---
url: 'https://www.corbado.com/blog/brazil-cybersecurity-regulation'
title: 'Brazil Cybersecurity Regulation 2026: MFA & Passkeys'
description: 'Brazil''s CMN 5,274/2025 & BCB 538/2025 require 14 auditable cybersecurity controls and explicit MFA for PIX. Learn who must comply by March 1, 2026.'
lang: 'en'
author: 'Vincent Delitz'
date: '2026-04-21T13:32:04.556Z'
lastModified: '2026-04-21T16:03:01.533Z'
keywords: 'brazil cybersecurity regulation, CMN 5274 2025, BCB 538 2025, pix cybersecurity, brazil MFA requirements, brazil financial cybersecurity, BACEN passkeys, resolução BCB 538'
category: 'Passkeys Strategy'
---

# Brazil Cybersecurity Regulation 2026: MFA & Passkeys

## Key Facts

- Brazil's **CMN Resolution 5,274/2025** and **BCB Resolution 538/2025**, adopted
  December 18, 2025 and published in the Official Gazette on December 22, 2025, add
  **14 prescriptive, auditable cybersecurity controls** to the existing mandatory
  framework, with a compliance deadline of **March 1, 2026**.
- **Multi-factor authentication is now explicitly mandatory** for all administrative
  access to PIX and STR environments, with physical/logical isolation required and
  dedicated cloud instances mandated.
- Banks and payment institutions (fintechs, IPs, brokers) are held to the **same
  cybersecurity standard** for the first time, closing the "fintech privilege" gap.
- **Annual independent penetration tests** with 5-year evidence retention are mandatory;
  institutions carry **formal institutional accountability** for cyber resilience, with
  board-level oversight expected as part of the broader governance framework.
- New controls include mandatory **Dark Web/Deep Web credential monitoring** (directly
  addressed by passkeys eliminating exfiltrable credentials) and **API security**
  requirements (a distinct control separate from authentication).

## 1. Introduction: Brazil raises the Cyber Bar

Brazil runs one of the world's most sophisticated digital payment ecosystems. PIX (the
instant payment system operated by the Central Bank of Brazil) processes more than
**7 billion transactions per month** and has become the default payment method for a nation
of over 200 million people. This systemically critical infrastructure also makes Brazil a
prime target: geopolitical tensions, state-sponsored threat actors and organized financial
crime all converge on the same systems that move the country's money.

The scale of the threat is not hypothetical. The [World Economic Forum's Global
Cybersecurity Outlook 2025](https://www.weforum.org/publications/global-cybersecurity-outlook-2025/)
reports that **nearly 60% of organizations** have adjusted their cybersecurity strategy in
direct response to escalating geopolitical tensions, and that **72% of respondents report
an overall increase in organizational cyber risks**, with financial systems sitting at the
center of every nation-state attack campaign.

Against this backdrop, two new cybersecurity resolutions adopted on December 18, 2025
represent what industry analysts are calling Brazil's regulatory "divisor de águas", a
watershed moment. **CMN Resolution 5,274/2025** and **BCB Resolution 538/2025** do not
merely tweak the existing mandatory framework; they significantly strengthen it by
replacing its principles-based approach with explicit, auditable, board-accountable
obligations for every financial institution operating in Brazil.

In this article, we cover the three most important questions for compliance teams:

- **What exactly do the new resolutions require**, and how do they differ from what came before?
- **Who is affected**, by which regulation, and by when?
- **What does this mean for authentication**, specifically for MFA, SMS-OTP, PIX and passkeys?

## 2. Two Resolutions, one Standard

### 2.1 Why two Resolutions

Brazil's financial regulatory architecture splits oversight between two bodies with
overlapping but distinct jurisdictions. The **National Monetary Council (CMN)** governs
financial institutions (traditional banks and credit cooperatives). The **Central Bank of
Brazil (BCB/BACEN)** governs payment institutions, brokers and distributors. When the
regulators decided to overhaul cybersecurity requirements in late 2025, they needed two
separate legal instruments to reach every player in the ecosystem.

The result:

| Resolution | Issuer | Amends | Scope |
|---|---|---|---|
| CMN 5,274/2025 | National Monetary Council | CMN 4,893/2021 | Banks, credit cooperatives, BCB-authorized financial institutions |
| BCB 538/2025 | Central Bank of Brazil | BCB 85/2021 | Payment institutions (IPs), securities brokers/distributors, foreign exchange brokers |

The technical requirements in both resolutions are **identical**. This is deliberate:
regulators explicitly closed the gap between traditional banks and fintechs. A payment
institution operating a digital wallet faces exactly the same cybersecurity obligations as
a Tier-1 bank. The era of "fintech privilege" in Brazilian financial cybersecurity is over.

### 2.2 Compliance Deadline

Both resolutions entered into force on publication (adopted December 18, 2025 and
published in the Official Gazette on December 22, 2025) and give institutions a single
adaptation period until **March 1, 2026** to reach full compliance. The deadline applies
uniformly to every covered institution, with no sector-specific phase-ins or grandfathering
clauses beyond this adaptation window.

As [Baker McKenzie summarized in their January 2026 analysis](https://connectontech.bakermckenzie.com/brazil-bcb-and-cmn-establish-additional-cyber-security-requirements/),
the new regulations were introduced "in response to the growing digitalization of the sector
and the implementation of PIX, which has increased traffic on the National Financial System
Network (RSFN)", and they detail 14 procedures and controls that must necessarily be adopted
by institutions to reduce vulnerability to incidents.

## 3. Mandatory Controls

The centerpiece of the new framework is Art. 3 §2, which establishes 14 minimum controls
that must be present in every institution's cybersecurity policy and, crucially, must be
demonstrable through auditable technical evidence, not just policy documentation.

| # | Control | Auth/Passkey relevance |
|---|---|---|
| 1 | **Authentication** (incl. MFA) | Direct: MFA now explicitly required |
| 2 | Cryptographic mechanisms | Public-key cryptography underlies passkeys |
| 3 | Intrusion prevention and detection | - |
| 4 | **Information Leakage Prevention (DLP)** (new) | Passkeys have no exfiltrable credential to steal |
| 5 | Anti-malware | - |
| 6 | Traceability / end-to-end logging | Audit evidence for authentication events |
| 7 | Backup management | - |
| 8 | Vulnerability management | - |
| 9 | Access controls | Passkeys enforce cryptographic access control |
| 10 | Hardening / secure configuration profiles | - |
| 11 | Network protection (segmentation, firewalls) | - |
| 12 | Digital certificate management (incl. revocation) | Aligns with passkey key management |
| 13 | **API / interface security** (new) | Distinct from authentication; passkeys secure the auth layer but do not replace API security controls |
| 14 | **Cyber Threat Intelligence** (Dark Web / Deep Web monitoring, new) | Passkeys eliminate the credentials that Dark Web monitoring hunts for |

Controls 4, 13 and 14 are new additions versus the 2021 framework. Their inclusion signals
a mature regulatory understanding: stolen credentials (control 14), leaky APIs (control
13) and exfiltrated data (control 4) are the three most common entry points for attacks on
financial systems. Passkeys directly neutralize the credential risk vector.

### 3.1 PIX and STR-specific Requirements (Art. 3-A)

Institutions that participate in the *Rede do Sistema Financeiro Nacional* (RSFN), the
network that carries PIX and STR transactions, face an additional layer of obligations on
top of the 14 controls. The [official BCB Resolution 538/2025 text](https://www.bcb.gov.br/estabilidadefinanceira/exibenormativo?numero=538&tipo=Resolu%C3%A7%C3%A3o+BCB)
mandates explicitly in Art. 3-A:

> *"uso de múltiplos fatores de autenticação para o acesso administrativo aos ambientes
> Pix e STR"* - multi-factor authentication for administrative access to PIX and STR
> environments.

The full Art. 3-A stacks six controls into a single isolated security perimeter around
PIX/STR. The architecture diagram below shows how these controls relate to each other and
to the rest of the institutional infrastructure:

The ban on third-party private key access is the most consequential architectural
constraint: private keys used in PIX/STR must remain under the exclusive control of the
regulated institution, even when the workloads run on a public cloud.

