PORTUGAL Law and Practice Contributed by: Ricardo Henriques and Diogo Pereira Duarte, Abreu Advogados
and appropriate to prevent, detect, and mitigate cybersecurity risks to their networks and information systems. These measures are further detailed in Decree-Law No 65/2021, which also requires that operators of critical infrastructures elaborate risk assessments and an annual report describing the main activities carried out in terms of cybersecurity and presenting an aggregated assessment of all the incidents with a substantial or relevant impact (see Article 8 of Decree-Law No 65/2021).

Additionally, they are required to fulfil specific notification obligations in the event of a cybersecurity incident.

2.3 Incident Response and Notification Obligations

In the Portuguese legal framework, the notification requirements for critical infrastructure owners and operators are laid down in Law No 46/2018 and regulated in detail in Decree-Law No 65/2021.

When operators have knowledge of a significant incident that substantially impacts the continuity of services, they must proceed with an initial notification. The CNCS must be notified at the moment of knowledge of the incident, or up to two hours after that knowledge. Regardless of the notification obligation, the entity should prioritise the implementation of measures mitigating the risks.

The following information must be included in the initial notification:
• name, telephone number and email address of a representative of the organisation;
• date and time when the incident began or, if unknown, when it was detected;
• brief description of the incident;
• estimate of the impact, considering: (a) the number of users affected by the service disruption; (b) the duration of the incident; and (c) the geographical distribution, with regard to the area affected by the incident, including an indication of cross-border impact;
• other information deemed relevant.

Additionally, operators should submit a notification to the CNCS communicating the end of the relevant impact of the incident, which shall be done at the moment of knowledge of the incident, or up to two hours after that knowledge.

The following information should be included in the notification communicating the end of the relevant impact of the incident:
• an update, if any, of the information provided in the initial notification;
• a brief description of the measures taken to deal with the incident;
• a description of the impact situation at the time of the loss of relevant or significant impact, namely: (a) the number of users affected by the service interruption; (b) the duration of the incident; (c) the geographical distribution in terms of the area affected by the incident, including an indication of the cross-border impact; and (d) the estimated time for full restoration of services.

Lastly, critical infrastructure operators must issue a final notification within 30 working days from the moment the incident ceased.
202 CHAMBERS.COM