What BNR Regulation N°50/2022 requires
BNR Regulation N°50/2022 on cyber security sets the testing obligations for institutions supervised by the National Bank of Rwanda. Two requirements drive your testing calendar: a penetration test at least once a year and vulnerability assessments at least twice a year. The regulation also expects the tester to hold recognised offensive-security credentials, and it names OSCP among them. Re-testing after a major change to your infrastructure or applications is not a BNR mandate, but it is sound practice for the systems that carry your customer funds.
The obligation does not end at the test. An executive summary of the findings is filed with the BNR within 15 days of the test, and supervised institutions submit an annual self-attestation by 15 January. A report that is technically thin, or that a scanner produced, is what gets a programme flagged at examination time.
Who this is for
The testing and reporting obligations apply to institutions licensed or supervised by the National Bank of Rwanda:
- Commercial banks: internet and mobile banking, payment APIs, core banking infrastructure, and the supporting network
- Deposit-taking microfinance institutions: customer-facing channels and the systems that move and store funds
- Payment service providers: payment switches, wallet platforms, USSD and mobile-money rails, and the APIs partners integrate against
If the BNR licenses or supervises you, the annual penetration test and twice-yearly vulnerability assessment obligations apply to your environment.
What we deliver
We run the engagement by hand, not as a repackaged scanner report, and we structure the output so it files cleanly with your regulator:
- Scoped annual penetration test: manual testing of the systems that matter, with findings chained to demonstrate real business impact
- Twice-yearly vulnerability assessments: scheduled to keep you inside the regulation's six-month cadence between full tests
- File-ready report: executive summary, technical findings with proof-of-concept evidence and CVSS v3.1 ratings, and prioritised remediation guidance
- Free retest: verification testing after you remediate, with a clean retest report for your BNR filing and your auditor
- Live debrief: a walkthrough with your technical team and management, so the findings are understood, not just received
Why the OSCP credential matters here
Most regulations ask for "qualified" testers without saying what that means. BNR Regulation N°50/2022 is more specific: it names recognised offensive-security credentials, and OSCP is on that list. Our testing is led by an OSCP-credentialled practitioner with red-team and penetration-testing experience inside a Tier-1 Nordic bank and across pan-African banking, so the tester your examiner asks about meets the credential the regulation calls for. For the detail behind those obligations, see our guide to BNR cybersecurity requirements for banks in Rwanda and our BNR audit preparation guide.
How an engagement runs
Scoping
We map your in-scope systems against what the regulation expects and agree rules of engagement, timeline, and the filing deadline you are working to.
Testing
Manual penetration testing and vulnerability assessment, with clear communication and immediate escalation of anything critical.
Reporting
An evidence-led report structured to file with the BNR: executive summary, technical findings, CVSS ratings, and prioritised remediation.
Retest & file
Free retest on remediated findings and a clean report for your 15-day filing and your 15 January self-attestation.
Frequently asked questions
Does BNR require penetration testing?
How often must a Rwandan bank run a penetration test?
What tester credential does BNR Regulation N°50/2022 require?
Who must comply with BNR Regulation N°50/2022?
Do you provide the report our BNR examiner needs?
How much does a BNR-compliant penetration test cost in Rwanda?
For the full scope of our manual testing across web, network, mobile, API, and cloud, see our penetration testing service, or read the cornerstone guide to penetration testing in Rwanda.
Working to other regulatory deadlines? See our SWIFT CSP independent assessment service for banks on the SWIFT network, and our NCSA & Law 058/2021 security testing service for data-protection compliance across government, healthcare, and telecom.
Working to a BNR deadline?
Tell us your in-scope systems and the date you are filing toward. We reply within 24 hours, and a scoped proposal follows within 48 hours of the scoping call.