Back Brazil

    Status regarding Budapest Convention

Status regarding Budapest Convention

Status : Party See legal profile

Cybercrime policies/strategies

Decreto Nº 9.637 (Dec 2018) launched Brazil’s National Policy on Information Security (Política Nacional de Segurança da Informação –PNSI), which introduces principles for national information security (including data protection, respect for human and fundamental rights; security of confidential information and critical infrastructures; and international cooperation). One of its key objectives is to continuously improve the legal and regulatory framework on information security. PNSI also introduced the roles of the Institutional Security Office of the Presidency of the Republic and its advisory body (the Information Security Management Committee), including the mandate of drafting the National Information Security Strategy.

PNSI established also the National System for Digital Transformation (SinDigital), which includes the Brazilian Strategy for Digital Transformation/ Estratégia Brasileira para a Transformação Digital (E-Digital, 2018) as a federal government initiative, coordinated by the Ministry of Science, Technology and Innovation/ Ministério da Ciência, Tecnologia e Inovações (MCTI). An Inter-Ministerial Working Group developed the said public policy which includes an axis focused on Building Trust and Confidence in the Digital Environment/ Defesa e Segurança no Ambiente Digital, referring also to “the need for a broad review and integration of legislation aimed at combatting cybercrime”.

In February 2020, the National Cyber Security Strategy – E-Ciber (Estratégia Nacional de Segurança Cibernética, Decreto Nº 10.222) was adopted. E-Ciber recognizes the importance of addressing cybercrimes in this context, from having an adequate cybercrime legal framework, to providing and ensuring for their reporting and investigation, to the training of professionals and improving citizens’ awareness and reporting of such crimes. Among its strategic objectives, it proposes the establishment of a centralized governance model for the country, through the creation of a national cybersecurity system. Some of its roles would be to:

  • promote joint analysis of the challenges faced in combating cybercrime;
  • improve the national cybercrime investigation infrastructure;
  • create a national cybersecurity council;
  • receive complaints, investigate incidents and promote awareness and education in society on the subject.

Other relevant strategic objectives focus on the improvement, review, and update of existing regulations and the legal framework on cybersecurity, addressing new issues and developing new instruments, as well as the expansion of Brazil’s international cooperation in the field. Examples of recommended actions:

  • identify and address issues missing from current legislation;
  • make efforts to include in the Penal Code, Decree-Law No. 2.848 (Dec 1940), new classifications for cybercrimes;
  • prepare regulations on emerging technologies;
  • expand the use of international mechanisms to combat cybercrime (e.g. pursue mutual legal assistance treaties).

E-Ciber notes that Brazil also needs to strengthen and improve its government bodies which deal with threats and the fight against cybercrimes. Among the actions recommended in this sense are: (1) the Government Cyber ​​Incidents Treatment and Response Center (CTIR Gov) – as the central government agency that coordinates and carries out actions aimed at the management of computer incidents, should be granted action at the national level; and (2) improve the national structure for investigating cybercrimes.

The Parliamentary Inquiry Commission on Cybercrime/ CPI de Crimes Cibernéticos (2015-2016), produced a report assessing the country’s legislation in 2016, in which it recommended a number of draft bills and other policy recommendations.

By Legislative Decree no. 37 of 2021, the Congress of Brazil approved the accession to the Budapest Convention.

Cybercrime legislation

Over the years, cybercrime has preoccupied the legislator significantly, with both houses of Congress proposing several amending draft laws to the Penal Code and Criminal Procedure Code in this respect. The following legislation incorporates or is dedicated to specific aspects regarding cybercrimes and electronic evidence:

Penal Code/ Código Penal – Decreto-Lei Nº 2.848 (Dec 1940);

Law/ Lei Nº 12.737 (Nov 2012), amending the Penal Code with some substantive provisions on cybercrimes;

Law/Lei Nº 14.155 (May 2021), amending the Penal Code and Criminal Procedure Code (with impact on cybercrime offences and competence);

Law/ Lei Nº 8.069 (Jul 1990) – statute of children and adolescents;

Criminal Procedure Code/ Código de Processo Penal – Decreto-Lei Nº 3.689 (Oct 1941).

Law/ Lei Nº 9.296 (Jul 1996) – on interception of communications;

Law/ Lei Nº 9.610 (Feb 1998) – Brazilian Copyright Law;

Law/ Lei Nº 9.609 (Feb 1998) – on intellectual property of computer programmes (Brazilian Software Law);

Brazilian Internet Law/ Marco civil da Internet – Lei Nº 12.965 (Apr 2014) – rights and obligations of internet use;

Lei Nº 12.965 (2014), known as the Brazilian Internet Law aims to consolidate the rights, duties and principles for the use and development of the Internet in Brazil. It also provides for the ISPs to retain connection data.

Currently, the Congress of Brazil is debating a draft law amending the Criminal Procedure Code, defining the rules for obtaining and admissibility of digital evidence in criminal proceedings.

Specialised institutions

Specialised institutions

  • The Federal Police has since 2003 a Cybercrime Enforcement Service (Serviço de Repressão a Crimes Cibernéticos – SRCC), under the command of the Directorate for Investigation and Combat of Organized Crime (DICOR).
  • At the level of the Ministry of Justice and Public Security (MJSP), there is a Cyber Operations Laboratory (Laboratório de Operações Cibernéticas) within the Integrated Operations Secretariat.
  • The Federal Prosecution Service has a National Advisory Group (Grupo de Apoio sobre Criminalidade Cibernética - GACC) under the Criminal Chamber of the Prosecutor General’s Office since 2011. São Paulo and Rio de Janeiro have specialized cybercrime units, mainly dedicated to online child pornography and hate speech cases, since 2003 and 2006, respectively.
  • Government Cyber Incident Treatment and Response Center (Centro de Tratamento e Resposta a Incidentes Cibernéticos de Governo): is part of the Information Security Department (DSI) of the Institutional Security Office of the Presidency of the Republic and is the national coordination Computer Security Incident Response Team (CSIRT).
  • The CTIR Gov is a "Computer Security Incident Response Team (CSIRT)", or Group Security Incident Response, responsible organization to receive, analyze and respond to reports and activities related to security incidents on computers.
  • The Internet Steering Committee (Comitê Gestor da Internet) is responsible for establishing strategic guidelines related to the use and development of the Internet in Brazil and also coordinates the activity of the Brazilian CERT.

Cybersecurity governance structure (mostly according to the E-Ciber policy - PT):

national responsibility centers:

international coordination centers:

critical infrastructure CSIRTs:

provider CSIRTs:

corporate CSIRTs: CERT-RS, SEGTIC UFRJ, CSIRT Unicamp;

public institutions CSIRTs:

military CSIRTs:

Jurisprudence/case law

Sources and links

Tools on Cybercrime & Electronic Evidence Empowering You!

These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe. 


  Are you aware of the latest legislative or policy developments on cybercrime and electronic evidence?

  Share this information with us helping to keep this platform up to date.

Useful links