Law No. 73/2025, published on 23 December 2025, implements the DORA Regulation and transposes Directive (EU) 2022/2556 into Portuguese law, aligning the national legal framework with the European regime on digital operational resilience and amending several financial sector statutes. It designates the Bank of Portugal, the Insurance and Pension Funds Supervisory Authority (ASF) and the Portuguese Securities Market Commission (CMVM) as the competent authorities, centralises the reporting of major ICT-related incidents with the Bank of Portugal, strengthens institutional cooperation and establishes a robust sanctions regime, including significant administrative fines and public disclosure of convictions. This reinforces enforcement and raises regulatory risk, and it requires in-scope entities to enhance governance arrangements, ICT risk management, incident reporting mechanisms, contractual compliance with ICT service providers, preparedness for supervisory scrutiny and digital operational resilience testing, as well as targeted internal training.
I. Context
On 23 December 2025, Law No. 73/2025 was published. It implements Regulation (EU) 2022/2554 (the DORA Regulation) in the national legal order, transposes Directive (EU) 2022/2556, and introduces corresponding amendments to several national legal regimes. These include, in particular, the General Framework for Credit Institutions and Financial Companies, the Portuguese Securities Code, the Legal Framework for Access to and Pursuit of the Business of Insurance and Reinsurance, the Legal Framework for Payment Services and Electronic Money, the Legal Framework for the Incorporation and Operation of Pension Funds and their Management Entities, and the Asset Management Regime, among other sector-specific legislation.
The law aims to ensure, at a national level, the effective application of the new European legislative framework on digital operational resilience. It aligns the Portuguese legal system with the uniform requirements and rules applicable to the security of network and information systems that support the business processes of financial entities, especially in the field of information and communication technology (ICT).
II. Key takeaways
a) Competent authorities and supervision
- Designation of competent authorities: the new Law designates the Bank of Portugal (the Portuguese central bank), the Insurance and Pension Funds Supervisory Authority (ASF), and the Portuguese Securities Market Commission (CMVM) as the national competent authorities for the application, supervision, and enforcement of the DORA Regulation, each within the scope of the entities subject to its supervision. Where a financial entity is simultaneously subject to the supervision of more than one national competent authority, competence for the reporting, monitoring, and coordination of major ICT-related incidents is assigned to the authority responsible for prudential supervision, without prejudice to the information duties owed to the other competent authorities;
- Centralised incident reporting: the Bank of Portugal is designated as the national focal point for receiving notifications of major ICT-related incidents and voluntary reports of significant cyber threats, particularly in cross-cutting scenarios or those involving multiple entities or sectors of the financial system;
- Mandatory institutional cooperation: the law establishes formal duties of institutional cooperation and information sharing between the Bank of Portugal, the ASF, and the CMVM to ensure coordinated action in the supervision of digital operational resilience;
- Regulatory empowerment: the national authorities are expressly empowered to regulate and detail critical operational aspects of the DORA Regulation’s implementation. This includes reporting channels and formats, registers of ICT service subcontracting, communication of contracts supporting critical or important functions, and the performance of advanced threat-led penetration testing (TLPT).
b) Sanctions regime
- Broad classification of infringements: the sanctions regime covers a wide range of infringements, including failures in governance mechanisms, ICT risk management, incident reporting and communication, performance of TLPT, and subcontracting of ICT services. It also covers non-compliance with duties of cooperation, transparency, and provision of information to competent authorities, as well as the violation of any other duties or obligations imposed by the DORA Regulation and its implementing legislation;
- Fines: infringements may be sanctioned with substantial fines, which can reach the highest of five million euros, 10% of total annual turnover, or three times the economic benefit derived from the infringement. The regime applies to both legal entities and natural persons;
- Public disclosure: final decisions convicting for infringements classified as serious or very serious are publicly disclosed on the competent authority’s website, with potentially significant reputational impact for the targeted entities.
III. Developments and precautions
By completing the European framework for digital operational resilience, Law No. 73/2025 ensures its effective application in the Portuguese legal order and reinforces the supervision and enforcement of the DORA Regulation. Although it does not introduce new substantive obligations, the law sets out the institutional and sanctioning mechanisms that make the regime fully enforceable, with a direct impact on governance, technological risk management, and the accountability of entities and their management bodies.
From a practical standpoint, Law No. 73/2025 significantly increases the regulatory risk associated with non-compliance with DORA by introducing a clear sanctions regime, high fines, and mechanisms for the public disclosure of convictions.
In this context, covered entities should:
- Review governance and decision-making models, ensuring that digital operational resilience and DORA compliance are treated as strategic matters at the board and senior management levels;
- Assess and strengthen ICT risk management frameworks, ensuring the proper identification, monitoring, and mitigation of critical technological risks and their integration into overall risk management systems;
- Implement and test effective procedures for the detection, classification, reporting, and response to ICT incidents, ensuring compliance with the deadlines, formats, and channels defined by the competent authorities;
- Review and align contracts with ICT service providers, particularly those related to critical or important functions, ensuring they include DORA-compliant clauses on auditing, access, subcontracting, TLPT, termination, and cooperation with authorities;
- Map and fully document ICT outsourcing and the subcontracting chain, maintaining up-to-date records prepared for supervision and reporting purposes;
- Prepare for audits, information requests, and supervisory actions by ensuring that documentation, evidence, and internal processes are in place to demonstrate compliance with regulatory requirements;
- Plan and integrate digital operational resilience testing, including advanced tests such as TLPT where applicable, in coordination with relevant service providers;
- Raise awareness and train relevant internal teams, including IT, risk, compliance, legal, and procurement departments, on the requirements and practical impacts of DORA.
The Technology team is available to clarify any questions related to the implementation of this law. For more information, please contact us.