New CMN Resolution No. 5,274 of 12/18/2025

In late December 2025, the National Monetary Council (CMN) published CMN Resolution No. 5,274/2025, which establishes new cybersecurity requirements for all institutions authorized to operate by the Central Bank of Brazil that offer digital services.

This recent and significant update in the field of cybersecurity amended CMN Resolution No. 4,893/2021, reinforcing and expanding information security control requirements. The clear objective is to reduce institutions’ vulnerability to cyber incidents and further strengthen the protection of the entire financial ecosystem.

The procedures and controls adopted to reduce the institution’s vulnerability to incidents and meet other cybersecurity objectives must include, among other requirements, (i) intrusion prevention and detection mechanisms, (ii) definition and implementation of secure configuration profiles for technology assets, (iii) digital certificate management, and (iv) cybersecurity intelligence actions, including monitoring of information of interest to the institution on the internet, deep web, and dark web, as well as private communication groups (art. 3, §2, of CMN Resolution No. 4,893/2021).

The content of the annual report on the implementation of the action and incident response plan has been amended, now requiring the inclusion of “the results of intrusion tests and periodic vulnerability detection tests, scans, and analyses,” as well as the action plans established for their remediation (art. 8, §1, V, of CMN Resolution No. 4,893/2021).

The Resolution also applies to the Central Bank itself: the agency must observe the general guideline that the content addressing security requirements should keep pace with technological innovations, so that it remains suitable as one of the procedures and controls for implementing cybersecurity policy in future scenarios (art. 24, §2, II, of CMN Resolution No. 4,893/2021).

For each of the controls provided in the regulation, the CMN establishes specific requirements that must be analyzed in detail and individually, considering the institution’s size, risk profile, operational complexity, and business model.

These parameters are not limited to routine operations but must also be observed in the development of secure systems and the adoption of new technologies by institutions, requiring careful analysis to ensure the effectiveness of the adopted security measures.

Updates like this represent a significant advancement in strengthening the cybersecurity resilience of the financial system against cyberattacks, benefiting both institutions and end users.

The deadline for implementing the required adjustments is March 1, 2026.

Given the technical and regulatory complexity involved, Peck Advogados has a team of specialists with extensive experience in financial regulation and cyber incident management, ready to support your institution in strategic and regulatory alignment, as well as in implementing the necessary measures, always tailored to your business reality.

Prepared by: Dr. Leandro Bissoli, Partner; Dr. Lucas Arthuso, Lawyer Specialized in Cybersecurity and Data Protection; and Dr. Cezar Najjarian, Lawyer Specialized in Digital Litigation.
