According to Arts. 41 and No. 42 of Ordinance 23 of July 2011 of the Secretary of Foreign Trade, the importation of used machinery, equipment, devices, instruments, moulds, and containers are prohibited unless these used goods are not produced in the country or are irreplaceable by other similar products manufactured in the country.

Normative Ordinance No. 371 introduced a mandatory certification for IT equipment (Voltage stabilisers) as of July 2011. Generally, testing must be performed in-country unless the necessary capability is not available in Brazil. Moreover, entities engaged in product testing and mandatory certification must be accredited by the National Institute of Metrology, standardisation and Industrial Quality (INMETRO).

Brazil is a member of the System of Conformity Assessment Schemes for Electrotechnical Equipment and Components (IECEE), which is based on the principle of mutual recognition (reciprocal acceptance) by its members of test results for obtaining certification or approval at the national level. Pursuant to Resolution No. 715, the Brazilian National Telecommunications Agency (ANATEL; Agência Nacional de Telecomunicações) implements testing requirements for telecommunication products and equipment. Through subsequent implementing acts, ANATEL has reduced the frequency of testing requirements and introduced the use of a declaration of conformity with test results procedures for certain products based on a risk analysis.
However, it has been reported that ANATEL needs to approve products that connect to the public telephone network. This approval process requires in-country testing, not accepting test reports from foreign accredited labs. This is the case with the following products, among others: Network routers with E1 WAN ports; WiFi 802.11a/b/g/n access points; GSM and CDMA cellular phones; Network switches; Satellite, Bluetooth; ZigBee products. Other products need certification by ANATEL. Examples include cell phones, Bluetooth headsets, Wireless telephones, including DECT systems, Antenna systems, Digital communication systems, Security gateways, and Wi-Fi modules.

Homologation is mandatory for the use and commercialisation of telecommunication products in the country (Art. 55 of Resolution No. 715), and the country accepts third-party certification from Conformity Assessment Bodies from several countries with Mutual Recognition Agreements (Art. 8 of Resolution No. 715).
Act No. 7280, of 26 November 2020 lists and clarifies the type of conformity assessment corresponding to radio frequency emitting telecommunications products. The majority of the products contained in the reference list of telecom products require testing and includes: antennas; energy accumulators (batteries); coaxial cables; optical cables and fibre optics; data transmission cables; telephone cables; chargers for mobile phones and lithium batteries; switching centres; broadcasting equipment; rf equipment (except broadcasting) such as BPL equipment, mobile phones, modems, digital transmitters, and transceivers; optical equipment; data communication equipment; terminal equipment; IP terminal equipment (wireless); telephone wires; protective modules; digital multiplex; rectifier systems; splitters; rectifier units. Act No. 3,939, of 1 June 2021 is the regulation for homologation in Brazil, guiding the necessary steps of the procedure.

According to the guidelines of Act No. 77, of 5 January 2021, when requesting the homologation of the product for telecommunications with ANATEL (Agência Nacional de Telecomunicações), the applicant must present a declaration expressing which cybersecurity requirements the equipment and its supplier meet. There are concerns from the industry regarding the scope and definitions of this Act, including to which products the regulation applies and the lack of reliance on international standards. Among other provisions, it is reported that the Act vaguely mandates the guarantee of appropriate encryption methods.

Art. 12 of Resolution CMN No. 4,893 and Art. 12 of Resolution BCB No. 85 state that institutions authorised to operate by the Central Bank of Brazil (Banco Central do Brasil, BCB) may contract cloud and data processing services in Brazil or abroad as long as they adopt corporate governance practices proportionate to the service hired and the risks to which they are exposed to, and verify the capability of the potential service to ensure compliance with the current legislation, institution's access to data, the confidentiality and integrity of data, adherence to certification patterns required by the institution, access to auditing reports, provision of information and management resources appropriate to the monitoring of services provided, identification of the institution's customer data and quality of access controls aimed at protecting customers data. In addition, Art. 15 of both Resolutions establishes that the companies should notify BCB of the countries where financial data is processed. Also, Art. 16 of both Resolutions provides that the contracting of data processing, data storage and cloud computing relevant services provided abroad must fulfil the following requisites:
- The existence of an agreement for the exchange of information between the BCB and the supervisory authorities of the countries where the services may be provided;
- The contracting institution must ensure that the provision of the services does not cause damage to its own functioning, neither do they deter the action of the BCB;
- The contracting institution must define, previously to the contracting, the countries and the regions in each country where the services can be provided and the data can be stored, processed and managed;
- The contracting institution must anticipate alternatives for business continuity, either in the case of the impossibility of continuing the contract or terminating it.
The BCB's prior approval must be obtained if the institution retains a cloud service provider in countries where there is no agreement to exchange information between the BCB and the competent authorities. The institutions must request such approval from the BCB at least 60 days before retaining the cloud services in question.

