Cybersecurity 2025

PORTUGAL Law and Practice Contributed by: Ricardo Henriques and Diogo Pereira Duarte, Abreu Advogados

3.2 ICT Service Provider Contractual Requirements

ICT services are defined as digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which include the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services (Article 3(20) of DORA). An ICT service provider is defined as an undertaking providing ICT services (Article 3(19) of DORA).

The DORA Regulation also defines what is considered a critical ICT third-party service provider, namely entities designated as such in line with Article 31 of the Regulation, which considers a series of criteria laid out in said article, such as the systemic impact on stability, continuity or quality of the service or the systemic character or importance of the financial entities that rely on the relevant ICT third-party service provider.

DORA also requires a register of ICT service agreements, reinforcing oversight of third-party dependencies. At the national level, while this overlaps with Bank of Portugal Notice No 8/2023, which governs outsourcing agreements, the annual submission of outsourcing records will continue. Adjustments may follow once the EBA Guidelines on Outsourcing (EBA/GL/2019/02) are revised by late 2025.

For the entities subject to CMVM supervision, the regulation of reporting obligations under DORA is currently underway, in alignment with the content and formats defined by European legislation. Until the required files can be submitted via the Electronic One-Stop Shop (BUE),

as part of the ongoing regulatory development, an alternative submission method is via email to cmvm@cmvm.pt.

3.3 Key Operational Resilience Obligations

The main objective of the DORA Regulation is to achieve a high common level of digital operational resilience (Article 1(1)).

For that purpose, the Regulation lays down uniform requirements concerning the security of network and information systems supporting the business process of financial entities, which are as follows:

• requirements applicable to financial entities in relation to:
  (a) information and communication technology (ICT) risk management;
  (b) reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities;
  (c) reporting of major operational or security payment-related incidents to the competent authorities by financial entities;
  (d) digital operational resilience testing;
  (e) information and intelligence sharing in relation to cyber threats and vulnerabilities; and
  (f) measures for the sound management of ICT third-party risk;
• requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities;
• rules for the establishment and conduct of the oversight framework for critical ICT third-party service providers when providing services to financial entities; and
• rules on co-operation among competent authorities, and rules on supervision and
