
Decree No. 12,573 and the E-Ciber: why it matters and what really changes

Decree No. 12,573 formalizes the National Cybersecurity Strategy. Understand the pillars of E-Ciber, its impacts on essential services, and the challenges that still remain unresolved.

Diogo Goebel, CEO

Brazil has just made official the third generation of the National Information Security Policy (PNSI) with Decree No. 12,573, which institutes the National Cybersecurity Strategy (E-Ciber).

Personally, while reading the text, I had the impression of seeing something we had been waiting on for years. Not because it is revolutionary, but because it formalizes what we already saw in the field: security as an essential service, not as a technical accessory.

After all, what does E-Ciber define?

E-Ciber is a high-level plan that guides how the country will protect its digital assets, all of them: infrastructure, systems, services, devices and, above all, data.

The scope covers the entire Federal Executive Branch, but the decree makes it clear that States, Municipalities, and private companies operating Critical Infrastructures (financial sector, energy, healthcare, telecommunications, transport, etc.) are likely to be directly affected.

The strategic pillars of E-Ciber

The decree organizes the strategy into four major axes:

Society protection and awareness

Ensuring that the population, companies, and public bodies understand digital risks and can react to them. It means raising the "acceptable minimum" of security in the country.

Security and resilience in essential services

The most sensitive axis. We are talking about energy, telecom, healthcare, finance, transportation. The goal is simple: if there is an attack, the country must keep functioning.

Public-private cooperation

No organization solves security alone. The decree reinforces information sharing and encourages national solutions. For tech professionals, this is a sign of maturity: we are building internal capacity and reducing external dependencies.

Sovereignty and governance

Includes the creation of a National Cybersecurity Maturity Model. In other words: the government wants a clear yardstick to measure evolution. This tends to become the basis for audits, certifications, and contractual requirements.

Additional context: cyber risk is perceived as systemic risk

Beyond the text of the decree, the topic becomes even more relevant when we look outside of it.

In the November 2025 Financial Stability Report, the Central Bank highlights that cyber incidents are already perceived as systemic risk by financial institutions. The document cites financial losses, weaknesses in API usage, problems involving third-party vendors, and even cases of employee co-optation.

In other words: recent incidents are not isolated cases, they reveal that the attack surface has grown and that essential controls failed in part of the financial system.

This view reinforces the importance of E-Ciber as an alignment milestone: the country places security on the same level as critical infrastructure, and when this happens, the entire ecosystem—public sector, private sector, and academia—tends to evolve together.


E-Ciber implementation: open questions

In practice, the Decree defines the "north star," but the hardest part is still missing: turning guidelines into something measurable. The Central Bank itself has already been demanding this, pointing out that a large portion of institutions still suffer from weak controls, poorly managed external dependencies, and significant operational exposure.

From here, some questions arise that still lack a clear answer:

  • How will enforcement be conducted? Who audits? With which methodology?

  • Will there be some kind of certification, compliance stamp, or a NIST/ISO-like model adapted for Brazil? Art. 10 opens the way for this.

  • Will there be real goals, indicators, and consequences for non-compliance? Without incentives and penalties, the strategy becomes just paper.

  • How to ensure that the adoption of national solutions does not become just a generic guideline, but a real mechanism for strengthening the local industry?

These questions will define whether E-Ciber becomes a transformative project or just another well-intentioned document.


The technical foundation: traceability, SBOM, and Zero CVEs

There is an important point that the decree does not make explicit, but which is implicit in any modern security strategy: maturity depends on solid foundations.

The execution of E-Ciber assumes practices such as:

  • Clear traceability of components (supply chain intelligence);

  • Updated and verifiable SBOM;

  • Signed and auditable supply chains;

  • Artifacts with near-zero vulnerabilities.

These pillars are not just best practices: they reflect exactly the problems that regulatory bodies have already been observing in real life, as the Central Bank pointed out when highlighting incidents involving APIs, third-party vendors, and fragile supply chains. The technical maturity envisioned in E-Ciber speaks directly to these mapped vulnerabilities.

And it is exactly at this level that solutions like Quor fit in: facilitating the adoption of these standards right from the software’s origin, bringing predictability, consistency, and technical evidence to meet future governance requirements.


Next step: from decree to the field, on Kubicast

This article is just the introduction.

In the next Kubicast, we will talk to people who participated in the formulation of E-Ciber, to understand:

  • How to translate guidelines into auditable requirements;

  • How the auditing process will work;

  • Whether there is a path for national certification programs;

  • What changes for those who provide technology or operate critical services.

E-Ciber is the map. Now begins the most important part: walking it.

References

  1. Decree No. 12,573: https://www.in.gov.br/en/web/dou/-/decreto-n-12.573-de-4-de-agosto-de-2025-646200784

  2. PNSI: https://agenciagov.ebc.com.br/noticias/202508/governo-federal-institui-a-terceira-geracao-da-politica-nacional-de-seguranca-da-informacao

  3. Financial Stability Report: https://www.bcb.gov.br/content/publicacoes/ref/202510/RELESTAB202510-refPub.pdf

