Do you know new Portuguese legal regime for cyberspace security?

What is new?

This decree-law regulates some aspects that had been left unregulated by Law nº 46/2018 (law on security in cyberspace), namely:

  1. Information networks and systems’ safety requirements; and
  2. The procedure for the notification of incidents

It also lays down the foundations for the creation of a national cybersecurity certification, provided by the National Cybersecurity Certification Authority (CNCS). The CNCS shall develop and implement specific cybersecurity certification schemes for TMT goods, services and procedures.

 What are the new obligations and who is obliged by them?

The new obligations fall on:

  • The Public Administration,
  • The operators of critical infrastructures,
  • The operators of basic services,
  • The providers of digital services

These entities must:

  • Appoint at least one permanent contact point for CNCS, with both main and alternative means of communication, where there shall be someone available 24 hours a day, 7 days a week.
  • Designate a security officer (and his/hers substitute) for the management of the adopted measures regarding safety requirements and regarding the notification of incidents.
  • Notify the CNCS of any substitution’s regarding the security officer position
  • Elaborate and keep up to date an inventory of all assets that relate to their economic activity. This inventory must be signed by the security officer and then sent to the CNCS.
  • Elaborate and keep up to date a security plan, which must be signed by the security officer and contain, amongst other elements, the internal, security policy of the entity ion question.
  • Elaborate an annual report which contains, amongst others, a summary description of the main activities developed in matters of information network and services security, which must then be dully signed by the security officer and sent to the CNCS.
  • Comply with the risk management technical and organizational procedures that apply to the network and systems of information that are being used.
  • Notify the CNCS of the occurrence of incidents that have a relevant or substantial impact, as well as implement all necessary means and procedures to the detection of incidents, impact evaluation and its notification. Each incident must be object to three notifications:
    • An initial notification,
    • A notification regarding the cease of the substantial or relevant impact,
    • A final notification.


What are the consequences of the breach of these provisions?

  • In general, as provided for in the Regulation for Cyberspace Security, the person who fails to fulfill its obligations shall be sanctioned with a fine ranging from 500 to 50 000 euros;
  • Nonetheless, there are three special infringements (related to the certification by CNCS), that are punished with a fine ranging from 1 000 to 44 891, 81 euros.

When does the diploma enter into force?

On the tenth day after its publication – i.e. on the 9th of August 2021.