Portugal: Cybersecurity

1. GOVERNING TEXTS

The Portuguese legal system distinguishes between cybersecurity and data protection, and the two subjects are addressed separately in the existing legislative provisions and rules.

The 2019 Government resolution on the Portuguese National Cybersecurity Strategy 2019-2023 ('the Resolution of the Council of Ministers no. 92/2019') (only available in Portuguese here) defines cybersecurity as the set of preventive, monitoring, detection, reaction, analysis, and correction measures and actions aimed at maintaining the desired security level and guaranteeing the confidentiality, integrity, availability, and non-repudiation of the information, networks, and information systems in cyberspace, and of the people that interact in it.

Although not legally defined as such, data protection is portrayed in documents issued by the local authority for cybersecurity as the implementation of measures to protect personal (and sensitive) data from unauthorised public access and to control the flow of such data, a definition that is in line with the subject matter and objectives explicitly laid out in Article 1 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

The following two key pieces of legislation adopted by the EU in 2016 are the reference for the existing legislation in Portugal:

The NIS Directive was transposed into Portuguese legislation in 2018 and the GDPR provisions are, of course, directly applicable.

In Portugal, the NIS Directive was implemented by the Cyberspace Security Act approved by Law no. 46/2018 of 13 August 2018 ('the Cyberspace Security Act') (only available in Portuguese here). The Cyberspace Security Act has a narrower scope of applicability than the GDPR, insofar as its provisions directly concern, firstly, in compliance with the NIS Directive, the so-called 'operators of essential services' and 'operators of digital services', as well as Public Services and the so-called 'operators of critical infrastructures'. Both the Cyberspace Security Act and the GDPR contain security requirements and breach notification provisions that fall upon the entities covered and that became mandatory in 2018.

However, please note that the Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555) ('NIS 2 Directive') was published in the Official Gazette of the European Union on 27 December 2022 and became effective as of 16 January 2023. Pursuant to Article 41 of the NIS 2 Directive, by 17 October 2024, Member States must transpose the NIS 2 Directive into their national legislation, and the transposition laws shall apply from 18 October 2024. On the same date, the NIS Directive will be repealed. For further information please see our Insight article on the NIS Directive here.

Law 58/2019 of 8 August 2019 ('the Data Protection Act') (only available in Portuguese here) does not focus on cybersecurity. However, since most personal data processing occurs on IT systems, the GDPR requirements flowing from the principles of integrity and confidentiality have a cybersecurity impact: personal data must be processed in a manner that ensures its appropriate security (including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage) using appropriate technical or organisational measures.

1.1. Legislation

General Legislation

The Cyberspace Security Act and the Cybersecurity Regulation

The Cyberspace Security Act entered into force on 14 August 2021 and, being the local implementation law of the NIS Directive in Portugal, provides the basic legal cybersecurity framework, with a view to extending and implementing in Portugal the EU common level of security of network and information systems laid down in the NIS Directive.

The Resolution of the Council of Ministers no. 92/2019 contains the current national strategy on the security of network and information systems.

The Cyberspace Security Act was the object of additional regulation, contained in the recently passed Decree-law no. 65/2021 of 30 July 2021 ('the Cybersecurity Regulation') (only available in Portuguese here). 

The Cybersecurity Regulation has two different scopes:

Most of the provisions of the Cybersecurity Regulation entered into force on 30 October 2021. A specific section, concerning certain provisions on the technical and organisational measures required for the network and information systems used by Public Services, operators of critical infrastructure, and operators of essential services (aimed at guaranteeing adequate risk management, timely assessment, and updating), will only become mandatory from 30 July 2022.

The National Cyber Security Centre ('CNCS') is designated as the national cybersecurity certification authority.

Critical infrastructures are also covered by Decree-Law No. 62/2011 of 12 December 2011 (only available in Portuguese here) which, inter alia, sets out the need for each infrastructure identified as critical to have its own security plan, including security measures for its information systems. This act transposes Council Directive 2008/114/EC of 8 December on the Identification and Designation of European Critical Infrastructures and the Assessment of the Need to Improve their Protection ('Council Directive 2008/114').

