On Wednesday, May 21, Donald Trump canceled the signing of an executive order that would have established pre-launch federal review of AI models. Six days later, on May 27, the Brazilian Chamber of Deputies' plenary votes on the country's AI Legal Framework. The two largest regulatory economies in the Americas chose opposite paths in the same week — and Brazilian companies need to decide now where they stand.
The American executive order, titled "Promoting Advanced Artificial Intelligence Innovation and Security," would have required frontier AI developers to submit their models to a classified federal review up to 90 days before public release, with NSA involvement in security testing. The seven-page document was shelved hours before the official ceremony after direct calls to the president from Elon Musk, Mark Zuckerberg, and David Sacks, according to reporting by Axios, Semafor, and The Washington Post. Trump justified the move by saying the text "gets in the way" of American leadership over China.
Brazil moves in the opposite direction. Approved by the Senate in December 2024 and reported in the Chamber's Special Commission on May 19, 2026, PL 2338/2023 arrives at the plenary with a risk-tiered classification model inspired by the European AI Act, fines of up to R$ 50 million per violation, and possible suspension of activities, according to the text consolidated by rapporteur Aguinaldo Ribeiro.
The regulatory divergence that matters for Brazil
The American choice is to let self-regulation set the pace. The Brazilian — and European — choice is to establish obligations proportional to risk. For companies operating in both markets, which includes virtually the entire Brazilian tech sector, the result is a fragmented landscape where the same product can be unrestricted in the US and classified as "high risk" in Brazil.
Trump's argument that regulation slows the race against China resonates with parts of the private sector. But it hides an asymmetry: what is competitive friction for an American big tech is direct legal exposure for a Brazilian company adopting AI. Without international alignment, local compliance stops being optional and becomes the only parameter that matters.
What changes in practice if the Legal Framework passes on May 27
PL 2338 takes a tiered approach: regulatory intensity varies with the system's potential for harm. For applications classified as high-risk — including automated decisions in credit, healthcare, employment, public safety, and education — the text sets a specific set of obligations.
Among the main requirements documented in the bill and analyzed by law firms like Demarest and Barbieri Advogados are:
- Transparency about AI use in decisions affecting people
- Algorithmic impact assessment before deployment
- User's right to human review of automated decisions
- Reinforced data protection for training data
- Auditability, with logs that allow reconstructing how a decision was reached
For companies with mature privacy structures under LGPD, parts of these requirements are incremental. For the rest of the market, it is a step change.
Why the American signal does not remove Brazilian urgency
A quick read of the executive order's collapse is that the world has entered deregulation mode and Brazil can wait. The opposite is true: while Washington pulls back, ANPD keeps acting.
Recall the Meta case of 2024, when Brazil's National Data Protection Authority suspended the use of Brazilian data to train Llama, with daily fines of R$ 50,000 for noncompliance, as recorded in the preliminary decision published by ANPD itself. The episode showed that the Brazilian authority does not wait for its own regulatory framework to act — it uses LGPD as the basis.
In May 2026, Meta returned to the spotlight for another reason. Leaked audio from an internal meeting, reported by Common Dreams, eWeek, and The Week, revealed that the company collects employee activity on Gmail, GChat, the internal Metamate environment, and VSCode to train its models — while laying off about 8,000 people globally, with cuts confirmed in the Brazilian operation by Rio Times. More than 1,000 employees signed an internal petition demanding an end to the collection. Cases like this will keep reaching ANPD regardless of what Congress approves on May 27.
Risks of noncompliance
PL 2338 provides for graduated sanctions: warning, obligation to publish the violation, fines of up to R$ 50 million per infraction or 2% of revenue, and partial or full suspension of activities. The penalties stack with those already provided by LGPD, opening space for overlap in cases involving personal data. Add to that two risks that rarely enter the calculation: the reputational, with extended scrutiny from press and consumer protection bodies, and the contractual, since corporate clients have begun to require AI compliance clauses in B2B contracts.
Counterpoint: not everything is absolute urgency
The text of the Legal Framework may still change in the plenary. Points like the loosening of protected-content use for training, more precise definition of "high risk," and adaptation deadlines remain disputed, according to coverage by Portal Information Management and Mobile Time. Moving too early on assumptions can lead to reworked investments.
The recommendation, then, is not to build a complete compliance structure in four days. It is to start the mapping so the company arrives prepared when the text is consolidated.
Checklist for Brazilian leaders in the next 30 days
Based on the current PL text and ANPD practice, Entercast recommends five immediate moves:
- Inventory all AI systems in use or development, classifying them by the risk level in the PL (no risk, moderate risk, high risk)
- For potentially high-risk systems, start algorithmic impact assessment even before formal requirement, aligned with ANPD guidance in analogous cases
- Review contracts with foreign model providers to ensure transparency and auditability clauses compatible with the future framework
- Implement human review mechanisms in automated decisions affecting customers, employees, or candidates
- Designate a formal AI governance lead, even if combined with the DPO role, to concentrate interactions with ANPD and sectoral bodies
The takeaway
The collapse of the American executive order is not innovation winning over regulation. It is the confirmation that each regulatory bloc will tend its own ground, and that the era of converging global rules for AI ended before it began. For Brazilian companies, the only safe strategy is to treat the Legal Framework as base case and use the next 30 to 90 days to structure real, not just formal, governance.
If your company has not yet mapped where it stands exposed, this is the moment. Entercast can help structure that diagnosis and design the adaptation plan. Get in touch.
This article was published on May 23, 2026. Follow Entercast to stay ahead of the next developments.