Brazil’s VASP framework applies to legal entities providing virtual asset services in Brazil, including exchange, transfer, custody, administration, and services related to the offer or sale of virtual assets. In Brazilian regulatory language, these providers are commonly referred to as VASPs or SPSAVs, meaning Sociedades Prestadoras de Serviços de Ativos Virtuais.
This checklist helps VASPs active in Brazil translate the 2026 framework into practical compliance actions across authorization, governance, operational risk, AML/CFT, custody, transaction monitoring, third-party risk, and technology infrastructure.
From a cybersecurity perspective, the key finding is clear: Brazil’s rules include detailed cybersecurity requirements, but they are embedded across the broader regulatory framework rather than packaged as a standalone cybersecurity regulation.
What Is Brazil’s 2026 VASP Framework?
Brazil has a functioning crypto regulatory framework built on three main layers:
- Law No. 14,478/2022: Establishes the legal basis for regulation of virtual asset service providers. Enacted in December 2022 and effective from June 2023.
- Decree No. 11,563/2023: Designates the Central Bank of Brazil as the competent authority for VASP regulation and supervision.
- BCB Resolutions 519, 520, and 521: Define the practical requirements for licensing, governance, compliance, operational obligations, cybersecurity, and foreign exchange (FX) treatment.
What Does Resolution 520 Explicitly Require?
Resolution 520, Section 2.11, is the clearest cybersecurity section in the Brazil VASP framework. It requires controls covering access, monitoring, incident response, business continuity, security culture, system testing, vulnerability analysis, independent review, and smart contract testing.
Demarest's detailed summary of the rules confirms that VASPs must implement and maintain measures and procedures covering at least:
- Identity management and logical and physical access control to prevent unauthorized access to resources and sensitive data.
- Continuous security monitoring and incident response mechanisms to detect and respond to potential threats.
- Preventive measures to mitigate cyber incidents, particularly in operations involving decentralized finance operators.
- Procedures for granting authorizations, password creation, and access controls based on authorization levels, with preventive deactivation in suspicious situations.
- Fostering a security culture among employees, service providers, and related parties.
- Business continuity plans addressing security breaches or disaster scenarios.
- Adoption of security best practices including training, technical certifications, and external qualification processes.
- Testing of systems and software used, including smart contracts, comprising vulnerability analyses, performance reviews by independent analysts, and robustness/security tests.
These requirements go beyond high-level governance. The regulation explicitly names identity management, access controls, incident response, vulnerability analysis, independent review, and smart contract testing.
What Other Cybersecurity-Relevant Obligations Apply?
Brazil’s VASP framework also includes cybersecurity-relevant obligations outside Section 2.11. These requirements connect cybersecurity to governance, data confidentiality, third-party risk, asset segregation, custody security, smart contract testing, and AML/CFT controls.
- Cybersecurity policy: VASPs must appoint a director/officer responsible for the cybersecurity policy and execution of the incident response plan. This policy must be documented, reviewed every two years, and available to the BCB.
- Data confidentiality: VASPs are explicitly responsible for the confidentiality, integrity, availability, security, and secrecy of data and information regarding virtual asset transactions.
- Vendor/third-party risk: VASPs remain responsible for the integrity, reliability, security, and secrecy of transactions conducted through engaged service providers. Technology services specifically related to VASP operations are classified as “relevant services” requiring oversight.
- Governance documentation: Providers must maintain documented, BCB-accessible policies covering cybersecurity, institutional security, data processing/cloud computing, personal data protection, private key safekeeping, and risk management.
- Asset segregation: Full segregation between firm and client virtual assets, including on-chain wallet separation. Omnibus accounts are prohibited.
- Smart contract testing: Resolution 520 explicitly requires vulnerability analysis, independent performance review, and robustness/security testing of smart contracts used by the VASP.
What Pre-Existing Cybersecurity Frameworks May Also Apply?
VASPs must also comply with financial-sector cybersecurity regulations that already apply to regulated institutions. These frameworks add requirements around cybersecurity policy, cloud computing, due diligence, audit rights, data residency, intrusion detection, monitoring, and independent testing.
- CMN Resolution 4,893/2021, amended by 5,274/2025: Cybersecurity policy for financial institutions. Requires policies based on confidentiality, integrity, and availability principles. Covers cloud computing due diligence, audit rights, and data residency controls.
- BCB Resolution 85/2021, amended by 538/2025: Equivalent requirements for payment institutions. December 2025 amendments added 14 specific security controls including encryption, intrusion detection, deep/dark web monitoring, and mandatory annual independent penetration tests.
Brazil VASP Cybersecurity Requirement Matrix
The following matrix summarizes the main cybersecurity-relevant requirement areas identified in the current source material and where they appear in the Brazil VASP framework.
How Hacken Helps VASPs Prepare for Brazil’s 2026 Framework
For crypto exchanges, custodians, brokers, stablecoin operators, and other VASPs active in Brazil, the key 2026 task is to translate the new framework into practical compliance across authorization, governance, operational risk, AML/CFT, custody, transaction monitoring, third-party risk, and technology infrastructure.