Cybersecurity 2025

Last Updated March 13, 2025

Portugal

Law and Practice

Authors



Abreu Advogados is a big four independent law firm with over 30 years of experience in the Portuguese market, navigating in tomorrow’s sectors and industries. The firm continuously attracts strategic opportunities for its clients in key areas such as finance, corporate and M&A, tax, litigation, and competition, among others. The firm invests in multidisciplinary teams that tackle increasingly complex transactions with cost-effective solutions and anticipate clients’ needs with a business-oriented vision. Either from Portugal or internationally, Abreu is chosen to provide legal advice in international transactions across Portuguese-speaking countries, particularly Angola, Mozambique and Timor-Leste. Abreu Advogados partnered with FBL Advogados in 2007 and with JLA Advogados in 2010 to meet clients’ interests in the Angolan, Mozambican and Portuguese markets while benefitting from an international decision-making process when presenting innovative legal solutions to its clients.

Portugal has demonstrated a strong commitment to enhancing the country’s cybersecurity by defining a National Cybersecurity Strategy for 2019 to 2023. This government initiative outlines three strategic objectives to ensure a high national level of cybersecurity: i) maximising digital resilience; ii) promoting innovation in cyberspace; and iii) generating and securing resources. To achieve these objectives, the government has set six priorities:

  • cyberspace security structure;
  • prevention, education, and awareness;
  • protection of cyberspace and infrastructures;
  • response to threats and combating cybercrime;
  • research, development, and innovation; and
  • national and international co-operation.

The National Cybersecurity Centre (CNCS), as the national cybersecurity authority, has undertaken various actions to implement the Action Plan of the National Cybersecurity Strategy. The CNCS has particularly focused on preventing cyber-risks and raising awareness among citizens and companies.

However, the CNCS highlights in its 2024 Society report that the increasing number and sophistication of cyber-attacks, driven by the growing online presence of Portuguese citizens, reveal a lack of resources in the Portuguese public administration to address these new challenges. Currently, there is no national cybersecurity strategy for the upcoming years, although the CNCS has indicated that an updated strategy will be developed to address the sector’s most pressing needs.

On another note, the EU has taken on the role of legislator in cybersecurity matters, delegating the transposition and implementation of these laws to member states, considering their national contexts. Given that cybersecurity is a fundamental challenge for the Union, it is essential for member states to maintain a consistent and robust legal framework. This ensures that countries like Portugal can benefit from shared resources and guidelines, promoting a high level of cybersecurity in the borderless cyberspace.

The primary laws and regulations governing cybersecurity in Portugal are the following:

  • Regulation (EU) 2016/679, of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR);
  • Regulation (EU) 2019/881, of 17 April 2019 on ENISA and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act);
  • Commission Implementing Regulation (EU) 2024/482, of 31 January 2024;
  • Regulation (EU) 2022/2554, of 14 December 2022 (DORA);
  • Directive (EU) 2022/2555, of 14 December 2022 (NIS 2 Directive);
  • Directive (EU) 2022/2556, of 14 December 2022 (amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector);
  • Directive (EU) 2022/2557, of 14 December 2022 (Resilience of Critical Entities);
  • Regulation (EU) 2024/2847, of 23 October 2024 (Cyber-Resilience Act);
  • Regulation (EU) 2025/38, of 19 December 2024 (Cyber-Solidarity Act);
  • Law No 46/2018, of 13 August (The Legal Framework for Cyberspace Security);
  • Decree-Law No 65/2021, of 30 July (Regulates the Legal Framework for Cyberspace Security);
  • Decree-Law No 3/2012, of 16 January (Approves the organisation of the National Security Office);
  • Decree-Law No 20/2022, of 28 January (Approves the procedures for identifying, designating, protecting and increasing the resilience of national and European critical infrastructures);
  • CNCS Regulation No 183/2022, of 21 February (Regulation setting out technical instructions on communications between organisations and the National Cybersecurity Centre); and
  • Regulation (EU) 2023/2854, of 13 December (Data Act).

