The Brazilian Internet Civil Rights Framework has just received its most significant regulation since 2016.
With the publication of Executive Order No. 12,975/2026 on 21 May 2026, the Executive Branch set out a new regulatory landscape for companies operating in the Brazilian digital market, centred on stricter governance and liability obligations for internet application providers. The Executive Order enters into force in sixty days and inaugurates a phase of greater governance requirements and transparency between digital platforms, users, and the Brazilian Government.
The provision's most impactful element mandates that internet application providers establish and maintain a registered office and legal representative within Brazil, with that representative's contact information readily accessible on the provider's website or application.
The measure has significant practical effects, as it shortens the operational distance between Brazilian authorities and companies that supply digital services in the country even where those companies are incorporated abroad, a tension that came into sharp focus during recent disputes between Supreme Court Justices and X over governance requirements and compliance with judicial decisions. The Executive Order seeks to address precisely that conflicting relationship.
Accordingly, the legal representative must hold effective powers to act on behalf of the provider in both administrative and judicial proceedings. This includes responding to public authorities, furnishing information on how the platform operates, explaining moderation rules, transparency reports, systemic risk management mechanisms, and the criteria used for profiling, advertising, and content amplification, as well as complying with judicial orders and bearing penalties, fines, and any other financial consequences imposed on the represented entity.
The Executive Order also sets out three further obligations that round out the new regime of duties applicable to application providers. The first is the maintenance of a permanent, accessible, and functional reporting channel, intended in particular for the flagging of criminal or unlawful content.
The second requires providers to adopt measures to curb artificial distribution networks for such content, including inauthentic amplification structures, automated accounts, and coordinated dissemination mechanisms.
The third imposes on providers a duty to adopt the means necessary to ensure the security and transparency of their services—a broadly worded provision that grants significant interpretative leeway to the enforcement authority. In practice, the new regulation creates a series of governance obligations that should be regarded as robust and difficult to implement, given that not every application provider operating in the country possesses infrastructure and financial resources comparable to those of Big Tech.
Another notable point concerns liability for systemic failure. Under the rules, there is a clear shift in the axis of platform civil liability towards a model that draws on the logic of the duty of care. The provider thus becomes liable where it fails to promptly remove content falling within an exhaustive list of crimes, such as terrorism, incitement to suicide, incitement to discrimination and racism, crimes against women, and sexual crimes against children and adolescents.
The characterisation of systemic failure, however, does not depend on the isolated existence of unlawful content. The regulation's articles are explicit in rejecting that reading, indicating that isolated cases will continue to be handled under the ordinary notice-and-takedown regime. What will be required of the platform is evidence that it has adopted adequate measures, in accordance with the state of the art, capable of delivering high levels of security and inhibiting the mass circulation of such content. The assessment falls to the competent authority, the Brazilian Data Protection Agency, on the basis of supervision and periodic review.
The Executive Order also formalizes a procedure for extrajudicial notifications addressed to providers. For example, it establishes the minimum requirements for a notification to be valid: the notifying party must indicate the conduct that is potentially criminal or unlawful, supply elements that allow the specific location of the content to be identified, and present its own identification. For crimes such as defamation, libel, and slander, the Executive Order preserves the logic of Article 19 of the Marco Civil da Internet, as construed by the Brazilian Supreme Court in its ruling on Theme 987 (which has not yet become final and binding).
The regulation will also become stricter for advertisements and boosted content, as it provides for a presumption of provider liability where unlawful content is conveyed through advertisements, paid amplification, or artificial distribution networks, even absent prior notice. To rebut that presumption, the provider must demonstrate that it acted diligently and within a reasonable timeframe to render the content unavailable.
Finally, the Brazilian Government assigns to the Brazilian Data Protection Agency (local acronym ANPD) the competence to regulate and enforce the duties applicable to application providers. The institutional weight of this choice is significant. By concentrating supervision of this new regime in the ANPD, the regulation reinforces its position as the central regulator of the Brazilian digital environment and broadens its remit beyond personal data protection in the strict sense.
In sixty days, therefore, three priority compliance fronts will demand immediate attention from companies operating in the digital environment. The first regards corporate governance. Foreign providers without a Brazilian establishment will need to assess the setting up of a representative structure in the country, with sufficient powers to respond to authorities, comply with orders, and bear the administrative, judicial, and financial consequences arising from their operations in the Brazilian market. The second is operational. Terms of service, reporting channels, notification and contestation flows, moderation policies, transparency reports, and systemic risk management mechanisms will all need to be reviewed. The third concerns advertising. Platforms that offer advertisements and paid amplification will need to revisit their contracts with advertisers, in particular the liability framework. Paid media governance ceases to be a purely commercial issue and becomes part of the regulatory risk matrix for platforms.
Ultimately, the new regulation consolidates an objective message from the current federal administration, which has consistently pursued greater regulation and oversight of the digital environment: anyone operating digitally in Brazil must be legally present in Brazil.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.