Portugal's Insurance and Pension Funds Supervisory Authority (ASF) has published amendments to its reporting framework to implement the EU Digital Operational Resilience Act (DORA) across supervised insurance and pension entities. The changes add ASF reporting and information obligations for insurers and reinsurers, including branches of third-country undertakings, pension fund management companies, and insurance, reinsurance and ancillary insurance intermediaries in Portugal that fall within the scope of DORA. Covered firms must submit registers of third-party ICT service contracts, notify planned ICT arrangements supporting critical or important functions, report severe ICT-related incidents and, on a voluntary basis, significant cyber threats, and notify participation in cyber threat information-sharing arrangements. The framework also requires firms to keep available for ASF review, and provide on request, their ICT risk management framework review report and estimates of annual aggregate costs and losses caused by severe ICT incidents, incorporating the Joint Committee of the European Supervisory Authorities guidelines on those estimates.
The annual register of ICT third-party arrangements is due by 28 February with reference to 31 December of the previous year. Insurers and reinsurers may file that register at the highest level of consolidation in the European Union where the parent is supervised by ASF, otherwise on an individual basis, while pension managers and intermediaries report at entity level. ASF may also grant proportionality-based exemptions or different reporting formats or frequencies for that register. For intermediaries, the scope is limited to firms that are not micro, small or medium-sized enterprises, defined here as employing at least 250 people or having annual turnover above EUR 50 million and annual balance sheet total above EUR 43 million.
Where credit institutions carry on insurance distribution, severe ICT incident notifications and the register of information go to the banking supervisor rather than ASF. The amendments also repeal earlier ASF rules on ICT security, cloud outsourcing and ICT incident reporting to remove overlapping requirements, and the text provides for entry into force on the day after publication.
Portuguese Insurance Regulator (ASF) 2026-04-29
Portugal's Insurance and Pension Funds Supervisory Authority sets DORA reporting rules for insurers, pension managers and certain insurance intermediaries
Portugal’s Insurance and Pension Funds Supervisory Authority has amended its reporting framework to implement the EU Digital Operational Resilience Act for insurers, reinsurers, pension fund managers and larger insurance intermediaries. Covered entities must report registers of third-party ICT service contracts, planned ICT arrangements supporting critical or important functions, severe ICT-related incidents and, voluntarily, significant cyber threats, and maintain ICT risk management review reports and cost and loss estimates for ASF review. The amendments repeal prior ASF rules on ICT security, cloud outsourcing and ICT incident reporting to eliminate overlaps.