Brazil's 2026 Criminal Law Reforms, What Corporate Compliance Officers and Senior Executives Need to Know

Last updated: 18 May 2026

Executive Summary, Criminal Compliance Brazil: What Changed and What to Do Now

Criminal compliance Brazil requirements shifted dramatically in May 2026. Three new federal laws, Law 15.358/2026, Law 15.397/2026 and Law 15.402/2026, combined with the government’s “Brazil Against Organized Crime” (Brasil Contra o Crime Organizado) enforcement program, have broadened corporate criminal exposure, stiffened penalties for executives, expanded the definition of cybercrime offences, and armed enforcement agencies with stronger interagency coordination powers. For General Counsel, chief compliance officers and board members of companies operating in or through Brazil, the reforms demand immediate action.

Here is what every compliance leader must know right now:

• Expanded corporate criminal liability. Law 15.358/2026 widens the scope of offences for which a legal entity, and its officers individually, can face criminal prosecution, and elevates the evidential weight of corporate compliance programmes in mitigation.
• New and broader cybercrime offences. Law 15.397/2026 expands the criminalisation of data-related conduct, creating new obligations around evidence preservation and incident response.
• Stronger seizure and forfeiture powers. Law 15.402/2026 strengthens asset seizure provisions in property and organised-crime cases, increasing supply-chain and third-party risk.
• Enforcement acceleration. The “Brazil Against Organized Crime” program prioritises interagency coordination between federal police, the Ministério Público Federal (MPF), the Office of the Comptroller-General (CGU) and financial regulators, making multi-front enforcement actions more likely.
• Immediate action required. Compliance officers should preserve evidence, refresh risk assessments, update compliance programmes and engage external criminal counsel within the first 72 hours of any suspected exposure under the new provisions.

Industry observers expect the practical effect of this legislative package to be a significant acceleration in white-collar crime compliance enforcement activity throughout 2026 and into 2027. Companies that wait to update their programmes risk being caught without the mitigating defences the new framework now formally recognises.

Key Legislative Changes, What Laws 15.358/2026, 15.397/2026 and 15.402/2026 Do

Law 15.358/2026, Corporate Criminal Liability and Executive Exposure

Law 15.358/2026 (Lei nº 15.358/2026) represents the most significant reform in the package. Published in the Diário Oficial da União in May 2026, the statute materially expands the catalogue of offences for which companies and their senior officers can be prosecuted under a dual-track liability framework. Previously, corporate criminal liability in Brazil was largely confined to environmental offences under Law 9.605/1998. Law 15.358/2026 extends the principle across a wider range of economic and financial crimes.

Key changes under Law 15.358/2026 include:

• Broader dual-track liability. Both the legal entity and individuals who authorised, directed or failed to prevent the relevant conduct can now face separate criminal proceedings for the same facts.
• Compliance programmes as mitigating factors. The statute formally recognises the existence and adequacy of a corporate criminal compliance programme as a factor that may reduce penalties, but it does not provide a complete defence or immunity.
• Increased executive exposure. Senior officers, directors and compliance officers face heightened personal criminal risk where investigations demonstrate that they had knowledge of, or the ability to prevent, the offending conduct.
• Enhanced penalties. Maximum custodial sentences and fine thresholds have been increased for several categories of economic crime, and disqualification orders for directors have been broadened.

The practical implication for compliance teams is straightforward: the adequacy and genuine operationalisation of a company’s criminal compliance programme is now a live forensic issue in any prosecution. Paper programmes will not suffice.

Law 15.397/2026 and Law 15.402/2026, Cybercrime, Property Offences and Organised Crime

Law 15.397/2026 expands and updates Brazil’s cybercrime framework. The statute broadens the definition of criminal conduct related to unauthorised access to computer systems, data manipulation and the fraudulent use of digital assets. It introduces new evidence-preservation obligations that affect companies directly: organisations that become aware of a data breach or cyber incident now face tighter timelines for preserving digital evidence and, in certain circumstances, for notifying authorities.

