
On May 6, 2026, Brazil’s National Health Surveillance Agency (ANVISA) issued RDC No. 112/2026, extending mandatory medical-device–level cybersecurity requirements to in-vehicle AI voice interaction modules. This regulatory shift directly impacts automotive electronics exporters—especially Chinese OEMs and Tier-2 suppliers—requiring ISO/SAE 21434 Tier-2 penetration testing reports from ANVISA-accredited laboratories for market access.
On May 6, 2026, ANVISA published Regulatory Directive RDC No. 112/2026. The directive formally includes in-vehicle AI voice interaction modules under its cybersecurity regulatory scope for medical-grade devices. It mandates that all auto electronics products entering the Brazilian market must submit a Tier-2 penetration testing report compliant with ISO/SAE 21434, conducted by an ANVISA-recognized laboratory. Public information confirms that leading Chinese automotive-grade chip and TBox manufacturers have initiated localized testing partnerships in Brazil.
These companies are directly subject to the new conformity requirement. Because the regulation applies at point-of-import, non-compliant products may face customs rejection or post-market withdrawal. Impact manifests in delayed shipments, increased certification lead times, and added third-party lab costs.
Tier-2 suppliers supplying components integrated into vehicles destined for Brazil now bear upstream responsibility for cybersecurity documentation. Their impact is procedural: they must generate—and often co-sign—ISO/SAE 21434 Tier-2 reports, even if final vehicle integration occurs elsewhere. This shifts verification burden earlier in the supply chain.
Service providers accredited—or seeking accreditation—by ANVISA face rising demand for Tier-2 penetration tests aligned with ISO/SAE 21434. The requirement specifies test execution by ANVISA-recognized labs, narrowing the pool of eligible vendors and increasing reliance on Brazil-based or ANVISA-authorized facilities.
RDC No. 112/2026 references ISO/SAE 21434 Tier-2 but does not define implementation criteria (e.g., threat modeling depth, evidence retention period). Companies should track upcoming technical annexes or FAQs from ANVISA to clarify expectations before initiating testing.
The regulation explicitly names ‘AI voice interaction modules’—not full infotainment systems or ADAS ECUs. Exporters should verify whether their product classification triggers the requirement (e.g., modules certified independently vs. embedded-only firmware), as scope interpretation will affect compliance effort.
While RDC No. 112/2026 is effective upon publication, enforcement timelines—including grace periods, transitional arrangements, or phased rollout—are not specified in the current text. Companies should treat this as a binding requirement for new submissions but verify whether legacy approvals remain valid during ongoing reviews.
Lead times for Tier-2 penetration testing under ISO/SAE 21434 can exceed 8–12 weeks. Since only ANVISA-recognized labs qualify, early engagement with confirmed partners (e.g., those named in ANVISA’s updated Laboratory Recognition List) avoids bottlenecks ahead of planned market entries.
This move signals ANVISA’s strategic alignment of automotive cybersecurity with health-tech risk governance—not a one-off compliance extension. By applying medical-device–grade scrutiny to voice modules, ANVISA treats human-machine speech interfaces as potential vectors for patient-relevant harm (e.g., misinterpreted emergency commands in connected ambulances or telehealth-enabled fleet vehicles). Analysis shows this is less about immediate enforcement volume and more about establishing precedent: it positions Brazil to scale similar requirements to other AI-driven vehicle subsystems in future updates. From an industry standpoint, it reflects growing divergence among regional cybersecurity frameworks—making harmonized global testing strategies increasingly difficult.

This regulation marks a formal escalation in Brazil’s approach to automotive cybersecurity governance, shifting from voluntary standards toward mandatory, medical-informed verification. It does not yet represent broad-based enforcement across all vehicle software, but rather a targeted, high-risk-use-case intervention. Currently, it is best understood as a jurisdictional compliance threshold for specific voice-centric hardware entering Brazil—not a de facto global benchmark, nor a near-term mandate for non-voice automotive AI functions.
Main source: ANVISA Regulatory Directive RDC No. 112/2026, published May 6, 2026.
Parts requiring continued observation: Enforcement timeline details, list of currently recognized laboratories, and official interpretation of ‘AI voice interaction module’ boundary conditions.


