In brief
On 18 December 2025, the Central Bank of Brazil (BCB) published National Monetary Council (CMN) Resolution No. 5,274/2025 and BCB Resolution No. 538/2025, both amending earlier rules on cybersecurity and on the requirements for contracting cloud processing, storage and computing services for institutions regulated by the BCB. CMN Resolution No. 5,274/2025 amends CMN Resolution No. 4,893/2021, while BCB Resolution No. 538/2025 amends BCB Resolution No. 85/2021.
Additional cyber security requirements (CMN 5,274/2025 and BCB 538/2025)
According to the Central Bank of Brazil, the new regulations seek to strengthen the security of the data communication infrastructures and payment systems of the National Financial System (SFN) and the Brazilian Payment System (SPB), in response to the growing digitalization of the sector and the implementation of Payment Instant eXchange (PIX), which has increased traffic on the National Financial System Network (RSFN).
Regarding the cyber security policy of regulated institutions, the new regulation details 14 procedures and controls that must necessarily be adopted by institutions to reduce vulnerability to incidents and meet other cyber security objectives, including authentication, encryption mechanisms, mechanisms for prevention and detection of intrusions and of data leakage, traceability mechanisms, network security mechanisms, digital certificate management and intelligence activities in the cyber environment, including monitoring information of interest to the institution on the internet, the Deep Web and the Dark Web, as well as private communication groups. Procedures and controls must also be implemented in relation to third-party systems used on the institution's computer resources.
In the case of digital data communication on the RSFN, the regulations provide for additional security requirements that must be adopted by institutions as part of their cybersecurity procedures and controls, including multiple authentication factors for administrative access to the PIX and Reserves Transfer System (STR) environments, physical and logical isolation of the PIX environment and the STR environment from other systems of the institution, maintaining a dedicated instance separate from the other environments in the case of cloud computing services, monitoring credentials and digital certificates, especially those used within the scope of the Instant Payment System (SPI), and implementing mechanisms to validate the end-to-end integrity of transactions before digitally signing the related messages, among others. In addition, the digital data communication services in the RSFN were expressly considered relevant services for purposes of triggering the applicability of the regulation and obligations regarding the contracting of cloud processing, storage and computing services.
The new resolutions also require annual intrusion tests to be carried out by a specialized independent company, with mandatory documentation of vulnerabilities and action plans. The BCB may publish additional regulations, including specifying technical requirements for integrating systems by way of digital interfaces and maximum deadlines for restarting interrupted activities.
Entry into force
Both resolutions entered into force on the date of publication (18 December 2025), with a deadline for full compliance by institutions of 1 March 2026.
* * * * *
Trench Rossi Watanabe and Baker McKenzie have executed a strategic cooperation agreement for consulting on foreign law.