## 4. Paradigm Shift: from Policy to Prescription

The most consequential change in the 2025 resolutions is not that they create a cybersecurity
obligation from scratch - CMN 4,893/2021 and BCB 85/2021 were already mandatory. The shift
is from a principles-based framework to an explicitly *prescriptive* one:

| Dimension | Old framework (2021) | New framework (2025) |
|---|---|---|
| Nature | Mandatory but principles-based | **Prescriptive with explicit controls** |
| Evidence standard | Policy documents | **Auditable technical evidence** |
| Penetration testing | Optional | **Annual independent pentest, 5-year retention** |
| Cloud status | Cloud as a general service | **RSFN data communication classified as a relevant service; dedicated cloud instances required for PIX/STR** |
| Board accountability | Implicitly expected | **Formally codified at institutional level** |
| Threat intelligence | Recommended | **Dark/Deep Web monitoring mandatory** |
| Third-party governance | Soft guidance | **"If it's in your chain, it's your responsibility"** |

As [Mattos Filho noted in their regulatory analysis](https://www.mattosfilho.com.br/en/unico/brazilian-central-new-rules/),
the 2025 rules move beyond the previous framework's principles-based approach by requiring
institutions to implement and document specific technical controls, with formal oversight
responsibilities anchored at the institutional governance level.

Brazilian institutions that have relied on policy-level compliance (maintaining a
cybersecurity policy document while deferring technical controls) will find that approach
no longer viable. The 2025 framework requires that each of the 14 controls be demonstrable
through logs, audit trails, test reports and technical configurations that can be reviewed
by an independent auditor.

## 5. Impact on Authentication

### 5.1 MFA is now an explicit Mandate

Under CMN 4,893/2021 and BCB 85/2021, cybersecurity controls were already mandatory at an
institutional level, but MFA was not enumerated as an explicit standalone control. CMN
5,274/2025 closes this gap directly: **authentication (including MFA) is Control #1** in
the 14 mandatory minimum controls. For PIX/STR environments, MFA for administrative
access is named explicitly in Art. 3-A.

This matters operationally: institutions that previously relied on password-only or
single-factor authentication for internal systems (particularly for PIX operations) now
face a clear legal gap that must be closed before March 1, 2026.

### 5.2 Why SMS-OTP is insufficient for privileged Access

SMS-based one-time passwords were already considered inadequate for high-assurance
environments before the 2025 resolutions. The new framework makes this tension acute for
several reasons:

- **Phishing and SIM-swapping**: SMS-OTP is vulnerable to real-time phishing proxies and
  SIM-swap fraud. The new rules require phishing-resistant controls for RSFN environments.
- **NIST SP 800-63-4 alignment**: Issued in July 2025, [NIST's updated digital identity
  guidelines](https://pages.nist.gov/800-63-4/) require **phishing-resistant
  authentication at AAL3** and explicitly allow syncable authenticators such as
  [FIDO2 passkeys](https://www.corbado.com/blog/passkeys-fido2-difference) at AAL2. SMS-OTP remains permissible
  at AAL2, but falls short of the phishing-resistance level that Brazil's RSFN
  administrative access requirements effectively demand.
- **Dark Web monitoring (Control 14)**: If SMS-based credentials are compromised and
  appear on Dark Web markets, the institution faces both a Control 14 violation and a
  remediation obligation. Passkeys eliminate this risk category entirely: there are no
  symmetric secrets to steal.

### 5.3 Passkeys as the phishing-resistant compliance Path

[Passkeys based on FIDO2/WebAuthn](https://www.corbado.com/blog/what-are-passkeys) are the most direct path to
satisfying the authentication controls introduced by the new framework. A passkey login
combines:

- A **device-bound cryptographic private key** (possession factor) that never leaves the
  user's device
- **Biometric or PIN verification** (inherence or knowledge factor) confirmed locally
  before the key is used

This satisfies the MFA requirement under Control #1 and Art. 3-A with a single,
frictionless user action. The compliance scorecard below contrasts passkeys against
password-only and SMS-OTP authentication across the key requirements of the new framework:

In addition to Control #1, passkeys use public-key cryptography and produce signatures
scoped to the specific origin and session, which means they also satisfy Control #2
(cryptographic mechanisms), Control #4 (DLP, since no shared secret is ever created or
transmitted), Control #9 (access controls cryptographically bound to device and user) and
Control #14 (Dark Web monitoring, by eliminating the credential category that monitoring
is designed to detect).

### 5.4 Passkeys for consumer PIX Authentication

The new framework addresses administrative access, but a parallel regulatory thread
applies to consumer-facing PIX transactions. **BCB Resolution 403 and Instruction 491**
establish a device registration framework for PIX with strict limits for unregistered
devices:

- Transactions above **BRL 200 per transaction** or **BRL 1,000 per day** require a
  registered, BCB-verified device
- Unregistered devices face these hard transaction caps
- Device registration involves a verification step that incentivizes strong, device-bound
  authentication methods

[Device-bound passkeys](https://www.corbado.com/blog/passkeys-device-bound) are a natural fit for PIX device
registration: the FIDO2 attestation model provides cryptographic proof of device binding,
the biometric unlock satisfies the second factor, and the user experience is a single tap
rather than an SMS code plus manual entry.

