
On May 8, 2026, Brazil’s National Health Surveillance Agency (ANVISA) updated Resolution RDC No. 112/2026 to formally include in-vehicle AI voice interaction systems under medical-device-level cybersecurity regulation. This development directly impacts automotive OEMs, Tier-1 suppliers, and cybersecurity validation service providers—particularly those exporting intelligent cockpit solutions to Brazil.
On May 8, 2026, ANVISA issued Resolution RDC No. 112/2026, extending its regulatory scope to cover in-vehicle AI voice modules. Under the updated resolution, all imported vehicle models equipped with such modules must submit ISO/SAE 21434 Tier-2 penetration testing reports and documented evidence of vulnerability remediation closure. The measure applies to new model imports effective immediately upon publication.
OEMs—especially Chinese manufacturers supplying smart cockpit systems to the Brazilian market—are directly affected because their voice modules now fall under ANVISA’s medical-device cybersecurity framework. Impact manifests as extended time-to-market: average delivery cycles for compliant smart cockpit solutions have increased by 21 days due to mandatory third-party validation and documentation review.
Tier-1 suppliers integrating AI voice stacks into head units or domain controllers must now align product development and certification workflows with ISO/SAE 21434 Tier-2 requirements. Their impact includes revised design assurance protocols, additional test planning overhead, and tighter coordination with cybersecurity labs accredited under ANVISA’s recognition criteria.
Labs offering automotive cybersecurity testing face heightened demand for Tier-2–level penetration assessments validated against ANVISA’s interpretation of ISO/SAE 21434. Impact centers on capacity allocation, report formatting compliance (e.g., evidence traceability to specific vulnerabilities and remediation timestamps), and potential need for ANVISA-specific accreditation alignment.
Entities responsible for customs clearance and regulatory submission in Brazil must now verify inclusion of both the penetration test report and closed-loop vulnerability evidence before ANVISA clearance. Impact includes added document review steps, risk of shipment hold-ups for incomplete submissions, and greater reliance on technical translators familiar with ISO/SAE 21434 terminology.
ANVISA has not yet published implementation guidelines or a list of recognized testing laboratories for Tier-2 assessments. Enterprises should monitor ANVISA’s official portal and RDC No. 112/2026 addenda for updates on acceptable report formats, evidence standards (e.g., required detail level for vulnerability closure logs), and transitional provisions.
Given the 21-day average delay, exporters should triage which vehicle variants require immediate validation—starting with models representing >15% of projected annual volume into Brazil or those designated as launch priorities. This avoids bottlenecks across multiple SKUs simultaneously entering the pipeline.
The resolution is legally binding as of May 8, 2026, but enforcement timing for non-compliant shipments remains unconfirmed. In observed practice, ANVISA has historically allowed a 90-day grace period for new RDCs affecting imported devices. Companies should treat the rule as active but verify whether enforcement actions (e.g., import rejections) will begin immediately or follow a phased rollout.
Teams involved in product certification, supply chain management, and regulatory affairs should jointly map current voice module architecture against ISO/SAE 21434 Annex G (Threat Analysis and Risk Assessment) and Clause 8 (Testing). Pre-validate internal evidence templates (e.g., vulnerability tracking logs with timestamps, tester sign-offs, patch verification records) to reduce external lab turnaround time.
This update is better understood as a regulatory signal than as an isolated compliance checkpoint. It reflects ANVISA’s broader strategic shift toward treating safety-critical automotive software as functionally equivalent to medical device software, particularly where human interaction and health-related outcomes (e.g., driver distraction mitigation, emergency command reliability) intersect. Analysis shows ANVISA is increasingly referencing international automotive cybersecurity standards, not just medical ones, to build enforceable frameworks. While RDC No. 112/2026 currently targets only voice modules, future amendments could extend similar requirements to other ADAS-adjacent components (e.g., biometric driver monitoring systems) if precedent holds. The agency’s move also signals growing convergence between automotive and healthcare regulatory logic in emerging markets, a trend requiring sustained attention beyond Brazil alone.

Conclusion: This regulatory update does not represent a one-off compliance hurdle but rather marks the institutionalization of automotive cybersecurity as a non-negotiable import condition in Brazil. It is more accurately interpreted as the formal start of a multi-year alignment process—between global OEM practices, local regulatory expectations, and third-party validation infrastructure—in Latin America’s largest auto market. Current readiness hinges less on achieving full compliance overnight and more on establishing traceable, auditable validation workflows that can scale with future scope expansions.
Source: Brazil’s National Health Surveillance Agency (ANVISA), Resolution RDC No. 112/2026, published May 8, 2026.
Note: Implementation timelines for enforcement actions, laboratory recognition criteria, and transitional arrangements remain under observation and are not yet publicly specified by ANVISA.


