Cybersecurity 2025

PORTUGAL Law and Practice Contributed by: Ricardo Henriques and Diogo Pereira Duarte, Abreu Advogados

Assessment of the Cybersecurity Risks

Manufacturers of products with digital elements must carry out and document an assessment of the cybersecurity risks of the product, and demonstrate that it complies with the essential cybersecurity requirements listed in Annex I. This assessment shall be integrated into the technical documentation of the product.

Reporting Obligations

The Regulation mandates that manufacturers of products with digital elements must report to both the designated Computer Security Incident Response Team (CSIRT) and ENISA, via a single platform to be established by the latter authority. The reporting comprises a notification on (i) actively exploited vulnerabilities in their products and (ii) serious incidents impacting the security of these products.

The law also sets out different obligations for the different actors in the supply chain (ie, manufacturers, importers and distributors) to ensure that the essential requirements for cybersecurity are met from the manufacturing stage onwards. This aligns with the primary aim of the Cyber Resilience Act, which is to establish essential cybersecurity requirements for the design, development, and manufacture of products with digital elements, as well as their monitoring once they are available on the market.

5. Security Certification for ICT Products, Services and Processes

5.1 Key Cybersecurity Certification Legislation

The Cybersecurity Act (Regulation (EU) 2019/881) establishes the “European cybersecurity certification framework” and provides a harmonised standard for cybersecurity certification across

the EU. The European Commission has adopted an implementing act for the voluntary European Common Criteria-based cybersecurity certification scheme (EUCC) (Commission Implementing Regulation (EU) 2024/482, of 31 January 2024).

Portugal has designated the CNCS as the National Cybersecurity Certification Authority (ANCC), responsible for implementing a national cybersecurity certification framework. In this context, the CNCS has developed the EC QNRCS certification, based on European schemes.

The EC QNRCS certification scheme has been designed for central and local administration organisations, operators of critical infrastructure, essential and important service providers, digital service providers, and other private and non-governmental organisations, whether for profit or not. The CNCS manages and supervises this national certification scheme in co-operation with the Portuguese Quality Institute (IPQ) and the Portuguese Accreditation Institute (IPAC).

6. Cybersecurity in Other Regulations

6.1 Cybersecurity and Data Protection

The cornerstone of data protection in the EU, and consequently in Portugal, is the General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR). One of the main principles of the GDPR is the integrity and confidentiality principle, established in Article 5(1)(f), which provides that personal data “shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate
