Brazil AI Proposed Legislation: Risk-Based Compliance Assessment Guide

**Published: **3rd February 2025 Updated: 8th July 2025 to reflect the latest developments
Brazil's proposed AI legislation, Bill 21/2020, is a risk-based framework that would set proportionate obligations for AI systems according to their potential for harm, integrated with Brazil's existing data protection law.
Brazil is developing comprehensive AI legislation through Bill 21/2020 that would establish one of Latin America's most sophisticated AI governance frameworks, creating a risk-based approach with clear accountability measures and strong integration with Brazil's existing data protection law (LGPD). This proposed legislation positions Brazil as a regional leader in responsible AI governance while maintaining the innovation-friendly environment essential for Brazil's growing technology sector.
The Brazilian approach stands out for its comprehensive scope and integration with established data protection frameworks, creating coherent governance that addresses both AI-specific concerns and broader digital rights protections central to Brazil's digital development strategy.
Brazil's Proposed Risk-Based Framework
Comprehensive AI System Classification
Bill 21/2020 proposes a risk-based classification system that categorises AI systems according to their potential for harm, with proportionate obligations based on risk levels.
The classification approach recognises that different AI applications pose varying levels of risk to individuals and society, enabling targeted regulation that addresses the highest risks while avoiding unnecessary burden on lower-risk applications.
Risk classification considers factors including the AI system's application domain, potential impact on fundamental rights, and consequences of system failures or misuse.
This approach enables efficient resource allocation for both organisations and regulators while ensuring appropriate protection levels for different types of AI applications.
Proportionate Obligations by Risk Level
The proposed framework establishes different obligation levels based on AI system risk classification, creating scalable compliance requirements that match regulatory burden to actual risk.
High-Risk AI Systems High-risk applications would face comprehensive requirements including risk assessments, transparency obligations, human oversight mechanisms, and regular monitoring throughout the system lifecycle.
Medium-Risk AI Systems Medium-risk systems would have moderate requirements focusing on key protection areas while maintaining flexibility for innovation and operational efficiency.
Low-Risk AI Systems Low-risk applications would face minimal additional obligations beyond existing legal requirements, enabling continued innovation without unnecessary regulatory burden.
The proportionate approach ensures compliance efforts focus on areas where they can provide the greatest protection benefits while avoiding over-regulation of applications with minimal risk potential.
Regular Assessment Throughout Lifecycle
The proposed legislation requires ongoing risk assessment and compliance verification throughout AI system lifecycles rather than one-time compliance determinations.
This approach recognises that AI systems evolve over time through learning, updates, and changing deployment contexts that may affect their risk profiles and compliance requirements.
Regular assessment enables adaptive regulation that maintains appropriate protection levels as AI systems and their deployment contexts change over time.
Core Compliance Requirements Under Bill 21/2020
Transparency and Disclosure Obligations
User Notification Requirements The proposed legislation requires clear disclosure when individuals interact with AI systems, ensuring people understand when and how AI affects their experiences and decisions.
Disclosure requirements are tailored to different types of AI interactions, providing appropriate information without overwhelming users or disrupting legitimate business operations.
Transparency obligations extend beyond simple notification to include meaningful information about AI system capabilities, limitations, and potential impacts on users.
Documentation and Reporting Organisations must maintain comprehensive documentation of AI system design, operation, and impacts, with specific reporting requirements for high-risk applications.
Documentation requirements enable regulatory oversight while supporting organisational accountability and continuous improvement in AI governance practices.
Public reporting requirements for certain AI applications would enhance democratic oversight and public understanding of AI deployment across Brazilian society.
Accountability and Responsibility Framework
Clear Responsibility Assignment The legislation would establish clear frameworks for assigning responsibility for AI system development, deployment, monitoring, and outcomes throughout the AI lifecycle.
Accountability requirements ensure responsible parties can be identified and held accountable for AI system design decisions, operational choices, and outcomes affecting individuals and society.
The framework addresses complex AI supply chains where multiple parties contribute to system development and deployment, ensuring accountability doesn't get lost in technical complexity.
Incident Reporting and Response Organisations would be required to establish incident reporting systems that enable rapid identification and response to AI system problems or harmful outcomes.
Incident reporting requirements support both individual protection and systemic learning about AI risks and mitigation strategies across Brazilian AI development.
Response obligations require not just incident identification but also corrective measures and prevention of similar future incidents.
Liability Frameworks for AI Harm
Harm Prevention and Mitigation The proposed legislation establishes frameworks for preventing AI-related harm and providing appropriate remedies when harm occurs despite preventive measures.
Liability frameworks balance innovation incentives with appropriate protection for individuals and communities potentially affected by AI system operation or failure.
The approach considers both direct harm from AI decisions and indirect harm from system failures, misuse, or inappropriate deployment contexts.
Compensation Mechanisms The legislation would establish mechanisms for compensating individuals harmed by AI systems, ensuring access to remedies when preventive measures prove insufficient.
Compensation frameworks address the challenge of attributing harm to AI systems and determining appropriate remedies for different types of AI-related damage.
Data Protection Integration with LGPD
Coherent Data Governance
Brazil's proposed AI legislation integrates closely with the Lei Geral de Proteção de Dados (LGPD), creating coherent data governance frameworks that address both AI-specific and general privacy concerns.
The integration ensures AI systems comply with established data protection principles while addressing unique challenges of AI processing that may not be fully covered by traditional privacy frameworks.
Purpose Limitation and Data Minimisation AI systems must comply with LGPD principles requiring clear purposes for data processing and collection of only data necessary for those purposes.
Data minimisation in AI contexts requires careful consideration of training data requirements, ongoing learning needs, and operational data collection practices.
Data Subject Rights Preservation The framework ensures individuals maintain rights established under LGPD including access, correction, and deletion rights even when their data is processed by AI systems.
Implementing data subject rights for AI systems requires technical capabilities for explanation, modification, and deletion that may not be straightforward for complex AI applications.
Cross-Border Data Considerations
Brazil's approach addresses international data flows common in AI operations while maintaining appropriate protection for Brazilian personal data.
The framework supports Brazil's broader digital economy strategy that emphasises regional leadership while ensuring appropriate protection for Brazilian citizens' data and rights.
Understanding these requirements is essential for multinational organisations using Brazil as a regional hub or integrating Brazilian operations with global AI systems.
Brazil AI Legislation Readiness Self-Assessment
Business Context Assessment
Brazilian Operations:
☐ Operations in Brazil
☐ Serving Brazilian customers or residents
☐ Using Brazil as Latin American regional hub
☐ Planning expansion to Brazilian market
Core Compliance Assessment Questions
1. Risk-Based Classification Implementation How does your organisation classify AI systems according to risk-based frameworks similar to Brazil's proposed approach?
☐ No risk classification system for AI applications (0 points)
☐ Basic risk awareness but no formal classification (1 point)
☐ Informal risk assessment for some systems (2 points)
☐ Documented risk classification aligned with proposed Brazilian framework (3 points)
☐ Comprehensive risk classification with regular lifecycle reviews (4 points)
2. Transparency and Disclosure Capabilities How effectively does your organisation implement transparency requirements for AI interactions?
☐ No transparency measures for AI systems (0 points)
☐ Basic disclosure of AI use in some contexts (1 point)
☐ Transparency for most systems but gaps remain (2 points)
☐ Comprehensive transparency aligned with proposed Brazilian requirements (3 points)
☐ Advanced transparency framework exceeding proposed requirements (4 points)
3. Accountability Framework Implementation How clearly defined are accountability frameworks for your AI systems throughout their lifecycle?
☐ No specific accountability frameworks for AI (0 points)
☐ Basic responsibility assignment but gaps remain (1 point)
☐ Accountability frameworks for most systems (2 points)
☐ Comprehensive accountability aligned with proposed Brazilian framework (3 points)
☐ Advanced accountability with continuous governance and oversight (4 points)
4. LGPD Integration for AI Systems How well integrated are your AI governance procedures with Brazilian data protection (LGPD) requirements?
☐ No integration with LGPD compliance (0 points)
☐ Basic LGPD compliance but gaps with AI-specific requirements (1 point)
☐ Integration for most requirements but some gaps remain (2 points)
☐ Comprehensive integration with LGPD and proposed AI legislation (3 points)
☐ Advanced integration exceeding LGPD requirements (4 points)
5. Incident Reporting and Response How does your organisation handle incident reporting and response for AI systems?
☐ No incident reporting process for AI systems (0 points)
☐ Ad-hoc reporting with no formal process (1 point)
☐ Basic incident management but not comprehensive (2 points)
☐ Comprehensive incident reporting aligned with proposed Brazilian requirements (3 points)
☐ Advanced incident management with stakeholder communication and prevention (4 points)
6. Harm Prevention and Mitigation How does your organisation prevent and mitigate potential harm from AI systems?
☐ No specific harm prevention measures for AI (0 points)
☐ Basic risk mitigation but limited scope (1 point)
☐ Harm prevention for high-risk systems (2 points)
☐ Comprehensive harm prevention aligned with proposed legislation (3 points)
☐ Advanced harm prevention with proactive risk management (4 points)
Assessment Scoring Framework
Calculate Your Base Score:
Maximum possible points: 24 (6 questions × 4 points each)
Add up your total points from all applicable questions
Brazil AI Legislation Readiness Levels:
0-6 points: Early Stage (25% or below) - Fundamental framework development needed
7-12 points: Developing (26-50%) - Basic foundation with significant improvements required
13-18 points: Advanced (51-75%) - Strong preparation with refinements needed
19-24 points: Leading (76-100%) - Excellent readiness for Brazilian legislation
Strategic Implications for Latin American Operations
Regional Market Leadership
Brazil's comprehensive approach to AI governance positions the country as a regional leader in responsible AI development, creating opportunities for organisations that demonstrate excellence in Brazilian compliance.
The proposed legislation's sophistication often exceeds requirements in other Latin American territories, making Brazilian compliance a strategic investment in regional market access and leadership.
Understanding and implementing Brazilian requirements early can provide competitive advantages across Latin American markets where responsible AI practices increasingly influence business relationships and market access.
Innovation and Protection Balance
Brazil's risk-based approach specifically aims to balance innovation promotion with appropriate protection, creating opportunities for organisations that demonstrate responsible AI development while maintaining competitive advantages.
The proportionate framework enables organisations to focus compliance resources on highest-risk applications while maintaining flexibility for innovation in lower-risk areas essential for competitive positioning.
This balance creates opportunities for thought leadership in responsible AI development while maintaining innovation capabilities essential for technology leadership in Latin American markets.
LGPD Integration Advantages
Organisations already compliant with Brazil's LGPD can leverage existing data protection capabilities for AI governance, potentially reducing overall compliance complexity compared to developing entirely new frameworks.
The integration approach means organisations can build on established privacy compliance while adding AI-specific requirements, creating efficiency opportunities for companies with mature data governance capabilities.
Understanding how LGPD principles apply to AI systems enables organisations to anticipate Brazilian AI legislation requirements and prepare accordingly.
Regional Compliance Strategy
Latin American Market Integration
Brazil's approach often provides effective foundation for broader Latin American strategies where responsible AI practices increasingly influence regional business relationships and market access.
The comprehensive nature of Brazilian proposed legislation often exceeds requirements in neighbouring countries, making Brazilian compliance a strategic investment in regional market leadership.
Understanding how Brazilian requirements relate to other regional frameworks enables efficient multinational strategies. Our comprehensive global AI compliance assessment provides detailed guidance on integrating Brazilian requirements with other territorial obligations.
Cross-Border Data Governance
Brazil's framework addresses international data flows while maintaining appropriate protection for Brazilian data, supporting regional AI operations with Brazilian components.
This is particularly important for organisations using Brazil as a regional hub or integrating Brazilian operations with global AI systems serving multiple Latin American markets.
Expert Assessment and Strategic Recommendations
At VerityAI, our analysis of Brazil's proposed AI legislation reveals significant opportunities for organisations seeking to establish leadership in Latin American responsible AI development while maintaining innovation advantages.
