PORTUGAL Trends and Developments Contributed by: Ricardo Henriques, Diogo Pereira Duarte, José Maria Alves Pereira and Leonor de Sá e Frade, Abreu Advogados
Market state and sector practices

• Regarding policies for staff training, and cybersecurity managers, despite the obligations provided in the NIS 2 Directive, Law No 46/2018, of 13 August, and Decree-Law No 65/2021 of 30 July:
(a) Digital infrastructure providers have the worst results of all the sectors analysed by CNCS. 33% have untrained cybersecurity managers, and 74% of companies in the Portuguese digital infrastructure sector have less than 25% of staff trained to even a basic level. 58% of companies do not even offer training in cybersecurity.
(b) 20% of companies in the Portuguese energy sector, in turn, have untrained cybersecurity managers, and nearly half (45%) have less than 25% of staff trained to even a basic level. 33% of companies do not even offer training in cybersecurity, despite the legal mandate, and, of those that do, half offer it on an optional basis.
(c) Similarly, 19% of companies in the Portuguese transport sector have untrained cybersecurity managers, and over half (57%) have less than 50% of staff trained to even a basic level.
(d) Healthcare providers report better scores. 36% have untrained cybersecurity managers, and 60% of companies in the Portuguese healthcare sector have less than 50% of staff trained to even a basic level.
(e) Banking and financial institutions are overall the best prepared. All claim to have duly trained cybersecurity managers, despite 25% of companies in the Portuguese banking sector admitting to having less than 50% of staff trained to even a basic level.

• Regarding cybersecurity documentation, in particular, regarding the preparation and implementation of cybersecurity plans, inci -
enforcement of cybersecurity legislation in Portugal (including the future NIS 2 Directive transposition statute).

Up to now, the CNCS has largely adopted a proactive, supportive approach. Their core principle revolves around educating and mitigating the risks of breaches and damage by fostering a strong culture of compliance with legal requirements. This is evidenced by the relatively infrequent use of sanctions for breaches of cybersecurity statutes. The CNCS has been notably active, but their focus has primarily been on organising talks, conferences and newsletters, and developing best practice codes and standards to cultivate a culture of legal compliance within the Portuguese market.

Very recently, in fact, the CNCS published a series of reports on market cybersecurity conditions and practices. While these reports do not represent legal enforcement actions in themselves, their creation signifies preparatory steps towards such actions. And the publication of these reports – containing a framework of analyses, a comparative baseline, international standards and recommendations – may inspire other jurisdictions to also pay closer attention to market practices.

Within these reports, the CNCS identified significant disparities in cybersecurity practices and the level of protection afforded to information stored in digital systems across various sectors, despite the widespread use of digital tools. We have compiled some of the data from these reports below to enable a comparison between sectors, with the aim of gleaning insights and recommendations.
218 CHAMBERS.COM