MARCH 2026 · 10 MIN READ

BNR cybersecurity compliance in 2026: what regulated institutions must do now

The National Bank of Rwanda has steadily strengthened cybersecurity expectations for supervised institutions over the past several years. The Regulation on Cyber Resilience for the Financial Sector established the foundation, and BNR’s supervisory approach has continued to evolve through examination practices, circulars, and direct engagement with institutions. For compliance officers and CISOs at Rwandan banks, microfinance institutions, insurance companies, and fintechs, the question in 2026 is no longer whether to invest in cybersecurity but how to meet the specific requirements efficiently and demonstrate readiness when examiners arrive.

This guide covers the current state of BNR cybersecurity expectations, what institutions need to have in place, and practical steps to close the gaps we most commonly see. For a broader overview of BNR requirements, see our foundational guide on BNR cybersecurity requirements for banks in Rwanda.

BNR ICT risk management framework

BNR expects every supervised institution to operate a formal ICT risk management framework. This is not a document that sits in a drawer. Examiners look for evidence that the framework is actively implemented, regularly reviewed, and meaningfully governs how the institution manages technology risk.

Board-level accountability is the starting point. BNR expects the board of directors to approve the institution’s cybersecurity policy and to receive regular reports on cyber risk. This means the CISO or IT risk officer must present to the board at least quarterly, covering the current threat landscape, the status of security controls, results of recent assessments, and any incidents that occurred. Board minutes should reflect that these discussions happened and that directors asked substantive questions. A board that rubber-stamps IT reports without engagement is a finding waiting to happen.

ICT governance structure must define clear roles and responsibilities. Who owns cybersecurity policy? Who is responsible for incident response? Who approves changes to critical systems? BNR expects a separation of duties between those who develop and operate systems and those who oversee security. In practice, this means your IT security function should not report directly to the head of IT operations. Independence matters.

Risk assessment must be ongoing, not a one-time exercise. BNR expects institutions to maintain a current register of ICT assets, identify threats and vulnerabilities to those assets, assess the likelihood and impact of compromise, and implement controls proportionate to the risk. This register should be reviewed at least annually and updated whenever significant changes occur: new systems, new services, organisational restructuring, or changes in the threat environment.

Proportionality principle: BNR applies expectations proportionate to the size, complexity, and risk profile of the institution. A Tier 1 commercial bank processing millions of transactions daily faces more rigorous expectations than a small microfinance institution. However, the core requirements, including penetration testing, incident response, and board governance, apply to all supervised entities.

Penetration testing and vulnerability assessment mandates

BNR requires all supervised institutions to conduct regular vulnerability assessments and penetration tests. This is one of the most concrete and verifiable requirements, and it is an area where examiners can quickly determine whether an institution is taking cybersecurity seriously.

Frequency: At minimum, BNR expects annual penetration testing. Institutions operating mobile banking platforms, payment processing systems, card services, or internet banking should test more frequently. After any significant change to systems or infrastructure, an additional test is expected. Significant changes include deploying a new application, migrating to new infrastructure, or making major architectural modifications.

Scope: Testing must cover all internet-facing systems. This includes web applications, APIs, mobile banking apps, USSD gateways, email infrastructure, VPN endpoints, and any other services accessible from the internet. Internal network testing is also expected for institutions with complex IT environments. BNR examiners look for evidence that the scope was comprehensive, not limited to a single application while ignoring the rest of the attack surface.

Provider qualifications: BNR expects testing to be performed by qualified professionals. This means testers with recognised offensive security certifications, particularly OSCP (Offensive Security Certified Professional). Internal IT staff running an automated scanner does not satisfy the requirement. The institution must be able to demonstrate that the testing was conducted by individuals with verifiable expertise. For guidance on selecting a provider, see our guide on choosing a penetration testing firm in Kigali.

Remediation evidence: Identifying vulnerabilities is only half the requirement. BNR expects institutions to demonstrate that findings were remediated and that remediation was verified through retesting. A pentest report from two years ago with critical findings still open is worse than having no report at all. It proves the institution knew about the risk and did nothing.

Preparing for a regulatory examination

BNR cybersecurity examinations evaluate both documentation and operational reality. Having policies on paper is necessary but insufficient. Examiners will ask for evidence that policies are implemented, that controls are functioning, and that the institution can respond to incidents effectively.

