Summary
In September 2024, Brazil replaced its private security framework of 1983, Law 7,102/1983, with the publication of Law 14.967/2024, the Estatuto da Segurança Privada e da Segurança das Instituições Financeiras. The new statute has been in force since its publication, and it established a multi-year transition period for the sector to comply: providers have approximately three years from publication to fully meet the new requirements, with specific deadlines for minimum capital, technical staffing, and equipment standards staggered through 2026 and into 2027, depending on the service line.
On June 9–10, 2026, the federal government signed and published Decree 13.012/2026, the implementing regulation the statute had been waiting for nearly two years. The decree converts much of the law from general principle into an enforceable operational regime, with explicit penalties for clandestine providers and for the clients who engage them.
The New Legal Framework
Until the publication of the June 2026 decree, substantial portions of the statute existed without the operational detail required for consistent enforcement: the requirement for authorization was established, but the technical criteria governing staffing levels, equipment, insurance, and sanctions had not yet been defined. Decree 13.012/2026 addresses this gap and, in doing so, explicitly targets both clandestine operators and the parties that contract them.
Key Regulatory & Market Changes
The reform introduces several structural changes to the regulatory landscape.
Every company providing private security services — patrimonial guarding, armed escort, cash-in-transit, personal protection, risk management, or electronic monitoring — now requires prior authorization from the Federal Police, obtained and maintained through the GESP system (Gestão Eletrônica de Segurança Privada). Operating without this authorization constitutes a clandestine activity under the new framework.
Independent contractors and security cooperatives are no longer a lawful contracting structure. The law restricts the provision of these services to licensed legal entities, closing a channel that the market had previously relied upon for informal or temporary arrangements.
Minimum paid-in capital requirements now apply according to service type, functioning as a proxy for the provider’s financial standing. Indicative thresholds include approximately R$2 million for cash-in-transit operators, R$500,000 for general security providers (reducible to R$125,000 for companies whose personnel operate unarmed in patrimonial or event security), R$200,000 for risk-management firms and training schools, and R$100,000 for electronic monitoring companies, with an additional R$100,000 required for each additional licensed service line.
The scope of regulated activities has been expanded. Event security in spaces of public use, security on collective transport by road, river, or sea, electronic monitoring and CCTV operations, and access control at ports and airports are now formally included within the regulatory perimeter, in several cases for the first time.
Authorization is not granted on a permanent basis. It must be renewed periodically — every two years for most providers, and every five years for electronic monitoring companies — meaning a provider’s regularity at the time of contracting offers no assurance for the duration of the relationship.
Decree 13.012/2026 adds operational substance to these requirements: minimum staffing and vehicle levels by service category, mandatory insurance, standardized professional training with electronically issued certificates of national validity, more rigorous background-check criteria, and specific security-planning obligations for events expecting more than 1,000 attendees. The decree also grants the Federal Police clearer authority to suspend unlicensed operations and seize equipment used irregularly.
A Side Note: Standardization, or a Narrower Market?
The case made above assumes that tighter regulation translates into a more reliable market for buyers, and on its face, that is the stated purpose of the reform: fewer clandestine operators, clearer authorization, more predictable service quality. Whether that is also its net effect is a separate, and less settled, question.
The new framework brings a wide range of activities — from traditional armed guarding to electronic monitoring and risk-management consulting — under a single regulatory structure, with compliance demands that were largely shaped around the operating profile of large, established providers. It is reasonable to ask whether those same demands sit comfortably on smaller, specialized firms, including boutique risk consultancies and technology-driven security providers, whose cost structure looks nothing like that of a traditional guarding company. One plausible consequence, independent of whether it was an intended one, is a reduction in the number of independent or niche providers able to remain active in the market — which would function, in practice, as a limit on new entrants even without being framed that way.
