In this digital era, we also face digital anxiety. When we go out, we often do not bring cash, yet your card may be ghosting you or your phone cannot scan KHQR for payment. The most terrifying situation is when you have already finished your food, but your payment transaction fails.
Maintenance is normal, either to fix issues or to update the system for better security. Yet what happens when maintenance turns into a whole week? That is why the Technology and Cyber Risk Management Guidelines (TCRMG), issued in January 2026 by the National Bank of Cambodia, guide how banks should behave during these moments.
The TCRMG 2026 serves as a vital safety standard for Cambodia’s digital economy, ensuring that banks maintain robust plans to manage system interruptions. A core element of this standard is the concept of critical functions. The TCRMG defines critical functions as business activities that cannot remain unavailable for several business days without significantly jeopardizing an institution’s operations. To manage such risks, the framework requires banks to establish a Maximum Tolerable Downtime (MTD). However, the National Bank of Cambodia does not prescribe a specific duration for the MTD. Instead, banks are expected to determine appropriate limits based on the criticality of their services. By requiring institutions to define these boundaries, the National Bank of Cambodia ensures that system maintenance remains a controlled process rather than an open-ended lockout of customers’ funds. Another important metric is the Recovery Time Objective (RTO), which measures how quickly a bank must restore a business function or IT resource after a disruption occurs. In essence, RTO reflects the speed and efficiency of a bank’s response when facing a technical failure, cyber incident, or operational disruption. While institutions have the flexibility to define these limits, the main goal remains protecting customers and maintaining the stability of the digital financial ecosystem. The exact number is not set because downtime tolerance depends on each bank’s systems and services, so the guideline uses a risk-based approach rather than a fixed rule.
To avoid long service blackouts, the TCRMG 2026 provides a clear roadmap for banks to handle major system updates safely. Instead of taking a “big risk” with a sudden switch, the framework recommends two essential technical safety nets. One is parallel run, which means running the old and new systems at the same time during a trial period. This allows the bank to check for errors and make sure no data is lost before the old system is completely turned off. The second is a rollback plan, which means banks should have an undo function so that if the new update causes a major problem, they can quickly switch back to the previous working version, preventing customers from being stuck offline for days. These technical guardrails do more than protect banks’ systems; they protect the public from extended outages. These rules ensure that even if an update fails, banks have alternative ways to recover and keep services running for the public.
Author: PanhaCHEZDA