On December 18, 2024, the National Monetary Council and the Central Bank of Brazil published Resolutions CMN No. 5,274/2025 and BCB No. 538/2025, which substantially alter the cybersecurity regulatory framework applicable to supervised institutions. The rules revise Resolution CMN 4,893/2021 and BCB 85/2021, this time with a clear message: formal policies alone are not enough; the regulator expects verifiable technical evidence that controls are implemented and functioning.
Why the regulator tightened the rules
The consolidation of Pix as critical infrastructure, the growth of real-time transaction volume, the reliance on API integrations with third parties, and the increase in sophisticated attacks have created a systemic risk scenario that demands a proportional response. The resolutions make it explicit that cybersecurity is now treated as an element of financial stability, not merely an operational concern.
Key changes introduced
1. New mandatory controls
Resolution CMN 5,274/2025 expands the minimum set of controls that must be implemented, operational, and documented. Among the most relevant additions:
Information leakage prevention (subsection IV): Institutions must implement specific mechanisms to prevent exfiltration of sensitive data, including controls over file transfers, use of removable devices, and electronic communications.
Cyber environment intelligence (subsection XIV): Active monitoring of information of interest to the institution on the internet, Deep Web, Dark Web, and private communication groups becomes mandatory. This means investment in Cyber Threat Intelligence (CTI) tools and technical capability to anticipate threats, not just react to incidents.
Transaction traceability (Section 7): Traceability mechanisms must cover end-to-end data processing audit trails, including definition and generation of logs that enable the identification of processing failures or atypical behaviors. The rule also establishes retention periods according to the type of processing.
2. Security in development and outsourcing
The resolution introduces Section 3, which mandates that encryption controls be applied in the development of secure information systems and in the adoption of new technologies. Section 6 complements this requirement by mandating that the institution also verify these requirements in systems acquired from or developed by third-party service providers when those systems run on the institution's own computing resources.
This directly impacts the relationship with software vendors and requires procurement, legal, and security teams to work in an integrated manner when evaluating market solutions.
3. Protection of critical environments
For environments related to Pix, STR, and RSFN, BCB 538/2025 reinforces requirements such as multi-factor authentication, physical and logical isolation, rigorous protection of cryptographic keys, and an express prohibition against service providers having access to the private keys of digital certificates. These measures directly impact infrastructure architectures and outsourcing models.
4. Mandatory independent penetration testing
Penetration tests are now required annually and must be performed by independent teams. They must evaluate the relevant environments, identify exploitable vulnerabilities, and generate formal reports with action plans and evidence of remediation. Results must be presented to the board of directors and archived for the minimum period defined by regulation.
Who needs to comply and by when
The resolutions apply to financial institutions, payment institutions, securities brokerages and distributors, foreign exchange brokerages, and other entities authorized to operate in the National Financial System. The compliance deadline is March 1, 2026, a tight timeline that demands prioritization and agile execution.
Non-compliance may result in findings during supervision processes, formal adjustment demands, and impacts on institutional risk assessments.
The technical compliance challenge
Compliance requires a combination of deep technical assessment, specialized execution, and generation of auditable evidence. For institutions with complex environments, multiple integrations, and third-party dependencies, the challenge is amplified. It is necessary to map all critical points, prioritize investments, coordinate multidisciplinary teams, and ensure that each control is demonstrably functional.
Given the tight deadline and technical complexity, many institutions are seeking specialized support for initial diagnostics, mandatory testing, control auditing, and evidence structuring. Choosing partners with experience in regulated environments, recognized methodologies, and the capability to produce documentation adequate for regulatory scrutiny has become a critical success factor.
How BrownPipe can support your organization
BrownPipe supports financial and payment institutions on exactly the points required by the resolutions:
- Independent penetration testing, as required by regulation;
- Technical security auditing, focused on the controls specified in the rules;
- Phishing campaigns, supporting operational risk reduction;
- LGPD technical support, integrated with information security;
- AI applied to security, for critical environments.
Count on BrownPipe's technical support to structure, evaluate, and evidence cybersecurity controls in line with the new Central Bank requirements.