Life Sciences 2025

PORTUGAL Trends and Developments Contributed by: Margarida Roda Santos, Paulo Sampaio Neves and Mariana Pereira Dias, Eversheds Sutherland

More recently, after a period in which various European laws were published, and in contrast to other major world powers such as the United States of America, the European Union apparently realised that there was a need to slow down its regulatory activities. Notwithstanding its virtues and legitimate objectives, it is clear that the proliferation of European legislation has disincentivised innovation in some sectors, as well as investment and the deployment of venture capital, due to the number of requirements and demands imposed on companies and technology creators. For many observers, Europe now seems to be trying to find a middle ground, promoting the updating of legislation while not jeopardising change and innovation.

Cybersecurity

Attacks on hospital computer systems, data breaches and medical device hacking are all threats that healthcare organisations must be increasingly careful about and prepared for. The concern should not be if they will be attacked, but rather when they will be attacked, since it is impossible to completely eliminate the risk of all possible types of attacks in the face of asset vulnerabilities, no matter how robust the information security system.

With this in mind, the regulatory power of the European Union will again play a key role, highlighting the importance of Directive (EU) 2022/2555 – commonly referred to as Network and Information Security Directive 2 (NIS2) or Security of Network and Information Systems 2 (SRI2), to use the nomenclature of the National Cybersecurity Centre – which introduces more stringent cybersecurity requirements for the life sciences sector.

NIS2 has changed the cybersecurity paradigm, widening the scope of application of Directive (EU) 2016/1148 – also called the Network and Information Security (NIS) Directive (now NIS1 or SRI1) – to healthcare providers, manufacturers of medical devices and entities that carry out research and development activities for medicines as “essential entities” or “important entities”. Organisations identified as such must ensure that improved cybersecurity measures are in place, carry out risk assessments and ensure that any cybersecurity incidents are reported within 24 hours. If organisations fail to comply with the NIS2 standards, fines of up to EUR10 million or 2% of the annual worldwide turnover, whichever is higher, can be imposed.

In Portugal, as in several other European Union countries, the deadline for transposing NIS2 has long since passed. However, the Portuguese government presented a draft law to transpose the Directive – which was subject to public consultation during December 2024, leading to its revision and the presentation of a new draft law – with a vote on the approval of this second law by the Assembly of the Republic scheduled for 20 March 2025; this would give the government the power to pass the transposition law. However, because Portugal will hold an election again on 18 May 2025, the vote has been withdrawn, and the transposition of NIS2 will thus occur during the next parliamentary term. At the moment, it is not known when the Directive will be transposed, and it is possible that the European Union will impose sanctions because of the delay in transposition.

Despite this legislative delay in Portugal, companies and public organisations to which NIS2
