Portugal’s Insurance Regulator sets DORA-based process for reporting severe ICT incidents and significant cyber threats

Portugal’s Insurance Regulator (ASF) issued Circular 3/2025 clarifying how DORA in-scope insurers, reinsurers, pension fund management companies and insurance intermediaries should report severe information and communication technologies (ICT) incidents to ASF and, on a voluntary basis, notify significant cyber threats. The circular is intended to avoid overlapping requirements while Portugal’s national implementing measure for the Digital Operational Resilience Act (DORA) is still pending. The circular confirms that incident and cyber threat classification must follow DORA Article 18 and Commission Delegated Regulation (EU) 2024/1772, including the materiality thresholds. It also aligns ASF reporting with the DORA reporting package that has applied since 17 January 2025, including Commission Delegated Regulation (EU) 2025/301 on notification content and timelines and Commission Implementing Regulation (EU) 2025/302 on standardised forms, templates and procedures (in force since 12 March 2025). Reports to ASF must be submitted using ASF’s dedicated forms for initial notification, intermediate reporting and final reporting, with a separate form for voluntary notification of significant cyber threats, and firms must designate a person responsible for these communications. For entities covered by DORA, application of DORA and the related delegated and implementing acts causes the domestic regime in Regulatory Standard 9/2024-R to lapse, except for specified provisions referenced in the circular. Entities not covered by DORA remain subject to Regulatory Standard 9/2024-R, and ASF will publish the reporting forms and any updates on its website following approval by its board.