MARCH 2026 · 10 MIN READ

BNR compliance deadlines and filing calendar 2026

BNR cybersecurity compliance now has a single binding reference point: the Regulation N°50/2022 on Cyber Security in Regulated Institutions, which repealed the 2018 cyber security regulation and applies to every institution the National Bank of Rwanda licenses and supervises. For compliance officers and CISOs at Rwandan banks, microfinance institutions, insurers, and fintechs, the question in 2026 is no longer whether the requirements apply but how to meet them efficiently and prove it when examiners arrive.

This guide is built around the dates that anchor the 2026 compliance year: the annual penetration test and bi-annual vulnerability assessments Article 10 mandates, the 15-day executive summary filing after each test, the 15 January self-attestation, and the ICT risk management groundwork behind them. For a short orientation on who is covered and what each obligation involves, start with our BNR cybersecurity requirements explained overview.

BNR ICT risk management framework

BNR expects every supervised institution to operate a formal ICT risk management framework. This is not a document that sits in a drawer. Examiners look for evidence that the framework is actively implemented, regularly reviewed, and meaningfully governs how the institution manages technology risk.

Board-level accountability is the starting point. Regulation N°50/2022 places cybersecurity governance with the board of directors and senior management. The board approves the cybersecurity policy and receives regular reports on cyber risk: the CISO or IT risk officer should present at least quarterly on current threats, the status of controls, results of recent assessments, and any incidents. Board minutes should reflect that these discussions happened and that directors asked substantive questions. A board that rubber-stamps IT reports without engagement is a finding waiting to happen.

ICT governance structure must define clear roles and responsibilities. Who owns cybersecurity policy? Who is responsible for incident response? Who approves changes to critical systems? BNR expects a separation of duties between those who develop and operate systems and those who oversee security. In practice, this means your IT security function should not report directly to the head of IT operations. Independence matters.

Risk assessment must be ongoing, not a one-time exercise. BNR expects institutions to maintain a current register of ICT assets, identify threats and vulnerabilities to those assets, assess the likelihood and impact of compromise, and implement controls proportionate to the risk. This register should be reviewed at least annually and updated whenever significant changes occur: new systems, new services, organisational restructuring, or changes in the threat environment.

Who is covered: Regulation N°50/2022 applies to every institution BNR licenses and supervises, from Tier 1 commercial banks to deposit-taking microfinance institutions. Article 24 allows the Supervisory Authority to tailor requirements by directive in proportion to an institution's nature, size, complexity, and maturity, but unless such a directive exists, the regulation as written is the obligation.

Penetration testing and vulnerability assessment mandates

Article 10 of Regulation N°50/2022 is the most concrete and verifiable requirement in the regulation, and it is where examiners can quickly determine whether an institution takes cybersecurity seriously.

Frequency: The regulation requires a penetration test at least once a year and vulnerability assessments at least twice a year. That is the floor, not the ceiling. Institutions operating mobile banking platforms, payment processing, card services, or internet banking are prudent to test more often, and retesting after a major system change (a new application, an infrastructure migration, a significant architectural modification) is standard practice even though the regulation does not spell it out.

Filing deadlines: Two dates anchor the compliance calendar. An executive summary of test findings must be shared with the National Bank of Rwanda within 15 days of the test, and an annual written self-attestation that the cybersecurity programme complies with the regulation is due by 15 January each year. An institution that tests on time but files late has still missed the requirement.

Scope: Testing must cover internet-facing systems: web applications, APIs, mobile banking apps, USSD gateways, email infrastructure, VPN endpoints, and any other services reachable from the internet. Internal network testing is also expected for institutions with complex IT environments. Examiners look for evidence that the scope covered the full attack surface, not a single application tested while the rest was ignored.

Tester qualifications: Article 10 requires that anyone entrusted to conduct a penetration test or vulnerability assessment holds at least one recognised qualification, and it names OSCP (Offensive Security Certified Professional) among them, alongside credentials such as CISSP and CEH. The regulation does not force you to hire an external firm, but whoever performs the work must hold a listed qualification, and an automated scanner export run by uncertified staff is not a penetration test. For how to evaluate providers against this bar, see our guide on choosing a penetration testing firm in Kigali.

