{"id":2822,"date":"2026-02-24T16:45:58","date_gmt":"2026-02-24T16:45:58","guid":{"rendered":"https:\/\/icompliance.eu\/?p=2822"},"modified":"2026-02-25T08:15:03","modified_gmt":"2026-02-25T08:15:03","slug":"dora-implementation-in-portugal-a-practical-guide-to-compliance-without-compliance-theatre","status":"publish","type":"post","link":"https:\/\/icompliance.eu\/en\/dora-implementation-in-portugal-a-practical-guide-to-compliance-without-compliance-theatre\/","title":{"rendered":"DORA implementation in Portugal: a practical guide to compliance (without &#8220;compliance theatre&#8221;)"},"content":{"rendered":"<h2><b>DORA Implementation<\/b><\/h2>\n<p>Digital transformation in the financial sector has brought speed, efficiency and new business models \u2014 but also a structural dependence on technology, the cloud, third-party software, integrations and digital supply chains. The <b>DORA (Digital Operational Resilience Act)<\/b> was created precisely to respond to this systemic risk: to ensure that financial entities can <b>resist<\/b>, <b>respond<\/b> and <b>recover<\/b> from ICT\/cyber incidents (as well as operational failures) without compromising the continuity of critical services.<\/p>\n<p>DORA is a European regulation (i.e. directly applicable), with harmonised requirements for the financial sector in the European Union. It came into force on <b>17 January 2025<\/b>.<\/p>\n<p>In Portugal, <b>Law No. 73\/2025 of 23 December<\/b> ensured the national framework for implementation, supervision and sanctions associated with digital operational resilience in the financial sector.<\/p>\n<p>This article is an implementation guide: without unnecessary jargon, but with clear steps, priorities and deliverables.<\/p>\n<h2><b>What DORA requires, in simple terms<\/b><\/h2>\n<p>DORA organises obligations into five major blocks (pillars) that reinforce each other:<\/p>\n<ol>\n<li><b>ICT governance and risk management<\/b> (framework, policies, controls, roles and responsibilities)<\/li>\n<li><b>ICT incident management and reporting<\/b> (classification, notifications, communication)<\/li>\n<li><b>Digital operational resilience testing<\/b> (from basic testing to advanced exercises)<\/li>\n<li><b>ICT third-party risk management<\/b> (contracts, supplier registration, exit plans)<\/li>\n<li><b>Threat information sharing<\/b> (mechanisms and best practices, where applicable)<\/li>\n<\/ol>\n<p>European and national authorities have been summarising this logic of \u2018digital operational resilience\u2019 as an ongoing capability (not a one-off project).<\/p>\n<h2><b>Who is covered (and why it matters to your \u201cperimeter\u201d)<\/b><\/h2>\n<p>DORA applies to a wide range of financial entities (e.g. banking, insurance, investment and other regulated participants), and also introduces a European supervisory framework for critical ICT service providers supporting the financial sector.<\/p>\n<p>In practice, the first implementation task is not to \u2018write policies\u2019 \u2014 it is to <b>define the perimeter<\/b>:<\/p>\n<ul>\n<li>Which entities in the group are under financial supervision?<\/li>\n<li>What are the critical or important services\/products and functions (CIFs) supported by ICT?<\/li>\n<li>What are the dependencies (applications, infrastructure, suppliers, data, integrations)?<\/li>\n<li>Who \u2018owns\u2019 each risk and each control (actual operational ownership)?<\/li>\n<\/ul>\n<p>If you fail here, everything else (incidents, tests, contracts, evidence) becomes inconsistent.<\/p>\n<h2><b>What specifically changes in Portugal<\/b><\/h2>\n<p>With <b>Law No. 73\/2025<\/b>, the national framework is aligned with the European regime and strengthens enforcement\/supervision. The law <b>designates as competent authorities<\/b> the <b>Bank of Portugal<\/b>, the <b>CMVM<\/b> and the <b>ASF<\/b>, and provides for institutional cooperation within the financial supervision system.