The GDPR 

In Portugal, as in all other EU States, personal data processing and data protection are governed as from 25 May 2018 by the GDPR.

In August 2019, the Portuguese parliament passed additional legislation to supplement the data protection requirements of the GDPR, specifically the Data Protection Act, which came into force on the day following its publication in the Official Gazette.

The Cybercrime Law and the Budapest Convention

Law No. 109/2009 of 15 September ('the Cybercrime Law'), complementing the criminal code, sets out cybercrime offences and regulates the surveillance of communications and the seizure of evidence in electronic format.

Portugal is also a party to the Budapest Convention on Cybercrime of the Council of Europe of 2001 ('Budapest Convention'), a binding international instrument that provides guidance for parties working on national legislation to prevent and fight cybercrime and allows international co-operation between the parties offering a clear framework for such purpose.

Sectoral Legislation

Electronic communications sector

The processing of data in the context of electronic communication service providers and services (telecom sector) is subject to specific legislation, currently Law No. 46/2012 of 29 August 2012, which updated the 2004 legislation, Law No. 41/2004 ('the ePrivacy Act'), which partly transposed the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive').

The ePrivacy Act includes a number of provisions regarding the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks, including public communications networks supporting data collection and identification devices, specifying and complementing the provisions of the GDPR (and before the GDPR, naturally, of the former Portuguese Data Protection Act (only available in Portuguese here) which, in 1998, had transposed the Data Protection Directive 95/46/EC repealed by the GDPR).  

The retention and transfer of personal data generated or processed in connection with the provision of publicly available electronic communications services or public communications networks for the purposes of the investigation, detection and prosecution of serious crimes by competent authorities is covered by Law No. 32/2008, of 17 July 2008 (only available in Portuguese here) which implemented Directive 2006/24/EC of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC.

Law No. 5/2004 of 10 February 2004 ('the Electronic Communications Law') (only available in Portuguese here), as amended, also foresees obligations that apply to telecoms – operators providing public communications networks or publicly available electronic communications services – which include the duty to adopt appropriate technical and organisational measures to prevent, manage and reduce the risks posed to security of networks and services.

The national regulatory authority for electronic communications ('ANACOM') issued specific regulation under the provisions of the Electronic Communications Law, the ANACOM Regulation No. 303/2019 on the security and integrity of electronic communications services and networks ('ANACOM Regulation No. 303/2019'), which covers:

  • technical measures to appropriately prevent, manage, and reduce the risks posed to security of networks and services, to prevent or minimise the impact of security incidents on interconnected networks and users to be complied with by companies providing public communications networks or publicly available electronic communications services (telecoms);
  • circumstances, forms, and procedures applicable to the reporting requirements for security breaches or loss of network integrity with significant impact on the operation of networks and services by telecoms; 
  • conditions applicable to disclosure, by telecoms to the public, of security breaches or loss of integrity with a significant impact on the operation of networks and services; and
  • obligations to perform security audits of networks and services by telecoms and on reporting such audits.

Financial services sector

The Central Bank of Portugal ('the Bank of Portugal') has also adopted sector-specific regulation covering the reporting of cybersecurity incidents by financial sector entities under its supervision and by relevant credit institutions with head office in Portugal supervised by the European Central Bank ('ECB'). These rules are contained in Instruction No. 21/2019 of 25 November 2019 ('Instruction No. 21/2019') (only available in Portuguese here).

1.2. Regulatory authority 

The Portuguese national authority carrying out regulatory, supervisory, and sanctioning functions on cybersecurity is the CNCS. 

The CNCS is the overarching cybersecurity agency in Portugal, being the competent authority on the security of network and information systems, and is designated as the national single point of contact for the purposes of Article 8 of the NIS Directive.

The CNCS's legally defined mission is to contribute towards the free, reliable and secure use of cyberspace in Portugal, through the continuous improvement of national cybersecurity and international co-operation, in co-ordination with all competent authorities, and through the implementation of the measures and instruments required for the anticipation, detection, reaction and recovery of situations that, in the imminence of incidents or cyber-attacks, may compromise the operation of critical infrastructures and national interests (Legal Statute for the National Security Cabinet ('GNS') and the CNCS (only available in Portuguese here)).

