Portugal's Insurance Watchdog Trapped: €44M Budget Locked While Cyber Threats Mount
Portugal's insurance and pensions watchdog is sitting on €44M in surplus funds it cannot deploy, a budgetary paradox that underscores a growing clash between the regulator's operational needs and the state's fiscal control framework. The Autoridade de Supervisão de Seguros e Fundos de Pensões (ASF) now finds itself unable to hire cybersecurity teams or upgrade digital tools at a moment when insurers are adopting AI-driven sales platforms—all because the Finance Ministry must approve every contract renewal and spending increase.
Why This Matters
• Regulatory gap: ASF lacks dedicated staff to supervise digital resilience in insurers, even as cyber risk becomes the sector's top threat.
• Budget handcuffs: The watchdog must ask the Finance Ministry for permission to exceed prior-year spending or sign new contracts, delaying crucial hires.
• European scrutiny: The European Insurance and Occupational Pensions Authority (EIOPA) will soon audit whether Portugal's regulator meets EU independence standards.
• Consumers pay twice: Insurers funded the surplus through fees, yet the money flows to the state budget instead of improving supervision.
Budget Surplus Built on Red Tape, Not Efficiency
The €44M stockpile emerged from a Portugal Court of Audit (Tribunal de Contas) review published in January, which found the ASF collected surplus revenues that ended up subsidizing general government spending. But ASF president Gabriel Bernardino told lawmakers this week the surplus is not a sign of profligacy—it is the direct result of execution roadblocks embedded in Portugal's Lei de Enquadramento Orçamental (Budget Framework Law).
Under the current rules, the regulator cannot freely spend its approved annual budget. Each year, it must secure ministerial approval to renew contracts that lapsed in the prior fiscal year or to exceed the previous ceiling on service acquisitions. "In terms of financial and budgetary management, this is anything but independence," Bernardino said during an April 8, 2026 hearing before the Budget, Finance and Public Administration Committee (COFAP), convened at the request of the right-wing Chega party.
Part of the surplus also functions as a prudential reserve against revenue shortfalls or unexpected regulatory activity, the ASF chief explained. "We have a risk of insufficient revenue for which we must hold reserves; we have an activity risk for which we must hold reserves. It is more than natural—it is mandatory," he told deputies.
Cybersecurity Teams on Hold as Insurers Go Digital
The operational cost of these budget constraints is stark. Bernardino emphasized that digital operational resilience now ranks among the gravest risks facing the financial sector worldwide, yet the ASF has been unable to establish a dedicated supervisory unit to examine insurers' cyber defenses. "We still have not managed to create a specialized supervision team to analyze the digital resilience of insurance companies… because we lack the flexibility to use the budget," he said.
The timing is critical. Portugal transposed the EU's NIS2 Directive into national law via Decree-Law 125/2025, which was approved on December 4, 2025 and entered into force on April 3, 2026, imposing stricter cybersecurity obligations on a broader swath of "essential" and "important" entities—potentially including mid-sized insurers. Simultaneously, the Digital Operational Resilience Act (DORA), enacted through Law 73/2025, requires insurers and pension funds to implement robust IT risk-management frameworks, report serious digital incidents within tight deadlines, and conduct regular resilience testing, including advanced threat-based drills.
ASF, together with the Banco de Portugal and the Comissão do Mercado de Valores Mobiliários (CMVM), is responsible for enforcing these rules. Yet the regulator admits it lacks the technological tools to track developments such as large-language-model chatbots already being used to sell insurance policies online. "We do not need more fees at this moment," Bernardino stressed. "What we need is the ability to use the budget and the accumulated balances."
EU Independence Test Looms as Bernardino Seeks Exemption
Bernardino, who previously led EIOPA, warned that the European authority will soon begin evaluating the operational and financial independence of national regulators, including ASF. "The last thing I would want is a European report saying the Portuguese authority—which I am honored to preside over—does not meet the rules on financial and operational independence," he said.
His proposed solution: exclude ASF—along with the Work Accident Fund and the Motor Insurance Guarantee Fund—from the scope of the Budget Framework Law. "This does not mean we are asking for no scrutiny. Please, provide scrutiny based on the administration's ability to manage the approved budget, which is what we cannot do today," he added.
The exemption would not eliminate oversight but would grant the regulator discretion to allocate its own resources without ministerial sign-off on every procurement decision. Bernardino argued that the current regime forces the ASF to hoard cash rather than invest in supervisory capacity, leaving insurers—and their customers—exposed to emerging risks the regulator is equipped to identify but not resourced to police.
What This Means for Policyholders and Insurers
For consumers, the standoff translates to a regulatory blind spot at a vulnerable moment. Insurers are rapidly digitizing sales, underwriting, and claims, yet the entity tasked with ensuring those systems are secure and resilient cannot hire the specialists needed to perform that function. If a major cyber incident or data breach hits a large insurer, the ASF's inability to proactively supervise digital infrastructure may turn out to have contributed.
For the insurance industry, the picture is equally uncomfortable. Companies have been paying unchanged fees, yet those revenues sit idle or fund general government expenses rather than improving the quality of supervision. The sector effectively finances both the state budget and a regulator that cannot spend on the tools or talent required to keep pace with industry innovation.
Bernardino's testimony suggests the standoff may soon come to a head, either through legislative action to carve out regulatory independence or through an unfavorable European assessment that forces Lisbon's hand. Until then, the ASF remains a watchdog on a leash—funded but constrained, surplus-rich yet operationally starved.
The Portugal Post is an independent news source for English-speaking audiences.