ANVISA Expands Auto Electronics Regulation: In-Vehicle AI Voice Modules Require Cybersecurity Penetration Testing

ANVISA now mandates cybersecurity penetration testing for in-vehicle AI voice modules—key for auto electronics exporters targeting Brazil. Act before the 120-day deadline!
Analyst: Automotive Tech Analyst
May 10, 2026
Brazil’s National Health Surveillance Agency (ANVISA) issued Portaria RDC No. 22/2026 on May 8, 2026, extending medical-device-level cybersecurity requirements to in-vehicle AI voice interaction modules—including integrated solutions such as Amazon Alexa Auto and Google Assistant Auto. This regulatory shift directly impacts automotive electronics exporters, OEM suppliers, and aftermarket manufacturers serving the Brazilian market—and signals a tightening of compliance expectations for connected vehicle components with health-relevant data handling capabilities.

Event Overview

On May 8, 2026, ANVISA published Portaria RDC No. 22/2026, formally incorporating in-vehicle AI voice interaction modules into its regulatory scope for cybersecurity of health-related devices. The regulation mandates compliance with ISO/IEC 27001-based penetration testing and ANSI/ISA 62443-3-3 security level certification. Chinese auto electronics exporters must complete these certifications within 120 days of the regulation’s effective date—or face exclusion from both the Brazilian OEM and aftermarket automotive supply chains.

Which Subsectors Are Affected

Direct Exporters of Auto Electronics

Chinese manufacturers exporting voice-enabled infotainment or telematics modules to Brazil are subject to immediate compliance obligations. Because the regulation applies to modules deployed in vehicles—regardless of whether they are embedded during manufacturing or added post-purchase—their products now fall under ANVISA’s medical-device-associated cybersecurity framework. Impact manifests as mandatory third-party certification, extended time-to-market, and potential re-engineering of firmware and cloud API interfaces to meet audit criteria.

OEM and Tier-1 Automotive Suppliers

Suppliers integrated into Brazilian vehicle assembly lines must verify that voice modules in their systems comply with RDC No. 22/2026 before delivery. Non-compliant modules may trigger contractual liability, shipment holds, or rejection by local OEMs—especially where voice functionality processes user health-related inputs (e.g., emergency voice commands, driver wellness monitoring). This adds a new layer to supplier technical documentation and quality assurance protocols.

Aftermarket Device Manufacturers and Distributors

Firms supplying plug-in or retrofit voice modules—including those marketed for fleet management or driver assistance—now require ANVISA-aligned certification. Since the regulation explicitly covers “aftermarket” applications, distributors risk customs delays or import bans if documentation does not demonstrate adherence to ISO/IEC 27001 penetration testing and ANSI/ISA 62443-3-3 requirements.

Cybersecurity Certification and Testing Service Providers

Third-party labs and consultants offering ISO/IEC 27001 or ISA 62443-3-3 certification services may see increased demand from Chinese exporters preparing for Brazilian market access. However, only test bodies accredited by INMETRO (Brazil’s national accreditation body) or recognized under mutual recognition arrangements with ANVISA are accepted—limiting viable options for many exporters unfamiliar with Brazil’s conformity assessment infrastructure.

What Enterprises and Practitioners Should Monitor and Do Now

Track official implementation guidance from ANVISA and INMETRO

Portaria RDC No. 22/2026 establishes the legal basis but defers technical implementation details—including acceptable test scopes, reporting formats, and transitional arrangements—to subsequent normative instructions. Enterprises should monitor ANVISA’s official portal and INMETRO bulletins for updates issued within Q3 2026.

Identify which product variants contain regulated voice functionality

Not all audio or speech-related features are captured; only modules enabling AI-driven voice interaction with potential health-data implications (e.g., voice-triggered emergency calls, biometric voice analysis, or integration with health-monitoring sensors) fall under the scope. Companies should conduct internal scoping reviews—notably distinguishing between basic voice command support and health-context-aware processing—before initiating certification.

Distinguish between regulatory signal and enforceable requirement

The 120-day deadline begins upon the regulation’s official entry into force, not its publication date. As of May 8, 2026, the effective date has not been separately announced in the Diário Oficial da União. Enterprises should confirm the official effective date before calculating compliance deadlines.

Prepare documentation and coordinate with certified testing partners early

ISO/IEC 27001 penetration testing requires evidence of information security management system (ISMS) implementation—not just one-off vulnerability scans. Firms should begin aligning internal development, cloud infrastructure, and data-handling policies with ISMS controls well ahead of formal testing. Concurrently, pre-qualify INMETRO-accredited labs familiar with automotive AI use cases to avoid bottlenecks.

Editorial Perspective / Industry Observation

This regulation reflects ANVISA’s broader strategic pivot toward regulating digital health-adjacent technologies—even when deployed outside traditional clinical settings. It is less a standalone enforcement action and more a signal that Brazil is aligning its regulatory posture with evolving global expectations for cybersecurity in connected medical- and health-relevant devices. ANVISA’s inclusion of voice modules suggests an interpretation of ‘health relevance’ that extends beyond direct diagnostics to include context-aware safety-critical interactions. From an industry perspective, this move is better understood as an early-stage policy signal than as an immediately executable compliance regime, given the absence of finalized technical annexes and enforcement timelines. Continued observation is warranted, particularly regarding how ANVISA defines ‘health-related data processing’ in voice module contexts and whether exemptions apply for modules without cloud connectivity or local data storage.

In summary, ANVISA’s RDC No. 22/2026 marks a material escalation in regulatory expectations for automotive electronics entering Brazil—not as general consumer goods, but as components bearing implicit health and safety responsibilities. Its practical impact remains contingent on forthcoming implementation rules, but its directional intent is unambiguous: cybersecurity compliance is no longer optional for AI-enabled vehicle interfaces with potential health implications. Currently, it is more appropriate to interpret this measure as a structural warning than a fully operationalized barrier—yet one requiring proactive alignment by affected stakeholders.

Source: ANVISA Portaria RDC No. 22/2026, published May 8, 2026. Implementation details—including effective date, scope clarifications, and accredited testing pathways—remain pending official release and are subject to ongoing monitoring.