The CNCS's role and powers include the following:

  • acting as the competent national authority for cybersecurity in relation to the public administration and operators of national critical infrastructure;
  • producing cybersecurity normative benchmarking;
  • developing national capacities for the prevention, monitoring, detection, analysis, and resolution of cybersecurity incidents and cyberattacks; and
  • providing international cooperation on cybersecurity together with the Department of Foreign Affairs.

The CNCS also cooperates with the local authorities responsible for cyber espionage, cyber defence, and cyberterrorism, being under a duty to keep the competent authorities informed of any information it may become aware of regarding the occurrence or preparation of potentially criminal actions.

The CNCS has the responsibility and necessary powers to conduct administrative infringement proceedings and impose any applicable fines. 

The role of Computer Security Incident Response Team ('CSIRT') in Portugal is entrusted to CERT.PT that is established within the competent authority, i.e. the CNCS.

Among other roles, CERT.PT is responsible for:

  • providing operational cooperation in incident response;
  • monitoring incidents with implications at a national level;
  • activating early warning mechanisms;
  • responding to, analysing and mitigating incidents;
  • providing dynamic risk analysis;
  • assuring cooperation between public and private entities;
  • promoting the adoption and use of common standardised practices; and
  • participating in the CSIRT network.

Whenever the cybersecurity incident also involves a personal data breach, as defined in the GDPR, the CNCS (CERT.PT) will act in cooperation with the Portuguese data protection authority ('CNPD'). The CNPD is the supervisory authority established by Portugal pursuant to Article 51 of the GDPR. It is the competent authority to which personal data breach notifications required under the GDPR (and personal data breaches occurring in the electronic communications sector, which are also subject to notification under the ePrivacy Act) must be addressed.

In addition, in the electronic communications sector, network and service providers must notify the ANACOM of information security breaches or loss of integrity whenever causing serious disturbance to the operation of networks and services and involving significant impact on the continuity of the operations.

Therefore, the CNPD and ANACOM also act as supervisory authorities in the context of cybersecurity.

1.3. Regulatory authority guidance

The CNCS has published a significant number of best practice guidelines (some of which are mentioned below).

The National Cybersecurity Framework is an extensive guideline document summing up a set of internationally accepted cybersecurity standards made available to organisations, allowing them to voluntarily adopt relevant security measures for networks and information systems on a risk-based approach to tackling cyber threats. With this initiative the CNCS aims to provide a cybersecurity guide that, in a comprehensive manner, organises a set of measures for the most relevant challenges organisations face in this area today. Moreover, it is intended to provide the basis for achieving a minimum set of recommended information security requirements. The National Cybersecurity Framework compiles an extensive list of best practices on cyber risk management and minimisation, also addressing several types of security measures, under the Framework's objectives of:

  • identifying;
  • protecting;
  • detecting;
  • responding; and 
  • recovering. 

The CNCS also issued technical recommendations, including: 

  • Technical Recommendation 01/2020 (only available in Portuguese here) on parked domains; and 
  • Technical Recommendation 01/2019 on the adoption of SPF, DKIM, and DMARC standards for email security reinforcement (only available in Portuguese here).

Additionally, the CNCS has prepared and made available on its webpage a series of documents directed at both organisations and individuals, having been prolific in publishing best practice guidelines in the context of the pandemic. A significant number of documents describe the best practices to be followed in different scenarios, including studying from home, remote working, travelling, and public offices, as well as guidance and recommendations on the use of popular digital tools such as Google Classroom and Meet, Microsoft Teams, Moodle, and Zoom. Additional advice on online meetings and webinars, and on measures connected with the use of passwords, has also been produced.

2. SCOPE OF APPLICATION

2.1. Network and Information Systems

The Cyberspace Security Act adopts a definition of network and information systems aligned with Article 4(1)(a), (b) and (c) of the NIS Directive, defining them as any device or group of interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data, as well as the electronic communications network supporting the communication between the devices, and the digital data stored, processed, retrieved or transmitted by such device or devices for the purposes of their operation, use, protection, and maintenance.

2.2. Critical Information Infrastructure Operators

The security and notification requirements of the Cyberspace Security Act apply to critical information infrastructure operators (see section 3. on Requirements) and specific security requirements have been set forth in the Cybersecurity Regulation. 

