Cybersecurity 2025

PORTUGAL Law and Practice Contributed by: Ricardo Henriques and Diogo Pereira Duarte, Abreu Advogados

3.6 Threat-Led Penetration Testing

Financial entities (with some exceptions) under the DORA Regulation shall carry out, at least every three years, advanced testing by means of threat-led penetration testing (TLPT). This TLPT shall cover several or all critical or important functions of a financial entity, and shall be performed on live production systems supporting such functions.

At the end of the testing, after reports and remediation plans have been agreed, the financial entity and, where applicable, the external testers, shall provide to the competent authority a summary of the relevant findings, the remediation plans and the documentation demonstrating that the TLPT has been conducted in accordance with the requirements.

Financial entities must contract testers for the purposes of undertaking TLPT in line with the DORA Regulation. Whenever financial entities use internal testers for the purpose of undertaking the TLPT, they shall contract external testers every three tests.

Financial entities shall only use testers for the carrying out of the TLPT that:

• are of the highest suitability and reputability;
• possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing and red team testing;
• are certified by an accreditation body in a member state or adhere to formal codes of conduct or ethical frameworks;
• provide an independent assurance, or an audit report, in relation to the sound management of risks associated with the carrying out of TLPT, including the due protection of the financial entity’s confidential information and redress for the business risks of the financial entity; and
• are duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence.

When using internal testers, financial entities shall ensure that, in addition to the above-mentioned requirements, (i) such use has been approved by the relevant competent authority designated in line with applicable law; (ii) the relevant competent authority has verified that the financial entity has sufficient dedicated resources and ensured conflicts of interest are avoided throughout the design and execution phases of the test; and (iii) the threat intelligence provider is external to the financial entity.

At the national level, the TIBER-PT framework for resilience testing will be updated in line with TIBER-EU, expected by mid-2025. The Bank of Portugal will continue to use this framework to certify digital resilience testing under DORA.

4. Cyber-Resilience

4.1 Cyber-Resilience Legislation

In October 2024, the EU introduced the Cyber Resilience Act, a regulation that harmonises security requirements for products with digital elements, ensuring a consistently high level of cybersecurity. This Regulation is directly applicable in Portugal and requires the adoption of national implementing legislation only for specific provisions that empower the national legislature (eg, provisions on penalties).

Due to its limited material scope, other legislations, such as Regulation (EU) 2023/988 on
