
Diogo Goebel, CEO

Brazil has just officially established the third generation of the National Information Security Policy (PNSI) with Decree No. 12,573, which institutes the National Cybersecurity Strategy (E-Ciber).
And, personally, while reading the text, I had the impression of seeing something we have awaited for years. Not because it is revolutionary, but because it formalizes what we have already seen in the field: security as an essential service, not as a technical accessory.
So, what does the E-Ciber define?
The E-Ciber is a high-level plan to guide how the country will protect its digital assets, all of them: infrastructure, systems, services, devices and, especially, data.
The scope covers the entire Federal Executive Power, but the decree makes it clear that States, Municipalities, and private companies operating Critical Infrastructures (financial sector, energy, health, telecommunications, transport, etc.) are likely to be directly impacted.
The strategic pillars of E-Ciber
The decree brings the strategy together in four major axes:
Protection and awareness of society
Ensure that the population, companies, and public agencies understand digital risks and can react to them. It is to raise the "minimum acceptable" level of security in the country.
Security and resilience in essential services
The most sensitive axis. We are talking about energy, telecom, health, finance, transport. The goal is simple: if there is an attack, the country needs to keep functioning.
Public-private cooperation
No organization resolves security alone. The decree reinforces the exchange of information and encourages national solutions. For those who work with technology, this is a sign of maturity: we are building internal capacity and reducing external dependencies.
Sovereignty and governance
This axis includes the creation of a National Cybersecurity Maturity Model. In other words: the government wants a clear yardstick to measure evolution. This tends to become a basis for audits, certifications, and contractual requirements.
Additional context: cybersecurity risk is perceived as systemic risk
Beyond the text of the decree, the topic gains even more relevance when we look outside of it.
In the Financial Stability Report of November 2025, the Central Bank highlights that cybersecurity incidents are already perceived as systemic risk by financial institutions. The document cites financial losses, weaknesses in the use of APIs, problems involving third-party suppliers, and even cases of employee co-optation.
In other words: recent incidents are not isolated cases; they reveal that the attack surface has grown and that essential controls have failed in part of the financial system.
This view reinforces the importance of E-Ciber as a benchmark for alignment: the country places security on the same level as critical infrastructure, and when this happens, the entire ecosystem (public sector, private sector, and academia) tends to evolve together.
Implementation of E-Ciber: open questions
In practice, the Decree defines the "north," but the most difficult part is still lacking: turning guidelines into something measurable. The Central Bank itself has been calling for this, pointing out that a good part of the institutions still suffer from weak controls, poorly managed external dependencies, and significant operational exposure.
From here, some questions arise that still have no clear answers:
How will supervision be carried out? Who audits? With what methodology?
Will there be any type of certification, conformity seal, or NIST/ISO-like model adapted for Brazil? Article 10 opens room for this.
Will there be goals, indicators, and real consequences for non-compliance? Without incentives and penalties, the strategy becomes just paperwork.
How can we ensure that the adoption of national solutions does not become just a generic guideline, but a real mechanism for strengthening the local industry?
These questions will determine whether E-Ciber becomes a transformative project or just another well-intentioned document.

The technical foundation: traceability, SBOM, and Zero CVEs
There is an important point that the decree does not explicitly state, but that is implied in any modern security strategy: maturity depends on solid fundamentals.
The execution of E-Ciber presupposes practices such as:
Clear traceability of components (supply chain intelligence);
Updated and verifiable SBOM;
Supply chains that are signed and auditable;
Artifacts with near-zero vulnerabilities.
These pillars are not just good practices: they reflect exactly the problems that regulatory bodies have been observing in real life, as the Central Bank pointed out by highlighting incidents involving APIs, third-party suppliers, and fragile supply chains. The technical maturity provided for in E-Ciber directly addresses these mapped vulnerabilities.
And it is precisely at this level that solutions like Quor fit in: facilitating the adoption of these standards from the very source of software, bringing predictability, consistency, and technical evidence to meet future governance requirements.
Next step: from decree to field, in Kubicast
This article is the introduction.
In the next Kubicast, we will talk to people who participated in the formulation of E-Ciber, to understand:
How to turn guidelines into auditable requirements;
How supervision will work;
Whether there is a path for national certification programs;
What changes for those who provide technology or operate critical services.
E-Ciber is the map. Now the most important part begins: traversing it.
References
Decree 12,573: https://www.in.gov.br/en/web/dou/-/decreto-n-12.573-de-4-de-agosto-de-2025-646200784
Financial Stability Report: https://www.bcb.gov.br/content/publicacoes/ref/202510/RELESTAB202510-refPub.pdf