Critical infrastructure operators are explicitly mentioned in the Cyberspace Security Act, and critical infrastructure is defined therein as an asset, system, or part thereof located in Portugal which is essential for the maintenance of vital societal functions, health, safety, security or the economic well-being of people, and the disruption or destruction of which would have a significant impact as a result of the failure to maintain those functions. This definition is completely aligned, at the national level, with the key pillar of the European programme for critical infrastructure protection ('EPCIP') found in Council Directive 2008/114.

Operators of critical infrastructure are defined in Portuguese legislation as the public or private entities that operate critical infrastructures.

2.3. Operator of Essential Services

Operators of essential services are covered by the Cyberspace Security Act and the definition thereof is aligned with that of the NIS Directive (Articles 4(4) and 5(2) as well as Annex II of the NIS Directive).

In the Portuguese Cyberspace Security Act, operators of essential services are defined as the public or private entities, of a type referred to in the relevant annex (aligned with Annex II of the NIS Directive), that operate services essential for the maintenance of crucial societal or economic activities, the provision of which depends upon networks or information systems and which, if affected by an incident, would suffer relevant disruptive effects on the provision of such service.

The security and notification requirements of the Cyberspace Security Act apply to operators of essential services (see section 3. on Requirements) and specific security requirements have been set forth in the Cybersecurity Regulation.

2.4. Cloud Computing Services

Cloud computing services are explicitly listed by the Cyberspace Security Act in Portugal amongst the relevant digital services for the purposes of defining the digital service providers subject to such legislation scope and provisions.

2.5. Digital Service Providers

Digital service providers are defined in the Cyberspace Security Act as any information society service rendered at a distance by electronic means. The same Act further provides that the digital service providers included in its scope, and in the legal provisions referring to such type of providers, render the following services:

  • online marketplace;
  • online search engine; and 
  • cloud computing service.

This is consistent with the definition of digital services found in Article 4(5) and the types of activities listed in Annex III of the NIS Directive.

Not all such digital service providers are subject to the provisions of the Cyberspace Security Act. Digital service providers that qualify as small or micro enterprises under Portuguese law are not subject to the requirements provided for in the Cyberspace Security Act.

Small and micro enterprises refer to entities:

  • employing fewer than 50 people and having an annual turnover or total annual balance sheet under €10 million ('small enterprises'); or
  • employing fewer than ten people and having an annual turnover or total annual balance sheet under €2 million ('micro enterprises').

The specific security requirements applicable to network and information systems used by entities covered by the Cyberspace Security Act, as set forth in the Cybersecurity Regulation, do not apply to digital service providers. They only cover public services, operators of essential services, and critical information infrastructure operators. The provisions on incident notification contained in the Cybersecurity Regulation cover those same entities but also apply to digital service providers.

The rules for application of the NIS Directive as regards further specification of the elements to be taken into account by digital service providers for managing risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact are laid down by European Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 ('the DSP Regulation').

Digital service providers covered by the Cyberspace Security Act must notify the CNCS that they are providing digital services.

2.6. Other

Public bodies or entities are in the scope of the Cyberspace Security Act and are fully subject to the requirements set forth therein in just the same terms as critical information infrastructure operators are.

The Cyberspace Security Act lists the types of public entities that qualify as public bodies or entities for this purpose.

In March 2018, the Portuguese Government issued Council of Ministers Resolution No. 41/2018 (only available in Portuguese here), defining technical guidelines or requirements applicable to public services regarding measures for the security of networks and information systems. This was done with the aim of defining a minimum baseline of adequate technical and organisational measures pursuant to the GDPR. As far as the direct and indirect public services are concerned, some of the listed measures are mandatory (others are specifically indicated as being merely recommended), and the deadline for putting the mandatory technical and organisational measures in place in public services was 18 months starting on 29 March 2018.

In the case of the public corporate/entrepreneurial sector, adoption of all measures is merely recommended.

