The DORA Regulation (Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022) entered into force on 17 January 2025, imposing new and stringent obligations on financial entities and on providers of Information and Communication Technology (“ICT”) services, such as cloud computing, software and ICT infrastructure providers.
As a European regulation, DORA is directly applicable in the Member States and does not require transposition to produce legal effects.
Nevertheless, the enactment of Law No. 73/2025 of 23 December has further specified its application within the Portuguese legal framework, notably through the designation of the competent national authorities, its articulation with relevant domestic legal regimes and the establishment of an autonomous national sanctions regime.
In light of this new regulatory framework, a detailed and immediate review of existing contracts is required, with a view to their revision and update.
This is because, in addition to introducing structural obligations regarding the security and resilience of financial entities’ systems, DORA establishes a detailed regulatory framework governing contractual relationships with so-called “Third-Party ICT Service Providers”, addressing the growing dependence of financial entities on external suppliers supporting their ICT-related functions and processes.
One of the core pillars of DORA is the management of risks associated with such third-party providers, imposing a minimum set of contractual obligations to be complied with by both financial entities and service providers, primarily aimed at ensuring (i) the continuous monitoring of services in order to guarantee the operational continuity of financial entities, and (ii) effective supervision by competent authorities over ICT service providers, particularly those supporting critical or important functions.
Accordingly, in order to ensure effective monitoring, operational continuity and regulatory supervision, Article 30 of the DORA Regulation requires that contracts entered into between financial entities and ICT service providers include, at a minimum, the following provisions:
- A detailed description of the ICT services to be provided, including the possibility and conditions for subcontracting;
- Identification of the locations where services are provided and data are processed, with an obligation of prior notification in the event of changes;
- The establishment of strict data processing policies ensuring availability, integrity, authenticity and confidentiality, as well as compliance with the General Data Protection Regulation (“GDPR”);
- Procedures for data access and recovery applicable in the event of business termination, insolvency or contractual resolution;
- The establishment of service levels (SLAs), including obligations for periodic review and updating, ensuring adequacy and a continuous improvement approach throughout the contractual relationship;
- The implementation of mandatory assistance procedures in relation to ICT incidents;
- The inclusion of a duty of full cooperation with competent authorities, including the provision of relevant information when required;
- The stipulation of termination clauses with minimum notice periods aligned with regulatory requirements;
- The definition of conditions for participation in training programs on ICT security and digital operational resilience, which financial entities are now required to promote.
Where ICT service providers support critical or important functions – namely functions whose disruption would significantly impair performance, service continuity or compliance with legal obligations – contracts must further include:
- Comprehensive service level descriptions with stringent quantitative and qualitative performance targets, update and review mechanisms, and immediate corrective measures in case of non-compliance;
- Obligations to provide prior notification of any relevant development that may materially affect the provider’s ability to effectively deliver ICT services supporting critical or important functions;
- Robust contingency plans and security measures, regularly tested and adjusted, ensuring regulatory compliance;
- Mandatory participation in penetration testing (Threat-Led Penetration Testing or “TLPT”);
- Continuous monitoring rights, including access, inspections and audits by the financial entity, designated third parties and competent authorities;
- The definition of exit strategies and mandatory transition periods, ensuring continuity or efficient migration of services and minimizing disruption risks.
In view of these regulatory requirements, financial entities should adopt a proactive approach by swiftly and effectively implementing:
(a) A rigorous mapping process of internal processes relying on third-party ICT services, prioritizing those supporting critical or important functions;
(b) A prioritization and governance program with clear criteria for contractual review;
(c) A demanding timeline to ensure compliance with the applicable regulatory standards.
It should be noted that, in order to ensure efficient supervision in line with DORA, financial entities are required to maintain an up-to-date and detailed register of all contracts entered into with ICT service providers, with particular emphasis on contracts supporting critical or important functions.
This register must include relevant information such as key contractual clauses, duration, significant amendments and the criticality level of the services provided and must be readily accessible and immediately made available to supervisory authorities upon request.
Following the entry into force of Law No. 73/2025 of 23 December, non-compliance with DORA obligations is now subject to an autonomous national sanctions regime, providing for the imposition of significant fines on financial entities, which may reach €5,000,000 or, in certain cases, 10% of annual turnover, as well as personal liability of individuals.
In addition, critical third-party ICT service providers may be subject to periodic penalty payments of up to 1% of their average daily worldwide turnover in the preceding financial year, significantly increasing the economic risk associated with non-compliance.
Furthermore, the national legislation expressly provides for the public disclosure of final or binding decisions imposing sanctions for serious or very serious administrative offences related to breaches of the DORA Regulation.
Such disclosure is carried out on the website of the competent supervisory authority and remains accessible for a period of five years, without being indexed by search engines.
This mechanism introduces a distinct and particularly relevant reputational dimension to the sanctions regime, reinforcing the impact of non-compliance beyond the purely financial sphere.
In this context, compliance with the DORA Regulation (now framed by a clear national supervisory and sanctions regime) requires an integrated approach involving legal, compliance, technological (IT) and contractual areas, with particular emphasis on the urgent review of ICT contracts.
Specific impact of the DORA Regulation on the insurance sector:
In the insurance sector, Law No. 73/2025 of 23 December is of particular relevance, as it expressly integrates the DORA Regulation into the Legal Framework for Access to and Exercise of Insurance and Reinsurance Activities, strengthening compliance requirements on digital operational resilience for insurance and reinsurance undertakings headquartered in Portugal.
The amendment to Article 64 of that framework expressly establishes the obligation for insurers to create and manage network and information systems in compliance with DORA, embedding digital resilience within the core obligations of insurance activity.
In practice, deficiencies in ICT risk governance, operational continuity, incident management or relationships with third-party ICT service providers cease to be merely operational matters and may constitute regulatory and prudential breaches subject to sanctions by the competent supervisory authority.
Belzuz Abogados, S.L.P. has lawyers with extensive experience in Contracts, Compliance and Digital Law and can provide specialized legal advice in this area, effectively supporting contractual review processes.