Brazil – ANATEL Important Updated Information on The Scope of Cybersecurity Testing for CPE Equipment

Important update for ANATEL Act No 2436 mandatory cybersecurity requirements for Customer Premises Equipment (CPE) devices. Today March 20, 2024, ANATEL has released Letter No. 100/2024/ORCN/SOR-ANATEL – Clarification on the scope of cybersecurity requirements for CPE equipment.

This letter is a confirmation from ANATEL that equipment intended exclusively for corporate use installed and configured by a team with specialized technical knowledge, are not applicable to the to the cybersecurity testing.

Official letter information:

Anatel’s Certification and Numbering Management (ORCN) has received questions, both from industry representatives and Designated Certification Bodies (OCDs), about the applicability of the minimum mandatory cybersecurity requirements for assessing the conformity of CPE (Customer Premises) equipment . Equipment ), approved by  Act No. 2436, of March 7, 2023 , on devices classified as access points intended for exclusively corporate use.

According to the scope contained in item 1.1 of the Annex to  Act No. 2436/2023 , the aforementioned requirements are applicable to CPE equipment for use by the general public used to connect subscribers to the Internet service provider’s network.

According to the definition contained in the requirements, the general public is understood as any person who uses and/or has access to the product and who does not have specialized technical knowledge about the telecommunications equipment and who is only interested in using its functionalities and consuming the telecommunications services.

It is understood that equipment intended exclusively for corporate use is installed and configured by a team with specialized technical knowledge. Additionally, such equipment operates on corporate networks that have different layers of security and, for this reason, normally do not connect directly to the Internet service provider’s network.

Considering these characteristics, ORCN clarifies to those interested in certifying this type of product that the requirements approved by  Act No. 2436/2023  are not applicable to CPE equipment intended exclusively for corporate use. 

For further assistance regarding the new Act Nº 2436 and its cybersecurity requirements for Customer Premises Equipment (CPE), please contact iCertifi.