Regulación de IA en Brasil — PL 2338/2023

Why Brazil's AI regulation is the regulatory anchor for Latin America The most common framing of Brazil's AI regulation describes it as a delayed implementation of EU AI Act principles in a Latin American context, often treated as a derivative…

Resumen ejecutivo

Why Brazil’s AI regulation is the regulatory anchor for Latin America

The most common framing of Brazil’s AI regulation describes it as a delayed implementation of EU AI Act principles in a Latin American context, often treated as a derivative regulatory exercise. The framing captures the structural inspiration and misses the regional significance entirely. Brazil is the regulatory anchor for Latin America’s AI governance, and the trajectory of PL 2338/2023 will shape how AI is regulated across South America for the next decade. Argentina, Chile, Colombia, Peru, and Uruguay are all monitoring the Brazilian process and will draw substantively from whatever framework finally emerges.

The dominant narrative reads PL 2338/2023 as a Brazilian adaptation of the EU AI Act — risk-tiered, with prohibited and high-risk categories, with administrative penalties and a coordinating regulator. The reading is correct as taxonomy and incomplete as architecture. Brazil’s choice is structurally distinct from both the EU AI Act and the other comprehensive AI regulatory regimes in three concrete ways. First, Brazil chose a National AI Regulation and Governance System (SIA) as a coordinated institutional framework rather than a single centralized AI regulator, where the EU created a multi-tier structure with EU AI Office plus national competent authorities, and Korea created MSIT as a single horizontal regulator. The Brazilian SIA reflects a deliberate regulatory federalism that respects existing sectoral regulator competence while creating coordination. Second, Brazil places the AI regulation explicitly on top of the LGPD foundation, with ANPD as both the LGPD enforcer and the proposed SIA coordinator, creating a unified personal data and AI regulatory architecture. Third, the legislative process has been extraordinarily participatory: 24 meetings, 14 public hearings, the Commission of Jurists’ 900-page report, and multi-stakeholder input from civil society, industry, and academia. This contrasts with the more contained legislative processes of the EU AI Act and the South Korean AI Basic Act.

This matters in three concrete ways. First, Brazil is the test case for whether comprehensive risk-based AI regulation can succeed in a major emerging economy with strong industrial policy ambitions and significant cross-border AI development relationships. Brazil cannot simply copy the EU AI Act’s enforcement intensity without compromising its industrial competitiveness, but it cannot adopt minimal regulation without losing alignment with major trading partners. PL 2338/2023 is the operational answer to that tension. Second, Brazil’s regulatory choices will substantively influence Argentina, Chile, Colombia, and other regional jurisdictions: the bill’s copyright provisions, civil liability rules, risk categorization, and SIA institutional design are explicitly referenced in regional drafts. Third, the LGPD plus PL 2338/2023 architecture creates a recognizable template for emerging economies: privacy law as the binding foundation, comprehensive AI regulation as the substantive overlay, sectoral regulators retaining vertical competence, with a coordinating authority for cross-cutting issues.

What makes Brazil’s 2025-2026 legislative cycle particularly significant is the legislative uncertainty itself. As of May 2026, PL 2338/2023 has been under review in the Chamber of Deputies for 14 months. Special committee hearings ran throughout 2025 and a floor vote is expected in early 2026, but no fixed enactment date has been announced. The political dynamics around the 2026 Brazilian elections, the Lula administration’s digital policy priorities, and the influence of US trade relationships under the Trump administration’s deregulatory posture all create significant uncertainty about both timing and final content. Organizations operating in Brazil must plan for a regulatory transition under conditions of genuine timeline ambiguity.

What Brazil represents in the global AI regulatory landscape, then, is the most carefully constructed risk-based AI regulation outside the EU, currently navigating its decisive legislative phase, and positioned to anchor AI governance across Latin America for the next decade. The rest of this reference treats both the proposed framework and the existing legal backbone (LGPD) as the dual operational reality.

The legislative trajectory: from Commission of Jurists to Chamber of Deputies

Understanding PL 2338/2023’s legislative trajectory matters because the participatory process explains both the bill’s substantive structure and the political dynamics shaping its final form.

Commission of Jurists (2022). In 2022, the Brazilian Senate established a Commission of Jurists led by Justice Ricardo Villas Bôas Cueva of the Superior Court of Justice. The Commission delivered a comprehensive 900-page report in December 2022 that became the substantive foundation for PL 2338/2023. The Commission’s work explicitly drew from the EU AI Act, the OECD AI Principles, the UNESCO Recommendation on the Ethics of AI, and the Council of Europe negotiations.

