The Central Bank of the Argentine Republic (“BCRA”, for its acronym in Spanish) issued Communiqué “A” No. 8280/2025, updating the Guidelines for Response and Recovery from Cyber Incidents, applicable to financial institutions, payment service providers, and systemically important payment systems.
Among the key changes, the regulation introduces a mandatory obligation to report cyber incidents that impact the normal delivery of services to customers or jeopardize the integrity, confidentiality, or availability of information. This obligation also covers incidents originating from third parties related to the regulated entities.
Reports must be submitted to the IT External Audit Management Office of the Superintendency of Financial and Exchange Institutions via the email address audext.incidente@bcra.gob.ar, following the timeframes established by regulation: initial notification within the first hour, regular updates, and a final report within five days after resolution.
Additionally, the new regulation sets a sixty-day deadline for payment service providers which do not offer payment accounts to implement the guidelines.
Link to Communiqué “A” No. 8280/2025:
https://www.boletinoficial.gob.ar/detalleAviso/primera/328815/20250724?busqueda=1.
Link to the consolidated text of the Guidelines for Response and Recovery from Cyber Incidents:
