Cybersecurity Regulatory Compliance Hub
Technical guides and compliance programs for each information-security regulation that affects Brazilian companies — from the Central Bank of Brazil to the ANPD, and on to ISO 27001, PCI DSS, GDPR, DORA and NIS2.
Regulations and standards covered
Each regulation has specific technical requirements. The guides below translate the legal text into concrete controls, deadlines and deliverables that Decripte implements with an SLA.
BACEN Resolution 4.893 and 5.274
Cybersecurity Policy (PSC), Incident Response Plan (PRIC), periodic pentest and third-party management required for every financial institution authorized by the Central Bank of Brazil. Deadline: 2026-03-01 for S4-S5.
PCI DSS 4.0
The cardholder data security standard for anyone who stores, processes or transmits payment data. 12 requirements, merchant levels, SAQ vs QSA audit and what is new in version 4.0.
Brazil’s crypto legal framework
Law 14.478/2022 defines virtual assets and service providers (VASPs), supervised by the Central Bank of Brazil. AML/CFT obligations, custody and asset segregation, key management and exchange security.
Cybercrime in Brazil
The laws that define digital crimes (Carolina Dieckmann Law 12.737/2012, Law 14.155/2021, Marco Civil) — what constitutes each crime, penalties, how to preserve evidence and where to report.
DORA — Digital Operational Resilience
The EU digital operational resilience regulation reaches Brazilian companies that serve EU financial entities. 5 pillars, testing (TLPT), third-party risk and incident reporting.
NIS2 — EU cybersecurity directive
The NIS2 directive expands cybersecurity obligations across the European Union and reaches suppliers outside the bloc. Minimum measures under art. 21, 24h/72h reporting and management accountability.
GDPR for Brazilian companies
When the GDPR reaches a Brazilian company (art. 3) and what it requires beyond the LGPD: international transfers (SCCs), EU representative (art. 27), DPO and fines up to €20M or 4% of global turnover.
CVM Resolution 175 and virtual assets
When a token is a security (CVM jurisdiction) vs a virtual asset (BACEN), how Resolution 175 treats funds and tokenization, and the expected custody, segregation and security controls.
Coming soon
Not sure which regulation applies to your company?
Decripte's free assessment maps the regulations that apply to your sector, size and business model — and shows what is already exposed before any investment.
