2025-12-18 | Resolução BCB 538

BCB Resolution No. 538 — Amends Resolution BCB No. 85 on Cybersecurity Policy and Cloud Services Requirements for Payment Institutions

The Central Bank of Brazil issued Resolution BCB No. 538 to amend Resolution No. 85, imposing stricter cybersecurity and cloud computing requirements on payment institutions, securities brokers, and foreign exchange firms. The regulation mandates enhanced technical controls, including multi-factor authentication for critical systems like Pix and STR, physical and logical isolation of these environments, and rigorous vulnerability management with annual independent intrusion testing. Institutions must align their operations with these new standards by March 1, 2026, ensuring comprehensive traceability, secure configuration profiles, and strict access controls for both internal and third-party services.

BCB RESOLUTION NO. 538, OF DECEMBER 18, 2025

Amends Resolution BCB No. 85, of April 8, 2021, which establishes the cybersecurity policy and the requirements for contracting data processing and storage services and cloud computing services to be observed by payment institutions, securities and derivatives brokerage firms, securities distribution firms, and foreign exchange brokerage firms authorized to operate by the Central Bank of Brazil.

The Collegiate Board of the Central Bank of Brazil, in a session held on December 3, 2025, based on art. 9º-A, caput, items I and II, of Law No. 4,728, of July 14, 1965, and on arts. 9º, caput, items II and IX, 10 and 15 of Law No. 12,865, of October 9, 2013,

R E S O L V E S:

Art. 1º Resolution BCB No. 85, of April 8, 2021, published in the Official Gazette of the Union on April 12, 2021, shall enter into force with the following amendments:

“Art. 3º  ..........................................................................................................
..........................................................................................................................
§ 2º  The procedures and controls referred to in item II of the caput must cover, at a minimum:
I - authentication;
II - encryption mechanisms;
III - intrusion prevention and detection mechanisms;
IV - information leakage prevention mechanisms;
V - protection mechanisms against malicious software;
VI - traceability mechanisms;
VII - management of data and information backups;
VIII - assessment and correction of vulnerabilities in computing resources and information systems;
IX - access controls;
X - definition and implementation of secure configuration profiles for technology assets;
XI - network protection mechanisms;
XII - digital certificate management;
XIII - security requirements for integrating information systems through electronic interfaces; and
XIV - intelligence actions in the cyber environment, including monitoring information of interest to the institution on the internet, on the Deep Web and Dark Web, as well as in private communication groups.
§ 3º  The procedures and controls cited in item II of the caput must be applied, including:
I - in the development of secure information systems; and
II - in the adoption of new technologies employed in the institution’s activities.
..........................................................................................................................
§ 6º  The institution must verify compliance with item I of § 3º, as applicable, in the case of information systems acquired by it or developed by third-party service providers and executed on the institution’s own computing resources.
§ 7º  The traceability mechanisms referred to in item VI of § 2º must cover the traceability of transactions and operations, including, at a minimum:
I - audit trails for end-to-end data and information processing, including the definition and generation of logs that enable the identification of processing failures or atypical behaviors and support subsequent analyses;
II - definition of information retention periods according to the type of processing performed; and
III - secure retention of audit trails.
§ 8º  The assessment and correction of vulnerabilities referred to in item VIII of § 2º must cover, at a minimum:
I - periodic tests and analyses to detect vulnerabilities in information systems;
II - periodic scans of technological resources aimed at identifying devices improperly connected to the corporate network that may establish connections with technology assets external to the institution;
III - periodic analyses of technological resources aimed at identifying vulnerabilities that may compromise the security of the institution’s technology assets;
IV - intrusion tests; and
V - timely correction of identified vulnerabilities.
§ 9º  The access controls referred to in item IX of § 2º must include, at a minimum:
I - mechanisms to limit access to the corporate network to credentialed users and authorized devices;
II - periodic and timely review of access permissions, especially for third-party collaborators with access to the institution’s computing resources; and
III - implementation of multi-factor authentication for access to the corporate network from environments external to the institution.
§ 10  The definition and implementation of secure configuration profiles referred to in item X of § 2º must provide, at a minimum:
I - management of the lifecycle of the institution’s computing resources;
II - regular application of security patches;
III - adequate configuration of the services to be supported by computing resources; and
IV - change of default passwords and other default settings that may be used for unauthorized access to computing resources.
§ 11  The network protection mechanisms referred to in item XI of § 2º must cover, at a minimum:
I - computer network segmentation, safeguarding in particular the production environment and the computing resources that support critical business processes;
II - the establishment of firewall rules, as well as monitoring of connections, preventing connection attempts to information systems originating from technology assets located outside the institution’s corporate network;
III - the definition of criteria for establishing and monitoring connections with external environments, especially during nighttime and on non-working days;
IV - measures to identify and prevent improper connections to environments external to the institution originating from the institution’s technological resources;
V - the implementation and maintenance of processes and tools for the identification, analysis, treatment, and control of atypical events in the institution’s production environment, including, for example, the establishment of virtual private networks – VPN and attempts at privileged access to computing resources, especially during nighttime and on non-working days; and
VI - the establishment of measures restricting access to corporate networks to duly authorized devices or technology assets.
§ 12  The digital certificate management referred to in item XII of § 2º must provide, at a minimum:
I - monitoring of the use of certificates and digital signatures, including the implementation of the traceability mechanisms referred to in § 7º;
II - procedures for the storage of information, including physical and logical access controls for private keys under the institution’s responsibility;
III - procedures and tools to prevent the improper sharing of private keys associated with the institution’s digital certificates; and
IV - timely validation of revoked certificates with the certification authorities.” (NR)

“Art. 3º-A  The institutions referred to in art. 1º must establish the following additional security requirements, as an integral part of the procedures and controls provided for in the cybersecurity policy referred to in art. 3º:
I - in the case of electronic data communication on the National Financial System Network – RSFN:
a) multi-factor authentication for administrative access to the Pix environment and to the Reserve Transfer System – STR;
b) physical and logical isolation of the Pix environment from the institution’s other systems, maintaining a dedicated instance, separate from other environments, where contracted cloud computing services are used;
c) physical and logical isolation of the STR environment from the institution’s other systems, maintaining a dedicated instance, separate from other environments, where contracted cloud computing services are used;
d) monitoring of the use of credentials and digital certificates, as well as the establishment of controls for the storage of this information, especially that used within the scope of the Instant Payment System – SPI;
e) implementation of mechanisms by which the institution validates end-to-end transaction integrity before the digital signing of the associated messages, ensuring that the data has not been corrupted or manipulated during the generation of those messages; and
f) prohibition of access by third-party service providers to the private keys associated with the digital certificates used by the institution for message signing; and
II - in the case of connection as a participant in Financial Market Systems – SMF authorized to operate, the implementation of security controls for the prevention, detection, and response to fraud to be observed by the institution.
Sole Paragraph.  Institutions must observe this article in a manner compatible with the provisions:
I - of this Resolution;
II - of current regulation; and
III - of all technical requirements of the RSFN set out in the SFN Service Catalog, the SFN Network Manual, and the SFN Security Manual, published by the Central Bank of Brazil.” (NR)

“Art. 8º  ..........................................................................................................
§ 1º  ..............................................................................................................
..........................................................................................................................
III - relevant incidents related to the cyber environment that occurred during the period;
IV - the results of business continuity tests, considering scenarios of unavailability caused by incidents; and
V - the results of the intrusion tests and of the periodic tests, scans, and analyses for vulnerability detection referred to in art. 3º, § 8º, together with the action plans established for their correction, observing the provisions of art. 22-A, caput, item III.
..........................................................................................................................” (NR)

“Art. 22-A.  The intrusion tests mentioned in art. 3º, § 8º, item IV, must:
I - have a minimum annual periodicity;
II - be performed with independence and impartiality by a natural person or specialized company contracted by the institution for this purpose, without prejudice to tests performed by the institution’s own teams; and
III - have the results of their execution documented, especially any vulnerabilities identified and the action plans established for their correction.” (NR)

“Art. 22-B.  The service provided for electronic data communication on the RSFN, referred to in art. 3º-A, caput, item I, is considered relevant for the purposes of applying the provisions of this Resolution on the contracting of data processing, data storage, and cloud computing services.
§ 1º  The provisions of the caput apply regardless of the form of connection to the RSFN.
§ 2º  The service referred to in the caput includes cases in which the service provider performs message processing services within the scope of the SFN and the Brazilian Payment System – SPB.” (NR)

“Art. ...  .........................................................................................................
..........................................................................................................................
VIII - the data, records, and information related to the monitoring and control mechanisms referred to in art. 21, counted from the implementation of those mechanisms;
IX - the documentation with the criteria that constitute a crisis situation referred to in art. 20, sole paragraph; and
X - the documentation with the results of the execution of intrusion tests and the action plans established for the correction of identified vulnerabilities referred to in art. 22-A, caput, item III, counted from the date of execution of the tests.” (NR)
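Art. 3º, § 11, item V requires processes and tools that identify atypical events in the production environment, naming VPN establishment and privileged access attempts at night and on non-working days as examples. The Python block below is an added illustration of such a check and is not part of the Resolution or of any Central Bank material: it runs over a few constructed log lines and returns one alert per flagged event. The log format, the field names, the 22:00 to 06:00 night window and the holiday calendar are assumptions, since the Resolution leaves those definitions to the institution.

```python
import re
from dataclasses import dataclass, field
from datetime import date, datetime, time

# Assumptions (not defined by the Resolution; an institution sets its own):
NIGHT_START = time(22, 0)                  # nighttime window starts 22:00 local time
NIGHT_END = time(6, 0)                     # ... and ends 06:00 local time
NON_WORKING_DATES = {date(2025, 12, 25)}   # constructed holiday calendar
MONITORED_EVENTS = {"privileged_access", "vpn_established"}  # the examples named in § 11, V

# Constructed sample log lines in an assumed "<ISO-8601 timestamp> key=value ..." format.
# 2025-12-14 is a Sunday; 2025-12-25 is in the constructed holiday calendar.
SAMPLE_LOG = """\
2025-12-15T14:03:11-03:00 user=ana.souza event=privileged_access target=pix-gw-01 result=success
2025-12-15T23:41:07-03:00 user=svc-deploy event=privileged_access target=str-core-02 result=success
2025-12-14T10:15:00-03:00 user=joao.lima event=vpn_established src=203.0.113.45
2025-12-16T09:30:00-03:00 user=ana.souza event=vpn_established src=198.51.100.7
2025-12-25T11:00:00-03:00 user=carlos.m event=privileged_access target=pix-gw-01 result=failure
2025-12-16T12:00:00-03:00 user=ana.souza event=login result=success
"""

_KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    attrs: dict = field(default_factory=dict)


def parse_event(line: str) -> Event:
    """Split one log line into its timestamp, the mandatory user/event keys and the rest."""
    ts_str, _, rest = line.strip().partition(" ")
    attrs = dict(_KV.findall(rest))
    return Event(datetime.fromisoformat(ts_str), attrs.pop("user"), attrs.pop("event"), attrs)


def is_nighttime(ts: datetime) -> bool:
    """True when the local time falls inside the assumed window, which wraps past midnight."""
    t = ts.time()
    return t >= NIGHT_START or t < NIGHT_END


def is_non_working_day(ts: datetime) -> bool:
    """Weekends plus the constructed holiday calendar."""
    return ts.weekday() >= 5 or ts.date() in NON_WORKING_DATES


def classify(event: Event) -> list:
    """Return the reasons an event is atypical; an empty list means nothing to flag."""
    if event.kind not in MONITORED_EVENTS:
        return []
    reasons = []
    if is_nighttime(event.ts):
        reasons.append("nighttime")
    if is_non_working_day(event.ts):
        reasons.append("non-working day")
    return reasons


def detect_atypical(log_text: str) -> list:
    """Run the check over a block of log lines and return one alert dict per flagged event."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            alerts.append({"ts": event.ts.isoformat(), "user": event.user,
                           "event": event.kind, "reasons": reasons, **event.attrs})
    return alerts


if __name__ == "__main__":
    for alert in detect_atypical(SAMPLE_LOG):
        print(alert)
```

Run as a script, the block flags the 23:41 privileged access, the Sunday VPN establishment and the holiday privileged access attempt, and ignores the daytime weekday events and the unmonitored login. The alerts carry the original attributes (target, source address, result) so they can feed the analysis and treatment steps § 11, V also requires.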

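Art. 3º-A, item I, "e" requires the institution to validate end-to-end transaction integrity before the associated messages are digitally signed, so that data corrupted or manipulated during message generation never reaches the signing key. The following Python block is an added example of one way to build such a gate; it is not part of the Resolution, not Central Bank code, and does not reproduce the SPI message format. It records an HMAC tag over the business fields when a transaction is authorized, recomputes the tag from the assembled message immediately before the signing step, and refuses to release a message whose fields no longer match. The field names, the key and the message layout are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed internal key that binds the authorization record to the assembled message.
# It is not the signing key and not a real SPI parameter.
INTEGRITY_KEY = b"constructed-integrity-key-for-illustration-only"

# Business fields whose integrity must survive message assembly. Names are constructed
# for this example and do not reproduce the SPI message schema.
BUSINESS_FIELDS = ("end_to_end_id", "payer_account", "payee_key", "amount", "currency")

# Constructed authorized transaction (amount kept as a string to avoid float rounding).
SAMPLE_TRANSACTION = {
    "end_to_end_id": "E00000000202512181200EXAMPLE001",
    "payer_account": "0001-123456-7",
    "payee_key": "payee@example.com",
    "amount": "1500.00",
    "currency": "BRL",
}


class IntegrityError(Exception):
    """Raised when the assembled message no longer matches the authorized transaction."""


def canonical(fields: dict) -> bytes:
    """Deterministic encoding of the business fields only: extra message keys are ignored
    and a missing business field encodes as null, so it cannot silently match."""
    subset = {k: fields.get(k) for k in BUSINESS_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()


def integrity_tag(fields: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the canonical business fields."""
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


def authorize_transaction(fields: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Originating system: fix the business content and its tag at authorization time."""
    return {"fields": dict(fields), "tag": integrity_tag(fields, key)}


def build_message(record: dict) -> dict:
    """Stand-in for the message assembly step: copies the business fields into a message
    envelope and adds transport metadata (constructed, not the SPI format)."""
    message = dict(record["fields"])
    message["msg_id"] = "M" + record["fields"]["end_to_end_id"][-12:]
    message["created_at"] = "2025-12-18T12:00:00-03:00"
    return message


def verify_before_signing(message: dict, record: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag from the assembled message and compare it in constant time with
    the tag recorded at authorization."""
    return hmac.compare_digest(record["tag"], integrity_tag(message, key))


def release_for_signing(message: dict, record: dict, key: bytes = INTEGRITY_KEY) -> bytes:
    """Gate in front of the signing step: returns the bytes to be signed only when the
    integrity check passes; otherwise nothing is handed to the signing key."""
    if not verify_before_signing(message, record, key):
        raise IntegrityError("business fields changed between authorization and signing")
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


if __name__ == "__main__":
    record = authorize_transaction(SAMPLE_TRANSACTION)
    message = build_message(record)
    print("intact message released:", bool(release_for_signing(message, record)))
    tampered = dict(message, amount="15000.00")
    print("tampered message passes check:", verify_before_signing(tampered, record))
```

The design point is separation of duties between steps: the tag is fixed by the component that authorized the transaction, the message builder cannot recompute it without the internal key, and the signing step only ever sees bytes that passed `release_for_signing`. A changed amount, a dropped field or a substituted payee key all produce a different canonical encoding and therefore a different tag.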
Art. 2º Institutions operating on the date of entry into force of this Resolution must make the necessary adaptations to comply with the provisions of this Resolution by March 1, 2026.

Art. 3º This Resolution enters into force on the date of its publication.

GILNEU FRANCISCO ASTOLFI VIVAN

Director of Regulation