PORTUGAL Trends and Developments Contributed by: Ricardo Henriques, Diogo Pereira Duarte, José Maria Alves Pereira and Leonor de Sá e Frade, Abreu Advogados
Eyes Wide Open: The Portuguese Cybersecurity Agency Dives Deeper into Market Practices

Introduction: NIS 2 transposition

The growing importance of cybersecurity for businesses is undeniable. Consequently, EU institutions revisited the NIS Directive (Directive (EU) 2016/1148) in 2022 and issued a new directive – known as the NIS 2 Directive (Directive (EU) 2022/2555) – the transposition of which is expected to both extend and develop the cybersecurity regulations already applicable in Portugal, complementing, in particular, Regulation (EU) 2022/2554 (known as the Digital Operational Resilience Act or DORA Regulation), which requires specific cybersecurity measures to be adopted by banking and financial institutions.

While the deadline for EU member states to transpose the NIS 2 Directive into national law was 17 October 2024, Portugal is still in the process of doing so. Following a public consultation on the draft legislation, which ran from late November to late December 2024 and garnered over 140 contributions, we are faced with a setback in the legislative process: the Draft Law has fallen along with the Portuguese Government.

Although the transposition process is still ongoing, and despite the gap between publication and implementation, we have already noticed market actors’ interest in the Directive and its transposition process. We have received multiple requests to assess the subjective scope of the new NIS 2 Directive – ie, whether a certain company is, or is not, subject to those new norms – and several requests to keep our clients posted on the drafting and approval of the NIS 2 transposition law.

This concern is perfectly understandable. Among the specific features of the previously proposed Portuguese transposition (such as a clearer definition of the functions and competences of the Cybersecurity Officer, affording greater certainty to market actors, or the qualification of the temporary banning of administrators as an ancillary sanction only), the most recent version of the transposition statute provided for fines of up to EUR200,000 for individual members of management bodies. Given the upcoming transposition of Directive (EU) 2022/2555 (Directive NIS 2) in Portugal – and especially the personal and individual liability of administrators for breaches of cybersecurity regulations, as outlined above – market actors in those sectors should be keen on ensuring compliance.

Compliance with cybersecurity requirements demands significant investment on the part of undertakings, both financially and in terms of human resources. This includes purchasing and implementing antivirus software, setting up multi-factor authentication, developing plans, policies and procedures, and allocating additional resources, such as time, to adhere to these policies, not to mention the costs associated with staff training, software updates, and the increasing marginal costs as the volume of protected information grows. However, the potential penalties can be even more costly. In addition to the fines of up to EUR200,000 for individual administrators specific to the Portuguese jurisdiction, the NIS 2 Directive already provides for fines as high as EUR10 million for breaching companies and entities.

The oversight by the CNCS

The Portuguese National Cybersecurity Agency (Centro Nacional de Cibersegurança, or CNCS) is the agency responsible for the oversight and