New Cybersecurity Standards for the Crypto Sector

Within the framework of Law 27739, the Argentine Securities Commission (CNV) has the power to regulate the activity of Virtual Asset Service Providers (VASP), especially regarding user protection, information security, and personal data protection, principles which also support the implementation of cybersecurity measures to guarantee stability, solvency, and transparency in the market.
 

In this context, the CNV published General Resolution 1058/2025, which establishes new cybersecurity requirements for VASPs. The cybersecurity standards established in the Resolution include:

• Computer systems (article 12): VASPs must allow the CNV to access information regarding their computer systems. These systems must guarantee the principles of protection, transparency, and risk reduction. VASPs must also file a technical report on the security of the system, the procedures for back-ups and contingencies, and the inalterability of the information. The Resolution expressly provides that this information will not be public.
• Cybersecurity (article 13): VASPs must implement procedures for cybersecurity risk management, including but not limited to: protection and prevention of potential risks (for example, cyberattacks), risk identification through monitoring, and the implementation of procedures for system response and recovery if such risks occur.
• Information security policies (article 14): VASPs must have information security policies approved by their management bodies. These policies must reflect the controls implemented.
• Annual systems audit (article 20): The computer systems VASPs use for their activities must be audited annually. These audits will include the evaluation of different cybersecurity capabilities (both prevention and recovery) and must be carried out by a qualified IT expert, either local or foreign. The results of the audit must be included in the minutes of the management body or in the body’s corresponding especial book.
• Person responsible for regulatory compliance and internal control (article 21): VASPs must appoint a person responsible for regulatory compliance and internal control. This person will be in charge of controlling and evaluating compliance with the obligations established in the Resolution. VASPs’ management body or legal representatives must evaluate the personal and professional backgrounds of the person appointed as responsible.
• Alignment of risk management mechanisms with international standards (article 28): VASPs must adopt and update their policies and mechanisms for risk management, aligning them with international best practices and with the parameters and requirements defined by the competent authorities.