Brazil
Act No 2436 update: mandatory cybersecurity requirements for Customer Premises Equipment (CPE)
ANATEL has released Letter No. 100/2024/ORCN/SOR-ANATEL – Clarification on the scope of cybersecurity requirements for CPE equipment.
This letter is confirmation from ANATEL that equipment intended exclusively for corporate use, installed and configured by a team with specialized technical knowledge, is not subject to the cybersecurity testing.
Official letter information:
Anatel’s Certification and Numbering Management (ORCN) has received questions, both from industry representatives and Designated Certification Bodies (OCDs), about whether the minimum mandatory cybersecurity requirements for assessing the conformity of CPE (Customer Premises Equipment), approved by Act No. 2436, apply to devices classified as access points intended for exclusive corporate use.
According to the scope contained in item 1.1 of the Annex to Act No. 2436/2023, requirements are applicable to CPE equipment for use by the general public to connect subscribers to the Internet service provider’s network.
Therefore, based on the requirements, the general public is understood as any person who uses and/or has access to the product, who does not have specialized technical knowledge about the telecommunications equipment, and who is only interested in using its functionalities and consuming the telecommunications services.
It is understood that equipment intended exclusively for corporate use is installed and configured by a team with specialized technical knowledge. Additionally, such equipment operates on corporate networks that have different layers of security and, for this reason, normally do not connect directly to the Internet service provider’s network.
This letter released by ORCN clarifies to those interested in certifying this type of product that the requirements approved by Act No. 2436/2023 are not applicable to CPE equipment intended exclusively for corporate use.