2025-12-18 | Resolution CMN 5274

Central Bank Resolution No. 5,274 of December 18, 2025, Amending Resolution CMN No. 4,893 on Cybersecurity Policy and Cloud Services

The Central Bank of Brazil issued Resolution No. 5,274 to amend Resolution CMN No. 4,893, imposing stricter cybersecurity requirements on financial institutions regarding data processing, storage, and cloud services. The regulation mandates enhanced controls for cyber threat intelligence, including monitoring the Deep and Dark Web, and establishes rigorous standards for vulnerability management, access control, and network protection. Additionally, it introduces specific security mandates for critical systems such as Pix and STR, requires annual independent penetration testing, and sets a compliance deadline of March 1, 2026.


RESOLUTION CMN NO. 5,274, OF DECEMBER 18, 2025

Amends Resolution CMN No. 4,893, of February 26, 2021, which establishes the cybersecurity policy and the requirements for contracting data processing and storage services and cloud computing services to be observed by institutions authorized to operate by the Central Bank of Brazil.

The Central Bank of Brazil, in accordance with Article 9 of Law No. 4,595, of December 31, 1964, makes public that the National Monetary Council, in a session held on December 18, 2025, based on Articles 4, caput, item VIII, of the aforementioned Law, 7 and 23, caput, item “a”, of Law No. 6,099, of September 12, 1974, 1, caput, item II, of Law No. 10,194, of February 14, 2001, and 1, § 1, of Complementary Law No. 130, of April 17, 2009,

R E S O L V E S:

Art. 1. Resolution CMN No. 4,893, of February 26, 2021, published in the Official Gazette of the Union on March 1, 2021, shall enter into force with the following amendments:

“Art. 3. ...................................................................................................................................
.................................................................................................................................................

§ 2. The procedures and controls referred to in item II of the caput must cover, at a minimum:
I - authentication;
II - encryption mechanisms;
III - intrusion prevention and detection mechanisms;
IV - information leakage prevention mechanisms;
V - protection mechanisms against malicious software;
VI - traceability mechanisms;
VII - management of data and information backups;
VIII - assessment and correction of vulnerabilities in computing resources and information systems;
IX - access controls;
X - definition and implementation of secure configuration profiles for technology assets;
XI - network protection mechanisms;
XII - digital certificate management;
XIII - security requirements for the integration of information systems through electronic interfaces; and
XIV - cyber intelligence actions, including monitoring of information of interest to the institution on the internet, the Deep Web, and the Dark Web, as well as private communication groups.

§ 3. The procedures and controls cited in item II of the caput must be applied, including:
I - in the development of secure information systems; and
II - in the adoption of new technologies employed in the institution's activities.
.................................................................................................................................................

§ 6. The institution must verify the provisions of item I of § 3, where applicable, in cases of information systems acquired by it or developed by third-party service providers, executed using the institution's own computing resources.

§ 7. The traceability mechanisms referred to in item VI of § 2 must cover the traceability of transactions and operations, including, at a minimum:
I - audit trails of end-to-end data and information processing, including the definition and generation of logs that allow identifying processing failures or atypical behaviors, as well as supporting analyses;
II - definition of information retention time according to the type of processing performed; and
III - secure retention of audit trails.

§ 8. The assessment and correction of vulnerabilities referred to in item VIII of § 2 must cover, at a minimum:
I - periodic tests and analyses to detect vulnerabilities in information systems;
II - periodic scans of technological resources to identify devices improperly connected to the corporate network that may establish connections with technology assets external to the institution;
III - periodic analyses of technological resources to identify vulnerabilities that may compromise the security of the institution's technology assets;
IV - penetration tests; and
V - timely correction of identified vulnerabilities.

§ 9. The access controls referred to in item IX of § 2 must include, at a minimum:
I - mechanisms to limit access to the corporate network to credentialed users and authorized devices;
II - periodic and timely review of access permissions, especially for third-party collaborators with access to the institution's computing resources; and
III - implementation of multi-factor authentication for access to the corporate network from environments external to the institution.

§ 10. The definition and implementation of secure configuration profiles referred to in item X of § 2 must provide, at a minimum:
I - the lifecycle management of the institution's computing resources;
II - the regular application of security patches;
III - the adequate configuration of services to be supported by computing resources; and
IV - the change of passwords and other standards that may be used for unauthorized access to computing resources.

§ 11. The network protection mechanisms referred to in item XI of § 2 must cover, at a minimum:
I - computer network segmentation, safeguarding, in particular, the production environment and computing resources that support critical business processes;
II - the establishment of firewall rules, as well as the monitoring of connections, avoiding connection attempts to information systems originating from technology assets located outside the institution's corporate network;
III - the definition of criteria for establishing and monitoring connections with external environments, especially during nighttime and non-working days;
IV - measures to identify and prevent unauthorized connections with environments external to the institution originating from the institution's technological resources;
V - the implementation and maintenance of processes and tools for identifying, analyzing, treating, and controlling atypical events in the institution's production environment, including, as examples, the establishment of virtual private networks – VPN and attempts at privileged access to computing resources, especially during nighttime and non-working days; and
VI - the establishment of measures to restrict access to corporate networks only to duly authorized devices or technology assets.
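Items III and V above require monitoring of external connections, VPN establishment and privileged-access attempts with particular attention to nighttime and non-working days, but the Resolution leaves the detection logic to the institution. The following is an added illustration of one such check, written for this page and not part of the Resolution or of any Banco Central do Brasil tooling. The log format, the field names, the 22:00–06:00 "nighttime" window and the holiday list are all assumptions; the sample log lines are constructed.

```python
"""Off-hours VPN / privileged-access detection, in the spirit of Art. 3, § 11, items III and V.

Added illustration only. The Resolution does not define "nighttime" or fix a list of
non-working days, so the window and holiday set below are assumed policy parameters
that an institution would replace with its own values.
"""
from dataclasses import dataclass
from datetime import date, datetime, time

# Assumed policy parameters (not prescribed by the Resolution).
NIGHT_START = time(22, 0)
NIGHT_END = time(6, 0)
NON_WORKING_DAYS = {date(2026, 3, 1)}  # constructed holiday list; 2026-03-01 is also a Sunday

# Event types the rule treats as "atypical when off-hours" (item V names both as examples).
MONITORED_EVENTS = {"vpn_established", "privileged_access_attempt"}

# Constructed sample log lines: ISO timestamp, event type, account, source host.
# 2026-02-24 is a Tuesday, 2026-02-25 a Wednesday, 2026-02-28 a Saturday.
SAMPLE_LOGS = """\
2026-02-24T09:15:02 vpn_established alice 198.51.100.23
2026-02-24T23:41:10 vpn_established bob 203.0.113.7
2026-02-25T02:03:55 privileged_access_attempt svc_backup 10.0.5.14
2026-02-25T14:20:00 privileged_access_attempt carol 10.0.5.20
2026-02-28T11:02:31 vpn_established dave 198.51.100.9
2026-02-24T10:00:00 file_read alice 10.0.1.1
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    account: str
    source: str


def parse_logs(text):
    """Parse whitespace-separated log lines into Event records (assumed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, account, source = line.split()
        events.append(Event(datetime.fromisoformat(ts), kind, account, source))
    return events


def is_nighttime(ts):
    # The window wraps midnight, so the test is "at/after start OR before end".
    t = ts.time()
    return t >= NIGHT_START or t < NIGHT_END


def is_non_working_day(ts):
    d = ts.date()
    return d.weekday() >= 5 or d in NON_WORKING_DAYS


def off_hours_reasons(ts):
    """List the reasons (possibly both) why a timestamp counts as off-hours."""
    reasons = []
    if is_nighttime(ts):
        reasons.append("nighttime")
    if is_non_working_day(ts):
        reasons.append("non-working day")
    return reasons


def flag_off_hours_events(events):
    """Return (event, reasons) pairs for monitored events that occurred off-hours."""
    flagged = []
    for ev in events:
        if ev.kind not in MONITORED_EVENTS:
            continue
        reasons = off_hours_reasons(ev.ts)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


if __name__ == "__main__":
    for ev, reasons in flag_off_hours_events(parse_logs(SAMPLE_LOGS)):
        print(f"{ev.ts.isoformat()} {ev.kind} {ev.account} from {ev.source}: {', '.join(reasons)}")
```

Run against the constructed sample, the check flags bob's late-night VPN session, the service account's 02:03 privileged-access attempt and dave's Saturday VPN session, while ignoring the in-hours events and the unmonitored `file_read` record. The flagged records are what § 11, item V expects the institution to analyze and treat; whether they are then correlated with an approved change window or escalated is a process decision the Resolution leaves to the institution.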

§ 12. The digital certificate management referred to in item XII of § 2 must provide, at a minimum:
I - the monitoring of the use of certificates and digital signatures, including the implementation of the traceability mechanisms referred to in § 7;
II - procedures for the storage of information, including physical and logical access controls to private keys under the institution's responsibility;
III - procedures and tools to prevent the unauthorized sharing of private keys associated with the institution's digital certificates; and
IV - the timely validation of revoked certificates with certification authorities.” (NR)

“Art. 3-A. The institutions referred to in Art. 1 must establish the following additional security requirements, as an integral part of the procedures and controls provided for in their cybersecurity policy referred to in Art. 3:
I - in the case of electronic data communication on the National Financial System Network – RSFN:
a) use of multi-factor authentication for administrative access to the Pix environment and the Reserve Transfer System – STR;
b) physical and logical isolation of the Pix environment from the institution's other systems, maintaining a dedicated and separate instance from other environments in cases of contracted cloud computing services;
c) physical and logical isolation of the STR environment from the institution's other systems, maintaining a dedicated and separate instance from other environments in cases of contracted cloud computing services;
d) monitoring of the use of credentials and digital certificates, as well as establishing controls for the storage of this information, especially those used within the scope of the Instant Payment System – SPI;
e) implementation of mechanisms to validate the end-to-end integrity of transactions by the institution before the digital signature of associated messages, ensuring that the data has not been corrupted or manipulated during the generation process of these messages; and
f) prohibition of access by third-party service providers to private keys associated with digital certificates used by the institution for message signing; and
II - in the case of connection as a participant in Financial Market Systems – SMF authorized to operate, the implementation of security controls for fraud prevention, detection, and response, to be observed by the institution.

Sole Paragraph. Institutions must observe this article in a manner compatible with the provisions of:
I - this Resolution;
II - current regulation; and
III - all technical requirements of the RSFN provided for in the SFN Services Catalog, the SFN Network Manual, and the SFN Security Manual, published by the Central Bank of Brazil.” (NR)

“Art. 8. ..................................................................................................................................

§ 1. ........................................................................................................................................
................................................................................................................................................
III - relevant incidents related to the cyber environment that occurred during the period;
IV - the results of business continuity tests, considering scenarios of unavailability caused by incidents; and
V - the results of penetration tests and the tests, scans, and periodic analyses for vulnerability detection referred to in Art. 3, § 8, and the action plans established for their correction, observing the provisions of Art. 22-A, caput, item III.
.......................................................................................................................................” (NR)

“Art. 22-A. Institutions must ensure that the penetration tests mentioned in Art. 3, § 8, item IV:
I - have a minimum annual frequency;
II - are carried out with independence and impartiality by a natural person or specialized company contracted by the institution for this purpose, without prejudice to the performance of tests by the institution's own teams; and
III - have the results of their execution documented, especially any vulnerabilities identified and the action plans established for their correction.” (NR)

“Art. 22-B. The service provided for electronic data communication on the RSFN, referred to in Art. 3-A, caput, item I, is considered relevant for the purposes of applying the provisions of this Resolution regarding the contracting of processing, data storage, and cloud computing services.

§ 1. The provisions of the caput apply regardless of the form of connection to the RSFN.

§ 2. The service referred to in the caput includes cases where the service provider offers message processing services within the scope of the SFN and the Brazilian Payment System – SPB.” (NR)

“Art. 23. ..................................................................................................................................
.................................................................................................................................................
VIII - the data, records, and information related to the monitoring and control mechanisms referred to in Art. 21, counting the period referred to in the caput from the implementation of the cited mechanisms;
IX - the documentation with the criteria that constitute a crisis situation referred to in Art. 20, sole paragraph; and
X - the documentation with the results of the execution of penetration tests and the action plans established for the correction of identified vulnerabilities referred to in Art. 22-A, caput, item III, counting the period from the date of execution of the tests.” (NR)

“Art. 24. ..................................................................................................................................
.................................................................................................................................................
III - the maximum periods referred to in Art. 20, caput, item II, for the resumption or normalization of interrupted activities or relevant services;
IV - the specification of security requirements for the integration of information systems through electronic interfaces, referred to in Art. 3, § 2, item XIII; and
V - the technical requirements and operational procedures to be observed by institutions to comply with this Resolution.

§ 1. In the regulation referred to in the caput, the Central Bank of Brazil must observe the principles and guidelines referred to in Art. 2, caput.

§ 2. In the regulation referred to in item IV of the caput, the Central Bank of Brazil must also observe the following general guidelines:
I - the requirements to be specified will be those necessary and adequate to support the integration of systems referred to in Art. 3, § 2, item XIII; and
II - the content providing for the requirements must keep pace with technological innovations, so that it remains suitable as one of the procedures and controls for implementing the cybersecurity policy in future scenarios.” (NR)

Art. 2. Institutions operating on the date of entry into force of this Resolution must make the necessary adaptations to comply with the provisions of this Resolution by March 1, 2026.

Art. 3. This Resolution enters into force on the date of its publication.

GABRIEL MURICCA GALÍPOLO
President of the Central Bank of Brazil