The basic legal framework for cybersecurity in Portugal is that resulting from:
In addition to the above, and complementing the Criminal Code, Law No 109/2009, of 15 September (Cybercrime Law), sets out cybercrime offences and regulates the surveillance of communications and apprehension of evidence in electronic format.
As for the enforcement and penalty environment, the infringement of the main obligations set out in Law No 46/2018, namely the obligation for public services, essential services providers and digital services providers to implement adequate technical and organisational measures to address security risks, constitutes a very serious regulatory offence, punishable with fines of up to EUR25,000 or EUR50,000, depending on whether the infringer is a physical or a legal person, respectively. Failure to notify incidents to the competent regulatory authority is also punishable with fines of up to EUR3,000 or EUR9,000, for physical and legal persons, respectively.
The supervisory authority responsible for monitoring the application of the cybersecurity rules and principles in Portugal is the Centro Nacional de Cibersegurança, also known as the CNCS, instituted by Decree Law No 3/2012, of 16 January, subsequently amended by Decree Law No 136/2017, of 6 November.
As defined by law, the CNCS’ mission is to "contribute to the free, reliable and secure use of cyberspace in Portugal, through the continuous improvement of national cybersecurity and international co-operation, in co-ordination with all competent authorities, and the implementation of measures and instruments required for the anticipation, detection, reaction and recovery of situations that, in the imminence of occurrence of incidents or cyberattacks, may compromise the operation of critical infrastructures and national interests" (Article 2(2) of Decree Law No 3/2012, as amended).
The regulatory offence procedure is split into two phases:
The Portuguese Regulatory Offence Act (Decree Law No 433/82, as amended) establishes that no penalty may be imposed without the defendant first having been heard regarding all the facts under investigation.
After hearing the defendant, if the supervisory authority decides to impose a penalty, this decision, as well as the amount of any fine imposed, may be challenged in court.
Defendants in a regulatory offence procedure are assured most of the due process rights established in criminal procedure laws, notably the presumption of innocence, the right to produce and present evidence and the right to appeal against unfavourable decisions. However, in these procedures, the privilege against self-incrimination may be mitigated, since controllers and processors are obliged to co-operate with the CNCS, according to Article 7, paragraph 2, of Law No 46/2018 of 13 August – for example, by supplying the authority with documents required and responses to information requests in the investigation stage of the procedure.
Being an EU member state, all relevant cybersecurity regulation in Portugal is either European legislation or local legislation based on European instruments.
The first specific cybersecurity law in Portugal is Law No 46/2018 of 13 August, which establishes the legal framework for security in cyberspace and transposes Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 (NIS Directive), concerning measures for a high common level of security of network and information systems across the European Union.
In March 2018 the Portuguese Government issued Council of Ministers Resolution No 41/2018, which defines technical guidelines to be adopted by public services regarding measures for the security architecture of networks and information systems. The aim is to define a minimum baseline regarding adequate technical and organisational measures to be adopted by such entities, pursuant to being GDPR-compliant.
Additionally, the Cybersecurity Act is directly applicable in Portugal.
The instruments above are national in scope.
The CNCS is at the centre of governmental intervention in cybersecurity and liaises with other agencies and organisations. The criminal investigation police authority (Polícia Judiciária) also has a special unit dedicated to the investigation of cybercrime and technological criminality, the UNC3T (Unidade Nacional de Combate ao Cibercrime e à Criminalidade Tecnológica). In the academic field, several universities – such as Instituto Superior Técnico (IST) – have developed in-depth capabilities in the analysis and study of cybersecurity issues and regularly promote information sharing and specialised training in this field.
The Portuguese legal system follows the EU model, since Portugal belongs to the European Union. Additionally, Regulations issued by the European Union – such as the Cybersecurity Act – are directly applicable in Portugal.
The legal regime for cybersecurity in force in Portugal is recent and, for that reason, it still at the early stages of its interpretation and enforcement.