The Personal Data Protection Law allows the international transfer of personal data only under certain conditions (Arts. 33-36). The main conditions for such a transfer are that the recipient jurisdiction has an adequate level of data protection; the controller adduces adequate safeguards (for instance, by using model contract clauses, binding corporate rules or other contractual arrangements); the data subject has given their consent explicitly; or the transfer is necessary for the performance of a contract between the data subject and the controller. Art. 11 provides stricter conditions for processing sensitive personal data, and it is reported that, in practice, these conditions forced many organisations to store privacy-sensitive data in Brazil. The law applies extraterritorially to all companies that target Brazilian consumers, even when the company is not established in the Brazilian market.

Brazil has joined an agreement with binding commitments to open data transfers across borders: the Chile-Brazil Bilateral Trade Agreement (Art. 10.12).

The Personal Data Protection Law provides a framework for comprehensive data protection in Brazil. It applies to the treatment of personal data, including through digital means, by natural or juridical persons of a public or private nature. The law applies regardless of the country of origin of the person and the country where data is located provided that: data treatment is made in the national territory; or data treatment activities aims at the supply of goods or services or data treatment of individuals located in the national territory; or data has been collected in the national territory.

Art. 13 of the Civil Rights Framework for the Internet states that connection logs of Internet service providers (ISPs) should be retained for a minimum period of one year. The police, administrative authorities, or the Public Prosecutor's Office may request in a precautionary manner that the connection logs be kept for a longer period. Authorities have a period of 60 days, counting from the time of the request, to obtain a court order to access the information.

According to Art. 15 of the Civil Rights Framework for the Internet, internet application providers that are constituted as a legal entity and that carry out this activity in an organised manner professionally and with economic purposes must retain the respective records of access to the Internet applications for a period of six months. Internet applications are defined in Art. 5 (VII) as a set of functionalities that can be accessed through a terminal connected to the Internet.

According to Art. 17 of Criminal Organisation Law, concessionaires of fixed or mobile telephony must keep, for a period of five years, at the disposal of the Police Chief or the Public Prosecutor, records of identification of the terminal numbers of origin and destination of international, long distance and local phone calls.

The Guidelines for the Appointment of Data Treatment Agents and Data Protection Officers clarify Art. 41 of the Data Protection Law, setting out that all institutions, either public or private, have an obligation to appoint a Data Protection Officer ("encarregado") (DPO). A previous reading of the Art. 23 of Law led to the conclusion that only public institutions would be obliged to appoint a DPO. However, the guidelines state that the Data Protection Law does not determine the circumstances in which an organisation should appoint a DPO. Therefore, as a general rule, one must assume that all organisations must appoint a DPO. However, §3 of Art. 41 states that future regulations of the National Authority may determine the hypothesis for the dispensation of the need to appoint a DPO, taking into account the nature, size, and volume of data treatment operations

The Civil Rights Framework for the Internet law establishes a safe harbour regime for intermediaries for copyright infringements. Art. 18 states that “the Internet connection provider shall not be subject to civil liability for content generated by third party”. Art. 19, which addresses Internet application providers (excluding connection providers), states that “in order to ensure freedom of expression and to prevent censorship, an Internet application provider shall only be subject to civil liability for damages caused by virtue of content generated by third parties if, after specific court order, it does not take action, according to the framework and technical limits of its services and within the time-frame ordered, to make the infringing content unavailable.”

The Civil Rights Framework for the Internet law establishes a safe harbour regime for intermediaries beyond copyright infringements. Art. 18 states that “the Internet connection provider shall not be subject to civil liability for content generated by third party”. Art. 19, which addresses Internet application providers (excluding connection providers), states that “in order to ensure freedom of expression and to prevent censorship, an Internet application provider shall only be subject to civil liability for damages caused by virtue of content generated by third parties if, after specific court order, it does not take action, according to the framework and technical limits of its services and within the time-frame ordered, to make the infringing content unavailable.”