Circular RUNOR 1-1947 CREFI 2-143: Minimum Requirements for the Management and Control of Technology and Information Security Risks. Expansion to Financial Entities. Update.

"2026 - YEAR OF ARGENTINE GREATNESS" COMUNICACIÓN “A” 8401 13/02/2026 TO FINANCIAL ENTITIES, TO ELECTRONIC CLEARING HOUSES, TO ATM NETWORKS, TO PAYMENT SERVICE PROVIDERS, TO FINANCIAL MARKET INFRASTRUCTURES: Ref.: Circular RUNOR 1-1947, CREFI 2-143: Minimum Requirements for the Management and Control of Technology and Information Security Risks. Expansion to Financial Entities. Update.

---

We address you to deliver enclosed the pages that, replacing those previously provided, should be incorporated into the consolidated texts on Minimum Requirements for the Management and Control of Technology and Information Security Risks and on Expansion to Financial Entities, based on the provisions published in Communication A 8398. It is recalled that on this Institution's website www.bcra.gob.ar, by accessing “Sections - Financial System – LEGAL AND REGULATORY FRAMEWORK – Regulations and summaries – Consolidated texts of general regulations”, the modifications made with text highlighted in special characters (strikethrough and bold) will be found. We remain, yours sincerely. CENTRAL BANK OF THE ARGENTINE REPUBLIC Pablo D. Montero Darío C. Stefanelli Manager of Standards Issuance on behalf of Chief Manager of Issuance and Regulatory Applications ANNEX

-Index Section 7. Technological infrastructure and processing. 7.1. Technological infrastructure management. 7.2. Change management. 7.3. Technological infrastructure updates. 7.4. Communications management. 7.5. Data processing. 7.6. Data backup management. 7.7. Monitoring of technological infrastructure and processing. Section 8. Cyber incident management. 8.1. Cyber incident response preparedness. 8.2. Cyber incident response exercises and tests. 8.3. Management control and reports. Section 9. Software development, acquisition and maintenance. 9.1. Requirements for systems and applications. 9.2. Software lifecycle management. Section 10. Third-party relationship management. 10.1. Prior notification requirement. 10.2. Third-party relationship management framework. 10.3. Relationship formalization. 10.4. Control and monitoring. 10.5. Internal and external audit reports. 10.6. Additional considerations. Section 11. Glossary of terms. Section 12. Transitional provisions. Correlation table. B.C.R.A. CONSOLIDATED TEXT ON MINIMUM REQUIREMENTS FOR THE MANAGEMENT AND CONTROL OF TECHNOLOGY AND INFORMATION SECURITY RISKS Version: 3rd COMMUNICATION “A” 8401 Effective: 06/02/2026 Page 2

1.1. Obligated entities 1.1.1. Financial entities. 1.1.2. Financial Market Infrastructures known as Systemically Important Payment Systems: INTERBANKING, COELSA, LINK and NEWPAY. 1.1.3. Payment service providers (PSP) included in the PSP Registry of the Central Bank of the Argentine Republic (BCRA). 1.2. General aspects The obligated entities indicated in point 1.1., which for the purposes of this standard we will refer to as “entities”, must ensure the implementation of effective practices for internal control and risk management of their operational environment for technology and information security. To this end, they must demonstrate understanding of the risks and establish a framework for their management in line with the complexity of the financial services offered and the technology supporting them. The following sections establish a set of minimum requirements, applicable to processes, structures and information assets, which entities must implement with the purpose of: • Defining and implementing a technology and information security risk management framework as part of the entity's overall risk management. • Defining frameworks for the governance and management of technology and information security, aligned with risk management. • Aligning with operational resilience objectives. • Including continuous improvement processes in management frameworks. Additionally, entities must promote: • A technology and information security risk management culture that enables them to identify and implement controls beyond these minimum requirements. • The adoption of the “three lines model” in defining roles and responsibilities. • The adoption of reference frameworks and international standards that complement the minimum requirements related to risks, technology and information security. B.C.R.A. MINIMUM REQUIREMENTS FOR THE MANAGEMENT AND CONTROL OF TECHNOLOGY AND INFORMATION SECURITY RISKS Section 1. General provisions. Version: 3rd COMMUNICATION “A” 8401 Effective: 06/02/2026 Page 1

Entities may outsource processes, services and/or activities related to technology and information security processes, both domestically and abroad. The following are not covered by the requirements of this section: • Services that provide general information on financial markets. • Services of mandatory adoption by financial system regulation. • Services provided by government agencies. • Banking correspondent activities. • Credit card payment processing services. Processes, services and/or activities cannot be outsourced to third parties that perform internal and/or external audit functions. Entities that outsource processes, services and/or activities related to technology and information security will not be released from their current or future responsibilities corresponding to them in accordance with legal and regulatory provisions and standards issued by the BCRA. Based on their operations, processes and structure, entities must consider establishing a department or function responsible for managing the relationship with third parties. The contracting or outsourcing must contain provisions ensuring that outsourced processes, services and activities comply with the requirements set forth in these standards, according to their risk assessment. The risk evaluation of all service providers must be documented and approved by the highest local authorities of the entity.

