PORTUGAL Law and Practice Contributed by: Jorge Silva Martins, João Carminho and Inês Coré, CS’Associados
electronic communications networks and services; • communication and notification contacts; • a concise description of the network or ser - vice to be provided, detailing (i) the type of network or service type; (ii) the target mar - ket (wholesale or retail); (iii) the supporting network infrastructure; (iv) the key network characteristics and intended purpose; (v) whether numbering or frequency resources are required, along with a specification of such resources;, and (vi) a general description of the service offering; and • the anticipated commencement date of operations. Additionally, individual licences are required for the use of numbering and frequency resources. Security Requirements Under Portuguese electronic communications laws, particularly Law 16/2022, telecommuni - cations service providers are subject to strict security requirements to ensure the integrity, availability, and confidentiality of their networks and services. These obligations aim to mitigate risks associated with cybersecurity threats, sys - tem failures, and other vulnerabilities that could impact service continuity or user security. Providers of public electronic communications networks and services must implement appro - priate technical and organisational measures to manage security risks. These include ensuring network resilience, maintaining service continu - ity in the event of disruptions, and protecting against cybersecurity threats such as hacking, malware, and denial-of-service attacks. The measures adopted must be proportionate to the risks identified, considering technological advancements and sector best practices.
In the event of a significant security breach or service disruption, providers are required to notify ANACOM, the national regulatory author - ity, without undue delay. If an incident poses a broader cybersecurity risk to national infra - structure, notification must also be made to the National Cybersecurity Centre (CNCS). Further - more, if a security incident affects users’ per - sonal data or service availability, providers may be required to inform affected customers and advise them on mitigation measures. The security framework is further detailed in ANACOM’s Regulation 303/2019, which estab - lishes specific security and integrity obligations for electronic communications networks and services. This regulation requires operators to assess security risks, define mitigation meas - ures, and submit periodic security reports to ANACOM. It also sets criteria for incident clas - sification, determining which events must be reported based on their impact on service avail - ability, confidentiality, and user protection. Failure to comply with security obligations can result in administrative fines imposed by ANA - COM. Repeated violations or serious negligence in protecting networks and services may lead to operational restrictions or, in extreme cases, the revocation of a provider’s licence to operate. 6.2 Net Neutrality Regulations Key Rules and Principles In Portugal, net neutrality is primarily governed by EU law, particularly Regulation (EU) 2015/2120, which establishes open internet access rules across the European Union. Key aspects of net neutrality in Portugal include: • No blocking or throttling: ISPs may not block, slow down, or discriminate against lawful
391 CHAMBERS.COM
Powered by FlippingBook