The National Telecommunications Agency (ANATEL) has published Resolution No. 767, amending the Cybersecurity Regulation Applied to the Telecommunications Sector, known as R-Ciber. These amendments will take effect on September 2, 2024, requiring telecommunications service providers to modify their internal policies to comply with the new regulations. The changes primarily focus on information security and data protection, aiming to enhance the overall cybersecurity framework within the telecommunications sector.
One significant change is the extension of the obligation for service providers to notify ANATEL about information security incidents. Previously, only incidents affecting the security of telecommunications networks and user data needed to be reported. Now, all relevant incidents that must be reported to the Brazilian Data Protection Authority (ANPD) will also require notification to ANATEL, thus broadening the scope of incident reporting for telecom companies.
Another key amendment involves the expansion of cybersecurity requirements for suppliers that telecommunications service providers must assess. Under the previous R-Ciber regulations, suppliers were already required to undergo independent audits and compliance assessments of their cybersecurity policies. The new resolution enhances this obligation, particularly for data processing, storage, and cloud computing service providers, requiring telecom companies to evaluate the compliance of these third parties with both the General Data Protection Law (LGPD) and ANPD requirements.
These amendments reflect a concerted effort to align the telecommunications sector’s cybersecurity measures with broader Brazilian regulatory frameworks. By requiring detailed assessments of third-party suppliers and ensuring timely notifications of security incidents, ANATEL aims to strengthen data protection and bolster the resilience of telecommunications networks against potential cyber threats.
Reference:
