New cybersecurity and outsourcing standards in the Brazilian financial system
The Central Bank of Brazil (BCB) published Resolution No. 538 on December 18, 2025, introducing a more demanding regulatory framework in terms of cybersecurity and the contracting of data processing and storage services.
The resolution represents a significant shift in the supervisory approach, moving towards a framework of specific, verifiable, and auditable technical requirements aligned with international best practices.
Resolution No. 538 introduces a relevant change by establishing mandatory minimum criteria, reducing subjective interpretation and raising the level of regulatory requirements. This approach facilitates supervision by the regulator and promotes greater consistency in the system’s security standards.
One of the central aspects of the regulation is the definition of a minimum set of 14 mandatory controls that must be integrated into the cybersecurity policy of financial institutions.
These controls reinforce key aspects such as:
The requirement for these controls marks progress toward more structured models, comparable to frameworks such as those published by NIST or ISO 27001, although with local regulatory specificity.
The resolution introduces the obligation to implement end-to-end traceability mechanisms in transactions and operations.
From a technical and operational perspective, this implies:
This requirement not only strengthens incident detection but also improves response capabilities.
Regarding the contracting of data processing and storage services (especially in cloud environments), the resolution establishes stricter conditions for third-party management.
Among the most relevant aspects are:
The need for risk assessments prior to contracting
The requirement for contractual guarantees regarding security and availability
The obligation to maintain visibility, control, and oversight capability over outsourced services
This approach responds to the growing importance of technology providers in the financial system’s value chain.
The implementation of BCB Resolution No. 538 implies a direct impact on the operational and governance models of financial institutions, including:
For many organizations, especially those with complex or highly distributed architectures, the main challenge will be operationalizing technical requirements in a consistent and scalable way.
The technical and auditable nature of the resolution highlights that compliance can no longer be addressed solely from a documentary or governance perspective, but requires specific technological capabilities.
In this context, specialized solutions such as those developed by BOTECH enable organizations to:
These capabilities are key to transforming regulatory compliance into an operational, automated, and sustainable process over time.
The resolution is part of a broader strategy by the Central Bank of Brazil aimed at strengthening operational resilience and the stability of the financial system.
The increase in the attack surface, accelerated digitalization, and dependence on third parties make a more precise and demanding regulatory framework necessary. In this context, Resolution No. 538 helps raise the sector’s level of preparedness against cyber and operational risks. By introducing mandatory minimum controls, strengthening traceability, and tightening requirements on third parties, the regulator sets a new standard for financial institutions.
In this new scenario, the combination of governance, processes, and technology will be decisive in achieving effective and sustainable compliance.