Senate process (May 2023 — December 2024). Senate President Rodrigo Pacheco introduced PL 2338/2023 in May 2023. The Senate’s Temporary Internal Commission on Artificial Intelligence in Brazil (CTIA) processed the bill through 24 meetings and 14 public hearings, with input from legal experts, industry stakeholders, and civil society organizations. The Senate approved the bill on 10 December 2024.

Chamber of Deputies process (March 2025 — early 2026 expected). The Senate forwarded the bill to the Chamber of Deputies on 17 March 2025. The Chamber initially referred the proposal to six standing committees: Labor; Culture; Education; Consumer Protection; Science, Technology and Innovation; and Constitution, Justice and Citizenship. Because the proposal was directed to more than three standing committees, the Chamber’s Internal Rules required the establishment of a special committee, which was created on 29 April 2025.

Special committee hearings (2025). The special committee took expert testimony throughout 2025 from civil society, industry, academic experts, and government officials. Particular attention focused on copyright provisions, civil liability rules, sectoral implementation, and the cost of compliance for Brazilian SMEs.

Floor vote and beyond (2026). A floor vote in the Chamber of Deputies is expected in early 2026. If approved with amendments, the bill returns to the Senate for reconciliation. If approved without amendments, it goes directly to the President for signature. Once enacted, secondary regulations follow within 18 months, defining operational details for AI audits, documentation, sectoral implementation, and enforcement methodology.

The proposed risk-based framework

PL 2338/2023 adopts a three-tier risk classification structurally inspired by the EU AI Act but with Brazilian-specific scope and obligations.

Tier 1: Excessive risk (prohibited)

AI systems that pose excessive risk to fundamental rights are prohibited. The category is intentionally narrow and includes:

  • Subliminal techniques that cause significant harm to physical or mental health
  • Exploitation of vulnerabilities of specific groups (children, elderly, vulnerable populations)
  • Social scoring by public authorities
  • Mass real-time biometric identification in publicly accessible spaces (with narrowly defined exceptions for serious crimes)
  • AI systems designed to undermine democratic processes

Prohibited applications cannot be developed, marketed, or deployed in Brazil regardless of the operator’s risk mitigation efforts.

Tier 2: High risk

High-risk AI systems are permitted but subject to stringent compliance obligations. The category covers AI systems used in:

  • Critical infrastructure (energy, water, transport, telecommunications)
  • Law enforcement (predictive policing, evidence analysis)
  • Justice administration (judicial decision support, sentencing assistance)
  • Credit scoring and financial services (lending decisions, insurance underwriting)
  • Employment (hiring, performance evaluation, termination)
  • Education (admissions, evaluation, educational opportunity)
  • Medical diagnosis and healthcare
  • Public services and government benefits determination
  • Migration, asylum, and border control
  • Democratic processes and elections

Additional sectors may be defined by ANPD or sectoral regulators based on criteria including impact on fundamental rights, vulnerable groups, systemic cybersecurity harm, and impact on the development of children and adolescents.

High-risk operators must:

  • Conduct algorithmic impact assessments prior to deployment and on an ongoing basis
  • Implement risk management systems with documentation
  • Ensure human oversight with meaningful review capability
  • Provide transparency and explainability for AI decisions
  • Establish incident reporting procedures
  • Implement bias mitigation mechanisms
  • Cooperate with ANPD or sectoral regulators on audits and corrective actions

Tier 3: Non-high/non-excessive risk

Low-risk AI systems are subject to general obligations focused on transparency, accountability, and basic rights protection. The compliance burden scales down significantly compared to the high-risk tier.

Civil liability and copyright provisions

Two features of PL 2338/2023 are particularly distinctive in international comparison: the civil liability framework and the copyright provisions.

Civil liability framework. The Senate-approved version of PL 2338/2023 includes detailed civil liability rules for damages caused by AI systems. The framework distinguishes liability among AI developers, AI providers, AI operators, and AI users, with allocation rules that depend on the role each played in the AI system’s deployment and use. The civil liability provisions create concrete legal exposure separate from the administrative penalty regime under Article 36, providing private remedies for individuals harmed by AI systems.

