Cybersecurity 2025

PORTUGAL Trends and Developments Contributed by: Ricardo Henriques, Diogo Pereira Duarte, José Maria Alves Pereira and Leonor de Sá e Frade, Abreu Advogados

tools, compared to only 14% of companies in the Portuguese healthcare sector. The combination of less than 25% of staff receiving basic cybersecurity training, the lack of dedicated cybersecurity officers, the absence of log records, and the deficiency of cybersecurity plans highlights the urgent need for companies to reflect on and adapt to new regulations. This is particularly critical when, for a significant majority (well over 50%) of these companies, at least 50% of their staff rely on digital devices and tools for their daily work.

While the banking and financial institutions sector demonstrates better compliance compared to others, it is important to acknowledge that this sector is subject to specific, stringent cybersecurity regulations, such as the DORA regulation. This explains their significantly higher compliance levels. However, it also underscores that they operate under stricter norms and standards. Therefore, their relative success should not lead to complacency among their administrators.

The data concerning energy, digital infrastructure and healthcare is particularly concerning: all three are designated as essential services, critical to the maintenance of a modern workable society – and yet all three show significant deficiencies in their cybersecurity actions and policies.

Recommendations

Having now comprehensively examined technological specificities and threats, capacity building, identifiable investment in cybersecurity, applicable standards and good practices, and market shortcomings, the CNCS is now far better positioned to determine the legal compliance status of providers and other market participants. This enhanced insight allows them to hold both these entities and, crucially, their administrators personally accountable for breaches of cybersecurity norms.

The data presented above unequivocally demonstrates that staff training must be a priority for providers across all sectors subject to cybersecurity requirements, including public administration entities, postal services, and food production and distribution, not just the previously mentioned sectors. These training programmes should encompass both basic cybersecurity practices – such as strong password adoption, the avoidance of sharing personal or sensitive information online, and screen locking – and more advanced topics like incident response protocols and reporting obligations. A robust enterprise cybersecurity strategy must focus on both incident prevention and effective response to safeguard digital infrastructure and sensitive data.

Equally important is the implementation of legally mandated good practices. Regular risk assessments, vulnerability checks, and the maintenance of comprehensive log-in and log-out records are essential for demonstrating clear compliance. Crucially, the production of thorough documentation proving adherence to cybersecurity requirements is paramount. Companies and cybersecurity managers are accountable for maintaining legally required documentation. The absence of such documentation constitutes a breach in itself and will lead to the presumption that the underlying obligation, which should have been evidenced by the documentation, has also been unmet.

Beyond these reports, which, again, are more akin to an enforcement tool than to an act of enforcement, the CNCS, in collaboration with ANACOM (the Portuguese National Authority

220 CHAMBERS.COM