3. REQUIREMENTS

3.1. Security measures

Summarily, the Cyberspace Security Act provides the duties that fall upon the entities covered by its provisions, including duties to:

  • comply with the legally established security requirements; and
  • notify the CNCS whenever incidents occur with a relevant impact (in the case of public services, critical information infrastructure operators and operators of essential services) or with a substantial impact (in the case of digital service providers in scope) on the security of networks or information systems or on the provision of services.

The technical or organisational measures to manage risk that must be kept in place are not detailed in the NIS Implementation Act (i.e. the Cyberspace Security Act).

In the case of public services, critical information infrastructure operators and operators of essential services, general rules are as follows:

  • entities shall comply with the technical and organisational measures adequate and proportionate to manage the risks posed to the security of the networks and information systems they use;
  • such technical and organisational measures shall guarantee a level of security appropriate to the risk in question, taking into account the latest technical developments (state of the art); and
  • entities shall take appropriate measures to prevent incidents affecting the security of the networks and information systems used, and to reduce their impact to a minimum. 

Digital service providers shall:

  • identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the networks and information systems they use in the context of the supply of digital services;
  • ensure that such technical and organisational measures guarantee a level of security of the networks and information systems appropriate to the risk in question, taking into account the latest technical developments (state of the art) and the following factors:
    • (a) the security of the systems and installations;
    • (b) incident handling;
    • (c) business continuity management;
    • (d) monitoring, auditing and testing; and
    • (e) compliance with international standards; and
  • take measures to prevent incidents that affect the security of their networks and information systems and to reduce to a minimum their impact on digital services, in order to ensure the continuity of those services.

In the case of digital service providers, the NIS Implementation Act also provides that the above elements are the object of a Commission Implementing Regulation (the DSP Regulation referred to in section 2.5.).

The NIS Implementation Act refers to complementary legislation for the definition of:

  • requirements for the security of networks and information systems which must be complied with by public administration, critical information infrastructure operators, and operators of essential services; and
  • the rules for the notification of incidents, which must be complied with, again, by the public administration, critical information infrastructure operators, and operators of essential services, and also by digital service providers.

The above definitions are included in the Cybersecurity Regulation. 

Entities covered by the requirements on security of the networks and information systems set out in the Cybersecurity Regulation are:

  • public administration and public services;
  • critical information infrastructure operators; and
  • operators of essential services.

The requirements on security of the networks and information systems set out therein do not apply to:

The Cybersecurity Regulation also requires the covered entities to:

  • indicate at least one permanent contact point in order to ensure the flows of information at an operational and technical level with the CNCS;
  • appoint a security officer (see section 3.4.);
  • prepare an inventory of all assets essential to the provision of the respective services and keep it updated and communicate the list of assets included in the inventory to the CNCS;
  • prepare and keep an updated security plan, containing:
    • the security policy, including the description of the organisational measures and the training of human resources;
    • the description of all measures taken regarding security requirements and incident reporting;
    • identification of the security officer; and
    • identification of the permanent point of contact; and
  • prepare an annual report which, in respect of the calendar year to which it refers, contains the following elements:
    • a summarised description of the main activities carried out with regard to the security of the network and information services;
    • quarterly statistics of all incidents, indicating the number and type of incidents;
    • an aggregate analysis of the security incidents with relevant or substantial impact, indicating the number of users affected by the service disruption, the duration of the incidents and their geographical distribution (including an indication of any cross-border impact);
    • recommendations on activities, measures or practices contributing to the improvement of the security of the network and information systems;
    • problems identified and measures implemented as a result of the incidents; and
    • any other relevant information.

Public administration and public services, critical information infrastructure operators, and operators of essential services must carry out, and fully document, a risk analysis on all assets ensuring the continued operation of the networks and information systems they use and, in the case of operators of essential services, also in relation to the assets that guarantee the provision of essential services.

The analysis of risks of global scope (i.e. all assets) should be carried out:

  • at least once a year; and
  • following notification by the CNCS of an emerging risk, threat or vulnerability involving a high probability of an incident with relevant impact, within the period of time set by the CNCS.

The analysis of risks of partial scope (i.e. certain assets) should be carried out:

  • during the planning and preparation of the introduction of a change to an asset or assets, in relation to the asset(s) involved;
  • after the occurrence of an incident with relevant impact or another extraordinary situation, in relation to the affected assets; and
  • following notification by the CNCS of an emerging risk, threat, or vulnerability involving a high probability of an incident with relevant impact, within the period of time set by the CNCS.

