Cybersecurity Regulatory Compliance Hub

Technical guides and compliance programs for each information-security regulation that affects Brazilian companies — from the Central Bank of Brazil to the ANPD, and on to ISO 27001, PCI DSS, GDPR, DORA and NIS2.

Regulations and standards covered

Each regulation has specific technical requirements. The guides below translate the legal text into concrete controls, deadlines and deliverables that Decripte implements with an SLA.

Fintechs · Banks · PIs · Cooperatives

BACEN Resolution 4.893 and 5.274

Cybersecurity Policy (PSC), Incident Response Plan (PRIC), periodic pentest and third-party management required for every financial institution authorized by the Central Bank of Brazil. Deadline: 2026-03-01 for S4-S5.

Mandatory PSCDocumented PRICAnnual pentest (S1-S2)3-business-day notice
Read guide
Payments · Cards · E-commerce

PCI DSS 4.0

The cardholder data security standard for anyone who stores, processes or transmits payment data. 12 requirements, merchant levels, SAQ vs QSA audit and what is new in version 4.0.

12 requirementsSAQ vs QSALevels 1–4Pentest and segmentation
Read guide
Crypto · Web3 · VASPs

Brazil’s crypto legal framework

Law 14.478/2022 defines virtual assets and service providers (VASPs), supervised by the Central Bank of Brazil. AML/CFT obligations, custody and asset segregation, key management and exchange security.

Law 14.478/2022VASPAML/CFTCustody and keys
Read guide
Legislation · Incident response

Cybercrime in Brazil

The laws that define digital crimes (Carolina Dieckmann Law 12.737/2012, Law 14.155/2021, Marco Civil) — what constitutes each crime, penalties, how to preserve evidence and where to report.

Law 12.737/2012Law 14.155/2021Evidence preservationDigital forensics
Read guide
Fintechs · Crypto · European Union

DORA — Digital Operational Resilience

The EU digital operational resilience regulation reaches Brazilian companies that serve EU financial entities. 5 pillars, testing (TLPT), third-party risk and incident reporting.

EU Regulation 2022/25545 pillarsTLPTICT third-party risk
Read guide
Exports · EU supply chain

NIS2 — EU cybersecurity directive

The NIS2 directive expands cybersecurity obligations across the European Union and reaches suppliers outside the bloc. Minimum measures under art. 21, 24h/72h reporting and management accountability.

EU Directive 2022/2555Essential sectors24h/72h reportingManagement accountability
Read guide
Privacy · Data of people in the EU

GDPR for Brazilian companies

When the GDPR reaches a Brazilian company (art. 3) and what it requires beyond the LGPD: international transfers (SCCs), EU representative (art. 27), DPO and fines up to €20M or 4% of global turnover.

EU Regulation 2016/679Extraterritorial reachSCCsFine up to 4% global
Read guide
Capital markets · Crypto · Tokenization

CVM Resolution 175 and virtual assets

When a token is a security (CVM jurisdiction) vs a virtual asset (BACEN), how Resolution 175 treats funds and tokenization, and the expected custody, segregation and security controls.

CVM Resolution 175Token = security?Custody and segregationTokenization
Read guide

Coming soon

LGPD — Law 13.709/2018ISO 27001 / 27701PCI DSS v4.0NIS2 (exporting to Europe)NIST CSF 2.0

Not sure which regulation applies to your company?

Decripte's free assessment maps the regulations that apply to your sector, size and business model — and shows what is already exposed before any investment.