
Brazil Cybersecurity Regulation 2026: MFA & Passkeys

Brazil's CMN 5,274/2025 & BCB 538/2025 require 14 auditable cybersecurity controls and explicit MFA for PIX. Learn who must comply by March 1, 2026.

Vincent Delitz

Created: April 21, 2026

Updated: April 21, 2026

Key Facts
  • Brazil's CMN Resolution 5,274/2025 and BCB Resolution 538/2025, adopted December 18, 2025 and published in the Official Gazette on December 22, 2025, add 14 prescriptive, auditable cybersecurity controls to the existing mandatory framework, with a compliance deadline of March 1, 2026.
  • Multi-factor authentication is now explicitly mandatory for all administrative access to PIX and STR environments, with physical/logical isolation required and dedicated cloud instances mandated.
  • Banks and payment institutions (fintechs, IPs, brokers) are held to the same cybersecurity standard for the first time, closing the "fintech privilege" gap.
  • Annual independent penetration tests with 5-year evidence retention are mandatory; institutions carry formal institutional accountability for cyber resilience, with board-level oversight expected as part of the broader governance framework.
  • New controls include mandatory Dark Web/Deep Web credential monitoring (passkeys shrink the exposure here by removing passwords and shared OTP secrets, although session tokens, API keys and account-recovery paths still need watching) and API security requirements (a distinct control separate from authentication).

1. Introduction: Brazil raises the Cyber Bar

Brazil runs one of the world's most sophisticated digital payment ecosystems. PIX (the instant payment system operated by the Central Bank of Brazil) processes more than 7 billion transactions per month and has become the default payment method for a nation of over 200 million people. This systemically critical infrastructure also makes Brazil a prime target: geopolitical tensions, state-sponsored threat actors and organized financial crime all converge on the same systems that move the country's money.

The scale of the threat is not hypothetical. The World Economic Forum's Global Cybersecurity Outlook 2025 reports that nearly 60% of organizations have adjusted their cybersecurity strategy in direct response to escalating geopolitical tensions, and that 72% of respondents report an overall increase in organizational cyber risks. Financial systems are a standing target in nation-state campaigns, and Brazil's are no exception.

Against this backdrop, two new cybersecurity resolutions adopted on December 18, 2025 represent what industry analysts are calling Brazil's regulatory "divisor de águas", a watershed moment. CMN Resolution 5,274/2025 and BCB Resolution 538/2025 do not merely tweak the existing mandatory framework; they significantly strengthen it by replacing its principles-based approach with explicit, auditable, board-accountable obligations for every financial institution operating in Brazil.

In this article, we cover the three most important questions for compliance teams:

  • What exactly do the new resolutions require, and how do they differ from what came before?
  • Who is affected, by which regulation, and by when?
  • What does this mean for authentication, specifically for MFA, SMS-OTP, PIX and passkeys?

2. Two Resolutions, one Standard

2.1 Why two Resolutions

Brazil's financial regulatory architecture splits oversight between two bodies with overlapping but distinct jurisdictions. The National Monetary Council (CMN) governs financial institutions (traditional banks and credit cooperatives). The Central Bank of Brazil (BCB/BACEN) governs payment institutions, brokers and distributors. When the regulators decided to overhaul cybersecurity requirements in late 2025, they needed two separate legal instruments to reach every player in the ecosystem.

The result:

Resolution | Issuer | Amends | Scope
CMN 5,274/2025 | National Monetary Council | CMN 4,893/2021 | Banks, credit cooperatives, BCB-authorized financial institutions
BCB 538/2025 | Central Bank of Brazil | BCB 85/2021 | Payment institutions (IPs), securities brokers/distributors, foreign exchange brokers

The technical requirements in both resolutions are identical. This is deliberate: regulators explicitly closed the gap between traditional banks and fintechs. A payment institution operating a digital wallet faces exactly the same cybersecurity obligations as a Tier-1 bank. The era of "fintech privilege" in Brazilian financial cybersecurity is over.

2.2 Compliance Deadline

Both resolutions were adopted on December 18, 2025 and entered into force on their publication in the Official Gazette on December 22, 2025. They give institutions a single adaptation period until March 1, 2026 to reach full compliance. The deadline applies uniformly to every covered institution, with no sector-specific phase-ins or grandfathering clauses beyond this adaptation window.

