Cybersecurity 2025

PORTUGAL Law and Practice Contributed by: Ricardo Henriques and Diogo Pereira Duarte, Abreu Advogados

Therefore, the Artificial Intelligence Regulation (Regulation (EU) 2024/1689) emphasises the necessity for high-risk AI systems to maintain a high level of accuracy, robustness, and cybersecurity (see Article 15). AI systems with a high risk for individuals’ rights and freedoms must be resistant to unauthorised access and equipped with adequate measures for detecting, preventing, and responding to cybersecurity incidents. For this purpose, providers of high-risk AI systems can seek cybersecurity certification under Regulation (EU) 2019/881. In such a case, Article 43 of the AI Regulation established a presumption of compliance with the cybersecurity requirements outlined in Article 15. Additionally, the cybersecurity measures implemented by the provider must be included in the technical documentation accompanying the system.

When the AI Regulation was approved, there was not yet a final agreement from European legislative bodies on the Cyber Resilience Act. Nonetheless, the AI Regulation’s recitals mention the co-ordination between the two laws. Recitals 77 onwards of the AI Regulation are mirrored in Recital 51 and Article 12 of the Cyber Resilience Act, which presumes compliance with Article 15 of the AI Regulation when the high-risk AI system meets the essential cybersecurity requirements in Annex I of the Cyber Resilience Regulation.

Furthermore, the procedure for assessing compliance with the essential cybersecurity requirements for a product with digital elements that is simultaneously classified as a high-risk AI system will follow the provisions of Article 43 of Regulation (EU) 2024/1689. However, in the event that the application of this provision would lead to a reduction in the level of security required for critical or important products with digital elements, the conformity assessment procedure provided for in the Cyber Resilience Regulation with regard to the essential cybersecurity requirements should apply by way of derogation from this rule.

6.3 Cybersecurity in the Healthcare Sector

Entities operating in the healthcare sector are considered essential, especially if they fall under and meet the requirements of the NIS 2 Directive, making them subject to the cybersecurity framework for essential entities.

Their value and impact on basic societal functions make them prime targets for cyber-attacks, often aimed at compromising health data and the safety of individuals.

As such, Regulations (EU) 745/2017 and 746/2017 on medical devices and in vitro diagnostic medical devices have introduced cybersecurity concerns. These regulations ensure that devices placed on the EU market are equipped to address new technological challenges related to cybersecurity risks.

The Medical Devices Regulation (MDR) requires medical devices with electronic programmable systems and software to meet minimum cybersecurity requirements. This includes devices such as pacemakers and insulin pumps. Consequently, these requirements cover hardware, IT network characteristics and IT security measures, including protection against unauthorised access, to ensure that the software works as intended.

According to the guidance on cybersecurity for medical devices (MDCG 2019-16 Rev.1, December 2019, available here), manufacturers must implement state-of-the-art cybersecurity meas -
