PORTUGAL Law and Practice Contributed by: Ricardo Henriques and Diogo Pereira Duarte, Abreu Advogados
enforcement by competent authorities in relation to all matters covered by this Regulation.

Some of the main obligations under the DORA Regulation for financial entities are as follows:

• implementing an ICT risk management framework, which shall include at least strategies, policies, procedures, ICT protocols and tools necessary to duly and adequately protect all information and ICT assets;
• using and maintaining updated ICT systems, protocols and tools that are appropriate to the magnitude of operations;
• continuously monitoring and controlling the security and functioning of ICT systems and tools;
• having mechanisms in place to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and identifying potential material single points of failure;
• establishing a comprehensive ICT business continuity policy; and
• developing and maintaining back-up policies and procedures and restoration and recovery procedures and methods, for the purpose of ensuring the restoration of ICT systems and data with minimum downtime and limited disruption and loss.

Given that Portugal is still in the implementation phase, there are currently few specific rules governing the obligations related to operational resilience.

The ASF Regulatory Standard No 9/2024-R establishes the information elements, format and deadlines for reporting severe incidents related to ICT, under the information reporting obligation incumbent upon entities supervised by the ASF, in accordance with their supervisory responsibilities.

The ASF Regulatory Standard No 7/2024-R sets the following requirements and general principles concerning the security and governance of ICT, as well as specific requirements regarding subcontracting to cloud computing service providers within the management of pension funds:

• the definition of general governance requirements for ICT, including the responsibilities of the management body in this area, the obligation for pension fund management companies to have an ICT strategy, the integration of ICT and security-related risks into the company’s overall risk management system, and the conduct of periodic audits;
• the establishment of requirements related to information security, notably that pension fund management companies must have an information security policy and an information security function;
• the regulation of duties that pension fund management companies must comply with concerning the operational management of ICT;
• the provision of requirements applicable to business continuity management within the scope of ICT;
• the definition of general governance requirements for the subcontracting of cloud computing services; and
• the establishment of requirements prior to entering into a cloud computing service subcontracting agreement, and the regulation of the rights and obligations that must be clearly identified and specified in the written agreement.

It should be noted that insurance companies managing pension funds are already subject to
206 CHAMBERS.COM