ANATEL amends Cybersecurity Regulation and indicates upcoming direct regulation of data centers and cloud computing

On August 08, 2024, the National Telecommunications Agency (“ANATEL”) published in the Federal Official Gazette (Diário Oficial da União – “DOU”, in Portuguese) Resolution No. 767, of August 07, 2024, which amends the Cybersecurity Regulation Applicable to the Telecommunications Sector (“R-Cyber”).

R-Cyber, approved by Resolution No. 740 of December 21, 2020, establishes guidelines and procedures to promote security in telecommunications networks and services, including cybersecurity and the protection of critical infrastructures.

Resolution No. 767/2024 will enter into force on September 02, 2024. Among the key amendments to R-Cyber are:

• The addition of new companies subject to ANATEL’s ex-ante control

Considering the critical nature of the services and infrastructures they own and operate, ANATEL decided to include in the list of ex-ante obligated parties (article 2-B):

1. 1. Subsea cable operators with international destination;
   2. Personal Mobile Service (Serviço Móvel Pessoal – “SMP”) providers (i.e., mobile telephony) with their own network; and
   3. Network operators offering traffic in the wholesale market belonging to economic groups with Significant Market Power (Poder de Mercado Significativo – “PMS”) in the High Capacity Data Transport Market, as  defined in the General Competition Goals Plan (Plano Geral de Metas de Competição – “PGMC”).

• • The abovementioned entities are now subject to a series of regulatory obligations, such as: (1) implementing a cybersecurity policy; (2) using products and equipment from suppliers that have cybersecurity policies compliant with R-Cyber and that conduct periodic audits; (3) notifying ANATEL of relevant incidents that could significantly affect the security of networks and user data; (4) conducting regular assessments of cybersecurity vulnerabilities; and (5) providing ANATEL information on their critical telecommunications infrastructures.

• ANATEL will soon enact an ordinance nominally identifying the list of providers and operators that will be subject to compliance with the ex-ante provisions. These companies:

1. 1. will have a period of one year from the date of publication of the ordinance to comply with the regulations; and
   2. will become members of the Technical Group on Cybersecurity and Critical Infrastructure Risk Management (“GT-Cyber”).

• Extension of the obligation to change the default configuration of equipment to small-sized telecom service providers

To mitigate vulnerabilities related to the equipment provided to consumers, ANATEL has determined that all collective interest providers (e.g., internet service providers – ISPs), regardless of their size, must change the default authentication configuration of the equipment loaned to their users (Article 2-A).

• Mandatory notification to ANATEL of incidents reported to the ANPD

To strengthen transparency and coordination between regulatory authorities, ANATEL established that all providers, regardless of size, must notify ANATEL in cases where communication of the occurrence of security incidents to the National Data Protection Authority (“ANPD”) is required (Article 2-C).

• Waiver for hiring suppliers classified as startups

According to R-Cyber, telecommunications providers must use, within the scope of their networks and services, telecommunications products and equipment from suppliers that have a cybersecurity policy compatible with the principles and guidelines set out in the regulation and that conduct periodic independent audits (article 7). Resolution No. 767/2024 creates an exception to this rule, allowing the procurement of startups that do not meet the R-Cyber requirements, provided that the providers assume responsibility for cybersecurity and the compatibility of the contracted solution to the telecommunications networks and their users (article 7 paragraphs 3 and 4).

• Indirect regulation of data centers and cloud computing

As a measure of indirect regulation of data centers and cloud computing services, ANATEL now requires telecommunications service providers to adjust their cybersecurity policies to include aspects related to the procurement of such services (e.g., the supplier’s capacity and the compatibility of its practices with the principles and guidelines of R-Cyber, risk mapping, assessment of the degree of the supplier’s dependency, etc.) (article 14, VIII-A).

In addition, ANATEL’s Board of Directors determined, through Ruling No. 198 of August 07, 2024 – which approved Resolution No. 767/2024 – the publication of a regulatory alert to notify interested parties, including telecommunications companies, consumers, investors and other regulators, about the initiation of studies for future direct regulation of the provision of data center and cloud computing services, which is currently the subject of item 29 of ANATEL’s Regulatory Agenda for the 2023-2024 biennium.

Demarest’s Telecommunications, Media and Technology (TMT) team is monitoring the topic and remains available to provide any clarifications that may be necessary.