## 6. Who must comply and by when

| Institution type | Governing resolution | Deadline |
|---|---|---|
| Banks (deposit, investment, development) | CMN 5,274/2025 | March 1, 2026 |
| Credit cooperatives | CMN 5,274/2025 | March 1, 2026 |
| Payment institutions (IPs) | BCB 538/2025 | March 1, 2026 |
| Securities brokers and distributors | BCB 538/2025 | March 1, 2026 |
| Foreign exchange brokers | BCB 538/2025 | March 1, 2026 |
| Digital-only fintechs with BCB authorization | BCB 538/2025 | March 1, 2026 |

Service providers (cloud vendors, core banking software suppliers, SMS gateway operators)
are not directly regulated, but (as with [Turkey's BDDK framework](https://www.corbado.com/blog/turkey-financial-regulations-authentication)) their clients must ensure
contractual compliance through due diligence, audit rights and security obligations.

## 7. Recommendations for Brazilian Financial Institutions

### 7.1 Immediate Gap Assessment

Conduct a gap analysis against the 14 controls in Art. 3 §2 with an emphasis on producing
**auditable evidence** for each, not just policy attestation. Pay particular attention to
controls 1, 4, 13 and 14, which are either new or newly prescriptive.

### 7.2 Prioritize phishing-resistant MFA for privileged Users

For any role with administrative access to PIX/STR environments, SMS-OTP and password-only
authentication must be replaced before March 1, 2026. FIDO2 hardware security keys or
platform passkeys are the two practical options that satisfy the phishing-resistance
requirement implied by the RSFN isolation rules.

### 7.3 Passkey Rollout for consumer Banking

Deploy passkeys for consumer-facing PIX authentication as a compliance accelerator and
competitive differentiator. Post-purchase or post-login passkey enrollment prompts
(aligned with the device registration framework of BCB 403/IN 491) enable frictionless
onboarding and meet the device verification requirements that unlock higher PIX transaction
limits.

### 7.4 Authentication Observability for Audit Evidence

Control #6 (traceability / end-to-end logging) and the 5-year evidence retention mandate
for penetration tests signal a broader shift toward evidence-based compliance. Authentication
analytics platforms that capture login events, passkey adoption rates and drop-off patterns
provide the audit trail required to demonstrate ongoing compliance to BCB supervisors.

### 7.5 Cloud and third-party Governance

If PIX or STR workloads run on shared cloud infrastructure, migrate to dedicated instances
before the March 2026 deadline. Review contracts with all third-party service providers to
ensure audit rights and the prohibition on third-party private key access are reflected.

## 8. Global Context: Brazil joins the phishing-resistance Movement

Brazil's 2025 resolutions are not an isolated development. The timeline below plots the
major financial-sector authentication regulations between 2020 and 2026 and shows how
Brazil's March 2026 deadline fits into a synchronized global shift toward phishing-resistant
authentication:

The details behind each milestone:

- **[UAE (March 2026)](https://www.corbado.com/blog/uae-banking-otp-phase-out)**: CBUAE mandates phishing-resistant
  authentication for digital banking, effectively ending SMS-OTP for high-value access
- **[Turkey (2020/2025)](https://www.corbado.com/blog/turkey-financial-regulations-authentication)**: BDDK bans
  SMS-OTP for active mobile banking users and mandates universal 2FA
- **[Vietnam (2025)](https://www.corbado.com/blog/vietnam-banking-biometrics)**: NAPAS / SBV mandate biometric
  authentication for all banking transactions above thresholds
- **[Nigeria](https://www.corbado.com/blog/nigeria-banking-biometrics-passkeys)**: CBN mandates biometric-based
  MFA for financial services
- **Australia (2024)**: [Cyber Security Bill](https://www.corbado.com/blog/cyber-security-bill-australia) combined
  with Essential Eight Level 3 makes phishing-resistant MFA effectively mandatory for
  critical infrastructure
- **NIST SP 800-63-4 (July 2025)**: Updated US federal guidance requires phishing-resistant
  authentication at AAL3 and explicitly allows passkeys as AAL2-compliant authenticators

The common thread: regulators worldwide have concluded that password-plus-SMS authentication
is not a defensible baseline for financial services.