This is not an obvious conclusion, and the data to confirm or dismiss it is still thin this early into implementation. But as the Federal Police authorization process consolidates around fewer, larger players over the coming renewal cycles, it is worth tracking whether the market is becoming safer, narrower, or both — and whether those two outcomes are as separable as the law assumes.
The Client’s Statutory Obligations
A central provision of the law, set out in its Article 3, establishes that contracting parties — companies, condominiums, shopping centers, and event organizers among them — may not adopt procurement models or competitive criteria that dispense with a prior assessment of the provider’s formal regularity. This is not a recommended practice. It is a statutory obligation placed on the buyer.
In practical terms, this provision ends the assumption that regulatory compliance is exclusively the provider’s responsibility. Where a contracting party engages a clandestine company, or a security professional operating without proper authorization, the resulting exposure is not confined to the provider. It extends to the party that signed the contract. Decree 13.012/2026 makes this explicit, establishing administrative penalties for both unauthorized providers and the parties that contract them.
This is the underlying logic of the reform: regulators cannot feasibly monitor every procurement decision made by every condominium board or corporate security department, so the statute shifts part of the verification burden to the point of contracting, where enforcement is more practicable.
The Operational & Legal Risks of Breach
The exposure created by this framework is neither theoretical nor limited to a single category of risk.
Contracting parties may face civil and administrative liability arising directly from the statutory duty to verify a provider’s regularity prior to engagement. Where a provider is later found to be unauthorized, the absence of prior verification weakens any defense the contracting party might raise.
In more serious cases, particularly those involving armed security services, exposure may extend to the criminal sphere, where an irregular provider’s conduct — for example, the use of firearms without proper registration or authorization to that company — creates a chain of responsibility reaching the contracting party.
Reputational risk should also be considered. Public association with a clandestine security provider, particularly following an incident, represents the kind of exposure that can affect an organization’s standing for an extended period, whether the contracting party is a shopping center, an event organizer, or a corporate security function.
Operational risk is equally relevant. A provider may have its authorization suspended or revoked during the term of a contract, whether through Federal Police enforcement, a failed renewal, or a capital shortfall, leaving the contracting party without coverage and requiring an urgent search for a replacement provider.

Compliance Framework & Due Diligence
Addressing this exposure does not require a complete redesign of procurement processes. It requires treating provider regularity as a recurring control rather than a single verification performed at the time of signing.
- Documentary due diligence. Prior to contracting, confirm that the provider’s Federal Police authorization is active and corresponds to the specific service being procured, that its registered capital meets the applicable threshold, and that no suspension or cancellation is pending.
- Contractual guarantees of continuous regularity. Include obligations requiring the provider to maintain its authorization throughout the contract term, with notice requirements in the event of any change in status and a corresponding termination right for the contracting party.
- Crisis protocols and periodic reporting as contractual deliverables. Given that providers handling large events are now required to maintain documented risk analysis and access-control planning, this documentation should be made available to the contracting party as part of the service, rather than treated as supplementary.
- Periodic reassessment. Re-verify provider regularity on a cycle aligned with the statutory renewal periods — two years for most providers, five years for electronic monitoring companies — rather than assuming continued compliance for the duration of the contract.
Conclusion
Law 14,967/2024, now given operational effect by Decree 13.012/2026, does more than modernize a framework dating from 1983 or raise standards for security providers. It redistributes part of the legal risk associated with provider irregularity to the contracting party. The Federal Police now has clearer tools, and an explicit mandate, to act against both unlicensed providers and the clients who engage them. Under the current framework, the party contracting private security services in Brazil is no longer a passive observer of the provider’s regulatory standing. Verifying that standing, and maintaining that verification over time, is now part of the contracting party’s own compliance obligations. Crucially, this regulatory net extends far beyond third-party procurement; it similarly transforms internal security operations (segurança orgânica), meaning corporations and residential condominiums that bypass vendors to run their own proprietary, in-house guarding teams are now subject to the exact same stringent Federal Police authorizations, oversight, and strict compliance liabilities.



