Cybersecurity 2025

PORTUGAL Law and Practice Contributed by: Ricardo Henriques and Diogo Pereira Duarte, Abreu Advogados

Pursuant to the current cybersecurity legal framework for critical infrastructures (ie, Decree-Law No 20/2022), there are sectoral entities which have the obligation to elaborate a list of potential national and European critical infrastructures.

2. Critical Infrastructure Cybersecurity

2.1 Scope of Critical Infrastructure Cybersecurity Regulation

The NIS 2 Directive (Directive (EU) 2022/2555) sets out cybersecurity risk management measures and reporting obligations for critical infrastructures regardless of their size, as well as for essential and important entities. This Directive is complemented by the CER Directive (Directive (EU) 2022/2557, of 14 December 2022). Both directives came into effect in 2022 and became applicable from 18 October 2024, the date on which EU member states had to ensure the transpositions into national law. However, Portugal has not yet approved such legislation, thus infringing this requirement.

In this regard, we note that on 6 February, the Council of Ministers approved the draft legislation authorisation law establishing the new Cybersecurity Legal Framework, which transposes the NIS 2 Directive. However, due to the recent political landscape of Portugal, the promising Draft Law has been dropped.

For the moment, companies that are qualified as critical infrastructures are currently governed by Law No 46/2018, which provides the general cybersecurity legal framework, and Decree-Law No 20/2022, governing the resilience of national critical infrastructures.

The concept of “critical infrastructures”, as contemplated in Decree-Law No 20/2022 and the CER Directive, includes all the facilities or networks that are necessary for the provision of a service deemed crucial for society. Pursuant to this Directive, member states must indicate a list of critical entities that belong to any of the categories established in the Annex (eg, entities operating in the electricity sector).

Therefore, stakeholders are currently waiting for the implementation of the NIS 2 Directive, as this law is currently undergoing a legislative process with no clear end date.

2.2 Critical Infrastructure Cybersecurity Requirements

In accordance with Decree-Law No 20/2022, critical infrastructure is required to enhance its resilience and safeguard the infrastructure that enables the provision of essential services. This must be achieved through collaboration between national and European critical infrastructure. Additionally, the Decree-Law mandates that each national critical infrastructure develop an operator security plan.

Such infrastructure is required to designate security liaison officers, who function as a point of contact for security-related issues between the operator and other critical infrastructure. The designation of the officer must be communicated to the National Security Office, the Secretary-General of the internal security system, and the Portuguese National Authority for Emergency and Civil Protection. Moreover, the infrastructure must also designate a point of contact to establish communication with emergency and civil protection authorities.

Under Law No 46/2018, critical infrastructure operators must implement technical and organisational measures that are proportionate

CHAMBERS.COM