PORTUGAL Law and Practice Contributed by: Ricardo Henriques and Diogo Pereira Duarte, Abreu Advogados
ment and of the Council on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (“the Regulation on markets in crypto-assets”) and issuers of asset-referenced tokens;
• central securities depositories;
• central counterparties;
• trading venues;
• trade repositories;
• managers of alternative investment funds;
• management companies;
• data reporting service providers;
• insurance and reinsurance undertakings;
• insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
• institutions for occupational retirement provision;
• credit rating agencies;
• administrators of critical benchmarks;
• crowdfunding service providers;
• securitisation repositories (the aforesaid are jointly referred to as “financial entities”); and
• ICT third-party service providers.

DORA applies to all the above-mentioned entities that provide services in the EU and are located herein.

Additionally, the territorial scope of DORA is broad and extends to organisations based outside the EU, where, for example, they (in the case of financial entities) offer certain financial services in the EU market or (in the case of ICT providers) contract with financial entities that are in scope of DORA.

At the national level, the implementation of all obligations arising from DORA remains ongoing. The competent authorities (Bank of Portugal (BdP), Portuguese Securities Market Commission (CMVM) and Portuguese Insurance and Pension Funds Supervisory Authority (ASF)) are in the process of drafting the regulations that will implement the framework. At this stage, developments have been observed in the following areas:

Regarding risk management associated with information and communication technologies, a significant development is the revision of Bank of Portugal Instruction No 4/2021, which governs the management and reporting of operational and security risks by payment service providers. This revision will eliminate the annual reporting requirement for operational and security risks to prevent redundancy with EBA/GL/2019/04, which may itself be subject to amendment by the European Banking Authority (EBA).

For incident reporting and cyber threats, a transitional arrangement requires severe ICT incidents and voluntary cyber threat notifications to be sent to dorareport@bportugal.pt until a final reporting mechanism is established.

The CMVM, in response to the implementation of DORA in Portugal, has outlined its plans through the Annual Circular on Financial Intermediation and Crowdfunding Services, with the national regulation of DORA set as one of its key objectives for 2025.

In the insurance sector, implementation has been carried out through Regulatory Standard No 9/2024-R, which governs the reporting of severe incidents related to information and communication technologies to the ASF and Regulatory Standard No 7/2024-R, regarding the security and governance of information and communication technologies, and subcontracting to cloud computing service providers within the management of pension funds.
CHAMBERS.COM