PORTUGAL Law and Practice Contributed by: Ricardo Henriques and Diogo Pereira Duarte, Abreu Advogados
Information that should be included in the final notification:
• the date and time when the incident attained relevant or significant impact;
• the date and time when the incident lost its relevant or significant impact;
• the impact of the incident;
• the indication of the measures taken to mitigate the incident;
• a description of any residual effects remaining at the time of the final notification;
• where applicable, information on the submission of the notification of the incident to the competent authorities (eg, the Public Prosecutor’s Office and the National Data Protection Authority); and
• any other information deemed relevant.

2.4 State Responsibilities and Obligations

The mission of the Portuguese state, through the National Security Office and the CNCS, is to ensure that Portuguese citizens benefit from a free, reliable and secure cyberspace. To this end, the state has created entities that are empowered to implement the necessary measures to anticipate, detect, respond to and recover from situations that, due to the threat or occurrence of incidents or cyber-attacks, jeopardise the functioning of critical infrastructure and national interests.

In this regard, the National Computer Security Incident Response Team (CERT.PT) was created. This team is responsible for co-ordinating the response to cybersecurity incidents at the operational level, as well as monitoring incidents with a national impact. For that purpose, it can activate early warning mechanisms to mitigate the impact of incidents.
The Portuguese government is also responsible for approving the National Cyberspace Security Strategy, which defines the state’s objectives and actions in this domain. Portugal currently has a National Cyberspace Security Strategy for 2019-2023, and the government has not presented any other plans for the following years.

Additionally, Decree-Law No 20/2022 requires operators of critical national infrastructure to draw up a security plan to be submitted for approval to the Secretary-General of the Internal Security System.

3. Financial Sector Operational Resilience Regulation

3.1 Scope of Financial Sector Operational Resilience Regulation

In Portugal, as an EU country, the DORA Regulation applies (ie, Regulation (EU) 2022/2554, of the European Parliament and the Council, of 14 December, 2022, on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, No 648/2012, (EU) No 600/2014, No 909/2014 and No 2016/1011).

As for its material scope, the DORA Regulation applies to the following entities (Article 2):
• credit institutions;
• payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366;
• account information service providers;
• electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC;
• investment firms;
• crypto-asset service providers as authorised under a Regulation of the European Parlia -
203 CHAMBERS.COM