Brazil Raises Its Cyber Wall: Mandatory Audits for Telecom Suppliers

On November 26, 2024, ANATEL published Ato No. 16417, establishing the official guidelines for auditing the cybersecurity practices of telecom equipment suppliers. Compliance with this act becomes mandatory on November 26, 2025. The new mandate means it is no longer enough for your product to be compliant; your company's cybersecurity policy is now under the microscope.

What is Ato 16417?

At its core, Ato 16417 is an operational procedure that requires suppliers of telecommunications products and equipment to undergo a formal audit of their corporate Cybersecurity Policy (PSC).

This isn’t a suggestion; it’s a prerequisite for market participation. Brazilian telecom service providers will be required to use equipment only from suppliers who can prove they have an implemented and audited cybersecurity policy.

Beyond the Box: Auditing the Entire Lifecycle

This is an evolution from traditional product-centric certifications. ANATEL is shifting focus from simply what a device does to how it was made and how it’s supported. The audit will scrutinize your company’s commitment to security across the entire product lifecycle, including:

  • Security by Design: Demonstrating that security principles are embedded in your product from the very first stages of conception and development.
  • Secure Development Practices: Including the use of secure coding, vulnerability analysis, and robust testing cycles.
  • Vulnerability Management: Having a clear process for identifying, managing, and patching security flaws.
  • Coordinated Vulnerability Disclosure (CVD): Maintaining a public channel for security researchers and users to report vulnerabilities.
  • End-of-Life Support: A clear policy for providing security updates, even as a product ages.

The Auditors: Who Can Certify You?

The new procedure allows for audits to be conducted by three types of qualified entities:

  1. Designated Certification Bodies (OCDs): These are the ANATEL-authorized bodies that are already central to the Brazilian certification process.
  2. IAF-Accredited Independent Entities: Bodies accredited by a member of the International Accreditation Forum (IAF).
  3. Internationally Recognized Schemes: Entities that are part of established international certification schemes covering cybersecurity policy.