In the last 12 months, the most important developments in cybersecurity were:
Cybersecurity requirements for 5G networks will probably be the hottest topic over the next 12 months. The European Commission recently approved an EU toolbox of risk-mitigating measures addressing issues related, inter alia, to network standardisation and supply chain risks. In Portugal, the public tender procedure for the award of spectrum licences for 5G is scheduled to conclude by June 2020 and, therefore, implementation of the risk-mitigation measures set out in the EU toolbox will be one of the main challenges for local mobile operators in the near future.
Law No 46/2018 applies in general, as a cybersecurity framework, to information networks and systems, notably those operated by public authorities, critical infrastructure operators, essential services and digital services providers. The GDPR, and Law No 58/2019, of 8 August – which regulates and ensures the enforcement of the GDPR in Portugal – apply to personal data specifically. ANACOM Regulation 303/2019 applies specifically to the integrity and security of electronic communications networks and services.
The CNCS is the central authority in Portugal tasked with monitoring compliance with legal cybersecurity requirements. See 2.4 Data Protection Authorities or Privacy Regulators and 2.5 Financial or Other Sectoral Regulators for reference to other relevant regulatory bodies in the field of cybersecurity.
The overarching cybersecurity agency in Portugal is the CNCS, described in 1.2 Regulators.
The Portuguese data protection authority (Comissão Nacional de Proteção de Dados, or CNPD) has an important role when a breach of security occurs that results in an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (ie, personal data breach).
In these cases, the CNCS acts in co-ordination with the CNPD, according to Article 7, paragraph 8, of Law No 46/2018 of 13 August.
The Portuguese central bank and supervisory authority for the banking sector (Banco de Portugal) held a public consultation during 2019 (consultation 2/2019) regarding draft guidelines on the reporting of cybersecurity incidents by financial institutions. In addition, cybersecurity incidents affecting credit institutions qualified as significant under Regulation (EU) 468/2018 of the European Central Bank (ECB), of 16 April 2014, and having a registered office in Portugal must be reported directly to the ECB.
All key relevant regulators are as mentioned previously in this section.
Several standards provide guidance and are commonly relied upon, such as ISO/IEC 27032, ISO 22301, ISO/IEC 22000, ISO/IEC 27000, ISO/IEC 27001 and ISO 9000.
This issue has not arisen in this jurisdiction.
Standards applying to the specific items above are defined in the CNCS’s National Reference Framework for Cybersecurity under a taxonomy of security measures defined in accordance with the following categories:
This framework document seeks to provide organisations with a cybersecurity guide and set out minimum security information requirements.
CNCS liaises on a regular basis with ENISA, ISAC (Information Sharing and Analysis Centre) and with the OSCE.
Security requirements are addressed in Article 32 GDPR (see also Recitals 74, 77 and 83) in relation to the security of processing personal data and include measures pseudonymisation and encryption of personal data, regular testing and assessment of technical and organisational measures as well as adherence to approved codes of conduct or certification mechanisms.
Currently, we identify no relevant affirmative security requirements in this jurisdiction regarding material business data or non-public information.
Critical infrastructure is covered by Decree Law No 62/2011 which, inter alia, sets out the need for each infrastructure identified as critical to have an own security plan including security measures regarding its information systems; see Article 10 (3) (e). There is also a 2017 best practices guide published by the National Platform for the Reduction of Catastrophe Risk which explicitly refers the need to “implement measures for the protection of critical information systems, mitigating the risk of eventual cyberattack occurrences” (page 29).
Currently, we identify no relevant affirmative security requirements in this jurisdiction regarding denial of service attacks or similar attacks.
ANACOM Regulation 303/2019 contains specific rules and obligations applying, specifically, to undertakings that offer public communications networks. These obligations extend to asset classification and inventory, to having and updating a security plan as well as reporting obligations (including an annual security report). Any breaches or loss of integrity incidents with a significant impact on the networks’ functioning must be reported to ANACOM. Several circumstances, such as number of subscribers affected or geographic scope of the incident, are laid out in the Regulation as relevant criteria towards assessing whether an incident may cause serious harm to the operation and continuity of networks and services.
Article 3 (c) of Portuguese Law No 46/2018 of 13 August defines an incident as an event having an actual adverse effect on the security of network and information systems.
