
Portugal Updates Rules for Stronger Digital Security in Banks

Portugal just passed some new rules to make sure banks are better defended against cyberattacks. These rules, which are part of Law No. 73/2025, are now official. The law is Portugal's version of the European DORA rulebook, and it was put in place after some nagging from Europe because Portugal was taking too long to get it done.

DORA is an EU regulation from 2023 that is already active. It's all about making sure that banks, insurance companies, and other financial companies can handle serious IT incidents and online threats. The rules in Portugal apply to regular insurance companies and retirement fund managers.

The Bank of Portugal, the Insurance and Pension Funds Supervisory Authority (ASF), and the Securities Market Commission (CMVM) will supervise compliance, working with the National Cybersecurity Center. Financial companies will need to report big incidents, manage their IT risks, test their security, keep tabs on their tech suppliers, and teach their staff how to keep things running and what to do if there's a cyberattack.

If companies don't follow the rules, they can get fined, even if it was just an accident. Companies could pay fines between €10,000 and €5 million for big mistakes. Individuals can be fined up to €2.5 million.