Law 15.402/2026 amends provisions relating to property crimes and organised criminal activity. The amendments strengthen asset seizure and forfeiture powers available to prosecutors and introduce broader definitions of complicity in organised crime. Early indications suggest that these provisions will increase risk for companies embedded in complex supply chains, particularly where third-party intermediaries or agents are involved in transactions later characterised as linked to organised crime.

The “Brazil Against Organized Crime” Program, Enforcement and Interagency Priorities

Launched alongside the legislative package, the government’s Brasil Contra o Crime Organizado program establishes a coordinated enforcement framework bringing together the Federal Police, the MPF, the CGU, the Central Bank and financial-sector regulators. The program’s stated priorities include combating financial fraud, corruption-related economic crimes and cybercrime, all areas where corporate actors may be drawn into investigations. The likely practical effect will be faster, multi-agency enforcement operations with broader investigative reach.

Corporate Exposure and Penalties Under Criminal Compliance Brazil Rules

Corporate Criminal Liability Mechanics, Corporate vs Executive Exposure

Under the reformed framework, corporate criminal liability in Brazil now operates on a genuinely parallel basis. Prosecutors can bring proceedings against the corporate entity, seeking fines, operational restrictions and debarment, while simultaneously pursuing individual criminal charges against officers and directors. The decision to prosecute the company does not depend on first securing a conviction against an individual, and vice versa.

Executive liability Brazil exposure now extends beyond the direct perpetrator. Officers in supervisory, compliance and governance functions may be charged where the prosecution establishes that they had sufficient knowledge, authority or duty to prevent the criminal conduct and failed to act. This “failure to prevent” dimension is the most consequential change for senior leadership teams.

Penalties Matrix, Fines, Disqualifications and Custodial Risk

Cross-Border and Secondary Exposures

Foreign parent companies with Brazilian subsidiaries or operations face secondary exposure. Where a Brazilian subsidiary is prosecuted, investigations may extend to the conduct of foreign officers who exercised decision-making authority over the relevant operations. Supply-chain participants, including foreign vendors, distributors and agents, face increased risk under the broadened organised-crime and complicity provisions of Law 15.402/2026. International companies should review their compliance frameworks for Brazilian operations as a matter of urgency.

Reform Timeline, Key Dates and Practical Effects for Companies

Immediate Decisions, Priority Actions for Criminal Compliance Brazil Teams

The 2026 reforms do not include long transitional periods. Companies must act now. Below is a structured decision framework for compliance officers and boards confronting either a known incident or the need to prepare for the new enforcement landscape.

Decision Checklist for Compliance Officers

1. Preserve evidence immediately. Issue a litigation hold across all relevant systems. Stop routine data-deletion schedules for any matter that may touch the expanded offence categories. Under Law 15.397/2026, failure to preserve digital evidence in a cyber incident may itself carry criminal consequences.
2. Stand up an internal investigation team. Appoint an investigation lead (ideally external counsel) and define the scope, mandate and reporting line. Ensure the team has access to IT forensic resources.
3. Assess voluntary disclosure triggers. Evaluate whether the facts warrant early engagement with prosecutors or regulators. Under the reformed framework, voluntary disclosure and cooperation can serve as mitigating factors in sentencing.
4. Engage external criminal counsel. Specialised criminal defence counsel should be engaged before any substantive contact with enforcement agencies. Internal legal teams should not attempt to manage potential criminal exposure without external specialist support.
5. Activate board notification and crisis protocol. Escalate to the board (or audit/risk committee) any matter that may give rise to criminal liability under the new provisions. Document the notification and the board’s response.

Board and Executive Escalation Thresholds

The following escalation timeline reflects best practice for criminal compliance Brazil programmes operating under the 2026 rules:

Boards that fail to document their response to escalated matters risk personal liability for directors under the “failure to prevent” provisions of Law 15.358/2026.

How to Update Your Criminal Compliance Programme, 10-Point Practical Checklist

The 2026 reforms make the adequacy of a company’s compliance programme a direct factor in mitigation. This means compliance programmes must be genuinely operational, not aspirational. Below is a 10-point checklist for updating white-collar crime compliance programmes to meet the new standard.