Networks and information systems must ensure the adequate protection of both stored data and data in transit.
Law No 46/2018 covers cybersecurity requirements for information systems and networks in general, defined in accordance with the NIS Directive. These include electronic communications networks, devices or groups of interconnected devices that, pursuant to a program, carry out the automatic processing of digital data; and the digital data stored, processed, retrieved or transmitted by said networks or devices, for the purposes of their operation, use, protection and maintenance.
Operators of critical infrastructure (which include public or private entities who operate health-related components or systems) must notify the CNCS of any incidents with a relevant impact on network and information systems security (see articles 3 and 15 (1) of Law No 46/2018 of 13 August).
This issue has not arisen in this jurisdiction.
The eventual need for specific security measures regarding IoT devices has been identified by the CNCS although no guidelines or list of requirements have been published. Possible measures might include inhibiting wireless connections, ensuring access credentials are updated regularly, encrypting communications or mandating firmware updates.
Under the GDPR provisions fully applicable in Portugal, personal data breaches must be notified by the controller to the CNPD without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects.
Notification to the CNPD is made online on an appropriate form made available by the authority in its public website.
Portuguese Law No 46/2018 of 13 August requires various service providers to notify the CNCS in the event of cybersecurity incidents.
The CNCS is the national competent authority in Portugal both for the Digital Service Providers and Operators of Essential Services.
Under the implementation provisions the public administration and critical infrastructure operators shall notify the CNCS of incidents with a relevant impact in network security and information systems, within the period provided for in specific legislation. This notification must include information that allows the CNCS to determine the transborder impact of the incidents. Whenever the circumstances allow, the CNCS provides the notifier with the relevant information regarding the follow-up of the notification, namely information that may contribute to the efficient handling of the incident. After consulting with the notifier, the CNCS may disclose specific incidents, with respect to public interest, safeguarding the safety and the interests of critical infrastructures operators.
Operators of essential services notify the CNCS of incidents with a relevant impact on the continuity of essential services provided by them, within the period provided for in specific legislation. This notification must also include information that allows the CNCS to determine the transborder impact of the incidents.
Providers of digital services must notify the CNCS of incidents with a substantial impact on the provision of digital services, within the period provided for in specific legislation. This notification must include information that allows the CNCS to determine the significance of the transborder impact. The obligation to notify an incident is only applicable if the digital service provider has access to the necessary information to assess the transborder impact of an incident. If these incidents concern more than one member state, the CNCS must inform the single contact point of the other member states involved.
Pursuant to Article 44, paragraph 1, of the GDPR, when the personal data breach is likely to result in a high risk to the rights and freedoms of the affected data subjects, the controller shall communicate the personal data breach to the data subjects without undue delay.
The relevance of any incident, whether it affects public services, operators of essential services, essential service providers or digital service providers, must be assessed in light of several criteria including: the number of affected users; the incident’s duration; and its geographical distribution. In the case of digital services (ie, online marketplaces, online search engines and cloud computing services), the seriousness of the disturbance to the service’s performance as well as the extent of its impact on social and economic activities must also be considered.
Article 18 of the Portuguese Law No 109/2009 of 15 September (Cybercrime Law) allows for the real-time interception of content and traffic data for the investigation of cybercrimes and crimes where wiretaps would be allowed under the Criminal Procedure Code. The real-time collection of data must be authorised by an investigating judge and must be indispensable for the investigation of the crimes at hand.
Cybersecurity and data protection, while being distinct areas with distinct concerns, often overlap. Namely, the legal frameworks for both cybersecurity and data protection require companies to implement adequate security measures to ensure the confidentiality, integrity, and access to data, and also require companies to notify the competent authority in the case of security incidents. Furthermore, cybersecurity risks and measures will often be relevant when conducting a Data Protection Impact Assessment, pursuant to Article 35, paragraph 7, subparagraphs c) and d), of the GDPR.