The comprehensive risk-based approach rewards organisations that invest in sophisticated governance frameworks, creating competitive advantages through demonstrated commitment to responsible AI practices.
Our emerging markets compliance tools help organisations understand how Brazilian requirements integrate with other regional and global frameworks, supporting comprehensive Latin American market strategies.
Brazil's balanced approach provides excellent foundation for regional operations while enabling global market leadership through governance excellence.
Implementation Roadmap for Brazilian Legislation Readiness
Immediate Preparation Actions
Legislative Monitoring: Track Bill 21/2020's progress through the legislative process and prepare for implementation requirements as they become finalised.
Risk Classification Development: Begin developing risk assessment frameworks that can address Brazilian requirements once legislation is enacted.
LGPD Integration Assessment: Evaluate current LGPD compliance and identify gaps that would need addressing for AI-specific requirements.
Stakeholder Engagement: Engage with Brazilian regulatory consultation processes and industry associations to influence implementation approaches.
Medium-Term Implementation Strategy
Comprehensive Framework Development: Develop AI governance procedures addressing all proposed Brazilian requirements applicable to your AI applications.
Accountability System Implementation: Establish clear accountability frameworks that can demonstrate responsibility assignment throughout AI lifecycles.
Incident Management Enhancement: Implement incident reporting and response capabilities that meet proposed Brazilian standards.
Regional Strategy Development: Develop Latin American AI governance strategy that leverages Brazilian compliance for broader regional market access.
Long-Term Excellence and Leadership
Innovation-Compliance Integration: Develop AI development processes that embed Brazilian compliance requirements while supporting continued innovation and competitive advantage.
Regional Market Leadership: Leverage Brazilian compliance excellence for leadership position across Latin American markets through demonstrated responsible AI practices.
Global Framework Integration: Integrate Brazilian compliance with global AI governance strategies to create comprehensive multinational capabilities.
Getting Started with Brazilian Legislation Assessment
Understanding your organisation's readiness for Brazil's proposed AI legislation requires systematic evaluation across risk classification, transparency, accountability, and data protection integration areas. VerityAI's Brazil-specific assessment provides detailed gap analysis and actionable recommendations tailored to your AI applications and Latin American market objectives.
Evaluate your Brazilian AI legislation readiness with our comprehensive framework covering all aspects of Brazil's proposed risk-based requirements. Our assessment identifies specific opportunities for Latin American market leadership through responsible AI excellence.
Brazil's comprehensive approach to AI governance creates opportunities for organisations that invest in sophisticated frameworks while maintaining innovation leadership. Understanding and preparing for these requirements positions organisations for success across Latin American markets.
Frequently asked questions
What is Brazil's Bill 21/2020?
Bill 21/2020 is Brazil's proposed AI legislation, designed as a risk-based framework that would classify AI systems by potential harm and apply proportionate obligations accordingly. It has not yet been enacted, so requirements described here reflect the proposal rather than settled law.
Has Brazil's AI bill become law?
Not at the time of writing. Bill 21/2020 remains part of Brazil's legislative process, and organisations should monitor its progress rather than treat its provisions as current legal obligations.
How does the proposed law interact with LGPD?
The bill is designed to integrate with Brazil's existing data protection law, the LGPD, rather than duplicate it. AI-specific obligations would sit alongside established LGPD principles such as purpose limitation and data subject rights.
Who would the risk-based classification apply to?
The proposed classification would apply to organisations developing or deploying AI systems that affect people in Brazil, with obligations scaled to whether a system is assessed as high, medium, or low risk.
If you want support with this, VerityAI offers AI risk and compliance advisory.

Sotiris Spyrou
Sotiris Spyrou is the founder of VerityAI, a Responsible AI advisory for boards and AI-deploying businesses. With 27 years across agencies, global in-house roles, and the C-suite, he advises leaders on AI governance and risk, and on answer-engine visibility engineered without the dark patterns the rest of the industry is getting penalised for. He is the author of TRANSFORM, AI Moats, and Ethical AI.
Founder at VerityAI