The CNCS is the national cybersecurity authority, pursuant to the law implementing the NIS 1 Directive (Law No 46/2018). This authority operates within the framework of the National Security Office, and its mission is to ensure the safe and free use of cyberspace in Portugal.

The CNCS is responsible for developing the national capacity to prevent and detect cybersecurity incidents, both by promoting training and by developing innovation projects in the field of cybersecurity. The CNCS is also responsible for ensuring the security of government information and communication systems and critical national infrastructures.

As the national authority responsible for the security of cyberspace, the CNCS is a national single point of contact for international co-ordination and plays a central role in liaising with other national actors in the field of cybersecurity.

From a regulatory standpoint, this authority has the power to issue cybersecurity regulations and to monitor compliance with the cybersecurity legal framework. In this context, the CNCS has the power to instruct administrative proceedings against offenders and to impose fines.

The CNCS also assumes the role of the National Cybersecurity Certification Authority (ANCC), in accordance with Decree-Law No 65/2021, which implements Regulation (EU) 2019/881.

Pursuant to the current cybersecurity legal framework for critical infrastructures (ie, Decree-Law No 20/2022), certain sectoral entities are obliged to draw up a list of potential national and European critical infrastructures.

Notwithstanding the above, in the near future, the Draft Law implementing the NIS 2 Directive will lead to some changes to the institutional framework of cybersecurity. We highlight the following:

  • national sectoral cybersecurity authorities: (i) the National Security Office (GNS), with regard to trust services in electronic transactions in the internal market; (ii) the National Communications Authority (ANACOM), with regard to electronic communications; and (iii) the postal service; and
  • special national cybersecurity authorities on digital operational resilience in the financial sector: (i) the Insurance and Pensions Authority (ASF); (ii) the Portuguese Securities Market Commission (CMVM); (iii) the Bank of Portugal; and (iv) the Cyberspace Security Assessment Commission.

The NIS 2 Directive (Directive (EU) 2022/2555) sets out cybersecurity risk management measures and reporting obligations for critical infrastructures regardless of their size, as well as for essential and important entities. This Directive is complemented by the CER Directive (Directive (EU) 2022/2557, of 14 December 2022). Both directives came into effect in 2022 and became applicable from 18 October 2024, the date by which EU member states had to transpose them into national law. However, Portugal has not yet approved such legislation, thus infringing this requirement.

In this regard, we note that on 6 February, the Council of Ministers approved the draft legislative authorisation law establishing the new Cybersecurity Legal Framework, which transposes the NIS 2 Directive, and which will now be submitted to Parliament for approval. Given the state of the legislative process, this law may still be approved and enter into force in 2025.

Until such approval, companies that are qualified as critical infrastructures are currently governed by Law No 46/2018, which provides the general cybersecurity legal framework, and Decree-Law No 20/2022, governing the resilience of national critical infrastructures. The concept of “critical infrastructures”, as contemplated in Decree-Law No 20/2022 and the CER Directive, includes all the facilities or networks that are necessary for the provision of a service deemed crucial for society. Pursuant to this Directive, member states must indicate a list of critical entities that belong to any of the categories established in the Annex (eg, entities operating in the electricity sector).

Therefore, stakeholders are currently waiting for the implementation of the NIS 2 Directive, as this law is currently undergoing a legislative process with no clear end date.

In accordance with Decree-Law No 20/2022, critical infrastructure is required to enhance its resilience and safeguard the infrastructure that enables the provision of essential services. This must be achieved through collaboration between national and European critical infrastructure. Additionally, the Decree-Law mandates that each national critical infrastructure develop an operator security plan.

Such infrastructure is required to designate security liaison officers, who function as a point of contact for security-related issues between the operator and other critical infrastructure. The designation of the officer must be communicated to the National Security Office, the Secretary-General of the internal security system, and the Portuguese National Authority for Emergency and Civil Protection. Moreover, the infrastructure must also designate a point of contact to establish communication with emergency and civil protection authorities.

