Normative Ordinance No. 371 introduced a mandatory certification for IT equipment (Voltage stabilisers) as of July 2011. Generally, testing must be performed in-country unless the necessary capability is not available in Brazil. Moreover, entities engaged in product testing and mandatory certification must be accredited by the National Institute of Metrology, standardisation and Industrial Quality (INMETRO).

Brazil is a member of the System of Conformity Assessment Schemes for Electrotechnical Equipment and Components (IECEE), which is based on the principle of mutual recognition (reciprocal acceptance) by its members of test results for obtaining certification or approval at the national level. Pursuant to Resolution No. 715, the Brazilian National Telecommunications Agency (ANATEL; Agência Nacional de Telecomunicações) implements testing requirements for telecommunication products and equipment. Through subsequent implementing acts, ANATEL has reduced the frequency of testing requirements and introduced the use of a declaration of conformity with test results procedures for certain products based on a risk analysis.
However, it has been reported that ANATEL needs to approve products that connect to the public telephone network. This approval process requires in-country testing, not accepting test reports from foreign accredited labs. This is the case with the following products, among others: Network routers with E1 WAN ports; WiFi 802.11a/b/g/n access points; GSM and CDMA cellular phones; Network switches; Satellite, Bluetooth; ZigBee products. Other products need certification by ANATEL. Examples include cell phones, Bluetooth headsets, Wireless telephones, including DECT systems, Antenna systems, Digital communication systems, Security gateways, and Wi-Fi modules.

Homologation is mandatory for the use and commercialisation of telecommunication products in the country (Art. 55 of Resolution No. 715), and the country accepts third-party certification from Conformity Assessment Bodies from several countries with Mutual Recognition Agreements (Art. 8 of Resolution No. 715).
Act No. 7280, of 26 November 2020 lists and clarifies the type of conformity assessment corresponding to radio frequency emitting telecommunications products. The majority of the products contained in the reference list of telecom products require testing and includes: antennas; energy accumulators (batteries); coaxial cables; optical cables and fibre optics; data transmission cables; telephone cables; chargers for mobile phones and lithium batteries; switching centres; broadcasting equipment; rf equipment (except broadcasting) such as BPL equipment, mobile phones, modems, digital transmitters, and transceivers; optical equipment; data communication equipment; terminal equipment; IP terminal equipment (wireless); telephone wires; protective modules; digital multiplex; rectifier systems; splitters; rectifier units. Act No. 3,939, of 1 June 2021 is the regulation for homologation in Brazil, guiding the necessary steps of the procedure.

According to the guidelines of Act No. 77, of 5 January 2021, when requesting the homologation of the product for telecommunications with ANATEL (Agência Nacional de Telecomunicações), the applicant must present a declaration expressing which cybersecurity requirements the equipment and its supplier meet. There are concerns from the industry regarding the scope and definitions of this Act, including to which products the regulation applies and the lack of reliance on international standards. Among other provisions, it is reported that the Act vaguely mandates the guarantee of appropriate encryption methods.

The Brazilian Government charges a flat 60% duty for all express shipments imported through the Simplified Customs Clearance process. The Simplified Customs Clearance process limits commercial shipments to USD 100,000 per importer per year, according to Art. 37 of Normative Instruction 1737/2017. Moreover, Brazilian Customs have established express services maximum per-shipment value limits of USD 3,000 for imports, according to Art. 1 of Ministerial Ordinance 156/1999. This is reported to affect particularly online sales.

According to Art. 86 of the General Telecommunications Law, a telecommunication service license can only be granted to companies organised and existing under Brazilian law and which have their principal place of business and administration in Brazil. Furthermore, Art. 87 determines that any company or holding company granted a concession that already renders, in the same geographical area, the same type of service subject to a bidding procedure will be obliged to transfer the service previously rendered to a third party within 18 months from the execution date of the concession agreement. Failure to observe this provision can result in forfeiture of the license, as well as other sanctions set out in the grant procedure.

It has been reported that although Brazil permits Brazilian-owned entities to acquire the exclusive right to operate a satellite and its associated frequencies from specific positions, foreign-licensed satellite operators may obtain only a non-exclusive right (a landing right) to provide service in Brazilian territory. The National Telecommunications Agency (ANATEL) grants these landing rights for a fixed term of no longer than 15 years, after which the operator must reacquire the landing rights in order to continue providing services. Foreign operators are also required to pay higher annual landing fees than Brazilian firms.