## 9. Conclusion

CMN Resolution 5,274/2025 and BCB 538/2025 transform Brazilian financial cybersecurity
from a framework of intentions to one of obligations. For the first time, banks and payment
institutions face the same prescriptive controls, the same evidence standards and the same
board-level accountability structure.

For authentication teams, the implications are clear:

- **MFA is now law**, not guidance, for PIX/STR administrative access
- **Auditable evidence** of authentication controls must be producible on demand
- **SMS-OTP is inadequate** for privileged and RSFN environments under the phishing-resistance
  requirements implied by the new framework
- **Passkeys/FIDO2** are the most direct compliance path for both administrative and
  consumer-facing authentication, addressing Controls 1, 2, 4, 9 and 14 simultaneously
- **March 1, 2026 is non-negotiable**: the deadline applies equally to a Tier-1 bank and a
  fintech IP

Brazilian institutions that have been deferring authentication modernization now have a
hard regulatory forcing function. Those that move earliest will not only achieve compliance
fastest but will also gain a competitive advantage as consumer trust in phishing-resistant
digital banking grows.

## Frequently Asked Questions

### What are CMN Resolution 5,274/2025 and BCB Resolution 538/2025?

These are two Brazilian cybersecurity resolutions adopted on December 18, 2025 and
published in the Official Gazette on December 22, 2025, by the National Monetary Council
(CMN) and the Central Bank of Brazil (BCB). They amend the existing mandatory cybersecurity
frameworks (CMN 4,893/2021 and BCB 85/2021) by adding 14 explicitly prescriptive, auditable
controls and a hard compliance deadline of March 1, 2026.

### Does the new Brazilian cybersecurity regulation mandate multi-factor authentication?

Yes. For institutions participating in PIX and STR payment environments (RSFN), multi-factor
authentication is now explicitly mandatory for all administrative access. This is a direct
prescriptive requirement, not a best-practice recommendation, and extends to cloud
deployments.

### Which institutions are affected by CMN 5,274/2025 and BCB 538/2025?

CMN 5,274/2025 covers all BCB-authorized financial institutions (banks, credit cooperatives
and similar entities). BCB 538/2025 covers payment institutions, securities brokers and
distributors and foreign exchange brokers. Together the two resolutions close the
regulatory gap between traditional banks and fintechs, holding both to the same standard.

### Are passkeys compliant with the new Brazilian cybersecurity rules?

Yes. Passkeys based on FIDO2/WebAuthn are the strongest available option for meeting
Brazil's new MFA mandate. They combine a device-bound cryptographic key (possession factor)
with biometric or PIN verification (inherence/knowledge factor), resist phishing attacks
and eliminate exfiltrable credentials, directly addressing several of the 14 mandatory
controls including authentication, DLP and credential monitoring.

### Is SMS-OTP still sufficient under the new Brazilian banking cybersecurity rules?

SMS-OTP is a weak choice for PIX/STR administrative access under the new rules. The
regulations require phishing-resistant controls for RSFN environments, and SMS-OTP is
vulnerable to SIM-swapping and phishing. For customer-facing PIX transactions, BCB
Resolution 403 and IN 491 establish device registration requirements with strict limits
for unregistered devices, providing a strong incentive to deploy device-bound
authentication methods like passkeys.

### What happens if a Brazilian financial institution misses the March 1, 2026 deadline?

Non-compliant institutions face BCB supervisory action including fines, mandatory
remediation plans and potential restrictions on digital service operations. The new rules
formalize institutional accountability for cyber resilience, with board-level oversight
expected as part of the broader governance context. The rules impose organizational duties
rather than explicit personal liability for individual directors.

### How are PIX and STR environments specifically protected under the new rules?

Art. 3-A of the resolutions requires MFA for all administrative PIX and STR access,
physical and logical isolation of PIX/STR systems from other infrastructure, dedicated cloud
instances for these environments, credential and certificate monitoring in the SPI, end-to-end
integrity validation before message signing and an explicit ban on third-party (including
cloud provider) access to private keys.

### What is the difference between CMN 5,274/2025 and BCB 538/2025?

The two resolutions are technically identical in their requirements but address different
regulatory perimeters. CMN 5,274/2025 is issued by the National Monetary Council and
applies to financial institutions supervised by the CMN (banks, credit cooperatives). BCB
538/2025 is issued by the Central Bank and applies to payment institutions, brokers and
distributors it supervises. The uniform technical requirements mean fintechs and banks now
face the same cybersecurity bar.