Under Law No 46/2018, critical infrastructure operators must implement technical and organisational measures that are proportionate and appropriate to prevent, detect, and mitigate cybersecurity risks to their networks and information systems. These measures are further detailed in Decree-Law No 65/2021, which also requires operators of critical infrastructures to prepare risk assessments and an annual report describing the main cybersecurity activities carried out and presenting an aggregated assessment of all incidents with a substantial or relevant impact (see Article 8 of Decree-Law No 65/2021).

Additionally, they are required to fulfil specific notification obligations in the event of a cybersecurity incident.

In the Portuguese legal framework, the notification requirements for critical infrastructure owners and operators are laid down in Law No 46/2018, and regulated in detail in Decree-Law No 65/2021.

When operators become aware of a significant incident that substantially impacts the continuity of services, they must submit an initial notification. The deadline for notifying the CNCS is the moment the operator becomes aware of the incident, or up to two hours thereafter. Regardless of the notification obligation, the entity should prioritise the implementation of measures to mitigate the risks.

The following information must be included in the initial notification:

  • name, telephone number and email address of a representative of the organisation;
  • date and time when the incident began or, if unknown, when it was detected;
  • brief description of the incident;
  • estimate of the impact, considering:
    1. the number of users affected by the service disruption;
    2. the duration of the incident; and
    3. the geographical distribution, with regard to the area affected by the incident, including an indication of cross-border impact;
  • other information deemed relevant.

Additionally, operators should submit a notification to the CNCS communicating the end of the relevant impact of the incident, which must be sent as soon as the operator becomes aware of it, or up to two hours thereafter.

Information that should be included in the notification communicating the end of the relevant impact of the incident:

  • an update, if any, of the information provided in the initial notification;
  • a brief description of the measures taken to deal with the incident;
  • a description of the impact situation at the time of the loss of relevant or significant impact, namely:
    1. the number of users affected by the service interruption;
    2. the duration of the incident;
    3. the geographical distribution in terms of the area affected by the incident, including an indication of the cross-border impact; and
    4. the estimated time for full restoration of services.

Lastly, critical infrastructure must issue a final notification within 30 working days from the moment the incident ceased.

Information that should be included in the final notification:

  • the date and time when the incident attained relevant or significant impact;
  • the date and time when the incident lost its relevant or significant impact;
  • the impact of the incident;
  • the indication of the measures taken to mitigate the incident;
  • a description of any residual effects remaining at the time of the final notification;
  • where applicable, information on the submission of the notification of the incident to the competent authorities (eg, the Public Prosecutor’s Office and the National Data Protection Authority); and
  • any other information deemed relevant.

The mission of the Portuguese state, through the National Security Office and the CNCS, is to ensure that Portuguese citizens benefit from a free, reliable and secure cyberspace. To this end, the state has created entities that are empowered to implement the necessary measures to anticipate, detect, respond to and recover from situations that, due to the threat or occurrence of incidents or cyber-attacks, jeopardise the functioning of critical infrastructure and national interests.

In this regard, the National Computer Security Incident Response Team (CERT.PT) was created. This team is responsible for co-ordinating the response to cybersecurity incidents at the operational level, as well as monitoring incidents with a national impact. For that purpose, it can activate early warning mechanisms to mitigate the impact of incidents.

The Portuguese government is also responsible for approving the National Cyberspace Security Strategy, which defines the state’s objectives and actions in this domain. Portugal currently has a National Cyberspace Security Strategy for 2019-2023, and the government has not presented any other plans for the following years. However, the Draft Law will lead to the implementation of a new National Strategy, which shall be reviewed every five years.

Additionally, Decree-Law No 20/2022 requires operators of critical national infrastructure to draw up a security plan to be submitted for approval to the Secretary-General of the Internal Security System.

