The South African Reserve Bank (SARB) has issued a Cybersecurity and Cyber-Resilience Directive focused on strengthening cybersecurity and cyber-resilience within the National Payment System. Since the financial sector plays a vital role in our economy, SARB expects all payment institutions to comply with this directive and is likely to enforce it strictly.

Because of the overlap between this directive and other areas of the financial sector, we recommend that institutions also consider the Joint Standard 1 of 2023 and Joint Standard 2 of 2024, issued by the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA). Note that this is a directive and not a standard. The full name of the directive is the Directive in respect of Cybersecurity and Cyber-resilience within the National Payment System (NPS) 1 of 2024.

Institutions were required to comply with this directive by 17 August 2024.

Purpose of the SARB Cybersecurity and Cyber-Resilience Directive

Staying secure isn’t just about compliance—it’s about building trust in the financial system.

As payment systems become more reliant on technology, they also become more vulnerable to cyber threats. This directive aims to ensure that payment institutions can prevent cyberattacks where possible and recover quickly and effectively if an attack happens. In today’s digital financial environment, this is not optional—it’s a business necessity.

Who must comply?

The SARB Cybersecurity and Cyber-Resilience Directive applies to:

  1. All parties authorised, registered, or regulated under the National Payment System.
  2. Operators of payment systems, clearing houses, settlement systems, and financial market infrastructures.

These are referred to as “institutions” in this post.

Key requirements of the Directive in respect of Cybersecurity and Cyber-resilience within the National Payment System

  1. Governance: Institutions must have clear, written cybersecurity plans and must show that their governing body is actively overseeing cyber risks and resilience.
  2. Identifying Critical Assets: Institutions must identify which operations and data are critical to their functioning, including:
    1. How these systems and data are interconnected across the NPS.
    2. What access third-party service providers have.
    3. Reviewing this identification regularly.
  3. Cybersecurity Controls: Institutions must put in place security measures to address the identified risks. These should align with best-practice standards such as ISO 27001 and the NIST Cybersecurity Framework (version 2).
  4. Detecting Threats: Institutions must be able to continuously monitor for unusual or suspicious activity that could indicate a cyberattack.
  5. Responding and Recovering:
    1. Institutions must be able to:
      1. Quickly detect a cyber incident.
      2. Begin recovery procedures immediately.
      3. Resume critical operations safely and swiftly.
    2. These processes must be tested every quarter, and tests must include third-party service providers, such as cloud vendors. If cloud services are used, SARB’s specific cloud regulations must also be followed.
  6. Testing Systems: Regular testing of systems is required, including:
    1. Penetration testing
    2. Vulnerability assessments
  7. Information Sharing and Awareness: Payment institutions must share information about cyber threats and risks with trusted partners, regulators, and relevant cybersecurity bodies. This must be done in line with the Protection of Personal Information Act (POPIA) and the Cybercrimes Act. Sharing this information helps the whole sector stay informed about new and emerging threats.
  8. Learning and Improving: Institutions should use what they learn from dealing with cyber incidents to adapt and strengthen their cybersecurity measures over time.

This is our plain-language summary of the directive. For a full understanding, we encourage you to read the directive itself.

Reporting obligations

If a material cyber incident occurs:

  • It must be reported to SARB within 24 hours.
  • A detailed report must follow within 48 hours, containing the required information.

SARB oversight

To ensure compliance, SARB has the authority to:

  • Conduct on-site and off-site inspections.
  • Take action to promote and enforce adherence to the SARB Cybersecurity and Cyber-Resilience Directive.

Actions you could take regarding the SARB Cybersecurity and Cyber-Resilience Directive

  • If you need help interpreting or implementing the SARB Cybersecurity and Cyber-Resilience Directive, feel free to reach out to us for guidance by enquiring now.
  • Secure your information and cyber environment in accordance with the law by asking for our help with cybersecurity law or by joining our cybersecurity compliance programme.