<\/p>\n<p>A very relevant practical point for operations and compliance: the national framework centralises the reporting of serious ICT incidents at the Bank of Portugal (with coordination between supervisors).<\/p>\n<p>In addition, Portugal has strengthened institutional communication on DORA, including the role of the National Council of Financial Supervisors in coordinating the resilience package.<\/p>\n<h2><b>ICT incidents: from \u2018we handle it internally\u2019 to a timed process<\/b><\/h2>\n<p>One of the areas with the greatest operational shock is <b>incident reporting<\/b>. DORA requires the ability to:<\/p>\n<ul>\n<li>quickly detect and <b>classify<\/b> ICT incidents;<\/li>\n<li>decide whether they are \u2018major ICT-related incidents\u2019 (according to applicable criteria\/thresholds);<\/li>\n<li>report with <b>standardised content<\/b> and <b>strict timings<\/b>, via defined templates and processes.<\/li>\n<\/ul>\n<p>The deadlines are particularly tight: there are technical standards that require <b>initial notification within 4 hours of classification<\/b> (and up to 24 hours after detection\/knowledge, depending on the context), followed by an interim and final report.<\/p>\n<p>In operational terms, this requires two changes:<\/p>\n<ol>\n<li><b>Process engineering<\/b> (workflow) \u2014 who detects, who classifies, who approves, who submits, on which channel, with what evidence.<\/li>\n<li><b>24\/7 decision-making capacity<\/b> \u2014 cannot depend on \u2018the team will be back tomorrow\u2019.<\/li>\n<\/ol>\n<p>\ud83d\udc49 Implementation tip: build a <b>DORA incident playbook<\/b> with:<\/p>\n<ul>\n<li>classification and escalation criteria;<\/li>\n<li>RACI (responsible\/decision makers);<\/li>\n<li>pre-filled report templates (where possible);<\/li>\n<li>simulation exercises to test response time.<\/li>\n<\/ul>\n<h2><b>How to implement DORA: 10-step roadmap (realistic)<\/b><\/h2>\n<h3><b>1) Create a \u2018DORA Scope Map\u2019 (2\u20133 weeks)<\/b><\/h3>\n<ul>\n<li>inventory of critical\/important services and functions;<\/li>\n<li>map of ICT assets (applications, infrastructure, data, integrations);<\/li>\n<li>list of ICT suppliers and dependencies.<\/li>\n<\/ul>\n<p><b>Deliverable<\/b>: perimeter map + list of CIFs + initial inventory.<\/p>\n<h3><b>2) Gap assessment (DORA vs reality)<\/b><\/h3>\n<p>Assess the \u2018as-is\u2019 against the 5 pillars: what exists, what is missing, what is only informal.<\/p>\n<p>Deliverable: gap matrix prioritised by risk and effort.<\/p>\n<h3><b>3) Governance and accountability (the \u2018tone from the top\u2019 with evidence)<\/b><\/h3>\n<p>DORA requires management involvement: decisions, approvals, monitoring and accountability.<\/p>\n<p>Without this, policies look good \u2014 but they don&#8217;t stand up to scrutiny.<\/p>\n<p>Deliverable: governance model (committees, reporting, KRIs\/KPIs).<\/p>\n<h3><b>4) ICT risk framework (policies + controls + evidence)<\/b><\/h3>\n<p>This includes policies and procedures such as:<\/p>\n<ul>\n<li>vulnerability management and patching,<\/li>\n<li>access management,<\/li>\n<li>logging and monitoring,<\/li>\n<li>change management,<\/li>\n<li>backup\/restore and continuity,<\/li>\n<li>configuration management,<\/li>\n<li>secure SDLC (if development is involved),<\/li>\n<li>data management (aligned with GDPR where applicable).<\/li>\n<\/ul>\n<p><b>Deliverable<\/b>: set of policies\/procedures + evidence (records, reports, tickets).<\/p>\n<h3><b>5) Incidents and reporting (process + training)<\/b><\/h3>\n<p>Design the flow and train: detect \u2192 classify \u2192 report \u2192 communicate \u2192 close with RCA (root cause analysis).