Cybersecurity 2025

PORTUGAL Law and Practice Contributed by: Ricardo Henriques and Diogo Pereira Duarte, Abreu Advogados

to the processing of personal data and on the free movement of such data (the GDPR); • Regulation (EU) 2019/881, of 17 April 2019 on ENISA and on information and communica - tions technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act); • Commission Implementing Regulation (EU) 2024/482, of 31 January 2024; • Regulation (EU) 2022/2554, of 14 December 2022 (DORA); • Directive (EU) 2022/2555, of 14 December 2022 (NIS 2 Directive); • Directive (EU) 2022/2556, of 14 December 2022 (amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital opera - tional resilience for the financial sector); • Directive (EU) 2022/2557, of 14 December 2022 (Resilience of Critical Entities); • Regulation (EU) 2024/2847, of 23 October 2024 (Cyber-Resilience Act); • Regulation (EU) 2025/38, of 19 December 2024 (Cyber-Solidarity Act); • Law No 46/2018, of 13 August (The Legal Framework for Cyberspace Security); • Decree-Law No 65/2021, of 30 July (Regu - lates the Legal Framework for Cyberspace Security); • Decree-Law No 3/2012, of 16 January (Approves the organisation of the National Security Office); • Decree-Law No 20/2022, of 28 January (Approves the procedures for identifying, designating, protecting and increasing the resilience of national and European critical infrastructures); • CNCS Regulation No 183/2022, of 21 Febru - ary (Regulation setting out technical instruc - tions on communications between organisa -

tions and the National Cybersecurity Centre); and • Regulation (EU) 2023/2854, of 13 December (Data Act). 1.3 Cybersecurity Regulators The CNCS is the national cybersecurity author - ity, pursuant to the terms of the implementing Law of NIS1 Directive (Law No 46/2018). This authority operates within the framework of the National Security Office, and its mission is to ensure the safe and free use of cyberspace in Portugal. The CNCS is responsible for developing the national capacity to prevent and detect cyberse - curity incidents, both by promoting training and by developing innovation projects in the field of cybersecurity. The CNCS is also responsible for ensuring the security of government information and communication systems and critical nation - al infrastructures. As the national authority responsible for the security of cyberspace, the CNCS is a national single point of contact for international co-ordi - nation and plays a central role in liaising with other national actors in the field of cybersecurity. From a regulatory standpoint, this authority has the power to issue cybersecurity regulations and to monitor compliance with the cybersecurity legal framework. In this context, the CNCS has the power to instruct administrative proceedings against offenders and to impose fines. The CNCS also assumes the role of the National Cybersecurity Certification Authority (ANCC), in accordance with Decree-Law 65/2021, which implements Regulation (EU) 2019/881.

200 CHAMBERS.COM

Powered by