The National Bank of Rwanda (BNR) requires every supervised financial institution to maintain a documented cybersecurity programme. The binding text today is Regulation N°50/2022 on cyber security in regulated institutions, published in June 2022, which repealed the 2018 cyber security regulation and gave institutions one year to comply. BNR's supervisory approach has continued to sharpen since then through examination practice, circulars, and direct engagement with institutions. This is a short, practical overview of what the regulator expects. For the full breakdown, see our detailed guide linked at the end.
Who does this apply to?
Regulation N°50/2022 applies to every financial institution licensed and supervised by the National Bank of Rwanda: commercial banks, microfinance institutions, insurance companies, pension funds, payment service providers, mobile money operators, and electronic money issuers. A SACCO or fintech is covered to the extent it holds a BNR licence. There are no exemptions based on size. A small payment provider runs a simpler environment than a tier-one bank, but the core obligations are the same. The depth of the programme scales with the institution's risk profile; the obligation to have one does not.
Core requirements at a glance
BNR expects regulated institutions to demonstrate, with evidence, that they have:
- A board-approved cybersecurity policy with regular board-level reporting on cyber risk. The board is expected to own this, not delegate it to IT and forget it.
- Regular risk assessments that identify the specific threats and vulnerabilities facing the institution's IT systems and data, updated at least annually and after material change.
- A penetration test at least once a year and vulnerability assessments at least twice a year, conducted by testers holding at least one recognised certification; Article 10 names OSCP among them. Coverage should reflect the institution's real attack surface: internet-facing systems, core banking, mobile and USSD channels, and APIs.
- A documented incident response plan that has actually been exercised through a tabletop, not a plan that lives unread in a shared drive.
- Security awareness training for all employees, refreshed regularly and tracked.
- Data protection controls including encryption in transit and at rest, aligned with Rwanda's Data Protection and Privacy Law (No. 058/2021).
- Third-party vendor risk management, including due diligence before onboarding and ongoing monitoring of critical vendors, whose platforms are frequently the weakest link in a regulated institution's security.
What Article 10 actually requires
Article 10 is the testing mandate, and it is more specific than most frameworks in the region. Four elements matter in practice:
- Frequency. A penetration test at least once a year and vulnerability assessments at least twice a year. These are floors, not targets. The regulation does not enumerate change-triggered testing, but an institution that ships a new mobile channel or upgrades core banking mid-cycle should test again, because an examiner will ask why a material change went live untested.
- A qualifying tester. The regulation requires the tester to hold at least one recognised certification and names the list: CISSP, CISM, CISA, CEH, OSCP, LPT, or a similar certification. Examiners can and do ask who performed the test and which credential they hold, so "qualified professionals" is not a box an unaccredited generalist can tick.
- A 15-day filing deadline. The institution shares an executive summary of the findings with BNR within fifteen days of the test. That deadline shapes the engagement itself: the report has to be written for a supervisory reader from the start, because there is no time to rework a raw technical dump after the test closes.
- The 15 January self-assessment. Separately from the testing articles, the regulation requires each institution to file an annual cybersecurity self-assessment with BNR by 15 January. In practice this means the prior year's penetration test, both vulnerability assessments, and the remediation evidence behind them need to be complete before the filing date, not scheduled for Q1.
Read together, these four obligations turn the calendar into the compliance plan. Institutions that book testing for the fourth quarter routinely discover that remediation and retesting cannot finish before the January filing.
What examiners actually look for
The gap between having a policy and passing an examination is evidence. BNR examiners want to see board minutes that record substantive cybersecurity discussion, a penetration test report from the last twelve months with tracked remediation, training completion records, and a vendor register with real due-diligence documentation behind it. An institution that can produce these is in a materially stronger position during supervision than one that can describe its intentions but cannot evidence the work.
The most common reason a regulated institution struggles at examination is not a missing control: it is a control that exists on paper but has never been tested. A penetration test scoped too narrowly to be meaningful, an incident response plan that has never been walked through, or a vendor list with no due diligence behind it all read the same way to an examiner, as a programme that was built for the audit rather than for the institution's actual risk.
How this fits the wider region
Regulation N°50/2022 is unusually specific for the region: it names the tester credentials it accepts and sets filing deadlines that neighbouring frameworks leave open. Institutions operating across borders also face the Central Bank of Kenya's cybersecurity guidance and equivalent expectations in Uganda and Tanzania. The practical advantage of building to BNR's expectations is that a programme strong enough for Rwanda covers most of what the neighbouring regulators ask for, so a single well-scoped engagement can serve several reporting obligations at once.
The 2026 filing calendar
For every filing date, the Article 10 testing cadence, and how to sequence remediation ahead of the January attestation, read our BNR 2026 filing calendar and compliance deadlines. If an examination is already on your calendar, our BNR audit preparation guide walks through the evidence file examiners ask for first.
How we can help
IMIZI Cyber is an offensive security firm based in Kigali. We work with BNR-supervised institutions and other regulated entities across Africa (banks, fintechs, telecoms, government, and healthcare) to deliver the penetration testing and vulnerability assessments these frameworks require. Our testing is led by an OSCP-credentialled practitioner, one of the certifications Article 10 names, and our BNR-compliant penetration testing service maps each finding to the regulation. Reports are structured for regulatory presentation, with findings, evidence, and remediation guidance an examiner can follow within the 15-day filing window. Book a Free Call to scope your next BNR-aligned VAPT engagement.