10.1. Prior notification requirement. Entities must inform the External Systems Audit Department of the Superintendence of Financial and Exchange Entities (SEFYC) about the characteristics of critical services to be outsourced, no less than 60 calendar days prior to the start of outsourcing. The prior notification of critical services to be outsourced must contain:

• The nature of the services, according to the following taxonomy: • Data processing in traditional infrastructures. • Infrastructure and processing in Infrastructure as a Service (IaaS) model. • Solutions in Platform as a Service (PaaS) model. • Solutions in Software as a Service (SaaS) model. • Data administration and management. • Access control to infrastructure, systems and data. • Security operations (includes SOC). • Cyber incident management (at any stage). B.C.R.A. MINIMUM REQUIREMENTS FOR THE MANAGEMENT AND CONTROL OF TECHNOLOGY AND INFORMATION SECURITY RISKS Section 10. Third-party relationship management. Version: 2nd COMMUNICATION “A” 8401 Effective: 06/02/2026 Page 1

• Back-office activities with technological support. • Payment administration. • Communications and networks management. • Development, support and maintenance. • Backup management. • Other services considered critical.

• A description of the covered services and activities.
• The geographic locations (country, region, city) where each of the activities will be carried out.
• The geographic locations (country, region, city) where control tasks over the activities will be performed.
• The commissioning date of the activities.
• The contact details of the direct liaison at the service provider third party (name, role, phone and email).
• When the activity involves subcontracting (“nth parties”), each provider, the activity to be performed and the geographic locations must be identified.
• The instruments formalizing the outsourcing.
• An operational continuity plan complying with current regulatory requirements.
• Having alternative continuity solutions as provided in Sections 3 and 6.
• In the case of outsourcing intra-group services abroad, a written certification from the supervisory body of the country of origin must be obtained indicating that: • It is aware of and does not object to the outsourcing. • The outsourced services will be part of its normal supervision program. • It is subject to internationally accepted principles, standards or norms for the prevention of Money Laundering, Terrorism Financing and Proliferation Financing (ML/TF/PF), including those disseminated by the Financial Action Task Force (FATF) and the Basel Committee on Banking Supervision. • Additionally, regarding the form of supervision, it adheres to the “Basic Principles for Effective Banking Supervision” issued by the Basel Committee on Banking Supervision. It also applies consolidated supervision assuming oversight of liquidity and solvency, as well as the evaluation and control of risks and financial situations considered on a consolidated basis. B.C.R.A. MINIMUM REQUIREMENTS FOR THE MANAGEMENT AND CONTROL OF TECHNOLOGY AND INFORMATION SECURITY RISKS Section 10. Third-party relationship management. Version: 2nd COMMUNICATION “A” 8401 Effective: 06/02/2026 Page 2

10.2. Third-party relationship management framework. Entities must establish a policy and framework for managing outsourced processes, services and/or activities that considers: • The definition of roles and responsibilities for the different management activities. • Security measures according to the results of technology and security risk management; and risks inherent to outsourcing. • Procedures for the selection and contracting of third parties. • The identification and documentation of outsourced services and activities. • The identification of contact points for legal aspects and those related to technology, information security and cyber incident management. • The preparation and maintenance of a catalog with information on outsourced services and activities. • Service continuity according to the results of risk analyses. • Continuous evaluation of the risk exposure level throughout the outsourcing lifecycle. • Mechanisms for managing conflicts of interest. • Mechanisms for managing cyber incidents. • The preparation of procedures for monitoring compliance with formalized agreements. • The implementation of independent audits on services and activities managed by third parties that allow evaluating risk management and alignment with the entity's technology and information security processes. Furthermore, entities must evaluate possible scenarios for planned or forced termination of processes, services or activities provided by third parties, and establish termination plans that allow them to mitigate risks of interruption, non-compliance with legal and regulatory requirements, or quality degradation. Termination plans must consider obtaining data, source code, and documentation of systems and applications. Throughout the outsourcing lifecycle, any change related to the nature of the activity, the geographic location where activities or control tasks are performed, as well as the incorporation and/or modification of subcontracting (“nth parties”), must be interpreted as a new outsourcing process and must comply with all requirements set forth in point 10.1. Significant changes in the outsourcing abroad of intra-group critical services must be accompanied by a new written certification from the supervisor of the country of origin as provided in point 10.1. B.C.R.A. MINIMUM REQUIREMENTS FOR THE MANAGEMENT AND CONTROL OF TECHNOLOGY AND INFORMATION SECURITY RISKS Section 10. Third-party relationship management. Version: 2nd COMMUNICATION “A” 8401 Effective: 06/02/2026 Page 3

10.3. Relationship formalization. 10.3.1. Entities must formalize in all cases relationships with third parties that provide outsourced processes, services and/or activities according to established procedures. The following must be set at a minimum: • The nature, scope of processes, services and/or activities to be outsourced and the responsibilities of the parties. • The duration of the contract or outsourcing and specific clauses governing automatic renewal. • Minimum service levels and performance metrics. • The existence of continuity plans. • The right to conduct audits by the entity. • Communication mechanisms regarding changes that may affect service provision conditions. • Confidentiality agreements. • Dispute resolution mechanisms. • Coordinated procedures for cyber incident management. • Compliance with applicable legal and regulatory frameworks. • Provisions allowing the entity and SEFYC, at all contracting levels, to request accurate, complete and timely information related to outsourced services when deemed appropriate, and unrestricted access to audit and obtain relevant information at facilities, control areas and documentation regarding all service providers. • Notification mechanisms regarding changes in shareholding control and management level changes of third parties. • Responsibilities in the entity's customer/user claims circuits for financial services. • Communication procedures and protocols enabling effective compliance with controls over outsourced processes, services and activities. • The formal designation of a responsible person representing the third party to handle aspects related to outsourcing, according to service characteristics and risk analysis results. • Mechanisms for the deletion of entity data managed by third parties once the relationship is terminated. • Procedures for service termination according to risk evaluation. Financial messaging services will be evaluated taking into account their particular contracting conditions such as SWIFT. 10.3.2.