However, there may be cases where cybersecurity obligations may be at odds with individuals’ rights and freedoms, granted under data protection legislation, such as when network monitoring involves the processing of personal data. In such cases, cybersecurity concerns may be construed as a “legitimate interest”, pursuant to Article 6, paragraph 1, subparagraph f), of the GDPR, thus allowing for the lawful processing of personal data. Furthermore, cybersecurity measures may themselves warrant the performance a Data Protection Impact Assessment if the measures in question are likely to result in a high risk to the rights and freedoms of natural persons, pursuant to Article 35, paragraph 1, of the GDPR.
Companies subject to Law 46/2018 are required to notify the National Cybersecurity Centre (CNCS) of any cybersecurity incidents with a substantial impact on their activities. The information shared depends on the kind of entity affect by the incident – critical infrastructure operator, essential services provider or digital services provider – but always includes, at least, the number of affected users, the duration and the geographical scope of the incident.
Moreover, under Article 33 of the GDPR, data controllers must notify the National Personal Data Commission (CNPD) of any personal data breach within 72 hours of its discovery. Notifications must include, at least: the nature of the personal data breach; the name and contact information of the Data Protection Officer or of another contact point; the likely consequences of the personal data breach; and a description of the measures taken or proposed to address the personal data breach.
In the telecoms sector, under Regulation 303/2019, providers are required to notify ANACOM of information security breaches. Furthermore, companies must draft a cybersecurity policy and keep it updated. A company’s cybersecurity policy must be sent to ANACOM within 20 days of the beginning of its activities. Providers are also required to draft an annual security report and send it to the regulator.
Notwithstanding the above-mentioned obligation to notify incidents, any entities may voluntarily notify the CNCS of incidents with a significant impact on the continuity of services provided by them, pursuant to Article 20 of Law No 46/2018 of 13 August.
The voluntary notification cannot give rise to the imposition of obligations to the notifying entity to which said entity would not have been subjected to had it not made that notification.
We have been involved in one of the biggest and more complex judicial cases concerning data breaches and cybersecurity. This specific case began with the access to various private email accounts and the disclosure of millions of documents concerning top football clubs by the Portuguese computer hacker Rui Pinto. The disclosure of these documents in a public online platform, which then led to what became known as the “Football Leaks” case, was the largest leak in the history of sports and it was widely used to support suspicions of alleged corruption within the European football leagues. Rui Pinto is currently facing more than 90 criminal charges, in different judicial cases, including attempted extortion, violation of secrecy and numerous other cybercrimes such as illegal access.
There are Regulatory Offences laid down in Portuguese Law No 46/2018 of 13 August. These offences are divided between “serious offences” and “very serious offences”.
Very serious offences, which include non-compliance with the obligation to implement security requirements and non-compliance with the instructions of cybersecurity issued by the CNCS, are punished with a fine of between EUR5,000 and EUR25,000, in case of an offence by a natural person, and a fine of between EUR10,000 and EUR50,000, in case of an offence by a collective entity.
Serious offences include non-compliance with the obligation to notify the CNCS of any incidents occurred, non-compliance with the obligation to notify the CNCS of activities carried out in the digital infrastructure sector, and the non-compliance with the obligation to notify the CNCS of the identification as a digital service provider. These offences are punished with a fine of betweenEUR1,000 and EUR3,000, in case the offence is committed by a natural person, and a fine of between EUR3,000 and EUR9,000, in case the offence is committed by a collective entity.
Regarding private litigation, the general principles of civil law apply to data security incidents or breaches.
The applicable legal standards refer, predominantly, to conduct that may qualify as being criminal in nature (under the Cybercrime Law) or to constitute a regulatory offence, notably punishable with fines, under Law 46/2018 of 13 August. In addition, to the extent responses to security incidents and breach situations involve access to or processing of personal data, data protection rules are also relevant, both under the GDPR and according to Law 58/2019, of 8 August, which adopted measures seeking to ensure the GDPR’s enforcement in Portugal. For further information, please see comments under 1.1 Laws and 2.1 Key Laws
This issue has not arisen in this jurisdiction.
Portuguese Civil Procedure Law allows for class action lawsuits for the protection of consumer interests.
This issue has not arisen in this jurisdiction.
We are not aware of any laws under this heading.
We are not aware of any other significant issues.