In Portugal, as an EU country, the DORA Regulation applies (ie, Regulation (EU) 2022/2554 of the European Parliament and of the Council, of 14 December 2022, on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011).

As for its material scope, the DORA Regulation applies to the following entities (Article 2):

  • credit institutions;
  • payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366;
  • account information service providers;
  • electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC;
  • investment firms;
  • crypto-asset service providers as authorised under a Regulation of the European Parliament and of the Council on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (“the Regulation on markets in crypto-assets”) and issuers of asset-referenced tokens;
  • central securities depositories;
  • central counterparties;
  • trading venues;
  • trade repositories;
  • managers of alternative investment funds;
  • management companies;
  • data reporting service providers;
  • insurance and reinsurance undertakings;
  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
  • institutions for occupational retirement provision;
  • credit rating agencies;
  • administrators of critical benchmarks;
  • crowdfunding service providers;
  • securitisation repositories (the aforesaid are jointly referred to as “financial entities”); and
  • ICT third-party service providers.

DORA applies to all the above-mentioned entities that provide services in the EU and are established in the EU.

Additionally, the territorial scope of DORA is broad and extends to organisations based outside the EU, where, for example, they (in the case of financial entities) offer certain financial services in the EU market or (in the case of ICT providers) contract with financial entities that are in scope of DORA.

At the national level, the implementation of all obligations arising from DORA remains ongoing. The competent authorities (Bank of Portugal (BdP), Portuguese Securities Market Commission (CMVM) and Portuguese Insurance and Pension Funds Supervisory Authority (ASF)) are in the process of drafting the regulations that will implement the framework. At this stage, developments have been observed in the following areas:

Regarding risk management associated with information and communication technologies, a significant development is the revision of Bank of Portugal Instruction No 4/2021, which governs the management and reporting of operational and security risks by payment service providers. This revision will eliminate the annual reporting requirement for operational and security risks to prevent redundancy with EBA/GL/2019/04, which may itself be subject to amendment by the European Banking Authority (EBA).

For incident reporting and cyber threats, a transitional arrangement requires severe ICT incidents and voluntary cyber threat notifications to be sent to dorareport@bportugal.pt until a final reporting mechanism is established.

The CMVM, in response to the implementation of DORA in Portugal, has outlined its plans through the Annual Circular on Financial Intermediation and Crowdfunding Services, with the national regulation of DORA set as one of its key objectives for 2025.

In the insurance sector, implementation has been carried out through Regulatory Standard No 9/2024-R, which governs the reporting of severe incidents related to information and communication technologies to the ASF, and Regulatory Standard No 7/2024-R, regarding the security and governance of information and communication technologies and subcontracting to cloud computing service providers within the management of pension funds.

ICT services are defined as digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which include the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services (Article 3(20) of DORA).

An ICT service provider is defined as an undertaking providing ICT services (Article 3(19) of DORA).

The DORA Regulation also defines what is considered a critical ICT third-party service provider, namely entities designated as such in line with Article 31 of the Regulation, which considers a series of criteria laid out in said article, such as the systemic impact on stability, continuity or quality of the service or the systemic character or importance of the financial entities that rely on the relevant ICT third-party service provider.

DORA also requires a register of ICT service agreements, reinforcing oversight of third-party dependencies. At the national level, while this overlaps with Bank of Portugal Notice No 8/2023, which governs outsourcing agreements, the annual submission of outsourcing records will continue. Adjustments may follow once the EBA Guidelines on Outsourcing (EBA/GL/2019/02) are revised by late 2025.

For the entities subject to CMVM supervision, the regulation of reporting obligations under DORA is currently underway, in alignment with the content and formats defined by European legislation. Until the required files can be submitted via the Electronic One-Stop Shop (BUE), as part of the ongoing regulatory development, an alternative submission method is via email to cmvm@cmvm.pt.

The main objective of the DORA Regulation is to achieve a high common level of digital operational resilience (Article 1(1)).

