On 18 December 2025, Brazil’s Central Bank (BCB) and National Monetary Council (CMN) issued new resolutions strengthening cybersecurity for financial institutions. The rules mandate 14 security controls, including encryption, intrusion detection, and monitoring of the Deep/Dark Web. Additional requirements apply to PIX and RSFN systems, cloud computing isolation, and annual independent intrusion tests. Institutions must comply by 1 March 2026.
On 19 November 2025, Colombia reinforced its legal framework to combat smuggling and the facilitation of smuggling, emphasizing risks, prevention, and corporate accountability.
The measures target unauthorized import/export practices and concealment of goods, with penalties escalating for goods exceeding statutory thresholds. Companies face heightened criminal liability for executives and representatives, even if goods are later regularized, alongside intensified enforcement by DIAN and the Prosecutor’s Office.
The framework underscores obligations for traceability, documentation, and internal compliance controls, while promoting employee training and reporting mechanisms. These actions aim to safeguard tax collection, fair competition, and economic integrity, signalling a strategic push toward stricter customs compliance and corporate governance.
On 22 November 2025, Brazil’s National Council for Advertising Self-Regulation (CONAR) introduced new rules to combat greenwashing in advertising. The changes cover biodiversity, climate change, and waste disposal, reinforcing the sector’s commitment to environmental protection.
Two new articles encourage responsible socio-environmental communication and set guidelines for sustainability claims and technical terminology.
Advertisers must provide detailed data on emissions, carbon offsets, and product life cycles, along with specific deadlines and action plans for environmental goals. These changes aim to ensure transparency and prevent misleading sustainability claims.
On 8 October 2025, Brazil’s Superior Court of Justice (STJ) issued a binding precedent on the criminal offense of pollution under Article 54. The ruling, delivered through Special Appeal under the system of repetitive appeals, clarifies that the offense is of a formal nature and constitutes an abstract danger crime. It establishes that potential harm to human health is sufficient for liability, without requiring proof of actual harm or technical expertise. Evidence may be provided through any suitable means. This precedent simplifies prosecution and will guide lower courts nationwide, reinforcing environmental compliance obligations.
The Brazilian Data Protection Authority (ANPD) has become an autonomous regulatory agency with expanded powers under Provisional Measure No. 1.317/2025 and Decree No. 12.622/2025. It now oversees digital protections for children and adolescents, including enforcing court orders, setting security standards, and coordinating with other agencies. The ANPD can issue regulations, supervise entities, and ensure proportional obligations for tech providers, prioritizing children’s rights and data protection in digital environments.
Organizations domiciled in Colombia can now adopt the international standard ISO/IEC 42001:2023, which will make them among the first organizations in Latin America to have a certifiable standard for the responsible management of artificial intelligence (AI) systems.
Colombia has adopted ISO/IEC 42001:2023, becoming the first country in Latin America to implement a certifiable international standard for AI systems. This standard promotes responsible AI governance, transparency, and risk management. It aligns with Colombia’s national AI strategy and offers competitive advantages for organizations, including global recognition and regulatory compliance. The standard covers AI-specific risk assessment, operational controls, and integration with other ISO standards.
On 5 September 2025, the European Commission published the Draft Adequacy Decision recognizing Brazil as a country that ensures an adequate level of protection for personal data, pursuant to Article 45 of the General Data Protection Regulation (GDPR). This proposal marks the beginning of the formal procedure to authorize the transfer of personal data from the European Union to Brazil without the need for additional safeguards, effectively treating such transfers as equivalent to those occurring within the EU.
On 13 August 2025, Mexico’s Ministry of Economy launched an anti-dumping investigation into adult bicycle imports from China, citing price discrimination from 2022–2024. Five Mexican companies filed the petition, and 261 importers/exporters are named. The probe may lead to countervailing duties if injury to domestic producers is confirmed. Interested parties must submit evidence by 23 September 2025, with possible extensions.
Colombia’s Law 2502 of 2025 adds an aggravating factor to identity theft committed using AI, increasing penalties and formally recognizing deepfakes. It mandates traceability systems and coordinated public policy to address AI-related crimes. The law also strengthens biometric data protections, requiring explicit consent and strict processing safeguards. Implementation begins July 2026, reflecting Colombia’s commitment to digital ethics and cybersecurity.