On May 2, 2026, Brazil’s National Health Surveillance Agency (ANVISA) and the National Telecommunications Agency (ANATEL) jointly issued Portaria No. 88/2026, requiring all OBD-II automotive diagnostic devices entering the Brazilian market to undergo cybersecurity penetration testing per ISO/SAE 21434:2026 — conducted exclusively by ANVISA-accredited laboratories. Exporters of such auto electronics, particularly manufacturers and traders based in China, must now re-submit products for certification.

Event Overview

On May 2, 2026, ANVISA and ANATEL published Portaria 88/2026. The regulation applies to automotive electronic devices falling under the Auto Electronics category that interface with vehicle onboard diagnostics via the OBD-II port. It mandates compliance with ISO/SAE 21434:2026 for cybersecurity risk management, specifically requiring formal penetration testing and official test reports issued by laboratories recognized by ANVISA. No transitional period or grandfathering clause has been publicly announced.

Industries Affected

Direct Exporters (OEMs & Contract Manufacturers)
Manufacturers exporting OBD-II devices directly into Brazil — especially those previously certified only for electromagnetic compatibility (EMC) or basic safety — are affected because prior certifications do not satisfy the new cybersecurity requirement. Impact includes mandatory re-testing, potential delays in customs clearance, and increased time-to-market for new or existing models.

Supply Chain Service Providers (Certification Agents & Lab Representatives)
Firms facilitating ANATEL or INMETRO certification for foreign clients must now verify whether their accredited lab partners are also approved by ANVISA for ISO/SAE 21434:2026 testing. Gaps in accreditation may require switching service providers or extending lead times for documentation support.

Distribution & Channel Partners (Importers & Distributors)
Brazilian importers and distributors handling OBD-II tools — including code readers, telematics adapters, and aftermarket diagnostic scanners — face inventory validation risks. Products already cleared under older regimes may no longer be legally marketable unless retroactively tested and recertified, potentially triggering stock write-downs or sales suspension.

What Relevant Companies or Practitioners Should Focus On — And How to Respond

Monitor official updates on ANVISA’s recognition list of accredited labs

ANVISA has not yet published its full list of laboratories authorized to conduct ISO/SAE 21434:2026 penetration tests. Companies should track ANVISA’s official portal and subscribe to regulatory bulletins to confirm which labs are approved — as testing at a non-recognized facility will invalidate the report.

Verify scope alignment between existing product certifications and Portaria 88/2026 requirements

Not all OBD-II-adjacent devices may fall under this mandate. Firms should review whether their products are classified as ‘Auto Electronics’ under ANVISA’s definition — particularly distinguishing between diagnostic tools intended for professional repair versus consumer-grade data loggers or Bluetooth adapters without active vehicle control functions.

Prepare for documentation re-submission and timeline adjustments

Re-testing under ISO/SAE 21434:2026 typically requires updated threat analysis documentation, secure development lifecycle evidence, and test reports covering both hardware and firmware layers. Exporters should allocate additional weeks for internal technical preparation before lab submission — especially if firmware updates are needed to address identified vulnerabilities.

Engage early with Brazilian regulatory representatives

Given the joint enforcement role of ANVISA and ANATEL, coordination across both agencies is critical. Companies without local representation should consider appointing an officially designated Responsible Person in Brazil — as required under Portaria 88/2026 — to receive official communications and submit compliance evidence.

Editorial Perspective / Industry Observation

Observably, Portaria 88/2026 signals a structural shift in how Brazil regulates connected automotive hardware — moving beyond traditional safety and radiofrequency oversight toward proactive cybersecurity governance. Analysis shows this is less a one-off compliance update and more the first formal application of ISO/SAE 21434 in Latin America’s largest automotive market. From an industry perspective, it reflects growing alignment with EU-type regulatory expectations, though implementation remains nationally scoped and lab-accreditation dependent. Current enforcement appears focused on new market entries; however, the absence of a grace period means legacy products may face de facto market exclusion unless recertified.

Conclusion
This regulation marks a procedural inflection point for exporters of automotive diagnostic electronics to Brazil — transforming cybersecurity from a voluntary best practice into a mandatory, lab-verified entry condition. It does not introduce new technical standards beyond ISO/SAE 21434:2026, but rather enforces them through binding national procedure. For stakeholders, the immediate implication is not broad market disruption, but rather a tightening of pre-market gatekeeping — making timely access to accredited testing capacity the most operationally decisive factor in near-term compliance.

Information Sources
Primary source: Portaria No. 88/2026, jointly issued by ANVISA and ANATEL on May 2, 2026.
Note: The list of ANVISA-accredited laboratories for ISO/SAE 21434:2026 testing remains pending publication and is subject to ongoing monitoring.