Banking Regulation 2025

PORTUGAL Law and Practice Contributed by: Pedro Cassiano Santos, Francisca César Machado, Chen Chen and Natalia Fedorova, VdA

on digital operational resilience for the financial sector) represents an important regulation for Portuguese credit institutions since it requires the adaptation of the security of their network and information systems supporting business processes. DORA entered into force in January 2023 and will be applicable from 17 January 2025. The requirements set forth under the six pillars of DORA are: (i) organisational governance; (ii) management of information and communica - tion technology (ICT) risks; (iii) handling of ICT incidents; (iv) resilience testing; (v) managing risks associated with third-party ICT providers; and (vi) sharing of information. Therefore, credit institutions are required to: • establish internal governance and control systems to effectively and prudently manage all ICT risks. This includes creating monitor - ing roles for arrangements with third-party ICT service providers. Additionally, they must redefine the responsibilities of their manage - ment bodies to ensure they are accountable for defining, approving, and overseeing ICT risk management frameworks; • develop a robust ICT risk management framework, including a digital resilience strategy, tailored to their specific needs, size, and complexity (which includes creating strategies, policies, procedures, protocols, and tools in line with DORA requirements, maintaining high standards of data security, confidentiality, and integrity). The disclosure of ICT incidents or vulnerabilities to rel - evant stakeholders is also required, as is the separation of ICT management, control, and internal audit functions, management of cyber threats, detection of abnormal activities, establishment of continuity and backup poli - cies, performance of post-incident reviews,

and guaranteeing adequate staffing and monitoring; • implement a process for handling ICT-related incidents, including the detection, manage - ment, monitoring, follow up, and reporting of these incidents, classifying them based on specific criteria. Under DORA, any major ICT incidents must be reported to the appropri - ate regulator within specified timeframes and conditions. Additionally, if these incidents affect or could affect the financial interests of service users and clients, they must be informed of the incident and the measures taken to mitigate any negative effects; • develop a digital operational resilience test - ing programme that follows a risk-based approach, including appropriate testing and vulnerability assessments; • integrate third-party ICT risk into their ICT risk management framework, which includes: (i) ensuring compliance with DORA for third-par - ty ICT services; (ii) developing and updating a third-party ICT risk strategy; (iii) formalising relationships through detailed contracts; (iv) maintaining a register of all ICT service con - tracts; (v) annually reporting new ICT arrange - ments to the authorities; and (vi) ensuring high security standards, auditing providers, and terminating contracts if necessary; and • collaborate with other entities, sharing cyber threat information and intelligence with each other to enhance digital operational resilience, provided this occurs within a trusted commu - nity and under arrangements that safeguard the sensitive nature of this information.

505 CHAMBERS.COM

Powered by