Regulatory Alerts2025-12-09
Notice No. 8/GBM/2025, of December 9 – Guidelines for Reporting Technological and Cyber Incidents
The Bank of Mozambique issued Notice No. 8/GBM/2025 to establish mandatory guidelines for the classification, reporting, and mitigation of technological and cyber incidents affecting credit institutions and financial companies. The regulation mandates incremental reporting within strict deadlines—24 hours for preliminary, 10 business days for interim, and 30 business days for final reports—along with quarterly aggregated submissions and a 10-year evidence preservation requirement. Additionally, Notice No. 9/GBM/2025 imposes a unified annual limit of 6,000,000,000 meticais on all cross-border payments made by Mozambican bank cardholders across the national banking system.
Tuesday, December 9, 2025 | FIRST SERIES — Number 236
BOLETIM DA REPÚBLICA
OFFICIAL PUBLICATION OF THE REPUBLIC OF MOZAMBIQUE
NATIONAL PRESS OF MOZAMBIQUE, E. P.
NOTICE
The matter to be published in the «Boletim da República» must be submitted in a duly authenticated copy, one per subject, which must include, in addition to the necessary indications for this purpose, the following endorsement, signed and authenticated: For publication in the «Boletim da República».
INDEX
Bank of Mozambique: Notice No. 8/GBM/2025: Establishes guidelines for the reporting of technological and cyber incidents. Notice No. 9/GBM/2025: Establishes limits for payments abroad made through bank cards.
BANK OF MOZAMBIQUE
Notice No. 8/GBM/2025
of November 20
The relevance of technological and cyber resilience in the national financial sector has become increasingly significant, indicating the need to ensure the timely detection, communication, mitigation, and recovery of incidents that could affect consumer confidence, service integrity, and financial system stability.
In these terms, the Bank of Mozambique, in the exercise of the powers conferred upon it by paragraph d) of paragraph 2 of Article 37 of Law No. 1/92, of January 3, the Organic Law of the Bank of Mozambique, determines:
CHAPTER I
General Provisions
ARTICLE 1
Object The present Notice establishes the guidelines for the reporting of technological and cyber incidents.
ARTICLE 2
Scope The present Notice applies to credit institutions and financial companies, hereinafter referred to as “institutions”.
ARTICLE 3
Definitions The terms and expressions used in the present Notice are defined in the Glossary, Annex 1, which forms an integral part of it.
CHAPTER II
Classification and Reporting of Incidents
ARTICLE 4
Classification of incidents
- Technological and cyber incidents may be classified according to their nature or severity.
- Institutions must consider the taxonomy presented in Annex 2 of the present Notice for classifying the nature of incidents.
- Institutions must classify and report technological and cyber incidents, which encompass external and internal events, whether intentional or accidental, according to the severity levels described in Annex 3 of the present Notice.
ARTICLE 5
Reporting model
- Institutions must report incidents of critical, high, and medium levels by completing the incident reporting model, to be approved by Circular.
- Without prejudice to the preceding paragraph, low-level incidents must be properly documented and available for consultation.
ARTICLE 6
Reporting deadlines
- Institutions must report incidents incrementally within the following deadlines: a) Preliminary Report: twenty-four hours, counted from the moment of occurrence; b) Interim Report: ten business days, counted from the date of submission of the preliminary report; and c) Final Report: within thirty business days, counted from the date of submission of the interim report.
- If the incident is not resolved within the deadline established in paragraph c) of the preceding paragraph, institutions must submit to the Bank of Mozambique, within the same timeframe, the final report and an action plan containing the mitigation measures adopted or planned to resolve the incident and prevent its recurrence.
- If the institution resolves the incident in a period shorter than twenty-four hours, it must submit: a) The preliminary report as provided for in paragraph a) of paragraph 1 of this article; and b) The interim and final reports within five days.
ARTICLE 7
Content of reports Reports must contain: a) Preliminary Report: general information describing the essential characteristics of the incident and its probable impact, following the model approved by the Bank of Mozambique. b) Interim Report: detailed description of the incident and its impact, which must be updated whenever the institution has new relevant information or significant changes; and c) Final Report: information updating the interim report, supplemented with details on the root cause analysis of the incident, the results of the internal investigation, remediation actions taken or planned, and lessons learned.
ARTICLE 8
Aggregated reporting Institutions must submit quarterly, by the fifteenth day of the month following the relevant quarter, information containing the list of incidents that occurred, attaching for this purpose: a) The transmittal letter, duly signed by a member of the Board of Directors and the senior executive responsible for incident management; and b) Aggregated information of the reported incidents within the considered period, according to the Model approved by Circular.
