Cybersecurity 2025

PORTUGAL Law and Practice Contributed by: Ricardo Henriques and Diogo Pereira Duarte, Abreu Advogados

Presentation of the CE Marking It shall be mandatory for products with digital elements covered by this Regulation to bear the CE marking as the visible proof for users of conformity with the essential cybersecurity requirements set out in Annex I. Prior to apply - ing the CE marking, a conformity assessment procedure, harmonised by the Regulation, must be conducted. Conformity Assessments Procedure The conformity assessment of products with digital elements, which are not listed as impor - tant or critical products with digital elements in this Regulation, can be carried out by the manu - facturers themselves, according to the proce - dure laid down in Decision No 768/2008/EC. However, due to the high impact of products with digital elements classified as “important”, they are subject to different procedures: • For Important Class I Products: Manufactur - ers can assess these products themselves, provided that they adhere to harmonised standards, common specifications or comply with a European cybersecurity certification. If the manufacturer chooses not to apply the above security measures, it must undergo a third-party conformity assessment. • For Important Class II Products: The con - formity assessment must always involve a third party. For critical products with digital elements, and in accordance with their importance for society, it is mandatory that they have a certification under the European Cybersecurity Certification Scheme with a minimum level of “substantial”. If this condition is not met, critical products are subject to the conformity assessment defined for Class II important products.

general product safety requirements, apply to products with digital elements that pose safety risks not covered by the Cyber Resilience Act. Additionally, this regulation does not affect the health and safety requirements established in Regulation (EU) 2023/1230, when applicable. As a result, since the first provisions of the Cyber Resilience Act will only be applicable in Sep - tember 2026 (see Article 71), Portugal currently relies on the general cybersecurity legal frame - work indicated in 1.2 Cybersecurity Laws and detailed in 2 Critical Infrastructure Cybersecu- rity . Furthermore, there is not yet a proposal of a draft law for the implementation of the Regu - lation. 4.2 Key Obligations Under Legislation The Cyber Resilience Act provides a robust level of cybersecurity for products with digital ele - ments to be placed on the internal market. At the outset, it is essential to clarify that the Regulation identifies three categories of prod - ucts with digital elements: • products with digital elements not classified as important or critical; • important products with digital elements, which possess the core functionality of a product category outlined in Annex III, further subclassified into Class I and Class II; and • critical products with digital elements, which possess the core functionality of a product category outlined in Annex IV. Although the level of compliance varies, prod - ucts with digital elements that are subject to this Regulation must comply with the key obligations outlined below.

210 CHAMBERS.COM

Powered by