Central Bank of Brazil Issues New Cybersecurity Compliance Rules
To close out 2025, the Central Bank of Brazil (BCB) and the National Monetary Council (CMN) issued Resolution No. 5,274/2025 and BCB Resolution No. 538/2025, significantly strengthening cybersecurity and cloud service requirements for BCB-regulated financial institutions. These updates amend earlier frameworks (CMN 4,893/2021 and BCB 85/2021) and are designed to protect the SFN and the SPB amid rising increases in traffic across the RSFN financial network. The regulations formally recognize data communications on RSFN as critical services, elevating expectations for resilience, monitoring, and secure usage.
The new rules mandate the adoption of 14 core cybersecurity procedures and controls, including strong authentication, encryption, intrusion prevention and detection, information leakage protection, traceability, and cyber intelligence monitoring. Institutions must also extend these controls to third-party and cloud-based services, reflecting increased regulatory focus on supply-chain risk. For PIX and STR environments, additional safeguards are required, such as continuous monitoring of credentials and certificates. Annual independent penetration and intrusion testing is now mandatory, with formal vulnerability documentation and remediation plans.
From a security operations standpoint, these requirements strongly align with best practices found in U.S. frameworks such as NIST SP 800-53, NIST CSF 2.0, and CMMC, emphasizing continuous risk management, defense-in-depth, and verifiable controls. Compliance at this level demands the integration of vulnerability scanning and CVE detection, firewall and perimeter monitoring, IDS, network traffic analysis, full packet capture and network forensics, certificate and key monitoring, cloud security posture management (CSPM), and third-party risk monitoring in a centralized platform like NIKSUN. Read more about this story on our LinkedIn page
The new rules mandate the adoption of 14 core cybersecurity procedures and controls, including strong authentication, encryption, intrusion prevention and detection, information leakage protection, traceability, and cyber intelligence monitoring. Institutions must also extend these controls to third-party and cloud-based services, reflecting increased regulatory focus on supply-chain risk. For PIX and STR environments, additional safeguards are required, such as continuous monitoring of credentials and certificates. Annual independent penetration and intrusion testing is now mandatory, with formal vulnerability documentation and remediation plans.
From a security operations standpoint, these requirements strongly align with best practices found in U.S. frameworks such as NIST SP 800-53, NIST CSF 2.0, and CMMC, emphasizing continuous risk management, defense-in-depth, and verifiable controls. Compliance at this level demands the integration of vulnerability scanning and CVE detection, firewall and perimeter monitoring, IDS, network traffic analysis, full packet capture and network forensics, certificate and key monitoring, cloud security posture management (CSPM), and third-party risk monitoring in a centralized platform like NIKSUN. Read more about this story on our LinkedIn page