ARTICLE 9
Preservation of information and duty of cooperation
- Institutions must preserve data and evidence related to the occurrence of reported incidents for a minimum period of 10 years.
- Institutions must also cooperate with regulatory and security authorities in the investigation of reported incidents.
- Without prejudice to the preceding paragraphs, institutions must ensure compliance with the legal duty of bank secrecy to which they are bound.
CHAPTER III
Final Provisions
ARTICLE 10
Sanctioning Regime Non-compliance with the provisions of the present Notice constitutes a regulatory offense punishable under Law No. 20/2020, of December 31, the Law on Credit Institutions and Financial Companies.
ARTICLE 11
Entry into force The present Notice enters into force ninety days from the date of its publication.
ARTICLE 12
Clarification of doubts Doubts regarding the interpretation and application of the present Notice must be submitted to the Prudential Supervision Department of the Bank of Mozambique.
Maputo, November 20, 2025. — The Governor, Rogério Lucas Zandamela.
Annex 1
Glossary
A Critical Assets – resources or systems essential for the continuity of an institution's operations, whose compromise or failure has a significant impact on provided services, data security, and institutional reputation.
C Malicious Code – intentionally included or inserted firmware or software in a system for harmful purposes.
D Dialler – a specific type of spyware, whose function is to generate calls to a specific phone number once installed on the user's computer or network.
E Event – observable occurrence in an information system or network.
I Cyber Incident – occurrence that places at risk the integrity, confidentiality, or availability of information, or constitutes a violation or imminent threat of violation of the law, information security policies, security procedures, or acceptable use policies. Technological Incident – occurrence that results in the failure, interruption, or malfunction of computer systems, equipment, or communications network infrastructure.
P Proxy – software that receives network packets from a client and forwards them on the client's behalf to the desired destination.
S Scanning – process of scanning systems, networks, or devices to find vulnerabilities to be exploited. Peripheral System – computer system that is not essential for the institution's main operations, being important for the business but not critical to its ability to function and serve clients, allowing institutions to perform functions such as marketing and sales, human resources management, budgeting, and collaboration, among others. Core System – any computer system that is essential for the institution's operations and whose failure or interruption has a significant impact on the business.
These are based on any technological components (software, hardware, databases, processes, applications, among others) for the execution of functions such as financial operations management, bank card management, digital channels, and transaction management in financial markets. Spyware – software that is secretly installed on an information system to collect information about individuals or organizations without their knowledge.
R Recovery Time Objectives (RTO) – acceptable time in which a system can be unavailable after a disaster.
Rootkit – malicious software that allows privileged access to areas of a computer, corrupting the operating system or other applications, hiding its presence. Ransomware – software that infects a computer so that the user cannot access stored data, with the restoration of access to blocked files conditioned upon payment of a ransom.
W Worm – program that has the property of creating replicas of itself in a computer's memory, as well as propagating from one computer to another through the network.
Annex 2
Incident Taxonomy by Nature
| Category | Classification | Incident Type | Incident Description |
|---|---|---|---|
| Technological Incident | System Issues | Configuration Error/Failure | Compatibility or configuration errors between systems or source codes. |
| System Unavailability | Incorrect system or equipment parametrization, equipment failures, cyber attacks, network interruptions, system maintenance, natural disasters, power supply and climate control issues. | ||
| System Slowness | Resource overload, increased transaction volume, slow network connection, poorly optimized applications, excessive concurrency, database fragmentation. | ||
| Version Update Errors/Failures | Patch incompatibility, inadequate test environments, human error, network issues, strict security policies, interruptions during updates, and lack of planning and scheduling. | ||
| Others | Any incident that does not fit into any of the previous categories. | ||
| Incorrect Configuration | Inadequate equipment parametrization. | ||
| Obsolescence | Obsolete equipment outside the support period. |
| Category | Classification | Incident Type | Incident Description |
|---|---|---|---|
| Technological Incident (cont.) | Equipment Failures | Physical Damage or Breakage of Equipment | Physical breakage of servers, terminals, mobile devices, and network equipment caused by manufacturing defects. |
| Overload | Equipment operating above its capacities for an extended period due to incorrect sizing. | ||
| Unupdated Firmware | Lack of update of the software embedded in hardware. | ||
| Others | Any incident that does not fit into any of the previous categories. | ||
