On May 1, 2026, Brazil’s National Health Surveillance Agency (ANVISA) implemented Resolution No. 187/2026, mandating cybersecurity penetration testing for all automotive electronic devices entering the Brazilian market—including OBD-II scanners, T-Box units, and ADAS controllers. This requirement directly affects automotive electronics exporters, certification service providers, and distribution partners operating in or targeting the Brazilian market.

Event Overview

ANVISA Resolution No. 187/2026 entered into force on May 1, 2026. It requires that all automotive electronic devices subject to health-related regulatory oversight in Brazil undergo third-level cybersecurity penetration testing aligned with ISO/SAE 21434. Testing must be conducted by laboratories accredited by INMETRO, Brazil’s national institute of metrology, quality, and technology. A formal test report issued by such a laboratory is mandatory for market access.

Industries Affected

Direct Exporters of Automotive Electronics

Exporters—particularly those based in China supplying OBD-II diagnostic tools, T-Box modules, or ADAS control units to Brazilian importers—are directly impacted. Compliance now adds an unavoidable pre-market validation step. The regulation has already extended average delivery timelines by 22 days, as confirmed in industry reports.

Distribution and Channel Partners in South America

South American distributors and authorized resellers are adjusting procurement terms. Some have begun requesting not only the final INMETRO-recognized test report but also summarized raw penetration test logs—indicating heightened due diligence on technical accountability and traceability.

Supply Chain Certification Service Providers

Laboratories and conformity assessment bodies offering ISO/SAE 21434 testing services face increased demand—but only those formally recognized by INMETRO qualify. Non-accredited labs cannot issue valid documentation for ANVISA submission, narrowing the pool of eligible service providers for affected manufacturers.

Key Focus Areas and Recommended Actions

Monitor official ANVISA and INMETRO guidance updates

While Resolution 187/2026 is effective, implementation details—including acceptable test scope boundaries for specific device classes and transitional arrangements—remain subject to clarification. Stakeholders should subscribe to official notices from both agencies.

Prioritize high-volume or high-risk product categories for early testing

OBD-II diagnostic devices and T-Box units represent the most widely traded items under this rule. Manufacturers should allocate testing resources first to these categories, given their prevalence in Brazilian aftermarket and OEM supply chains.

Distinguish between regulatory signal and operational readiness

The requirement is enforceable as of May 1, 2026, but enforcement cadence (e.g., customs hold procedures, post-import audits) is not yet publicly documented. Companies should treat compliance as mandatory for new shipments while preparing for possible verification steps at port or during registration renewal.

Prepare documentation workflows for log summaries and report handover

Since some Brazilian channel partners now request penetration test log summaries, exporters should standardize internal processes for extracting, anonymizing, and delivering non-sensitive technical evidence—without compromising proprietary system architecture or test methodology confidentiality.

Editorial Perspective / Industry Observation

Observably, this regulation signals Brazil’s broader alignment with global automotive cybersecurity governance frameworks—notably ISO/SAE 21434—and reflects growing regulatory attention to embedded electronics in health-adjacent domains (e.g., telematics systems linked to emergency response or driver wellness monitoring). Analysis shows it functions less as an isolated compliance hurdle and more as an early indicator of tightening cyber-resilience expectations across Latin American markets. From an industry perspective, the 22-day average delay suggests current bottlenecks lie in lab capacity and cross-border report validation—not conceptual resistance. Continued observation is warranted for potential harmonization efforts with Mercosur technical regulations or future extensions to other vehicle subsystems.

Conclusion
This regulation marks a concrete shift in market access conditions for automotive electronics in Brazil—not merely a procedural update, but a structural recalibration of technical due diligence expectations. It is best understood not as a temporary administrative burden, but as the formal institutionalization of cybersecurity as a core product requirement in regulated vehicle electronics segments. Stakeholders should plan for sustained compliance integration—not one-time adaptation.

Information Sources
Main source: Official text of ANVISA Resolution No. 187/2026, published by the Brazilian National Health Surveillance Agency (ANVISA), effective May 1, 2026.
Note: Enforcement mechanisms, audit frequency, and potential exemptions remain under observation and are not yet formally detailed in publicly available documents.