The National Bank of Rwanda (BNR) requires all supervised financial institutions to maintain comprehensive cybersecurity programmes. The BNR Regulation on Cyber Resilience for the Financial Sector established the regulatory foundation, and BNR’s supervisory approach has continued to evolve through examination practices, circulars, and direct engagement with institutions.
Who does this apply to?
BNR cybersecurity regulation applies to all institutions supervised by the National Bank of Rwanda: commercial banks, microfinance institutions, insurance companies, pension funds, payment service providers, mobile money operators, and electronic money issuers.
Core requirements at a glance
BNR expects regulated institutions to have:
- A board-approved cybersecurity policy with regular board reporting on cyber risk
- Regular risk assessments identifying threats and vulnerabilities to IT systems and data
- Annual vulnerability assessment and penetration testing (VAPT) carried out by qualified professionals holding recognised certifications such as OSCP
- A documented incident response plan that has been tested through tabletop exercises
- Security awareness training for all employees
- Data protection measures including encryption in transit and at rest, aligned with Rwanda’s Data Protection and Privacy Law (No. 058/2021)
- Third-party vendor risk management including due diligence and ongoing monitoring
Comprehensive guide
For a detailed breakdown of each requirement, how to prepare for regulatory examinations, common compliance gaps, and practical implementation steps, see our comprehensive guide: BNR cybersecurity compliance in 2026: what regulated institutions must do now.
How we can help
We are a penetration testing firm based in Kigali whose testers hold the OSCP certification. We work with BNR-regulated institutions across Rwanda to deliver the security assessments that compliance requires, and our reports are structured to satisfy BNR examination requirements. Contact us to scope your next BNR-compliant VAPT engagement.