Regulatory

ANCI expands the list of Vital Importance Operators: you have 30 days to act before the classification becomes final

ANCI expanded the list of Vital Importance Operators on April 24, 2026, granting the included entities 30 calendar days to submit observations and provide evidence. The expansion covers strategic sectors such as transportation, energy, telecommunications, health, and digital infrastructure, among others, and may lead to a final classification that carries reinforced obligations for cybersecurity, risk management, incident response, and reporting to the National CSIRT. Companies should verify whether they are included, assess whether to submit observations within the deadline, and conduct a cybersecurity maturity diagnostic to be prepared in the event of a possible classification.

2026-04-29, by Jorge Lama Navarro

On April 24, 2026, the National Cybersecurity Agency (ANCI) published in the Official Gazette the resolution containing the second preliminary list of entities susceptible to being classified as Vital Importance Operators (OIV), within the framework of Law No. 21,663 (Framework Cybersecurity Law) and its regulation, Supreme Decree No. 285/2024. If your company provides services in sectors such as transportation, energy, telecommunications, health, or digital infrastructure and was not yet notified in the first round of 2025, this second stage may change that scenario — with a 30-calendar-day deadline to submit observations that is already running.

What changed

The OIV classification process began in 2025 with a first preliminary list. This second stage expands its scope. The resolution published on April 24, 2026 incorporates new public and private entities linked to strategic sectors that were not included in the first list — or that, being considered in the original framework of the law, had not yet been formally integrated into the process.

The sectors that now enter the radar include transportation and distribution of fuels; supply of potable water and sanitation; land, air, rail, and maritime transportation, together with their associated infrastructure; concessionaires of public services; administration of social-security benefits; postal and courier services; and production and research of pharmaceutical products. To that are added the sectors that were already defined in the law but that did not appear in the first list: electricity generation and distribution, telecommunications, digital infrastructure, IT services, health providers, and State agencies.

The included entities have 30 calendar days from the publication of the resolution to formulate observations and provide the evidence they deem pertinent, in accordance with article 13 of Supreme Decree No. 285/2024. The same resolution begins a public-consultation process: ANCI must enable an electronic platform for that consultation, according to article 11 of the same decree.

The consequence of a possible final classification as an OIV is no small matter. It marks the move from a general cybersecurity standard to a reinforced regime with specific obligations of risk management, incident response, operational continuity, and mandatory reporting to the National CSIRT.

What it may mean for your company

The starting point is the list. If your company appears on it, the deadline is already running from April 24, 2026 — which means the expiration falls approximately in the third week of May 2026. Not formulating observations within the deadline does not mean tacitly accepting the classification, but it does limit the ability to influence the foundations of the process.

The decision whether or not to submit observations first requires a technical and legal assessment: does your company effectively meet the OIV criteria defined in Law No. 21,663? Does the available evidence (operational, technical, regulatory) support a well-founded challenge, or does the profile fit what the law defines as a vital importance operator?

There is another angle that matters regardless of the previous answer. If the final classification arrives, the requirements that will be activated are no small matter: internal cybersecurity governance, formal risk-management plans, incident detection and response protocols, operational-continuity standards, and mandatory reporting to the National CSIRT within deadlines more demanding than those of the general standard. Companies that operate in strategic sectors without having mapped their level of maturity in these matters will face a significant gap.

The gray area is in the limits of the concept of "essential service." The law defines OIV in terms of impact thresholds, but the concrete application to each entity depends on factors that may vary: operational scale, geographic coverage, interdependence with other infrastructures. Not every company in the energy or telecommunications sector automatically qualifies. But if your company has not done that analysis, the time to do it is now — not after the classification is final.

The process also has a dimension that is often overlooked: the public consultation. ANCI must enable a platform to receive observations from the general public on the list. That opens a broader window of participation, but it does not replace the right, and the deadline, of the entities directly included in the list.

Do you know whether your operation fits the OIV criteria of Law 21,663 or whether you have evidence to challenge the inclusion? Schedule a technical and legal assessment while the deadline is still running.

What you can do

If your company appears in the second list or belongs to any of the mentioned sectors, three actions are a priority at this moment:

  1. Verify whether your company is included in the resolution published on April 24, 2026 and review the technical and regulatory foundations of that inclusion. The resolution is available in the Official Gazette and on the ANCI platform.
  2. Assess the advisability of formulating observations within the 30-calendar-day deadline. That assessment must combine the legal analysis of the fit with the OIV criteria, the gathering of operational and technical evidence, and the strategic decision on whether or not it is advisable to participate actively in this stage of the process.
  3. Conduct a cybersecurity maturity diagnostic regardless of the outcome of the classification process. If the final classification arrives, the time to implement governance, risk management, incident protocols, and continuity plans is before — not after. Companies that reach the final classification with that work done reduce the compliance gap and the regulatory risk.

If any of these fronts raises questions (the inclusion in the list, the observations, or your level of cybersecurity maturity), a 30-minute diagnostic session is enough to size up your gaps.



This content is informational and does not constitute legal advice for a specific case.
