PORTUGAL Trends and Developments Contributed by: Ricardo Henriques, Diogo Pereira Duarte, José Maria Alves Pereira and Leonor de Sá e Frade, Abreu Advogados
dent response plans and report obligations – all of which, again, were already mandated under Law No 46/2018 and Decree-Law No 65/2021, and are further detailed in the NIS 2 Directive and its transposition statute, the situation is quite similar:

(a) As for providers of digital infrastructure, there is a clear disconnect between the acknowledged importance of data security and actual practice. 54% concede they lack both a cybersecurity plan and an incident response plan. Furthermore, 4% failed to submit their mandatory annual reports to the CNCS in 2023.

(b) In the energy sector, 33% admit to not having a cybersecurity plan implemented at all, 20% admit to not having an incident response plan, and 10% have not submitted their mandatory annual reports to CNCS in 2023.

(c) In the transport sector, the figures are 35%, 48% and 12%, respectively.

(d) Among healthcare providers, 54% admit to not having a cybersecurity plan, 38% admit to not having an incident response plan, and 13% have not submitted their mandatory annual reports to CNCS in 2023 – despite the sensitivity of the data they manage on a daily basis.

(e) And, lastly, again, the banking and financial institutions sector shows greater compliance, with only 13% admitting to not having a cybersecurity plan implemented at all.

• Finally, regarding statutorily required good cybersecurity practices, the numbers are telling:

(a) Only 23% of healthcare providers regularly conduct risk analysis assessments, as compared to 36% of the providers of digital infrastructure, 50% in the energy and transport sector, and, again, being the best prepared sectors overall, 75% of companies in banking and financial institutions.

(b) Regarding the maintenance of logs for post-incident reconstruction and analyses, 50% of companies in the Portuguese transport and healthcare sector do not keep logs for this purpose; neither do 48% of companies in the digital infrastructure sector; 30% in the energy sector; and, lastly, 23% among financial institutions.

(c) Regarding the undertaking of vulnerability checks and vulnerability management policies, only 20% of companies in the digital infrastructure sector undertake them regularly, compared to 70% of companies in the energy and transport sectors. Notably, the banking and financial institutions sector reports complete adherence, with all companies claiming to conduct these checks.

The implications of the aforementioned statistics become increasingly concerning when considered alongside the pervasive reliance on digital tools and devices within these sectors:

• 56% of companies in the Portuguese energy sector report that between 75% and 100% of their workforce utilise digital devices and tools for their daily tasks. Conversely, only 10% of these companies indicate that less than 25% of their staff engage in such usage.

• In the banking and financial market institutions sectors, 100% of companies report that virtually all their employees access and manage digital devices and tools to perform their work.

• Lastly, in the Portuguese digital infrastructure sector, 58% of companies state that over 50% of their staff utilise digital devices and