BCB and CMN Establish Additional Cyber Security Requirements

In brief

On December 18, 2025, the Central Bank of Brazil (BCB) published CMN Resolution No. 5,274/2025 and BCB Resolution No. 538/2025, both amending previous rules on cybersecurity and requirements for contracting cloud processing, storage and computing services for institutions regulated by the BCB. CMN Resolution No. 5,274/2025 amends CMN Resolution No. 4,893/2021, while BCB Resolution No. 538/2025 amends BCB Resolution No. 85/2021.

Additional cyber security requirements (CMN 5.274/2025 and BCB 538/2025)

According to the Central Bank of Brazil, the new regulations seek to strengthen the security of the data communication infrastructures and payment systems of the National Financial System (SFN) and the Brazilian Payment System (SPB), in response to the growing digitalization of the sector and the implementation of Pix, which has increased traffic on the National Financial System Network (RSFN).

Regarding the cyber security policy of regulated institutions, the new regulation details 14 procedures and controls that must necessarily be adopted by institutions to reduce vulnerability to incidents and meet other cyber security objectives, including authentication, encryption mechanisms, mechanisms for prevention and detection of intrusions and of information leakage, traceability mechanisms, network protection mechanisms, digital certificate management and intelligence actions in the cyber environment, including monitoring information of interest to the institution on the Internet, the Deep Web and the Dark Web, as well as private communication groups. Procedures and controls must also be implemented in relation to third-party systems used on the institution’s computer resources.

In the case of electronic data communication on the RSFN, the regulations provide for additional security requirements that must be adopted by institutions as part of their cybersecurity procedures and controls, including multiple authentication factors for administrative access to the PIX and Reservation Transfer System (STR) environments, physical and logical isolation of the Pix environment and the STR environment from other systems of the institution, maintaining a dedicated instance separate from the other environments in case of cloud computing services, monitoring credentials and digital certificates, especially those used within the scope of the Instant Payment System (SPI), implementing mechanisms to validate the end-to-end integrity of transactions before digitally signing the associated messages, among others. In addition, the electronic data communication services in the RSFN were expressly considered relevant services for purposes of triggering the applicability of the regulation and obligations regarding the contracting of cloud processing, storage and computing services.

The new resolutions also require annual intrusion tests to be carried out by a specialized independent company, with mandatory documentation of vulnerabilities and action plans. The BCB may publish additional regulations, including specifying technical requirements for integrating systems via electronic interfaces and maximum deadlines for restarting interrupted activities.

Entry into force

Both resolutions entered into force on the date of publication (12/18/2025), with a deadline for full compliance by institutions until March 1^st, 2026.