| Failures/Interruption of communications network infrastructure | Network Equipment Errors/Failures | Failure in switches, routers, firewalls, and Network Security equipment, IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems). | |
| Problems with cables and physical connections | Disconnection or damage of cables and problems at connection points. | ||
| Failures in internet connections or service provider | Internet service interruption and problems in Backup connections. | ||
| Network congestion and overload | High bandwidth utilization and DDoS (Distributed Denial of Service) attacks. | ||
| Network configuration problems | Incorrect configuration of routers and switches and DNS and DHCP configurations. | ||
| Failures/Interruption of communications network infrastructure (cont.) | Failures in wireless communication equipment | Problems with Wi-Fi Access Points and Signal Interference. | |
| Failures in power and energy systems | Power outages and voltage spikes. |
| Category | Classification | Incident Type | Incident Description |
|---|---|---|---|
| Cyber Incident | Latency and packet loss problems | High latency and packet loss. | |
| Others | Any incident that does not fit into any of the previous categories. | ||
| Abusive Content | Spam | Unsolicited bulk email. The content recipient did not give valid authorization to receive a bulk message. | |
| Abusive Content (cont) | Hate crimes, crimes against freedom or honor | Defamatory or discriminatory content (cyberbullying, racism, threats to a person or directed at groups, among others). | |
| Child pornography, violent sexual content | Material that visually presents content related to child pornography, advocacy of violence, among others. | ||
| Malicious Code | Worm | Software that is intentionally included or inserted into a system for harmful purposes. Normally, user interaction is required to activate the code. | |
| Trojan | |||
| Spyware | |||
| Dialler | |||
| Rootkit | |||
| Information Gathering | Scanning | Attacks that send requests to a system to discover weak points. This also includes some type of testing processes to gather information about hosts, services, and accounts. | |
| Sniffing | Observation and recording of network traffic (phone tapping). |
| Category | Classification | Incident Type | Incident Description |
|---|---|---|---|
| Social Engineering | Techniques used to obtain confidential information through actions that deceive or exploit people's trust. | ||
| Intrusion Attempt | Exploitation of known vulnerabilities | An attempt to compromise a system or disrupt any service by exploiting vulnerabilities. | |
| Exploitation of unknown vulnerabilities (Zero-Day Attack) | Attempts to exploit an unknown vulnerability in hardware or firmware, for which no patch has been issued yet, compromising security before any possible mitigation. | ||
| Credential Violation Access Attempt | Multiple attempts to breach credentials. For example, password cracking attempts, brute force attacks. | ||
| Unknown Attack | Attempt to use an unknown exploit. | ||
| Intrusion | Compromise of privileged account | Compromise of a system where the attacker acquired high privileges. | |
| Compromise of an unprivileged account | Compromise of a system using unprivileged accounts. | ||
| Compromise of applications | Compromise of an application by exploiting software vulnerabilities (e.g., SQL injection). | ||
| DoS (Denial-of-Service) | Denial of service attack. For example: sending excessive requests to a Web application that causes service interruption or slowdown. | ||
| DDoS (Distributed Denial-of-Service) | Distributed denial of service attack. |
| Category | Classification | Incident Type | Incident Description |
|---|---|---|---|
| Unavailability | Misconfiguration | Incorrect software configuration causing service availability problems. | |
| Sabotage | Physical sabotage (e.g., cutting equipment cabling or arson) | ||
| Interruptions | Interruptions due to external causes (e.g., natural disaster). | ||
| Information Compromise | Unauthorized access to information | Unauthorized access to information. For example: theft of access credentials through traffic interception or access to physical documents. | |
| Unauthorized alteration of information | Unauthorized alteration of information. | ||
| For example: modification by an attacker using stolen credentials from a system or application or data encryption by ransomware. | |||
| Data Loss | Loss of information, for example, due to a hard drive failure or physical theft. | ||
| Fraud | Unauthorized use of resources | Use of resources for improper purposes, including profit-making. | |
| Copyright | Unauthorized access to copying or illegal distribution, through software piracy or violation of rights in source code, protected by copyright through digital means. | ||
| Identity Fraud | A type of attack where an entity pretends to be another to obtain illegitimate gains. | ||
| Phishing | Pretending to be another institution with the aim of convincing the user to reveal private credentials. |
| Category | Classification | Incident Type | Incident Description |
|---|---|---|---|
| Vulnerability | Weak Cryptography | Publicly accessible services that may have weak cryptography. | |
| DDoS Amplifier | Publicly accessible services that can be used for DDoS attack reflection or amplification. | ||
| Information Disclosure | Public access to services where potentially sensitive information may be disclosed. | ||