1. Refresh risk assessments. Conduct a law-specific risk assessment mapped to the expanded offence categories under Laws 15.358/2026, 15.397/2026 and 15.402/2026. Sector-specific risks (e.g., financial services, technology, infrastructure) should be identified and scored.
2. Update policies and codes of conduct. Revise the company’s code of ethics, anti-corruption policy and incident-response policy to reference the new criminal offences explicitly. Add a standalone cyber-incident policy if one does not already exist.
3. Strengthen third-party due diligence. Update vendor and agent onboarding processes to include criminal-compliance screening. Insert contractual audit rights and compliance warranties into all significant third-party agreements.
4. Enhance reporting and whistleblowing channels. Ensure that internal reporting channels are accessible, confidential and genuinely protected against retaliation. Under the new framework, the existence of functional whistleblowing channels is evidence of programme adequacy.
5. Implement monitoring and KPI tracking. Define compliance KPIs (investigation timeliness, case closure rates, training completion, audit findings) and report them quarterly to the board or audit committee.
6. Deliver targeted training. Board members, senior executives and employees in high-risk functions (finance, procurement, IT, legal) must receive training specifically addressing the 2026 reforms. Document all attendance and assessment results.
7. Ensure evidence preservation and IT forensics readiness. Establish protocols for litigation holds, data preservation and forensic imaging. Pre-engage a digital forensics provider so that response times are immediate in the event of an incident.
8. Build a sanctions and remediation escalation matrix. Define clear internal consequences for compliance failures, including disciplinary, operational and reporting escalation pathways.
9. Review insurance and indemnities. Confirm that D&O insurance policies and corporate indemnities cover criminal defence costs under the new offence categories. Notify insurers of the legislative changes and any material changes in the company’s risk profile.
10. Maintain comprehensive record-keeping and audit logs. All compliance programme activities, training records, investigation files, board reports, policy approvals, must be documented and retained in accordance with statutory retention periods. Complete records are the primary evidential foundation for demonstrating programme adequacy.

Sample Policy Extract Language

Companies may consider incorporating language such as the following into their updated compliance policies:

• Evidence preservation clause. “Upon becoming aware of any matter that may give rise to criminal, regulatory or civil liability, all employees and officers are required to preserve, and refrain from deleting, altering or destroying, any documents, data, communications or records that may be relevant to the matter. Failure to comply with this obligation may constitute a criminal offence under Law 15.397/2026 and will be treated as gross misconduct.”
• Compliance programme acknowledgement. “All directors, officers and employees acknowledge that the Company’s Criminal Compliance Programme is a material part of its governance framework. Adherence to this Programme is a condition of employment and appointment. The Company will rely on the existence and genuine operation of this Programme as a mitigating factor in any proceedings under Laws 15.358/2026, 15.397/2026 or 15.402/2026.”

Running Internal Investigations Brazil, Process, Privilege and Best Practice Under the 2026 Rules

Internal investigations are the first line of defence when a potential criminal compliance Brazil issue is identified. The 2026 reforms increase both the stakes and the procedural complexity of running such investigations, particularly where cybercrime or cross-border elements are involved.

Best practice for internal investigations under the new framework follows a structured sequence:

1. Define scope and mandate. Issue formal terms of reference specifying the investigation’s objective, scope, reporting line and authority to access documents and interview employees.
2. Appoint an independent investigation lead. Ideally, this should be external criminal counsel to maximise the potential for legal privilege to attach to investigation materials.
3. Preserve the chain of custody. All evidence, electronic and physical, must be collected, stored and tracked in a manner that is forensically defensible. Engage certified digital forensics specialists for any data extraction.
4. Conduct interviews under counsel supervision. Employee interviews should be conducted by or under the supervision of qualified legal counsel. Issue Upjohn-style warnings (adapted for Brazilian law) to clarify that counsel represents the company, not the individual.
5. Report findings and recommend remediation. The investigation report should be delivered to the board or audit committee with clear findings, liability assessments and remediation recommendations.

Privilege and Confidentiality in Brazil, Best Practice

Brazil’s legal professional privilege (sigilo profissional) framework differs materially from common-law litigation privilege. Attorney-client communications are generally protected, but the scope of protection for internal investigation materials, particularly documents created by non-lawyers or shared with third parties, is narrower than in jurisdictions such as the United States or the United Kingdom. To maximise privilege protection, companies should ensure that all investigation activities are directed by external counsel, that investigation reports are addressed to counsel and marked as privileged, and that distribution of investigation materials is strictly controlled. Early coordination between Brazilian counsel and counsel in the parent company’s home jurisdiction is essential where cross-border data transfers are anticipated.

