Are Banks Ready for Brazil’s New Cybersecurity Rules?

As Brazil’s financial landscape continues its rapid digital transformation, largely propelled by the unprecedented success and adoption of the Payment Instant eXchange (PIX) system, regulators have taken a decisive step to fortify the nation’s economic backbone against a rising tide of cyber threats. In a landmark move on December 18, 2025, the Central Bank of Brazil (BCB) and the National Monetary Council (CMN) jointly enacted CMN Resolution No. 5,274/2025 and BCB Resolution No. 538/2025, introducing a sweeping overhaul of cybersecurity policies. These new regulations are not merely an update but a fundamental rethinking of security for the National Financial System (SFN) and the Brazilian Payment System (SPB). The rules directly address the vulnerabilities exposed by the massive increase in transaction volumes flowing through the National Financial System Network (RSFN), establishing a new, higher standard of resilience and accountability for every institution operating within this critical ecosystem, with a firm compliance deadline set for March 1, 2026.

A New Blueprint for Digital Defense

The Core Pillars of a Fortified Policy

At the heart of the new regulatory framework is a mandate for financial institutions to embed 14 specific procedures and controls directly into their cybersecurity policies, creating a robust, multi-layered defense system. This approach moves beyond generic guidelines to prescribe concrete actions. These controls encompass a wide spectrum of security disciplines, including the implementation of strong authentication protocols to verify user identities and robust encryption to protect data both in transit and at rest. Furthermore, the regulations demand the deployment of advanced mechanisms for preventing and detecting intrusions and information leakage, ensuring that suspicious activities are identified and neutralized in real time. A critical component is the requirement for comprehensive traceability of data and operations, which allows for detailed forensic analysis in the event of an incident. These measures, coupled with stringent network protection standards, are designed to work in concert to significantly reduce the attack surface and minimize vulnerabilities across an institution’s entire digital infrastructure.

A particularly forward-thinking requirement within the new regulations is the mandate for proactive cyber intelligence, compelling institutions to actively monitor for threats beyond their own network perimeters. This involves scanning the open internet, the Deep Web, and the Dark Web, as well as private communication groups, for any information that could indicate a potential threat or compromise. This shift from a reactive to a proactive security posture is a significant evolution, requiring banks to anticipate attacks rather than simply responding to them. Moreover, the regulations explicitly state that these stringent security standards must be extended to any third-party systems that operate using an institution’s computer resources. This crucial clause addresses the growing risk posed by supply chain attacks, making it clear that financial institutions are ultimately responsible for the security of their entire technology ecosystem, including services and platforms provided by external vendors. This holistic view ensures that security is not siloed but is a shared responsibility across all integrated systems.

Special Protections for Critical Infrastructure

Recognizing the systemic importance of the National Financial System Network (RSFN), which underpins critical services like PIX and the Reservation Transfer System (STR), the new resolutions impose an additional layer of exceptionally stringent security requirements for any electronic data communication on this network. Chief among these is the mandatory implementation of multi-factor authentication for all administrative access to the PIX and STR environments, a measure designed to prevent unauthorized changes or access by malicious actors who may have compromised standard credentials. The rules also mandate the complete physical and logical isolation of these critical environments from all other institutional systems. This “air-gap” approach is intended to create a digital fortress, ensuring that a security breach in a less sensitive part of the bank’s network cannot laterally spread to compromise the core payment and transfer systems, thereby protecting the integrity of the national financial infrastructure.

Further tightening the security around these vital systems, the regulations specify that when cloud computing services are utilized for PIX and STR, a dedicated and separate instance must be maintained. This prevents the risks associated with multi-tenancy, where the resources of one client could potentially be compromised by the activities of another on the same shared hardware. The mandates also call for vigilant and continuous monitoring of all credentials and digital certificates, with a special focus on those related to the Instant Payment System (SPI), to detect and revoke compromised assets before they can be exploited. Perhaps most critically, institutions are now required to deploy mechanisms that validate the end-to-end integrity of transactions before the corresponding messages are digitally signed. This ensures that the transaction data has not been altered at any point in its journey, providing a powerful safeguard against sophisticated tampering and fraud schemes that target data in transit.

Navigating the Compliance and Operational Landscape

Redefining Third-Party Risk and Verification

The new regulations fundamentally alter how financial institutions must approach their relationships with technology vendors, particularly those providing cloud services. By officially classifying electronic data communication services on the RSFN as “relevant services,” the BCB and CMN have automatically triggered a set of stricter obligations. This designation means that when contracting for cloud processing, storage, and computing, banks must conduct more rigorous due diligence and enforce higher security standards on their providers, effectively extending the regulatory perimeter to their key suppliers. Complementing this focus on external risk is a powerful internal verification mandate: the requirement for annual intrusion tests. Crucially, these tests cannot be performed in-house; they must be conducted by a specialized and independent company. This ensures an unbiased and expert assessment of an institution’s defenses. The results, including all identified vulnerabilities and the corresponding action plans for remediation, must be formally documented, creating a clear audit trail of risk management. The BCB also retains the authority to issue further technical regulations for system integrations and to set maximum deadlines for service restoration after an outage, signaling a move towards a more dynamic and adaptive regulatory oversight model.

Forging a Resilient Financial Future

With the compliance deadline of March 1, 2026, now passed, Brazil’s financial sector has officially entered a new era of heightened cybersecurity. The implementation of CMN Resolution No. 5,274/2025 and BCB Resolution No. 538/2025 represents more than a regulatory hurdle; it is a foundational investment in the stability and trustworthiness of the country’s burgeoning digital economy. The comprehensive controls, proactive intelligence mandates, and stringent testing requirements establish a robust framework designed to protect not only individual institutions but the integrity of the entire National Financial System. This decisive action by Brazilian regulators positions the nation’s banks to better withstand the complex and persistent cyber threats of the modern world, ultimately setting a new and ambitious benchmark for financial resilience across Latin America.
