and BCB Resolution No. 85 of April 8, 2021.