Copyright provisions. PL 2338/2023 addresses the use of copyrighted material for AI training, a topic of substantial debate during the Senate process. The Senate-approved text includes provisions on:

  • Authorization requirements for use of copyrighted material in AI training
  • Compensation mechanisms for rightsholders
  • Exceptions for research and educational purposes
  • Treatment of AI-generated outputs

The Brazilian copyright framework adds a Southern perspective to ongoing World Intellectual Property Organization (WIPO) discussions and provides a model that other Latin American jurisdictions may adapt.

INPI patent consultation (September 2025). Separately from PL 2338/2023, the National Institute of Industrial Property (INPI) launched a public consultation in September 2025 on AI-related patent applications, asking how Brazil should classify and define AI-related inventions, what evidence creators must provide for novelty, whether autonomously AI-generated inventions can receive patent protection, and how Brazil should align with international patent guidelines. The consultation signals Brazilian recognition that AI is both a governance challenge and a driver of innovation requiring updated IP infrastructure.

The institutional architecture: SIA and ANPD

The institutional architecture proposed by PL 2338/2023 reflects Brazilian regulatory federalism: distributed authority across sectoral regulators, with a coordinating system overseen by the existing data protection authority.

National AI Regulation and Governance System (SIA). The bill creates the SIA as a coordinated institutional framework rather than a centralized AI regulator. Under SIA:

  • Existing sectoral regulators retain primary competence within their sectors (BACEN for financial services, ANATEL for telecommunications, ANS for health insurance, CADE for competition)
  • A coordinating authority promotes coherence and addresses cross-sectoral issues
  • ANPD acts as the residual regulator for AI matters not clearly allocated to another authority
  • The exact governance structure of SIA, including expert committees and civil society participation, will be detailed in secondary regulations

Autoridade Nacional de Proteção de Dados (ANPD). Brazil’s National Data Protection Authority, established under the LGPD. ANPD has been progressively building AI-specific regulatory capacity since 2023, treating AI as a strategic priority within its mandate. ANPD’s principal AI-related responsibilities under the proposed framework include:

  • Coordination of the SIA
  • Residual regulation for AI matters not allocated to sectoral authorities
  • Enforcement of LGPD obligations as they apply to AI processing
  • Issuance of technical guidance on AI compliance
  • International coordination on AI regulation (OECD, Council of Europe, regional cooperation)

Existing sectoral regulators retain competence for AI uses within their domains. The Central Bank of Brazil (BACEN) supervises AI in financial institutions. ANATEL regulates AI in telecommunications. ANVISA regulates AI medical devices. The Securities Commission (CVM) governs AI in capital markets. CADE addresses AI’s competition implications. The Federal Public Ministry has prosecutorial authority over AI-related criminal matters.

Subnational frameworks. Goiás State Law No. 205/2025 is the first Brazilian state-level AI law, focused on promoting ethical, responsible, and innovative use of AI within state government operations. Other Brazilian states are likely to follow once PL 2338/2023 establishes the federal framework.

The LGPD operational backbone

While PL 2338/2023 awaits enactment, Law No. 13,709/2018 (LGPD — Lei Geral de Proteção de Dados Pessoais) remains the principal binding legal framework for AI uses involving personal data in Brazil. The LGPD substantively covers most AI applications because most AI systems process personal data.

Scope. The LGPD applies to any processing of personal data conducted in Brazil, by Brazilian organizations, or affecting Brazilian residents — including AI training, deployment, and inference involving personal data. The extraterritorial reach captures global AI vendors with Brazilian users.

Substantive obligations relevant to AI.

  • Lawful basis for AI processing: consent, legitimate interest, legal obligation, or other LGPD-recognized basis
  • Data minimization and purpose limitation in AI training data
  • Transparency about automated processing
  • Right to review of decisions made solely on the basis of automated processing
  • Data subject rights including access, correction, deletion, portability
  • Privacy Impact Assessments (RIPDs) for high-risk processing
  • Breach notification to ANPD and data subjects
  • Data Protection Officer (DPO) designation

Article 20 — automated decision rights. LGPD Article 20 provides data subjects with the right to request review of decisions made solely on the basis of automated processing affecting their interests, including decisions intended to define personal, professional, consumption, credit, or personality profiles. ANPD has issued substantive guidance on Article 20’s application to AI systems.

