Brazil's Central Bank and National Monetary Council have strengthened cybersecurity governance across the nation's financial system through two pivotal regulatory amendments published on December 18, 2025.
These resolutions represent a significant regulatory evolution driven by accelerating digitalization and the expanding operational demands of Pix, the country's instant payment system.
The two regulatory instruments—CMN Resolution No. 5,274/2025 and BCB Resolution No. 538/2025—modify existing cybersecurity frameworks established in 2021. The regulatory changes address both foundational cybersecurity policies and specialized security protocols for payment infrastructure operations.
The Central Bank explicitly framed these amendments as responses to increasing transaction volumes on the National Financial System Network (RSFN) and the need to align Brazilian financial institutions with international best practices for data protection and system resilience.
Mandatory Cybersecurity Controls
The new regulations mandate fourteen distinct procedures and controls that all regulated institutions must implement within their operational environments.
These include robust authentication mechanisms, encryption protocols, intrusion detection and prevention systems, and data leakage safeguards. Network protection measures, digital certificate management, and operational traceability systems form additional foundational requirements.
Notably, the regulations extend governance obligations to cyber intelligence operations, requiring institutions to monitor information relevant to their operations across internet channels, the Deep Web, and the Dark Web, as well as private communication groups.
This represents an expansion beyond traditional perimeter security into threat intelligence and external monitoring of channels the institution does not control.
The scope of required controls now explicitly encompasses systems developed or acquired from third parties.
Regulated institutions must establish governance frameworks ensuring that all technology systems deployed across their infrastructure—whether internally developed or procured externally—meet established cybersecurity standards.
Payment System Hardening
For institutions managing electronic communication on the RSFN, the regulations establish heightened security protocols specifically for Pix and the Reserve Transfer System (STR) environments.
These critical payment channels require multifactor authentication for administrative access, preventing reliance on single-factor credential mechanisms.
Physical and logical isolation of payment system environments from other institutional systems represents another central requirement.
Institutions utilizing cloud computing infrastructure must maintain dedicated instances segregating Pix and STR operations from broader corporate computing resources. This architectural separation reduces attack surface exposure and limits the blast radius of potential security breaches.
Credentials and digital certificates must be continuously monitored, particularly those deployed within the Instant Payment System infrastructure.
Institutions must implement mechanisms validating end-to-end transaction integrity before digital signature application, ensuring transactions maintain cryptographic authenticity throughout processing.
Cloud Services and Third-Party Oversight
The regulations formally designate electronic data communication services in the RSFN as relevant services subject to enhanced contracting standards and oversight.
This classification triggers comprehensive vendor management obligations including stringent risk management requirements and Central Bank supervision authority.
Institutions contracting data processing, data storage, or cloud computing services must extend cybersecurity policy compliance obligations to service providers through contractual mechanisms.
The regulatory framework establishes that vendor relationships cannot diminish institutional security posture or transfer regulatory responsibility away from the contracting entity.
Penetration Testing and Documentation
Annual penetration testing by specialized independent professionals now represents a mandatory compliance requirement rather than a discretionary security practice.
Institutions must document all vulnerabilities identified during testing and maintain comprehensive action plans for remediation. These records require preservation for a five-year period with availability for Central Bank inspection and audit.
This documentation requirement creates an institutional memory of security assessments and remediation efforts, enabling trend analysis and monitoring of vulnerability remediation velocity across time.
Implementation Timeline and Enforcement
Both resolutions entered into force immediately upon publication. However, the Central Bank provided institutions a ninety-day compliance transition period, establishing March 1, 2026 as the deadline for full implementation.
The Central Bank retains authority to issue additional regulatory guidance addressing specific implementation dimensions.
The regulatory text explicitly empowers the BCB to publish supplementary rules specifying technical requirements for system integration via electronic interfaces and establishing maximum allowable timeframes for recovery from operational disruptions.
Regulatory Context and Implications
These amendments represent evolution rather than revolution in Brazilian financial regulation. The original cybersecurity framework, CMN Resolution No. 4,893/2021, established foundational requirements for regulated institutions more than four years ago. The 2025 amendments build upon this established foundation, incorporating lessons from market development and emerging threat landscapes.
The regulatory amendments reflect Brazil's positioning within a broader international movement toward enhanced financial system resilience.
Central Bank communications specifically reference alignment with international best practices, suggesting coordination with regulatory peer institutions across other jurisdictions. This international alignment facilitates consistency for multinational financial institutions operating across multiple regulatory domains.
The emphasis on independent penetration testing and documented vulnerability management aligns with similar regulatory trends in developed financial markets.
Brazil's approach creates verifiable security posture transparency rather than relying upon self-assessment or proprietary vendor claims regarding infrastructure robustness.
The focus on Pix security reflects the payment system's operational criticality within Brazil's financial ecosystem. Since its implementation, Pix has become the dominant payment mechanism for domestic transactions, creating concentration risk from a systemic stability perspective.
Tightened controls on Pix infrastructure security protect not merely individual institutions but the broader payment ecosystem supporting Brazil's real economy.
The extension of cybersecurity governance to third-party systems addresses a critical vulnerability vector. Cloud computing adoption and external technology vendor relationships have expanded dramatically across the financial services industry, creating dependencies on entities outside direct institutional control.
Regulatory extension of governance requirements to vendor environments ensures that outsourcing technology functions does not create regulatory arbitrage or weaken overall security posture.
Financial institutions face substantial operational adaptation requirements to achieve compliance within the ninety-day implementation window. Organizations must audit existing cybersecurity policies against the fourteen mandatory control categories, conduct system architecture reviews to identify isolation gaps in payment system environments, establish or strengthen third-party vendor assessment programs, and implement independent penetration testing procurement processes prior to the March deadline.
Institutions with deficient documentation of prior security assessments face particular urgency in establishing baseline testing and remediation tracking protocols before the compliance deadline.
The regulatory amendments reinforce Brazil's regulatory commitment to financial system modernization and technological integration while maintaining supervisory oversight and security standards during periods of rapid system evolution.