The risk analysis should cover for each asset:

  • the identification of threats, internal or external, intentional or unintentional (some, in particular, explicitly mentioned in the Portuguese Cybersecurity Regulation, such as system failure; natural phenomenon; human error; malicious attack and failure in the supply of goods or services by a third party); and
  • the characterisation of the impact and probability of the occurrence of the threats identified.

The Cybersecurity Regulation also provides criteria that must be taken into account in the risk analysis (e.g. history of incidents, number of affected users, their duration, etc.) and must also reflect the integrated risk assessment for the security of network and information systems at national, European and international level, published annually or notified to the entities by the CNCS.

3.2. Notification of cybersecurity incidents

Incidents, defined as events having an actual adverse effect on the security of network and information systems, trigger mandatory notification duties to the CNCS.

The following are the entities or operators that are subject to notifying incidents:

  • public services and critical infrastructure operators, if the incident has a relevant impact on network and information systems' security; 
  • operators of essential services, again, if the incident has a relevant impact on the continuity of the services provided; and 
  • digital service providers (except for micro or small enterprise digital service providers), if the incident has a substantial impact on the provision of digital services. 

The seriousness of the impact caused by the incident is assessed in light of several criteria (e.g., number of affected users, incident duration, and geographic spread).

To determine whether an incident has substantial impact, the level of seriousness of a service disturbance and the extent of the impact of the incident on social and economic activities are also taken into consideration.

Voluntary notification to the CNCS is also open to all entities using networks and information systems, for incidents involving relevant impact on service continuity.

Under the Cyberspace Security Act notifications served to the authority must include sufficient information to enable the CNCS to assess whether the incident has cross-border impact.

The Cyberspace Security Act refers to subsequent legislation for more detailed regulation of notification requirements, including subject matters such as formats and applicable timeframes. This subsequent legislation is, again, the Cybersecurity Regulation.

For each incident that must be notified the entities must submit to the CNCS:

  • an initial notification;
  • a notification of end of relevant or substantial impact; and
  • a final notification.

For incidents resolved immediately – within the first two hours – entities may simply submit the final notification, fully completed.

The initial notification should be submitted as soon as the entity is able to conclude that there is or may be a relevant or substantial impact, and within two hours of reaching that conclusion. It must include, among other information, the following:

  • date and time the incident started or, if unknown, date and time incident was detected;
  • brief description of the incident, including category of its root cause and of the effects produced, in accordance with legally provided taxonomy (provided in Article 16 of the Cybersecurity Regulation);
  • possible estimate of the impact, according to the number of users affected by the service disruption, the duration of the incident, its geographical distribution; and
  • other information considered relevant by the notifying entity.

Notification of the end of relevant or substantial impact of the incident must be submitted to the CNCS as soon as possible, but no later than two hours after the loss of relevant or substantial impact and it must also contain specific information listed in the Cybersecurity Regulation.

The final notification is due no later than 30 working days from the moment the incident no longer occurs and shall include the following information:

  • date and time the incident assumed relevant or substantial impact;
  • date and time the incident lost relevant or substantial impact;
  • impact of the incident, considering a list of criteria (e.g., number of users affected by the service disruption, duration of the incident, geographical distribution of the incident, category of the incident's root cause and of the effects it produced);
  • measures adopted to mitigate the incident;
  • residual situation of the impact remaining on the date of the final notification (e.g., number of users affected by the service disruption, incident geographical distribution, estimated time for the total recovery of the services still affected);
  • indication, whenever applicable, of notification of the incident in question being served to other competent authorities (e.g., ANACOM, CNPD, sectorial authorities); and
  • other information that the entity considers relevant.

Where there is a residual situation of impact on the date of the final notification, total recovery of this residual situation must be communicated to the CNCS, as soon as possible.

The notification requirements set out in the Cyberspace Security Act do not apply to electronic communications network and service providers, who must notify breach of security or loss of integrity with a significant impact on the operation of networks or services to ANACOM, or to providers of trust services for electronic transactions (under Regulation No. 910/2014).