Remediation evidence: Identifying vulnerabilities is only half the requirement. BNR expects institutions to demonstrate that findings were remediated and that remediation was verified through retesting. A pentest report from two years ago with critical findings still open is worse than having no report at all. It proves the institution knew about the risk and did nothing.

Preparing for a BNR examination

BNR examinations evaluate both documentation and operational reality. Policies on paper are necessary but insufficient: examiners ask for evidence that controls function, that monitoring is active, and that the institution has actually exercised its incident response plan rather than just written one.

We have published a dedicated BNR cybersecurity audit preparation guide that covers examination preparation in full. Use it for:

  • The 90-day preparation timeline: what to do at 90, 60, and 30 days out, from gap assessment through remediation to documentation assembly.
  • The evidence checklist: every document an examiner can reasonably request, from board-approved policy to retest reports and vendor risk assessments.
  • The six most common deficiencies: the findings that recur in examinations (no current pentest report, unremediated criticals, untested incident response plans, thin board minutes, shared administrator credentials, no vendor risk programme) and how to close each one before the examiner does it for you.

If your examination date is already set, start there. The rest of this post stays focused on what the regulation requires; the preparation guide covers how to prove it.

Technical vulnerabilities an Article 10 test should surface

A penetration test that meets the Article 10 bar should go well beyond scanner output. Our team's financial-sector testing background, which includes red team work for a Tier-1 Nordic bank and engagements for a pan-African banking group, repeatedly surfaces the same classes of vulnerability in banking environments:

  • Insecure Direct Object References (IDOR) in banking APIs, allowing access to other customers' data by changing a parameter
  • Weak or missing authentication on internal APIs that backend systems rely on
  • USSD session handling vulnerabilities enabling session hijacking or transaction replay
  • Default credentials on network equipment such as routers, switches, and firewalls
  • Missing security headers and TLS misconfigurations on internet-facing applications
  • Insufficient input validation leading to injection attacks on web and API endpoints

These are the findings a qualified manual test exists to uncover. An institution commissioning its first thorough VAPT engagement should expect a meaningful number of findings; that is the assessment doing its job, not a failure.

How we can help

IMIZI Cyber is a Kigali-based offensive security firm serving regulated institutions across Africa. We help BNR-supervised institutions meet the Article 10 mandate with manual penetration testing and vulnerability assessments led by an OSCP-credentialled practitioner, the qualification the regulation itself names. Reports are structured for regulatory examination: findings, remediation guidance, and retest evidence documented in the form an examiner expects to read, with the executive summary ready for the 15-day filing.

For scope and deliverables aligned to the regulation, see our BNR-compliant penetration testing service page. For the broader assessment methodology, see security assessments. For context on what penetration testing involves in this market, our complete guide to penetration testing in Rwanda covers providers, costs, and credentials.

Book a Free Call to discuss your compliance timeline. We scope engagements to fit your examination schedule.

Frequently asked questions

What are BNR cybersecurity requirements for banks in Rwanda?
BNR Regulation N°50/2022 on Cyber Security in Regulated Institutions requires supervised institutions to operate a board-governed cybersecurity programme covering ICT risk management, annual penetration testing, bi-annual vulnerability assessments, incident response planning, and regular reporting to the National Bank of Rwanda. The regulation applies to every institution BNR licenses and supervises, including commercial banks, microfinance institutions, insurers, and payment service providers.
How often does BNR require penetration testing?
Article 10 of BNR Regulation N°50/2022 requires a penetration test at least once a year and vulnerability assessments at least twice a year. An executive summary of the findings must be filed with the National Bank of Rwanda within 15 days of the test, and the regulation lists recognised certifications such as OSCP for the professionals who perform the work.

Ready to secure your organisation?

We are a Kigali-based penetration testing firm, and our testing is led by an OSCP-credentialled practitioner. We work with banks, fintechs, and regulated institutions across Africa. Get a scoped quote within 48 hours.

Chat on WhatsApp Chat with us