Penalty structure. LGPD penalties can reach R$ 50 million per infraction or 2% of Brazilian revenue, whichever applies. ANPD can also order: warnings; daily fines; publicization of violations; blocking or deletion of personal data; partial or full prohibition of activities related to data processing.

ANPD’s AI agenda. ANPD has progressively integrated AI-specific work into its regulatory agenda since 2023, including guidance on automated decision-making, algorithmic discrimination, and AI risk assessment under LGPD. This builds institutional capacity for ANPD’s eventual SIA coordination role under PL 2338/2023.

International alignment and regional influence

Brazil’s AI regulatory approach is structurally oriented toward international convergence with EU and OECD frameworks while serving as the regional anchor for Latin American AI governance.

EU AI Act. PL 2338/2023 is structurally inspired by the EU AI Act, with similar risk-tiered classification, prohibited applications, high-risk obligations, and administrative penalty architecture. The structural alignment facilitates Brazilian organizations’ compliance with both regimes through unified compliance programs.

OECD AI Principles. Brazil is an OECD adherent and active participant in OECD AI Policy Observatory work. PL 2338/2023 explicitly incorporates OECD AI Principles into its substantive framework, providing the international consensus floor for Brazilian AI regulation.

UNESCO Recommendation on the Ethics of AI. Brazil supported and endorsed UNESCO’s Recommendation, with its ethical foundations echoed in Brazil’s national AI strategy and PL 2338/2023’s substantive principles, particularly concerning inclusion, non-discrimination, and societal impact.

Council of Europe Framework Convention on AI. Brazil is not a Council of Europe member but has engaged with the Convention’s negotiations as an observer. Brazilian future engagement with the Convention’s substantive principles is likely as the framework matures.

Regional influence. Argentina, Chile, Colombia, Peru, and Uruguay are all monitoring the Brazilian legislative process. Argentina’s National AI Strategy and draft legislation, Chile’s AI Policy and 2024 draft AI law, Colombia’s CONPES AI policy, and similar regional efforts all draw substantively from Brazilian regulatory choices. Mercosur and CELAC regional bodies have also begun discussions on AI regulatory coordination, with Brazilian regulatory developments serving as the principal reference point.

ISO/IEC 42001. Brazil is an active participant in ISO/IEC JTC 1/SC 42 (Artificial Intelligence) through ABNT (Associação Brasileira de Normas Técnicas), Brazil’s national standards body. ISO/IEC 42001 alignment is referenced in Brazilian regulatory discussions as the principal international AI management system standard. INMETRO/ABNT certification regimes are expected to develop AI-specific certification offerings aligned with ISO/IEC 42001 over 2026-2027.

Intersections with other regimes

Five intersections shape how Brazilian AI regulation operates within the broader international AI regulatory architecture.

EU AI Act. Direct structural inspiration. Brazilian organizations operating in or selling AI to the EU are subject to the EU AI Act independently of Brazilian law. The structural similarity between PL 2338/2023 and the EU AI Act allows multinational organizations to build unified compliance programs satisfying both, with EU AI Act technical documentation and fundamental rights impact assessments substantially covering Brazilian high-risk obligations.

LGPD and ANPD. The principal binding personal data framework, with extraterritorial reach and penalties up to R$ 50 million or 2% of Brazilian revenue per infraction. AI uses involving personal data are subject to LGPD independently of PL 2338/2023’s eventual enactment. ANPD’s AI guidance under LGPD is the operational compliance reality today.

Sectoral regulators. BACEN, ANATEL, ANVISA, CVM, and other sectoral regulators apply existing mandates to AI within their domains. Sectoral compliance is operationally substantive and continues regardless of PL 2338/2023’s legislative timeline.

ISO/IEC 42001 and international standards. Increasingly referenced in Brazilian regulatory discussions and ABNT standards work. Cross-recognition of AI certifications (ISO/IEC 42001, INMETRO/ABNT standards) is expected to accelerate over 2026-2027, creating routes for trusted-AI labelling across Latin America.

Latin American regional coordination. Brazil’s regulatory choices substantively influence Argentina, Chile, Colombia, Peru, Uruguay, and Mercosur/CELAC discussions. Multinational organizations with regional Latin American operations should expect substantive convergence with Brazilian frameworks across the region over 2026-2030.