As Baker McKenzie summarized in their January 2026 analysis, the new regulations were introduced "in response to the growing digitalization of the sector and the implementation of PIX, which has increased traffic on the National Financial System Network (RSFN)", and they detail 14 procedures and controls that must necessarily be adopted by institutions to reduce vulnerability to incidents.

3. Mandatory Controls

The centerpiece of the new framework is Art. 3 §2, which establishes 14 minimum controls that must be present in every institution's cybersecurity policy and, crucially, must be demonstrable through auditable technical evidence, not just policy documentation.

# | Control | Auth/Passkey relevance
1 | Authentication (incl. MFA) | Direct: MFA now explicitly required
2 | Cryptographic mechanisms | Public-key cryptography underlies passkeys
3 | Intrusion prevention and detection | -
4 | Information leakage prevention (DLP) (new) | Passkeys have no exfiltrable credential to steal
5 | Anti-malware | -
6 | Traceability / end-to-end logging | Audit evidence for authentication events
7 | Backup management | -
8 | Vulnerability management | -
9 | Access controls | Passkeys enforce cryptographic access control
10 | Hardening / secure configuration profiles | -
11 | Network protection (segmentation, firewalls) | -
12 | Digital certificate management (incl. revocation) | Aligns with passkey key management
13 | API / interface security (new) | Distinct from authentication; passkeys secure the auth layer but do not replace API security controls
14 | Cyber threat intelligence (Dark Web / Deep Web monitoring, new) | Passkeys remove the password class of credential that Dark Web monitoring hunts for; session tokens, API keys and recovery codes remain in scope

Controls 4, 13 and 14 are new additions versus the 2021 framework. Their inclusion signals a mature regulatory understanding: stolen credentials (control 14), leaky APIs (control 13) and exfiltrated data (control 4) are among the most common entry points for attacks on financial systems. Passkeys directly neutralize the credential-theft and credential-phishing vector; they do not by themselves address API security or data exfiltration, which need their own controls.

3.1 PIX and STR-specific Requirements (Art. 3-A)

Institutions that participate in the Rede do Sistema Financeiro Nacional (RSFN), the network that carries PIX and STR transactions, face an additional layer of obligations on top of the 14 controls. The official BCB Resolution 538/2025 text mandates explicitly in Art. 3-A:

"uso de múltiplos fatores de autenticação para o acesso administrativo aos ambientes Pix e STR" - multi-factor authentication for administrative access to PIX and STR environments.

The full Art. 3-A stacks six controls into a single isolated security perimeter around PIX/STR: MFA for all administrative access, physical and logical isolation of PIX/STR systems from the rest of the infrastructure, dedicated cloud instances for these environments, credential and certificate monitoring in the SPI, end-to-end integrity validation before message signing, and an explicit ban on third-party (including cloud provider) access to private keys. The architecture diagram below shows how these controls relate to each other and to the rest of the institutional infrastructure:

The ban on third-party private key access is the most consequential architectural constraint: private keys used in PIX/STR must remain under the exclusive control of the regulated institution, even when the workloads run on a public cloud.

4. Paradigm Shift: from Policy to Prescription

The most consequential change in the 2025 resolutions is not that they create a cybersecurity obligation from scratch - CMN 4,893/2021 and BCB 85/2021 were already mandatory. The shift is from a principles-based framework to an explicitly prescriptive one:

Dimension | Old framework (2021) | New framework (2025)
Nature | Mandatory but principles-based | Prescriptive with explicit controls
Evidence standard | Policy documents | Auditable technical evidence
Penetration testing | Optional | Annual independent pentest, 5-year retention
Cloud status | Cloud as a general service | RSFN data communication classified as a relevant service; dedicated cloud instances required for PIX/STR
Board accountability | Implicitly expected | Formally codified at institutional level
Threat intelligence | Recommended | Dark/Deep Web monitoring mandatory
Third-party governance | Soft guidance | "If it's in your chain, it's your responsibility"

As Mattos Filho noted in their regulatory analysis, the 2025 rules move beyond the previous framework's principles-based approach by requiring institutions to implement and document specific technical controls, with formal oversight responsibilities anchored at the institutional governance level.

Brazilian institutions that have relied on policy-level compliance (maintaining a cybersecurity policy document while deferring technical controls) will find that approach no longer viable. The 2025 framework requires that each of the 14 controls be demonstrable through logs, audit trails, test reports and technical configurations that can be reviewed by an independent auditor.

5. Impact on Authentication

5.1 MFA is now an explicit Mandate

Under CMN 4,893/2021 and BCB 85/2021, cybersecurity controls were already mandatory at an institutional level, but MFA was not enumerated as an explicit standalone control. The 2025 resolutions close this gap directly: authentication (including MFA) is Control #1 of the 14 mandatory minimum controls. For PIX/STR environments, MFA for administrative access is named explicitly in Art. 3-A.

This matters operationally: institutions that previously relied on password-only or single-factor authentication for internal systems (particularly for PIX operations) now face a clear legal gap that must be closed before March 1, 2026.

5.2 Why SMS-OTP is insufficient for privileged Access

SMS-based one-time passwords were already considered inadequate for high-assurance environments before the 2025 resolutions. The new framework makes this tension acute for several reasons:

  • Phishing and SIM-swapping: an SMS-OTP can be relayed in real time by a reverse-proxy phishing kit or intercepted through SIM-swap fraud. Neither attack is stopped by the code itself, only by the user noticing. Art. 3-A mandates MFA for RSFN administrative access, and the isolation and key-custody rules around PIX/STR leave little justification for a factor an attacker can replay within its validity window.
  • NIST SP 800-63-4 alignment: issued in July 2025, NIST's updated digital identity guidelines require phishing-resistant authentication at AAL3 and explicitly allow syncable authenticators such as FIDO2 passkeys at AAL2. SMS-OTP remains permissible at AAL2 but offers no phishing resistance, which is the property privileged RSFN access effectively demands.
  • Dark Web monitoring (Control 14): the control obliges institutions to watch for leaked credentials and remediate what they find. Passwords and the phone numbers that SMS-OTP depends on are exactly what appears on those markets; a passkey deployment leaves no password or shared OTP secret to leak, so there is less to find and less to remediate.

5.3 Passkeys as the phishing-resistant compliance Path

Passkeys based on FIDO2/WebAuthn are the most direct path to satisfying the authentication controls introduced by the new framework. A passkey login combines:

  • A cryptographic private key held by the authenticator (possession factor). The key signs a server-issued challenge and never leaves the authenticator. With a synced passkey the key is replicated between the user's devices by the platform's credential manager, so for privileged PIX/STR access institutions should require device-bound credentials, which the relying party can confirm from the backup-eligibility flag in the authenticator data and, where enforced at registration, from attestation.
  • Biometric or PIN verification (inherence or knowledge factor), performed locally on the authenticator before the key is used and reported to the server through the user-verification flag, which the server must check rather than assume.

This satisfies the MFA requirement under Control #1 and Art. 3-A with a single, frictionless user action. The compliance scorecard below contrasts passkeys against password-only and SMS-OTP authentication across the key requirements of the new framework:

In addition to Control #1, passkeys use public-key cryptography and produce signatures bound to the relying party ID and to the origin and challenge of one specific login. That binding is what makes them phishing-resistant: a signature obtained on a look-alike domain is not valid for the bank's domain. It also means they support Control #2 (cryptographic mechanisms), Control #4 (DLP, since no shared secret is ever created or transmitted), Control #9 (access controls cryptographically bound to authenticator and user) and Control #14 (Dark Web monitoring, by removing the password class of credential that monitoring is designed to detect; session tokens, API keys and account-recovery paths remain in scope and still need monitoring).

5.4 Passkeys for consumer PIX Authentication

The new framework addresses administrative access, but a parallel regulatory thread applies to consumer-facing PIX transactions. BCB Resolution 403 and Normative Instruction 491 establish a device registration framework for PIX with hard limits for unregistered devices:

  • Transactions from an unregistered device are capped at BRL 200 per transaction and BRL 1,000 per day
  • Lifting those caps requires a registered, BCB-verified device
  • Device registration involves a verification step that incentivizes strong, device-bound authentication methods

Device-bound passkeys are a natural fit for PIX device registration. At enrollment, FIDO2 attestation tells the institution which kind of authenticator created the credential and the backup-eligibility flag tells it whether the key can be synced off the device, so it can accept only device-bound credentials. At login, the biometric or PIN unlock supplies the second factor, and the user experience is a single tap rather than an SMS code plus manual entry.

