ANATEL Act No. 77/2021 Instructions Regarding Cybersecurity Rules

by Guido Rodrigues, UL do Brasil

ANATEL Act No. 77 of January 5, 2021, has been in effect since July 5, 2021.

This act establishes cybersecurity rules that must be followed for all telecommunications products with any internet connection capability.

To comply with these rules, the Applicant must submit a declaration to the Designated Certification Body (OCD) stating that their product was developed in accordance with the cybersecurity parameters and list out the requirements the equipment and its supplier meet.

In the submitted statement, the Applicant acknowledges that cybersecurity requirements are subject to change, whenever necessary, when new vulnerabilities arise.

Tests are required at the market supervision stage, not the certification stage. Tests or verifications will be carried out based on the declaration presented at the certification stage.
The cybersecurity declaration submitted for product certification must be presented in Portuguese.

The declaration to be presented to the National Telecommunications Agency (ANATEL) must include the following topics:

1. Applicant ID:

   Identification of the Applicant for approval must be signed by a professional who is legally responsible for the company in question, i.e., an individual listed in the articles of association or delegated by it.

2. Requirements for terminal equipment that connects to the Internet as well as for infrastructure equipment for telecommunications networks that are in their final versions and are intended for commercialization:

   Technical aspect parameters must be discussed and obtained with the support of the product manufacturer.

3. Requirements for suppliers of terminal equipment that connects to the internet and infrastructure equipment for telecommunications networks:

   Product support information, updates regarding product cybersecurity, availability of software and firmware updates, and means of disclosing the history of vulnerabilities found for the product subject to certification.

To complete the declaration, one of the following options should be considered:

If the item is declared Compliant (C), no evidence or justification is required at this stage. However, the item must be implemented and include proper records that are kept so that the item can be presented to ANATEL during market supervision, or at any other time upon request by the agency.

If the item is declared NA, the applicant must provide justifications that can be:

1. Technically justifiable reason:

   The product does not implement the item and has a technical justification for why it does not do so.

2. Item not yet implemented in the product:

   At this moment, the declaration is mandatory, and items not implemented must be justified to ANATEL.  However, the justification that the item is under study for future implementation is permitted.

3. Telecommunications modules:

   Generally, telecommunications modules, even when connected to the internet, do not have the necessary resources to comply with the items of Act No. 77 and can instead be justified with the argument that negotiations must be carried out on the final product provided they are consistent with the manufacturer’s justification.

In the final items of the declaration, the Applicant must declare full knowledge of Act No. 77 of January 5, 2021, as well as declare awareness of the market monitoring policy to which the product may be submitted.

Finally, additional treatment must be given to equipment defined as customer-premises equipment (CPE), which is equipment used to connect subscribers to the telecommunications service provider network. For the purposes of applying this set of requirements, CPE shall be considered equipment associated with fixed telecommunications services. Include the information in Table 1 of the LAC-BCOP-1 document (May/2019).

The table below outlines typical examples of products and suggested classifications under Act 77.

The declaration must be signed by the applicant for approval, i.e., by a company duly instituted under Brazilian law.

We are available for any questions or clarifications you may need.

This document is for general information purposes only and is not intended to constitute a definitive or complete statement of the law or regulation on any subject and should not be relied upon for legal or regulatory compliance purposes. UL, its subsidiaries, employees and agents shall not be responsible to anyone for the use or nonuse of the information contained in document, and shall not incur any obligation or liability for damages, including consequential damages, arising out of or in connection with the use, or inability to use, the information contained in document.