<\/p>\n<p><b>Deliverable<\/b>: incident playbook + exercises (tabletop) + lessons learned.<\/p>\n<h3><b>6) Resilience testing (basic to advanced)<\/b><\/h3>\n<p>Not just annual pentesting. Includes:<\/p>\n<ul>\n<li>backup\/restore testing,<\/li>\n<li>continuity testing,<\/li>\n<li>incident simulations,<\/li>\n<li>escalation process testing,<\/li>\n<li>and, for relevant entities, more demanding exercises (e.g., TLPT-type approaches).<\/li>\n<\/ul>\n<p><b>Deliverable<\/b>: annual testing plan + evidence of execution and remediation.<\/p>\n<h3><b>7) ICT third-party risk management (contracts, registration, exit)<\/b><\/h3>\n<p>This is the typical \u2018Achilles heel\u2019: cloud, SaaS, MSSP, integrators, payments, KYC, etc.<\/p>\n<p>DORA introduces contractual and control obligations and creates European supervision over <b>critical third parties<\/b>.<\/p>\n<p><b>Deliverables<\/b>:<\/p>\n<ul>\n<li>registration of contracts and services,<\/li>\n<li>risk assessment by supplier,<\/li>\n<li>DORA contractual clauses (audit rights, SLAs, subcontracting, location, incidents, exit),<\/li>\n<li>exit strategy for critical services.<\/li>\n<\/ul>\n<h3><b>8) Metrics and continuous reporting (not a \u2018one-off project\u2019)<\/b><\/h3>\n<p>Create a resilience dashboard:<\/p>\n<ul>\n<li>incidents and response times,<\/li>\n<li>availability of critical services,<\/li>\n<li>test results,<\/li>\n<li>supplier risk,<\/li>\n<li>remediation backlog.<\/li>\n<\/ul>\n<h3><b>9) Preparation for supervision<\/b><\/h3>\n<p>Supervision will ask for evidence: it is not enough to say \u2018we have a policy\u2019.<\/p>\n<p>Organise the evidence repository by pillar.<\/p>\n<h3><b>10) Training and operational culture<\/b><\/h3>\n<p>Without training, rapid reporting fails.<\/p>\n<p>Train: IT, operations, risk, compliance, management, and critical suppliers.<\/p>\n<h2><b>DORA and NIS2: overlap, but not replacement<\/b><\/h2>\n<p>If your organisation (or part of it) also falls under NIS2, there are common areas (incidents, risk management, supply chain). But beware: in the financial sector, DORA functions as a specialised regime for digital resilience \u2014 and specific obligations must still be met in accordance with the applicable framework.<\/p>\n<p>The practical approach is to build <b>an integrated system<\/b>, with:<\/p>\n<ul>\n<li>a single incident taxonomy,<\/li>\n<li>base controls aligned with standards (e.g. ISO 27001\/22301),<\/li>\n<li>but workflows and reporting tailored to each obligation (DORA vs NIS2 vs GDPR).<\/li>\n<\/ul>\n<h2><b>Common mistakes that lead to non-compliance (and headaches)<\/b><\/h2>\n<ul>\n<li><b>Poorly defined perimeter<\/b> (vague CIFs, critical suppliers \u2018forgotten\u2019)<\/li>\n<li><b>Cloud\/SaaS contracts without DORA clauses<\/b> and without a real exit strategy<\/li>\n<li><b>Incidents without rapid classification<\/b> and without 24\/7 authority to report<\/li>\n<li><b>Tests that do not close remediations<\/b> (tested, found, but not corrected)<\/li>\n<li><b>Scattered evidence<\/b> (no one can prove, in two days, that they control the risk)<\/li>\n<\/ul>\n<h2><b>Final checklist: \u2018DORA in 30 days\u2019 (the minimum you should have)<\/b><\/h2>\n<ul>\n<li>Scope map (CIFs + assets + integrations)<\/li>\n<li>Inventory of ICT suppliers + criticality<\/li>\n<li>Gap assessment + approved roadmap<\/li>\n<li>Formal governance (committees, reporting, responsible parties)<\/li>\n<li>Incident process with classification and escalation<\/li>\n<li>Response time reporting and testing templates<\/li>\n<li>Resilience testing plan + calendar<\/li>\n<li>Contract register + contractual remediation plan<\/li>\n<li>Exit strategy for critical