FEBRUARY 2026 · 8 MIN READ

BNR cybersecurity requirements: what banks in Rwanda need to know

The National Bank of Rwanda (BNR) has steadily increased its cybersecurity requirements for all regulated financial institutions. If you are a bank, microfinance institution, insurance company, or payment service provider operating in Rwanda, cybersecurity compliance is no longer optional.

This guide covers what BNR expects, what your institution needs to implement, and how penetration testing fits into your compliance programme. For pricing guidance, see our penetration testing cost guide.

Who does this apply to?

BNR cybersecurity regulation applies to all institutions supervised by the National Bank of Rwanda, including commercial banks, microfinance institutions (MFIs), insurance companies, pension funds, payment service providers, mobile money operators, and electronic money issuers.

Core requirements

BNR expects regulated institutions to have a documented and operational cybersecurity programme. The key areas include:

1. Cybersecurity governance

Your institution must have a board-approved cybersecurity policy and a designated officer responsible for information security. The board must receive regular reports on cybersecurity risks and the status of the security programme.

2. Risk assessment

BNR requires regular risk assessments to identify threats and vulnerabilities to your IT systems and data. This means understanding what assets you have, what could go wrong, and how likely it is.

3. Vulnerability assessment and penetration testing

This is where our work comes in. BNR expects institutions to conduct regular vulnerability assessments and penetration tests on their systems. This includes web applications, mobile banking platforms, APIs, network infrastructure, and any internet-facing services.

What does "regular" mean? BNR recommends at minimum annual penetration testing, and after any significant changes to systems or infrastructure. For critical systems like mobile banking and payment processing, quarterly testing is the standard we see among well-prepared institutions.

4. Incident response

You need a documented incident response plan that covers detection, containment, eradication, recovery, and post-incident review. BNR expects institutions to report significant cyber incidents promptly.

5. Security awareness training

All employees must receive cybersecurity awareness training. This is not just for IT staff. BNR recognises that human error is behind most security breaches, so training must cover all levels of the organisation.

6. Data protection

Sensitive customer data must be encrypted in transit and at rest. Access controls must be implemented to ensure only authorised personnel can access sensitive information. This aligns with Rwanda's broader data protection framework under the National Cyber Security Authority (NCSA).

7. Third-party risk management

If you use third-party service providers (cloud hosting, payment processors, software vendors), BNR expects you to assess and manage the security risks they introduce. This includes due diligence before contracting and ongoing monitoring.

What does a BNR-compliant pentest look like?

A penetration test for BNR compliance should cover:

The deliverable is a detailed report that includes findings ranked by severity, proof of exploitation, and clear remediation guidance that your IT team can act on.

Common gaps we find

From our experience testing financial institutions across Africa, the most common issues include:

How to get started

If your institution needs to meet BNR cybersecurity requirements and you do not have an in-house security testing capability, the most practical approach is to engage an external penetration testing firm.

When selecting a provider, look for recognised certifications (OSCP is the industry gold standard for penetration testers), experience with financial institutions, and physical presence in Rwanda for on-site testing when needed.

For a detailed comparison of scanning versus manual testing, see penetration testing vs vulnerability scanning. If your institution uses USSD services, our USSD security testing guide covers the specific risks.

Need help with BNR compliance?

We deliver OSCP-certified penetration testing and help regulated institutions meet BNR cybersecurity requirements. Based in Kigali.