Brazil has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Brazil has a telecommunications authority: The National Telecommunications Agency (ANATEL). However, it is reported that the decision making process of this entity is not fully independent from the government.

According to Section 5.3 of Ordinance No. 9/2018, data, metadata, information and knowledge produced or stored by Federal Public Administration (FPA) bodies and its backups shall reside in the Brazilian territory. In addition, Section 5.4 stipulates that the data, metadata, information and knowledge generated or held by a FPA entity or body relating to personal data (relating to intimacy, privacy, honour and image), information with restricted access under current legislation and preparatory documents may be processed in a cloud computing environment at the discretion of the FPA entity or body, taking into account current legislation, but must reside exclusively on Brazilian territory. According to the Complementary Standard 09/IN01/DSIC/GSI/PR, the bodies and entities of the FPA must comply with certain procedures, one of which can be found in Section 5.3, which states that all confidential information can only be stored in a data processing centre provided by the bodies and entities of the FPA, in accordance with the legislation in force. Confidential information is defined as information that is temporarily restricted from public access due to its indispensability for the security of society and the State.
Also, Section 5.2.2.1 of Ordinance No. 9/2018 states that processing of classified information in a cloud computing environment is prohibited. Classified information is defined as confidential information that has been assigned a degree of secrecy in accordance with specific classification procedures set out in applicable legislation.

Art. 12 of Resolution CMN No. 4,893 and Art. 12 of Resolution BCB No. 85 state that institutions authorised to operate by the Central Bank of Brazil (Banco Central do Brasil, BCB) may contract cloud and data processing services in Brazil or abroad as long as they adopt corporate governance practices proportionate to the service hired and the risks to which they are exposed to, and verify the capability of the potential service to ensure compliance with the current legislation, institution's access to data, the confidentiality and integrity of data, adherence to certification patterns required by the institution, access to auditing reports, provision of information and management resources appropriate to the monitoring of services provided, identification of the institution's customer data and quality of access controls aimed at protecting customers data. In addition, Art. 15 of both Resolutions establishes that the companies should notify BCB of the countries where financial data is processed. Also, Art. 16 of both Resolutions provides that the contracting of data processing, data storage and cloud computing relevant services provided abroad must fulfil the following requisites:
- The existence of an agreement for the exchange of information between the BCB and the supervisory authorities of the countries where the services may be provided;
- The contracting institution must ensure that the provision of the services does not cause damage to its own functioning, neither do they deter the action of the BCB;
- The contracting institution must define, previously to the contracting, the countries and the regions in each country where the services can be provided and the data can be stored, processed and managed;
- The contracting institution must anticipate alternatives for business continuity, either in the case of the impossibility of continuing the contract or terminating it.
The BCB's prior approval must be obtained if the institution retains a cloud service provider in countries where there is no agreement to exchange information between the BCB and the competent authorities. The institutions must request such approval from the BCB at least 60 days before retaining the cloud services in question.

The Personal Data Protection Law allows the international transfer of personal data only under certain conditions (Arts. 33-36). The main conditions for such a transfer are that the recipient jurisdiction has an adequate level of data protection; the controller adduces adequate safeguards (for instance, by using model contract clauses, binding corporate rules or other contractual arrangements); the data subject has given their consent explicitly; or the transfer is necessary for the performance of a contract between the data subject and the controller. Art. 11 provides stricter conditions for processing sensitive personal data, and it is reported that, in practice, these conditions forced many organisations to store privacy-sensitive data in Brazil. The law applies extraterritorially to all companies that target Brazilian consumers, even when the company is not established in the Brazilian market.

Brazil has joined an agreement with binding commitments to open data transfers across borders: the Chile-Brazil Bilateral Trade Agreement (Art. 10.12).

The Personal Data Protection Law provides a framework for comprehensive data protection in Brazil. It applies to the treatment of personal data, including through digital means, by natural or juridical persons of a public or private nature. The law applies regardless of the country of origin of the person and the country where data is located provided that: data treatment is made in the national territory; or data treatment activities aims at the supply of goods or services or data treatment of individuals located in the national territory; or data has been collected in the national territory.

Art. 13 of the Civil Rights Framework for the Internet states that connection logs of Internet service providers (ISPs) should be retained for a minimum period of one year. The police, administrative authorities, or the Public Prosecutor's Office may request in a precautionary manner that the connection logs be kept for a longer period. Authorities have a period of 60 days, counting from the time of the request, to obtain a court order to access the information.