services<\/li>\n<li>Evidence repository prepared for supervision<\/li>\n<\/ul>\n<h2><b>How iCompliance.eu can help<\/b><\/h2>\n<p>At iCompliance.eu, we typically implement DORA as an <b>operational resilience programme<\/b> (not as \u2018documentation for show\u2019), with a focus on evidence and actual response capability:<\/p>\n<ul>\n<li><b>DORA Readiness &amp; Gap Assessment<\/b> (scope, CIFs, risks, maturity)<\/li>\n<li><b>90\/180-day roadmap<\/b> with quick wins and priorities by risk<\/li>\n<li><b>Governance, policies and procedures package<\/b> (aligned with audit\/supervision)<\/li>\n<li><b>Incident reporting pack<\/b> (workflow, RACI, templates, exercises)<\/li>\n<li><b>Third-party ICT pack<\/b> (registration, due diligence, contractual clauses, exit plans)<\/li>\n<li><b>Test plan<\/b> and support in exercises and preparation for inspections<\/li>\n<\/ul>\n<h2 data-start=\"8191\" data-end=\"8508\">Next steps:<\/h2>\n<div style=\"text-align: center; margin: 32px 0 16px 0;\"><a style=\"display: inline-block; background-color: #1e828c; color: #ffffff; text-decoration: none; font-size: 16px; font-weight: bold; line-height: 1.2; padding: 14px 28px; border-radius: 10px; border: 2px solid #1E828C; box-shadow: 0 6px 18px rgba(0,0,0,0.12); transition: all 0.2s ease-in-out;\" href=\"https:\/\/icompliance.eu\/en\/dora-diagnosis\/?utm_source=blog&#038;utm_medium=article&#038;utm_campaign=dora_pt&#038;utm_content=request_dora_diagnosis\" target=\"_blank\" rel=\"noopener noreferrer\" aria-label=\"Request DORA implementation diagnosis\">Request DORA Diagnosis<br \/>\n<\/a><\/div>\n<ul>\n<li data-start=\"8191\" data-end=\"8508\"><a title=\"Request a free DORA diagnosis, with no obligation\" href=\"https:\/\/icompliance.eu\/en\/dora-diagnosis\/\" target=\"_blank\" rel=\"noopener\">DORA Diagnosis:<\/a> If you want to know, objectively, what your organisation needs to do to comply, iCompliance.eu can carry out a quick DORA assessment and deliver a compliance roadmap with evidence ready for supervision and auditing.<\/li>\n<li data-start=\"8191\" data-end=\"8508\">To help you get started, download a <strong>DORA Portugal checklist<\/strong> in PDF format by requesting it below in the comments section of this article.<\/li>\n<li data-start=\"8191\" data-end=\"8508\">Contact us: <a title=\"Contact us\" href=\"https:\/\/icompliance.eu\/eu\/contacts\/\">Contacts | iCompliance<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>DORA Implementation Digital transformation in the financial sector has brought speed, efficiency and new business models \u2014 but also a structural dependence on technology, the cloud, third-party software, integrations and digital supply chains. The DORA (Digital Operational Resilience Act) was created precisely to respond to this systemic risk: to ensure that financial entities can resist, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2813,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2822","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sem-categoria"],"_links":{"self":[{"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/posts\/2822","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/comments?post=2822"}],"version-history":[{"count":6,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/posts\/2822\/revisions"}],"predecessor-version":[{"id":2878,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/posts\/2822\/revisions\/2878"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/media\/2813"}],"wp:attachment":[{"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/media?parent=2822"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/categories?post=2822"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/tags?post=2822"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}