Cybersecure-r!

On October 24, 2024, Portuguese ministers, meeting in Council, approved the Proposal for a Law to transpose Directive (EU) 2022/2555 of the European Parliament and of the Council of December 14 (known as “NIS 2”), which aims to guarantee a high common level of cybersecurity throughout the European Union, and whose internal transposition period ended on October 17.

As required by that Directive, the proposal significantly expands the set of entities covered, prioritizing the generalization of cybersecurity risk prevention and graduating the requirement of the obligations imposed according to the size of the entity and the importance of its activity. The law also determines the creation of three fundamental instruments: i) National Cyberspace Security Strategy; ii) National Response Plan for Large-Scale Cybersecurity Crises and Incidents; iii) National Reference Framework for Cybersecurity, which are intended to facilitate compliance with the three fundamental duties of this law: adjustment of security measures, report obligations and submission to and collaboration with the supervisory body.

At the press conference after the Council of Ministers meeting on October 24, the Minister for the Presidency, António Leitão Amaro, recalled the recent cyber-attack on state digital platforms known as “Gov.pt” or “ePortugal” and its significant consequences, as for more than five days it was impossible to carry out or access registration platforms, financial platforms and other relevant state services.

The new regime, therefore, “provides for a strengthening of the security measures that entities, depending on their size and the critical and essential nature of the services they manage” (health facilities, certain Public Administration entities, communications or transport infrastructures, entities with more workers…), will have to take” and also the extension and strengthening of the powers of supervisory bodies, such as the National Cybersecurity Center or ANACOM to promote the adoption of good practices, the duties to report in the event of an incident and to act as quickly as possible.

The Proposal is, however, still a long way from becoming law: this draft will be subject to public consultation, following a meeting of the Council for Cyberspace Security, and will be placed under public consultation at the beginning of November. The consultation will take place during the month of November and only then will the draft law be sent to Parliament.

Knowledge