They also do not apply to digital service providers that qualify as micro or small enterprises (see section 2.5.).

In the case of the electronic communications sector, ANACOM Regulation No. 303/2019 requires notification in cases of information security breaches or loss of integrity capable of causing serious disturbance to the operation of networks and services and with a significant impact on the continuity of operations. 

Significant impact is assessed in light of criteria relating to the duration of the event and the number of users affected (or, exceptionally, the geographic area affected). An initial notice must be sent to ANACOM with the shortest possible delay (assuming the company is in a position to anticipate a significant impact) and within one hour following the relevant security or integrity breach, and the incident must be disclosed to the public within four hours of this initial notification. Notice must also be given within four hours of the moment when the significant impact ceases, and a final report sent to ANACOM within 20 business days after that.

Still in this sector, data breaches specifically involving personal data must be notified to the CNPD without undue delay, under the provisions of the E-Privacy Act.

The E-Privacy Act lays out personal data breach notification duties that operators in the electronic communications sector are subject to. Data breach notifications are submitted to the CNPD. The relevant breaches that trigger notification duties are data breaches involving personal data, defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed in connection with the provision of publicly available electronic communications services.

Banking institutions under the supervision of the Bank of Portugal also have specific rules for notifying incidents to this authority (see section 4.).

Provided they carry out activities in Portugal, banks or credit entities, investment companies, payment and digital currency services providers must report all significant or severe cybersecurity incidents to the Bank of Portugal no later than two hours after the incident is detected. 

Incidents are classified as significant or severe in relation to a set of criteria which include the (number or proportion of) affected users, economic impact, reputational impact, activation of crisis management mechanisms, systemic risk, and expert assessment.

The GDPR also includes data breach notification requirements. Personal data breaches must be notified by the controller to the CNPD without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects.

3.3. Registration with a regulatory authority

There is no registration requirement under the Cyberspace Security Act or the GDPR (or the Data Protection Act).

Companies providing electronic communications networks and services in Portugal are subject to a general authorisation scheme under which prior communication of their intention to initiate such activity in Portugal must be completed with ANACOM using an appropriate form available online. ANACOM keeps a record of companies that offer electronic communications networks and services, and information on the registered entities is publicly available.

Entities operating in the digital infrastructure sector and digital service providers must notify the CNCS of the fact, except for small or micro enterprises (see section 2.5. digital service providers). 

3.4. Appointment of a 'security' officer

The Cybersecurity Regulation provides that the public bodies or entities and the relevant operators covered by its provisions must appoint a security officer to manage the required (and adopted) measures on security requirements and the incident notification procedures. Newly incorporated entities must inform the CNCS of the appointed security officer within 20 business days of commencing business. Entities previously operating must inform the CNCS no later than 20 business days counting from 30 October 2021.

3.5. Other requirements

The public bodies or entities and the relevant operators subject to the Cybersecurity Regulation must organise an inventory of all assets essential for their operation or provision of their services. The inventory must be signed by the security officer, and this must be provided to the CNCS and updated on an annual basis.

The same entities must prepare an annual report and provide it to the CNCS, covering:

  • brief description of the main activities carried out on the security of networks and information services;
  • quarterly statistics of all incidents, indicating number and type of incidents;
  • aggregate analysis of security incidents with a material or substantial impact, indicating: 
    • number of users affected by service disruption; 
    • duration of the incidents; 
    • geographical area affected by the incident (including any cross-border impact);
  • recommendations for activities, measures or practices for the improvement of network and information system security;
  • problems identified and measures implemented following the incidents; and
  • any other relevant information.

4. SECTOR-SPECIFIC REQUIREMENTS

Cybersecurity in the health sector

The NIS Cooperation Group, which gathers national cybersecurity authorities, decided in mid-2020 to set up a work stream focused on cybersecurity in the health sector. Supporting this work stream are the eHealth Network (created under Article 14 of Directive 2011/24/EU on the Application of Patients' Rights in Cross-border Healthcare), the European Cybersecurity Health Group, the European Union Agency for Cybersecurity ('ENISA') and the European Commission. The acknowledged need to open this new work stream resulted from the need to align harmonised practices and minimum requirements for the protection of health information, which is increasingly crucial in a heterogeneous and interconnected health context. Portugal is involved in and presides over the work in progress, contributing to a sectoral approach to healthcare providers as operators of essential services.