Data and Cyber Incident Investigations

Where the investigation concerns a potential offence under Law 15.397/2026, immediate evidence preservation is critical. Companies should isolate affected systems without powering them down (to preserve volatile data), engage forensic specialists within hours, and assess regulatory notification obligations under both the criminal law and Brazil’s data protection law (Lei Geral de Proteção de Dados, LGPD). Industry observers expect enforcement agencies to scrutinise whether companies acted promptly and in good faith when assessing evidence preservation timelines.

Executive Defence and Crisis Management Playbook

When executive liability Brazil exposure materialises under the 2026 reforms, the response strategy must balance legal defence, corporate governance obligations and reputational risk. A well-prepared crisis management playbook should address three dimensions: legal posture, corporate communications and insurance.

When to Consider Voluntary Disclosure vs Contesting Enforcement

The reformed framework provides clear incentives for cooperation and voluntary disclosure, including sentencing mitigation for companies and individuals who come forward before enforcement action commences. However, voluntary disclosure is not always the optimal strategy. The decision depends on the strength of the available evidence, the likelihood that enforcement agencies will independently discover the conduct, the exposure of individual officers and the company’s appetite for the operational disruption that accompanies a cooperative investigation. External criminal counsel should conduct a privilege-protected assessment of these factors before any disclosure is made.

Insurance, Indemnities and the D&O Interface

D&O insurance policies must be reviewed urgently. Many existing policies were underwritten before the 2026 reforms and may not cover defence costs arising from the newly expanded offence categories. Companies should notify insurers of the legislative changes, confirm coverage for investigation costs (including internal investigation expenses), and verify that policy exclusions do not inadvertently bar coverage for the “failure to prevent” charges now possible under Law 15.358/2026. Corporate indemnities granted to directors should also be reviewed to ensure they remain enforceable and adequately funded in light of the higher penalty ceilings.

Practical Annexes and Templates

To support compliance teams in implementing the actions described in this guide, the following templates and tools should form part of every company’s criminal compliance Brazil toolkit:

• 10-point compliance programme checklist, a printable version of the checklist set out in Section 4 above, formatted for board presentation and annual review sign-off.
• Internal investigation terms of reference template, a model document setting out the scope, mandate, reporting line and authority of an internal investigation team.
• Board notification memo template, a structured memorandum for notifying the board or audit committee of a matter that may give rise to criminal liability, including recommended immediate actions and a timeline for next steps.
• Sample compliance policy clauses, the evidence-preservation and programme-acknowledgement clauses set out above, ready for insertion into company policies.

For bespoke versions of these templates tailored to your organisation’s structure and risk profile, or for an independent audit of your current criminal compliance programme, contact a specialist through the Global Law Experts directory.

Conclusion, Criminal Compliance Brazil Priorities for 2026

The May 2026 criminal-law package represents a step change in corporate criminal risk in Brazil. Companies that operate in or through the country must treat these reforms as an immediate governance priority, not a future compliance project. The three most urgent actions are: refreshing the criminal risk assessment against the expanded offence categories, ensuring internal investigation and evidence-preservation protocols are operational, and confirming that D&O insurance and corporate indemnities reflect the new penalty landscape. For tailored guidance, independent programme audits or defence representation under the 2026 reforms, explore the criminal practice area or find a specialist through the Global Law Experts directory.

Sources

1. Diário Oficial / Federal Law Repository, Official Legislative Texts (Planalto)
2. Diário Oficial da União
3. Office of the Comptroller-General (CGU) / Ministry of Justice, Government Portal
4. Mattos Filho, Compliance & Corporate Ethics (2026)
5. FAS Advogados, Compliance & Corporate Criminal Law Trends 2026
6. Demarest, Corporate Investigations Newsletter (March 2026)
7. JOTA, Compliance and Criminal Business Law Trends for 2026
8. Chambers Practice Guides, Crisis Management Brazil 2026