PORTUGAL Law and Practice Contributed by: Ricardo Henriques and Diogo Pereira Duarte, Abreu Advogados
the requirements applicable to the insurance activity under Regulatory Standard No 6/2022-R. However, Regulatory Standard No 7/2024-R further supplements the implementation of provisions related to subcontracting to cloud computing service providers in relation to the pension fund management activities of these companies.

3.4 Operational Resilience Enforcement

DORA mandates the identification and designation of critical ICT third-party service providers (CTPPs) based on a set of qualitative and quantitative criteria, including the number of financial institutions they serve, the potential systemic impact, the continuity and quality of the provision of financial services in the event of a large-scale operational failure, and the degree of substitutability of the ICT third-party service provider (Article 31(2)). Once designated as a CTPP, an ICT provider falls under the direct oversight of a Lead Overseer (see Article 33).

The Lead Overseer is vested with broad oversight powers (Article 35(1)), including:

• requiring all relevant information and documentation related to ICT risk management frameworks;
• conducting general investigations and inspections;
• issuing recommendations to enhance operational resilience measures; and
• imposing corrective measures in cases of non-compliance, ensuring financial stability and service continuity.

Regulatory enforcement under DORA incorporates a graduated and proportionate approach, balancing oversight with proportionate interventions. Nevertheless, before issuing recommendations or imposing a periodic penalty payment, the Lead Overseer shall give the representatives of the ICT third-party service provider the opportunity to be heard (Article 35(3)(11)). Key enforcement actions include:

• a periodic penalty payment to compel the ICT third-party service provider to comply with those measures; this penalty is imposed on a daily basis until compliance is achieved (and for no more than a period of six months), and amounts to 1% of the average daily worldwide turnover of the ICT third-party service provider in the preceding business year; and
• possible service restrictions, including potential prohibitions on providing ICT services to financial entities if resilience obligations are not met.

We are still awaiting the national implementing law for DORA, which may provide further details on sanctioning powers.

At present, the authorities with sectoral competence in supervising and enforcing digital operational resilience requirements are as follows:

• Bank of Portugal for credit institutions;
• Portuguese Securities Market Commission (CMVM) for investment firms, market operators, and crowdfunding service providers; and
• Portuguese Insurance and Pension Funds Supervisory Authority (ASF) for insurance companies.

3.5 International Data Transfers

DORA requires financial institutions to ensure that third-party ICT service providers meet specific requirements in their contractual relationships. These include incorporating certain con-