Ricardo Henriques explains how the new cybersecurity law strengthens companies’ responsibilities

The Government has approved a new law introducing a new cybersecurity framework in Portugal, which is expected to come into force in April. This framework transposes into national law Directive (EU) 2022/2555, known as the NIS2 Directive.

Ricardo Henriques, partner at Abreu Advogados, explained in statements to ECO that this is “a fundamental step for Portugal: the aim is to standardise digital security requirements in order to adequately, effectively and preventively protect critical infrastructures, essential services and supply chains”.

For many companies, especially SMEs, the challenge now lies in adapting to a more demanding regulatory framework. With this law, the goal is to strengthen Portugal’s “digital resilience”, ensuring the harmonisation and standardisation of digital security requirements across the European Union (EU).

The law imposes stricter obligations regarding governance, risk management and incident reporting, while also reinforcing the responsibility of management bodies. According to Ricardo Henriques, failures or incidents may result in civil liability for members of management. Regarding additional sanctions, he warned that “the potential impact on the entity’s reputation stands out, as well as on the continuity of its operations and activities, or even in terms of exposure to risks of contractual or legal non-compliance in other areas”.

Read the full article (available in Portuguese).