6. Who must comply and by when

Institution type | Governing resolution | Deadline
Banks (deposit, investment, development) | CMN 5,274/2025 | March 1, 2026
Credit cooperatives | CMN 5,274/2025 | March 1, 2026
Payment institutions (IPs) | BCB 538/2025 | March 1, 2026
Securities brokers and distributors | BCB 538/2025 | March 1, 2026
Foreign exchange brokers | BCB 538/2025 | March 1, 2026
Digital-only fintechs with BCB authorization | BCB 538/2025 | March 1, 2026

Service providers (cloud vendors, core banking software suppliers, SMS gateway operators) are not directly regulated, but (as with Turkey's BDDK framework) their clients must ensure contractual compliance through due diligence, audit rights and security obligations.

7. Recommendations for Brazilian Financial Institutions

7.1 Immediate Gap Assessment

Conduct a gap analysis against the 14 controls in Art. 3 §2 with an emphasis on producing auditable evidence for each, not just policy attestation. Pay particular attention to controls 1, 4, 13 and 14 which are either new or newly prescriptive.

7.2 Prioritize phishing-resistant MFA for privileged Users

For any role with administrative access to PIX/STR environments, SMS-OTP and password-only authentication must be replaced before March 1, 2026. FIDO2 hardware security keys or platform passkeys are the two practical options that satisfy the phishing-resistance requirement implied by the RSFN isolation rules. For these privileged roles, register device-bound (non-synced) credentials only, require user verification on every assertion rather than trusting the client, and keep the registration attestation as audit evidence.

7.3 Passkey Rollout for consumer Banking

Deploy passkeys for consumer-facing PIX authentication as a compliance accelerator and competitive differentiator. Post-login or post-transaction passkey enrollment prompts (aligned with the device registration framework of BCB 403/IN 491) enable frictionless onboarding and meet the device verification requirements that unlock higher PIX transaction limits.

7.4 Authentication Observability for Audit Evidence

Control #6 (traceability / end-to-end logging) and the 5-year evidence retention mandate for penetration tests signal a broader shift toward evidence-based compliance. Authentication analytics platforms that capture login events, passkey adoption rates and drop-off patterns provide the audit trail required to demonstrate ongoing compliance to BCB supervisors.

7.5 Cloud and third-party Governance

If PIX or STR workloads run on shared cloud infrastructure, migrate to dedicated instances before the March 2026 deadline. Review contracts with all third-party service providers to ensure audit rights and the prohibition on third-party private key access are reflected.

8. Global Context: Brazil joins the phishing-resistance Movement

Brazil's 2025 resolutions are not an isolated development. The timeline below plots the major financial-sector authentication regulations between 2020 and 2026 and shows how Brazil's March 2026 deadline fits into a synchronized global shift toward phishing-resistant authentication:

The details behind each milestone:

  • UAE (March 2026): CBUAE mandates phishing-resistant authentication for digital banking, effectively ending SMS-OTP for high-value access
  • Turkey (2020/2025): BDDK bans SMS-OTP for active mobile banking users and mandates universal 2FA
  • Vietnam (2025): NAPAS / SBV mandate biometric authentication for all banking transactions above thresholds
  • Nigeria: CBN mandates biometric-based MFA for financial services
  • Australia (2024): Cyber Security Bill combined with Essential Eight Level 3 makes phishing-resistant MFA effectively mandatory for critical infrastructure
  • NIST SP 800-63-4 (July 2025): Updated US federal guidance requires phishing-resistant authentication at AAL3 and explicitly allows passkeys as AAL2-compliant authenticators

The common thread: regulators worldwide have concluded that password-plus-SMS authentication is not a defensible baseline for financial services.

9. Conclusion

CMN Resolution 5,274/2025 and BCB 538/2025 transform Brazilian financial cybersecurity from a framework of intentions to one of obligations. For the first time, banks and payment institutions face the same prescriptive controls, the same evidence standards and the same board-level accountability structure.