## ⚖️ How Zertia operates within the Brazilian AI regulatory environment

Built for Brazilian AI regulation compliance from day one

Accreditations and memberships: 🎖️ ANAB-accredited (US) · 🎖️ UKAS process (UK) · 🎖️ ENAC process (EU) · 🏛️ IAPP member · 🏛️ INCITS member · 🏛️ UKAI member · 📜 EU AI Pact signatory

Zertia is an ANAB-accredited AI management system certification body, with offices in Boston, Madrid, and London, and ANAB accreditation in the United States. Active accreditation processes are underway with UKAS (United Kingdom) and ENAC (Spain/EU). The Brazilian AI regulatory environment — comprehensive AI legislation in advanced legislative phase, LGPD as the operational binding backbone, ANPD as both LGPD enforcer and proposed SIA coordinator, regional anchor role for Latin America — makes accredited certification and standards-based assurance directly relevant for Brazilian organizations and for international organizations operating into the Brazilian market.

Certification — ISO/IEC 42001, AIUC-1, ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 22301. Accredited ISO/IEC 42001 certification is the most operationally significant AI governance asset available to Brazilian organizations seeking international assurance recognized in EU, UK, and US markets, and to international organizations seeking demonstrable AI governance positioning aligned with PL 2338/2023’s eventual obligations. ISO/IEC 42001 alignment maps substantively to PL 2338/2023’s high-risk obligations (impact assessments, risk management, human oversight, transparency, incident reporting, bias mitigation), with documentation usable for both LGPD compliance today and PL 2338/2023 obligations once enacted. ISO/IEC 27001 and ISO/IEC 27701 are the operational complements for LGPD personal information protection requirements administered by ANPD. AIUC-1 provides agent-level technical assurance for AI vendors operating in Brazilian enterprise markets.

Regulatory frameworks — EU AI Act Conformity Assessment, NIST AI RMF Attestation, ISO/IEC 23894 Risk Assessment, Algorithmic Impact Assessment, Pre-Certification Assessment. Algorithmic Impact Assessments structured to satisfy PL 2338/2023’s high-risk obligations (initial deployment, ongoing monitoring, substantial modification triggers), LGPD Article 20 review obligations, and parallel EU AI Act fundamental rights impact assessment requirements for multinational organizations. EU AI Act Conformity Assessment is operationally relevant for Brazilian AI organizations selling AI into the EU and for multinational organizations integrating Brazilian AI components into EU-bound AI systems, with structural alignment between Brazilian and EU frameworks reducing duplication.

Audit — AI Management System audits, High-Risk AI System audits, AI Model audits, EU AI Act audits, NIST AI risk audits. Independent audits structured to provide assurance evidence portable across Brazilian regulatory expectations (LGPD today, PL 2338/2023 once enacted), EU AI Act requirements, US state AI laws, and other Latin American jurisdictions as regional convergence develops. Particularly relevant for Brazilian multinationals with EU and US operations and for international organizations using Brazil as a regional hub for Latin American AI deployment.

Training — AI Governance, Data Governance, Privacy Governance through Zertia Academy. Programmes treat the Brazilian AI regulatory architecture explicitly, including PL 2338/2023’s three-tier framework, the SIA coordinated institutional structure, ANPD’s dual role under LGPD and proposed SIA, the existing LGPD operational backbone, sectoral regulator competences (BACEN, ANATEL, ANVISA, CVM), and integration with the EU AI Act and ISO/IEC 42001 for organizations operating across multiple jurisdictions. Particularly relevant for legal, compliance, and AI governance teams in Brazilian multinationals and in international organizations with Brazilian operations or Latin American supply chain integration. Available in Portuguese for Brazilian client engagements.

Zertia operates from Boston, Madrid, and London, with ANAB accreditation in the United States and active accreditation processes with UKAS and ENAC. Member of IAPP, INCITS, and UKAI. Signatory to the EU AI Pact.

🎯 Take action

🔍 Diagnose your gap 📊 Build the management backbone
Pre-Certification Assessment → ISO/IEC 42001 Certification →
Independent diagnosis against PL 2338/2023 high-risk obligations (Senate-approved Dec 2024), LGPD AI provisions, and ANPD/SIA expectations for organisations operating in Brazil. The accredited management system that operationalises Brazilian AI governance into auditable practice, with documentation that survives PL 2338 final passage and harmonises with EU AI Act exposure.

Discuss Brazilian AI regulation and Latin American AI governance positioning →

Regulación que entiendes es regulación que puedes convertir en ventaja competitiva.

¿No estás seguro de si este marco aplica a tu organización? Hablemos.