
Anatel's Cyber Security Requirements (Act 77/21)

Written by SiDi | Oct 3, 2025 7:09:42 PM

We at SiDi's cybersecurity team do a lot of security assessments of mobile platform applications/frameworks, web applications/services and embedded devices using various security requirement bases, such as the OWASP Top 10 or the OWASP Mobile Security Testing Guide.

The approval, earlier this year, of an Anatel regulation (Act 77/21) defining cyber security requirements for telecommunications equipment sold in the country made us very curious.

This blog post contains an overview and brief discussion of Act 77/21 and its requirements.

We are planning another blog post soon to share our experience with a security evaluation trial of an IoT device based on these Anatel requirements.


Anatel's Act 77/21

Approved at the beginning of January this year, Act No. 77 of 2021 of the National Telecommunications Agency (Anatel) establishes cybersecurity requirements for "terminal equipment with Internet connection and telecommunications network infrastructure equipment".

This includes not only network equipment such as routers, gateways, firewalls and modems, but also cell phones, computers and IoT devices such as IP cameras, baby monitors, smart TVs, smart speakers and IoT hubs.

The main objective of the act is to induce suppliers of this equipment to "minimize or correct vulnerabilities through software/firmware updates or through recommendations in configurations", helping to protect the security of the country's telecommunications infrastructure and its users.


Act 77/21 and the GT-Ciber

At least in principle, compliance with the requirements of Act 77/21 is not mandatory.

The definition of which requirements of the act will be mandatory for the various types of equipment approved by Anatel still depends on proposals for additional regulations to be made and submitted to the agency's Board of Directors by the recently created Technical Group on Cyber Security and Critical Infrastructure Risk Management (GT-Ciber).

The GT-Ciber is coordinated by Anatel and made up of representatives from telecommunications service operators, equipment manufacturers and various other interested organizations, including SiDi.

One of the tasks of the GT-Ciber is to draw up studies and propose "procedures for conformity assessment and homologation of products for telecommunications", which includes the technical procedures needed to assess the conformity of products to Act 77/21.

The result of this work by Anatel's GT-Ciber is essential so that equipment manufacturers can have the minimum clarity necessary to effectively meet the regulated requirements.


Declaration of Conformity for Homologation

Since the beginning of July, when the act came into force, Anatel has required that applications for approval of equipment for use in Brazil include a declaration that the equipment and the supplier meet the security requirements of Act 77/21.

Anatel's official form for this declaration, according to the version dated 26/3/2021, accessed for the writing of this article, offers the supplier only two options for each of the act's requirements:

  1. Affirm that, yes, the product/supplier meets the requirement; or,
  2. Justify why the requirement does not apply to the product/supplier.

As these declarations may contain proprietary and confidential information from suppliers, they will not be disclosed by Anatel along with the equipment approval certificates.

This is a shame, because these declarations could be a very useful source of information for consumers: before buying, they could see which of Anatel's security requirements the manufacturer claims do not apply to a given product, and why.

In any case, voluntary disclosure of these declarations by the manufacturer itself could serve as an important marketing differentiator, demonstrating to consumers the manufacturer's transparency and commitment to the security of its products. That's the tip!


Market Surveillance by Anatel

Once equipment has been approved, Anatel begins to monitor compliance with the act's requirements through its Market Supervision Program, which includes the continuous collection of approved products on the market for security evaluation, as well as action when it becomes aware of pending vulnerabilities in products on the market.

A product with a vulnerability that puts the security of telecommunications services and their users at risk may have its approval suspended by Anatel until the vulnerability is resolved.

This means that critical vulnerabilities with a pending fix could cause the product's distribution in the Brazilian market to be suspended until the supplier resolves the issue.


Overview of the Security Requirements of Act 77/21

The act contains security requirements for both equipment and suppliers. Below is an overview of the main requirements.


Equipment requirements

The requirements for equipment are divided into the following categories:

Software/firmware update

  • Secure software/firmware updates are required to correct vulnerabilities in the field.

Remote management

  • Remote management of equipment requires the use of appropriate and secure access control mechanisms.

Installation and operation

  • The factory default configuration must be secure (secure defaults);
  • Secure boot of the equipment is required;
  • Monitoring of anomalies in software behavior is required;
  • Logging of security-related events is required.

Access to equipment configuration

  • Initial factory passwords for equipment configuration must be changed to strong passwords by the user on first use; they must not be the same for all equipment, nor derived from easily obtainable information such as the MAC address;
  • Software/firmware must not contain hardcoded passwords, credentials or cryptographic keys;
  • Passwords, credentials and access keys must be adequately protected both in transit and in storage.
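As an added illustration (not part of the act or of SiDi's evaluation tooling), the checks below are the kind an evaluator would run over a batch of sample units against the factory-password requirements above: the default must not be a known weak value, must not be derived from the MAC address, must not be shared across units, and must meet a strength policy. The act does not define "strong", so the length and character-class thresholds, the MAC-fragment heuristic and the sample devices are all assumptions made here.

```python
import re
import string
# Assumed policy: the act does not define "strong"; these thresholds are ours.
MIN_LENGTH, MIN_CLASSES = 12, 3
KNOWN_WEAK = {"admin", "password", "1234", "12345678", "root", "user", ""}

# Constructed sample batch (hypothetical MACs and defaults, not a real product).
SAMPLE_DEVICES = [
    {"mac": "AA:BB:CC:11:22:33", "password": "admin"},
    {"mac": "AA:BB:CC:44:55:66", "password": "Wifi445566"},
    {"mac": "AA:BB:CC:77:88:99", "password": "k7#Qp2vL!m9z"},
    {"mac": "AA:BB:CC:AA:BB:CC", "password": "k7#Qp2vL!m9z"},
]

def mac_fragments(mac, min_len=4):
    # Lower-case hex substrings (forward and reversed) a generator might copy from the MAC.
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    frags = set()
    for form in (digits, digits[::-1]):
        for i in range(len(form) - min_len + 1):
            for j in range(i + min_len, len(form) + 1):
                frags.add(form[i:j])
    return frags

def is_strong(pw):
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    return len(pw) >= MIN_LENGTH and sum(classes) >= MIN_CLASSES

def check_default_password(mac, pw):
    # Per-device findings for one factory default; an empty list means no issue.
    findings = []
    if pw.lower() in KNOWN_WEAK:
        findings.append("known weak default")
    if any(frag in pw.lower() for frag in mac_fragments(mac)):
        findings.append("derived from MAC address")
    if not is_strong(pw):
        findings.append("does not meet the assumed strength policy")
    return findings

def check_batch(devices):
    # Findings keyed by MAC, plus the cross-device check that no default is reused.
    results = {d["mac"]: check_default_password(d["mac"], d["password"]) for d in devices}
    by_password = {}
    for d in devices:
        by_password.setdefault(d["password"], []).append(d["mac"])
    for macs in by_password.values():
        for mac in (macs if len(macs) > 1 else []):
            results[mac].append("shared with another device")
    return results
```

Running `check_batch(SAMPLE_DEVICES)` flags the first two units individually and the last two for sharing one default, which is exactly the per-unit uniqueness the requirement asks for.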

Data communication services

  • Use of secure protocols for data transmission is required;
  • Backdoors or any undocumented functionalities that allow remote access, use or control of the device by the manufacturer or third parties for any purpose, including testing or support, are prohibited;
  • Undocumented communications with the manufacturer or third parties are also prohibited, including sending information for analytics purposes;
  • Unusual data communication services must be disabled by factory default (secure defaults and attack surface minimization).

Personal data and sensitive personal data

  • The transmission and storage of sensitive and personal data must use appropriate encryption methods;
  • Users must be informed through documentation about what personal data is collected, used and stored;
  • Users must be able to delete the personal data stored on the equipment, so that it can be disposed of safely.

Ability to mitigate attacks

  • Equipment needs to prevent and mitigate its use in denial of service attacks by supporting mechanisms such as limiting the upload rate of data, anti-spoofing filtering of IP addresses, and mechanisms for containing large volumes of successive authentication attempts.


Requirements for suppliers

Anatel's Act 77/21 also includes security requirements for equipment suppliers:

  • The supplier must guarantee that the development of the product followed Security by Design principles, which are a set of good system design practices aimed at making security an inherent quality of the end product;
  • The supplier must have a clear policy to support making software/firmware updates available to consumers to correct security vulnerabilities in the product;
  • The supplier must make security updates available for the product for a minimum of 2 years, or for as long as the product is being distributed on the market, whichever is longer;
  • The supplier must have a coordinated vulnerability disclosure program, and provide a communication channel through which consumers and the general public can report vulnerabilities found in the product.

Act 77/21 and the Market

In terms of the market, meeting the cybersecurity requirements of Anatel's Act 77/21 could represent a very significant advance over the average level of security currently offered by many of the devices available on both the national and international markets.

On the other hand, many manufacturers, such as those of IoT devices for homes or small businesses, currently have the production of low-cost devices as their main market priority (in Brazil and worldwide), treating security as something secondary.

Manufacturers like these would, at least initially, if they were obliged to meet the requirements of the act, find it very difficult to keep costs at current levels.

The eventual adoption of similar requirements by markets in other countries could help make the security of these devices a priority for manufacturers and their supply chains, helping, by volume, to lower the cost of meeting the requirements.


Conclusion

Anatel's Act 77/21 could represent a major step forward for the cybersecurity of telecommunications equipment and equipment with Internet access.

However, it is not an easy task to define a set of cyber security requirements for equipment that is so diverse in terms of purpose and capabilities, and that remains relevant over time in a scenario with a very fast pace of technological change and constant evolution of cyber attack and defense methods.

Many practical aspects of applying these requirements have yet to be proposed, especially by the GT-Ciber/Anatel. We at SiDi intend to follow and contribute to this effort.


To find out more: Anatel's page on Cyber Security.