The Bank of Mozambique issued a circular setting the mandatory reporting templates that credit institutions and financial companies must use to notify the supervisor of technological and cyber incidents, implementing the reporting framework established under Notice No. 8/GBM/2025. Institutions must submit individual incident reports using the Annex I model and an aggregated incident report using the Annex II model. Annex I structures reporting into preliminary, intermediate and final reports, capturing information such as incident type, origin, affected systems and business areas, severity classification, reputational, financial and operational impacts, response actions and remediation, with timelines of within 24 hours of occurrence for the preliminary report, within 10 business days of submitting the preliminary report for the intermediate report, and within 30 business days after the preliminary report for the final report. Submissions are to be made via the Portal BSA (Banking Supervision Application) and other channels indicated by the Bank of Mozambique, with email reporting permitted exceptionally where those channels are temporarily unavailable. The circular enters into force on 9 March 2026.
Bank of Mozambique 2026-01-14
Bank of Mozambique mandates new templates for reporting technological and cyber incidents effective 9 March 2026
The Bank of Mozambique issued a circular mandating credit institutions and financial companies to use specified templates for reporting technological and cyber incidents, as per Notice No. 8/GBM/2025, with submissions required via the Portal BSA starting 9 March 2026.