What is PNCiber?

PNCiber is Brazil’s official National Cybersecurity Policy, established in December 2023 by Decree No. 11,856.


PNCiber provides a framework for cybersecurity governance across the government, private sector, and society that aims to protect critical infrastructure and personal data and to uphold national digital sovereignty. The policy sets guiding principles for responsible behavior, incident prevention, and international cooperation. It also creates mechanisms for continuous policy improvement and oversight.

Compliance requirements

PNCiber has a total of 15 articles that encompass various requirements. Let's look at a detailed explanation of each article.

Article 1: Establishment and purpose

This article officially establishes the National Cybersecurity Policy (PNCiber) and specifies its main purpose: to guide cybersecurity activities across Brazil by providing a strategic national framework for securing digital assets and information infrastructures.

Article 2: Principles

PNCiber is based on the following core principles:

  • Upholding national sovereignty and prioritizing national interests.
  • Guaranteeing fundamental rights: freedom of expression, personal data protection, privacy, and access to information.
  • Preventing incidents and cyberattacks, especially on critical infrastructure and essential services.
  • Enhancing resilience of public and private organizations to incidents.
  • Promoting education and technological development in cybersecurity.
  • Encouraging collaboration between public/private entities and international technical cooperation in cybersecurity.

Article 3: Objectives

The objectives of PNCiber include:

  • Developing national cybersecurity products, services, and technologies.
  • Ensuring confidentiality, integrity, authenticity, and availability of data.
  • Promoting responsible behavior online, with a focus on children, adolescents, and the elderly.
  • Supporting the fight against cybercrime.
  • Encouraging adoption of cyber risk management measures.
  • Fostering education, research, technological development, and innovation in cybersecurity.
  • Facilitating coordinated actions and information sharing among government levels, private sector, and society.
  • Enhancing oversight and control mechanisms for cyber resilience.
  • Strengthening international cooperation strategies.

Article 4: Strategic instruments

PNCiber is operationalized through:

  • The National Cybersecurity Strategy
  • The National Cybersecurity Plan

Article 5: National Cybersecurity Committee (CNCiber)

The decree creates the CNCiber under the Chamber of Foreign Affairs and National Defense, tasked with monitoring PNCiber’s implementation and progress.

Article 6: CNCiber responsibilities

CNCiber’s responsibilities include:

  • Proposing updates to policies, strategies, and plans.
  • Suggesting measures to enhance national cybersecurity.
  • Improving incident prevention, detection, and response.
  • Guiding the development of cybersecurity education.
  • Facilitating dialogue with government and society.
  • Advancing international cooperation in cybersecurity.
  • Providing expert opinions for government decision-making.

Article 7: CNCiber composition

CNCiber is composed of representatives from:

  • Multiple government ministries and regulatory agencies
  • Civil society organizations active in cybersecurity
  • Scientific and innovation institutions
  • Business sector entities related to cybersecurity

Article 8: Approval process for CNCiber deliberations

All CNCiber decisions regarding its core responsibilities must be submitted to the Chamber of Foreign Affairs and National Defense for approval.

Article 9: CNCiber meetings

CNCiber holds regular quarterly meetings and extraordinary meetings as needed. Quorum rules: an absolute majority is required to meet, a simple majority to approve, and the president has a tie-breaking vote.

Article 10: Working groups

CNCiber may establish temporary thematic working groups, lasting up to one year and with a cap of five active groups at a time.

Article 11: Meeting format

Members in the Federal District may meet in person or by video conference; members outside it participate by video conference.

Article 12: Public service status

Participation in CNCiber and its working groups is recognized as a public service but is unpaid.

Article 13: Executive secretariat

The Institutional Security Office of the Presidency of the Republic serves as the Executive Secretariat for CNCiber and drafts its internal regulations.

Article 14: Initial CNCiber composition

For the initial committee, certain members are appointed temporarily by the Minister Chief of the Institutional Security Office until a formal selection process is completed.

Article 15: Revocations of previous decree provisions

This article formally revokes specified provisions from an earlier decree (No. 9,637, of December 26, 2018), marking the transition to the new PNCiber governance structure.

PNCiber compliance checklist

  • Identify and classify all sensitive and critical digital assets.
  • Enact security controls to ensure confidentiality, integrity, and availability of data.
  • Establish risk management processes and incident response capabilities.
  • Train staff and raise organizational cyber awareness.
  • Verify supply chain and partner compliance with cybersecurity standards.
  • Document and report all security incidents systematically.
  • Participate in relevant sectoral and national cybersecurity coordination and forums.

Challenges of implementing PNCiber

  • Navigating a complex, evolving policy landscape across multiple public and private entities.
  • Implementing effective cybersecurity across legacy infrastructure and modern digital platforms.
  • Building sufficient cyber skills and awareness in the workforce.
  • Coordinating timely incident response and sector reporting.

Benefits of PNCiber compliance

  • Significantly improved protection against cyberthreats and attacks.
  • Enhanced trust and credibility within Brazil and for international stakeholders.
  • Alignment with global cybersecurity best practices and data protection norms.
  • Legal certainty and clarity across industries and government bodies.

How to achieve PNCiber compliance

  1. Map existing cybersecurity measures against PNCiber requirements and identify areas for improvement.
  2. Ensure buy-in from leadership, IT, legal, HR, and operational staff.
  3. Draft clear policies for security, data protection, and incident response that align with the decree’s principles.
  4. Launch continuous awareness and training programs.
  5. Keep systems monitored, update risk assessments frequently, and maintain detailed compliance records.
  6. Participate actively with sector and national committees; promptly report incidents and adapt to CNCiber recommendations.

Conclusion

PNCiber establishes critical cybersecurity requirements for Brazilian financial institutions, emphasizing continuous monitoring, threat detection, incident response, and access controls to safeguard against evolving risks. ManageEngine Log360 and AD360 deliver comprehensive coverage for PNCiber compliance through advanced capabilities for log management, threat hunting, reporting, privileged access governance, identity life cycle management, and user behavior analytics.