Documentation readiness is the foundation. Before an examination, ensure the following are current and accessible: cybersecurity policy (board-approved, reviewed within the past year), ICT risk register, incident response plan, business continuity and disaster recovery plan, penetration test reports with remediation tracking, vulnerability scan results, access control documentation, and third-party vendor risk assessments.

Evidence of ongoing monitoring separates compliant institutions from merely documented ones. BNR examiners look for logs showing that security monitoring is active: SIEM dashboards, alerting rules, log retention policies, and evidence that alerts are investigated. If your security operations centre, whether internal or outsourced, cannot demonstrate that it actively monitors for threats, that is a gap.

Incident response drills are increasingly expected. Having an incident response plan is necessary, but BNR wants to see evidence that the plan has been tested. Tabletop exercises where the incident response team walks through a scenario (ransomware attack, data breach, insider threat) demonstrate preparedness. Document these exercises: date, participants, scenario, decisions made, lessons learned. An institution that has never tested its incident response plan cannot credibly claim it works.

Practical preparation sequence: Start with a gap assessment against BNR requirements. Identify the gaps. Prioritise remediation based on risk and examiner focus areas. Conduct independent penetration testing. Remediate findings. Retest critical issues. Compile documentation. Run an incident response tabletop. This sequence typically takes three to six months for an institution starting from scratch.

Third-party risk management is an area where many institutions fall short. If you use cloud hosting, payment processing partners, core banking software vendors, or managed IT services, BNR expects you to assess and manage the security risks those third parties introduce. This means conducting due diligence before contracting (security questionnaires, certifications review, pentest reports from the vendor), maintaining a register of third-party relationships with risk ratings, and monitoring those relationships over time.

Common compliance gaps we see

From our work with BNR-regulated institutions across Rwanda, the most frequent gaps include:

  • Outdated cybersecurity policies. Policies approved three or four years ago that have not been reviewed or updated to reflect current systems and threats. BNR expects annual review at minimum.
  • No annual penetration test. Some institutions have never had a professional penetration test. Others had one years ago and have not repeated it. This is one of the easiest gaps for examiners to identify and one of the most straightforward to close.
  • No incident response testing. The incident response plan exists in a document but has never been exercised. When asked “What would you do if ransomware hit your core banking system right now?”, the team cannot answer confidently.
  • No vendor risk assessment programme. Third-party service providers are used extensively but no formal risk assessment has been conducted on any of them. No security questionnaires, no review of vendor certifications, no monitoring of vendor security posture.
  • No board reporting on cyber risk. The board receives IT updates but not specific cybersecurity risk reports. There is no evidence in board minutes that cyber risk is discussed as a distinct agenda item.
  • Access control gaps. Shared administrator accounts, no multi-factor authentication on critical systems, users with excessive permissions that have never been reviewed. Access reviews should happen at least quarterly.

Common technical vulnerabilities we find during BNR assessments

Beyond compliance documentation gaps, our penetration testing of BNR-regulated institutions consistently reveals these technical vulnerabilities:

  • Insecure Direct Object References (IDOR) in banking APIs allowing access to other customers’ data by changing a parameter
  • Weak or missing authentication on internal APIs that backend systems rely on
  • USSD session handling vulnerabilities enabling session hijacking or transaction replay
  • Default credentials on network equipment such as routers, switches, and firewalls
  • Missing security headers and TLS misconfigurations on internet-facing applications
  • Insufficient input validation leading to injection attacks on web and API endpoints

These are the types of findings that BNR examiners expect a professional penetration test to uncover. An institution that has never had a thorough VAPT engagement should expect a significant number of findings in the first assessment.

How we can help

We work with BNR-regulated institutions across Rwanda to close cybersecurity compliance gaps efficiently. Our approach starts with a gap assessment against current BNR requirements, followed by targeted penetration testing and vulnerability assessment to identify technical risks. Our reports are structured specifically for regulatory examination readiness, with findings, remediation guidance, and retest evidence documented in the format examiners expect.

For a full overview of our compliance-oriented assessment methodology, see our security assessments service page. For penetration testing scope and deliverables, see our penetration testing service page. For context on what penetration testing involves and what to expect, see our complete guide to penetration testing in Rwanda.

Contact us to discuss your compliance timeline. We scope engagements to fit your examination schedule and can typically begin within two weeks of agreement.

Ready to secure your organisation?

We are an OSCP-certified penetration testing firm based in Kigali. We work with banks, fintechs, and enterprises across Rwanda and East Africa. Get a scoped quote within 24 hours.