Cybersecurity in the financial sector

Under Instruction No. 21/2019 issued by the Bank of Portugal, cybersecurity incidents affecting financial sector entities under the supervision of the local Central Bank must be reported to the Bank of Portugal. All significant or severe incidents must be notified.

Additionally, cybersecurity incidents affecting credit institutions considered as significant under Regulation (EU) 468/2014 of the ECB of 16 April 2014 ('the Single Supervisory Mechanism ('SSM') Framework Regulation'), having a registered office in Portugal, must also be reported and will be forwarded by the Bank of Portugal to the ECB.

In Instruction No. 21/2019, the Bank of Portugal underlines that it is in a context of increasing importance of the operational risk associated with information and communication technologies that cybersecurity incidents, as potential compromising factors for systems and data, should be reported to the financial supervisor (the Bank of Portugal).

Some credit institutions in Portugal (including some credit institutions considered as significant under the SSM Framework Regulation) would already be subject to reporting incidents to the CNCS, under the provisions of the EU Cybersecurity Act, as operators of essential services.

Financial entities registered and authorised as payment service providers are also subject to reporting incidents to the Bank of Portugal, under a specific reporting model and channel regulated by Instruction No. 1/2019 of 15 January 2019 (only available in Portuguese here), in line with Article 96 of Directive (EU) 2015/2366 of 25 November on Payment Services in the Internal Market, which subjects payment service providers to a notification duty before the competent entity of the home Member State in the case of a major operational or security incident.

None of these specific rules exclude the duty of notifying the CNPD to the extent the incidents in question also qualify as a personal data breach case, subject to notification to the supervisory authority competent under Article 33 of the GDPR.

Cybersecurity practices for employees

Not applicable.

Cybersecurity in the education sector

Not applicable.

5. PENALTIES

The CNCS is the competent authority for the enforcement of penalties that may result from the infringement of the main obligations set out in Cyberspace Security Act.

Failure by public services, critical information infrastructure operators, operators of essential services, and digital service providers to implement adequate technical and organisational measures to address security risks is treated as a very serious regulatory offence, punishable with fines of between €5,000 and €25,000 and between €10,000 and €50,000, depending on whether the offender is, respectively, a natural or a legal person.

Failure to report incidents to the competent regulatory authority is also punishable with fines of between €1,000 and €3,000 and between €3,000 and €9,000, for natural and legal persons, respectively.

The same fines apply in case of non-compliance with the notification duty towards the CNCS regarding both activities carried out in the digital infrastructure sector and identification as a digital service provider.

Under the GDPR, enforcement penalties for data privacy or data protection violations may reach €20 million or up to 4% of a company’s total worldwide annual turnover of the preceding financial year, whichever is higher.

Under the ePrivacy Act, fines are capped at €5 million for legal persons (and at €25,000 for offenders who are natural persons).

6. OTHER AREAS OF INTEREST

Eyes are drawn to the proposal presented by the Commission in December 2020 ('the NIS2 Directive'), aimed at tackling the limitations of the current NIS Directive. It comprises a proposed expansion of the scope covered by the new NIS Directive, covering more entities and sectors and contributing to boosting the overall level of cybersecurity in Europe in the long run, strengthening security requirements, addressing the security of supply chains, streamlining reporting obligations, and introducing more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU. By effectively obliging more entities and sectors to take measures, the proposed expansion of the scope covered by the NIS2 Directive would assist in increasing the level of cybersecurity in Europe in the long term.

Updating and expanding the scope of the NIS Directive is certainly a must to meet the existing risks and challenges that are at our doorstep, one of them being ensuring that 5G technology is secure. The Coronavirus crisis undoubtedly led our economy to grow increasingly dependent on network and information systems, confirming the need to improve cyber-resilience, and also shone a light on sectors such as the health sector and on the need to cover other elements, such as medical research and development activities.

Helena Tapp Barroso, Partner, [email protected], MLGTS, Lisbon