| Services with potential for unwanted access | Features in systems, networks, or devices that can be exploited to allow unauthorized access. | ||
| Vulnerable System | Security flaws or weaknesses, resulting from programming errors, inadequate configurations, lack of security updates, or poor design, that can be exploited to compromise organizational systems. | ||
| Others | APT (Advanced Persistent Threat) | A type of cyber attack characterized by its sophistication, persistence, and specific focus on selected targets, such as organizations or government entities. This threat typically employs social engineering techniques to achieve its objectives, along with the use of known or legitimate attack procedures. | |
| Others | Any incident that does not fit into any of the previous categories. |
Annex 3
Incident Classification by Severity Levels
| IMPACT CATEGORY | ||
|---|---|---|
| OPERATIONAL | REPUTATIONAL/IMAGE | |
| Critical | • Interruption of critical services in the medium or long term (failure => 200% of RTO/SLA) | • When the incident generates negative exposure in international media and on social networks. |
| • High number of affected clients – clients >= 25%. | • Recurrent complaints, i.e., repeated more than once for the same service or product, indicating persistence of the problem. | |
| • Resolution/mitigation of the incident implies activation of the Business Continuity Plan (BCP). | ||
| High | • Unavailability of critical assets in the medium term (100% of RTO/SLA <= failure < 200% of RTO/SLA. | • When the incident generates broad negative exposure in national media and on social networks, or causes complaints of significant relevance to the institutional mission. |
| • Number of affected clients – 10% <= clients < 25%. | • Significant level complaints, i.e., considerable number of complaints concentrated on the same service/product, revealing widespread client dissatisfaction. | |
| • Resolution/mitigation of the incident requires the application of external resources. |
| IMPACT CATEGORY | ||
|---|---|---|
| OPERATIONAL | REPUTATIONAL/IMAGE | |
| Medium | • Unavailability of critical assets in the short term (50% of RTO <= failure < 100% of RTO). | • When the incident causes limited negative exposure in national media and on social networks, or generates complaints of moderate relevance related to the institutional mission. |
| • Number of affected clients – 5% <= clients < 10%. | • Complaints that occur sporadically, without high concentration and without broadly affecting the client base. | |
| • Resolution/mitigation of the incident through internal resources. | ||
| Low | • Unavailability of critical assets in the short term (failure < 50% of RTO). | • When the incident has no repercussion in national media or on social networks, or generates low-relevance complaints that do not affect the institutional mission. |
| • Number of affected clients – clients < 5%. | • Sporadic and isolated complaints, resolved quickly and without material impact on the institution's image. | |
| • Resolution/mitigation of the incident through minimal allocation of internal resources. |
Annex 4
List of Acronyms
APT – Advanced Persistent Threat DDoS – Distributed Denial of Service DoS – Denial of Service IDS – Intrusion Detection System IPS – Intrusion Prevention System RTO – Recovery Time Objective SLA – Service Level Agreement SPAM – Sending and Posting Advertisement in Mass IT – Information Technologies
Notice No. 9/GBM/2025
of December 2
Given the need to establish limits for payments abroad using bank cards, the Bank of Mozambique, under the combined provisions of paragraph a) of Article 9 of Law No. 28/2022, of December 29, the Exchange Law, and paragraph 4 of Article 17 of Law No. 2/2008, of February 27, the National Payment System Law, determines:
ARTICLE 1
Object The present Notice establishes limits for payments abroad made through bank cards.
ARTICLE 2
Scope The present Notice applies to credit institutions subject to the supervision of the Bank of Mozambique and to natural and legal persons, holders of bank cards issued in Mozambique, regardless of whether they are foreign exchange residents or non-residents.
ARTICLE 3
Definitions For the purposes of the present Notice, the following are understood: a) bank card: a payment instrument, generally in the form of a plastic card, made available by a credit institution to the holder so that, through access to a telecommunications network and based on the bank account associated with the card or the balance loaded onto it, they can perform banking operations. The bank card, according to its function, can be credit, debit, or prepaid; b) payment abroad: any payment operation carried out abroad with a bank card issued by a credit institution authorized by the Bank of Mozambique; c) holder: natural or legal person, foreign exchange resident or non-resident, who enters into a contract with a credit institution for the issuance of a bank card and is permitted to use it.
ARTICLE 4
Limits for payments abroad
- Natural and legal persons may only carry out payments abroad using a bank card up to an annual limit equivalent to 6,000,000,000 MT (six million meticais).
- The annual limit corresponds to the aggregated value across the entire national banking system, fixed for each holder, regardless of the number of contracts entered into with credit institutions, the number of bank cards, and the payment channels through which transactions are made, including cash withdrawals.
- The annual limit does not prejudice the daily limits defined for each card by the credit institution