For authentication teams, the implications are clear:

  • MFA is now law, not guidance, for PIX/STR administrative access
  • Auditable evidence of authentication controls must be producible on demand
  • SMS-OTP is inadequate for privileged and RSFN environments under the phishing-resistance requirements implied by the new framework
  • Passkeys/FIDO2 are the most direct compliance path for both administrative and consumer-facing authentication, addressing Controls 1, 2, 4, 9 and 14 simultaneously
  • March 1, 2026 is non-negotiable: the deadline applies equally to a Tier-1 bank and a fintech IP

Brazilian institutions that have been deferring authentication modernization now have a hard regulatory forcing function. Those that move earliest will not only achieve compliance fastest but will also gain a competitive advantage as consumer trust in phishing-resistant digital banking grows.

Frequently Asked Questions

What are CMN Resolution 5,274/2025 and BCB Resolution 538/2025?

These are two Brazilian cybersecurity resolutions adopted on December 18, 2025 and published in the Official Gazette on December 22, 2025, by the National Monetary Council (CMN) and the Central Bank of Brazil (BCB). They amend the existing mandatory cybersecurity frameworks (CMN 4,893/2021 and BCB 85/2021) by adding 14 explicitly prescriptive, auditable controls and a hard compliance deadline of March 1, 2026.

Does the new Brazilian cybersecurity regulation mandate multi-factor authentication?

Yes. For institutions participating in PIX and STR payment environments (RSFN), multi-factor authentication is now explicitly mandatory for all administrative access. This is a direct prescriptive requirement, not a best-practice recommendation, and extends to cloud deployments.

Which institutions are affected by CMN 5,274/2025 and BCB 538/2025?

CMN 5,274/2025 covers all BCB-authorized financial institutions (banks, credit cooperatives and similar entities). BCB 538/2025 covers payment institutions, securities brokers and distributors and foreign exchange brokers. Together the two resolutions close the regulatory gap between traditional banks and fintechs, holding both to the same standard.

Are passkeys compliant with the new Brazilian cybersecurity rules?

Yes. Passkeys based on FIDO2/WebAuthn are the strongest available option for meeting Brazil's new MFA mandate. They combine a device-bound cryptographic key (possession factor) with biometric or PIN verification (inherence/knowledge factor), resist phishing attacks and eliminate exfiltrable credentials, directly addressing several of the 14 mandatory controls including authentication, DLP and credential monitoring.

Is SMS-OTP still sufficient under the new Brazilian banking cybersecurity rules?

SMS-OTP is a weak choice for PIX/STR administrative access under the new rules. Art. 3-A mandates MFA for RSFN administrative access, the surrounding isolation and key-custody rules effectively demand phishing resistance, and SMS-OTP is vulnerable to SIM-swapping and real-time phishing. For customer-facing PIX transactions, BCB Resolution 403 and IN 491 establish device registration requirements with strict limits for unregistered devices, providing a strong incentive to deploy device-bound authentication methods like passkeys.

What happens if a Brazilian financial institution misses the March 1, 2026 deadline?

Non-compliant institutions face BCB supervisory action including fines, mandatory remediation plans and potential restrictions on digital service operations. The new rules formalize institutional accountability for cyber resilience, with board-level oversight expected as part of the broader governance context. The rules impose organizational duties rather than explicit personal liability for individual directors.

How are PIX and STR environments specifically protected under the new rules?

Art. 3-A of the resolutions requires MFA for all administrative PIX and STR access, physical and logical isolation of PIX/STR systems from other infrastructure, dedicated cloud instances for these environments, credential and certificate monitoring in the SPI, end-to-end integrity validation before message signing and an explicit ban on third-party (including cloud provider) access to private keys.

What is the difference between CMN 5,274/2025 and BCB 538/2025?

The two resolutions are technically identical in their requirements but address different regulatory perimeters. CMN 5,274/2025 is issued by the National Monetary Council and applies to financial institutions supervised by the CMN (banks, credit cooperatives). BCB 538/2025 is issued by the Central Bank and applies to payment institutions, brokers and distributors it supervises. The uniform technical requirements mean fintechs and banks now face the same cybersecurity bar.