For that purpose, the Regulation lays down uniform requirements concerning the security of network and information systems supporting the business process of financial entities, which are as follows:

  • requirements applicable to financial entities in relation to:
    1. information and communication technology (ICT) risk management;
    2. reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities;
    3. reporting of major operational or security payment-related incidents to the competent authorities by financial entities;
    4. digital operational resilience testing;
    5. information and intelligence sharing in relation to cyber threats and vulnerabilities; and
    6. measures for the sound management of ICT third-party risk;
  • requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities;
  • rules for the establishment and conduct of the oversight framework for critical ICT third-party service providers when providing services to financial entities; and
  • rules on co-operation among competent authorities, and rules on supervision and enforcement by competent authorities in relation to all matters covered by this Regulation.

Some of the main obligations under the DORA Regulation for financial entities are as follows:

  • implementing an ICT risk management framework, which shall include at least strategies, policies, procedures, ICT protocols and tools necessary to duly and adequately protect all information and ICT assets;
  • using and maintaining updated ICT systems, protocols and tools that are appropriate to the magnitude of operations;
  • continuously monitoring and controlling the security and functioning of ICT systems and tools;
  • having mechanisms in place to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and identifying potential material single points of failure;
  • establishing a comprehensive ICT business continuity policy; and
  • developing and maintaining back-up policies and procedures and restoration and recovery procedures and methods, for the purpose of ensuring the restoration of ICT systems and data with minimum downtime and limited disruption and loss.

Given that Portugal is still in the implementation phase, there are currently few specific rules governing the obligations related to operational resilience.

The ASF Regulatory Standard No 9/2024-R establishes the information elements, format and deadlines for reporting severe incidents related to ICT, under the information reporting obligation incumbent upon entities supervised by the ASF, in accordance with their supervisory responsibilities.

The ASF Regulatory Standard No 7/2024-R sets the following requirements and general principles concerning the security and governance of ICT, as well as specific requirements regarding subcontracting to cloud computing service providers within the management of pension funds:

  • the definition of general governance requirements for ICT, including the responsibilities of the management body in this area, the obligation for pension fund management companies to have an ICT strategy, the integration of ICT and security-related risks into the company's overall risk management system, and the conduct of periodic audits;
  • the establishment of requirements related to information security, notably that pension fund management companies must have an information security policy and an information security function;
  • the regulation of duties that pension fund management companies must comply with concerning the operational management of ICT;
  • the provision of requirements applicable to business continuity management within the scope of ICT;
  • the definition of general governance requirements for the subcontracting of cloud computing services; and
  • the establishment of requirements prior to entering into a cloud computing service subcontracting agreement, and the regulation of the rights and obligations that must be clearly identified and specified in the written agreement.

It should be noted that insurance companies managing pension funds are already subject to the requirements applicable to the insurance activity under Regulatory Standard No 6/2022-R. However, Regulatory Standard No 7/2024-R further supplements the implementation of provisions related to subcontracting to cloud computing service providers in relation to the pension fund management activities of these companies.

DORA mandates the identification and designation of critical ICT third-party service providers (CTPPs) based on a set of qualitative and quantitative criteria, including the number of financial institutions they serve, the potential systemic impact on the stability, continuity or quality of the provision of financial services in the event of a large-scale operational failure, and the degree of substitutability of the ICT third-party service provider (Article 31(2)).

Once designated as a CTPP, an ICT provider falls under the direct oversight of a Lead Overseer (see Article 33).

The Lead Overseer is vested with broad oversight powers (Article 35 (1)), including:

  • requiring all relevant information and documentation related to ICT risk management frameworks;
  • conducting general investigations and inspections;
  • issuing recommendations to enhance operational resilience measures; and
  • imposing corrective measures in cases of non-compliance, ensuring financial stability and service continuity.

Regulatory enforcement under DORA follows a graduated and proportionate approach, balancing oversight with proportionate interventions.

Nevertheless, before issuing recommendations or imposing a periodic penalty payment, the Lead Overseer shall give the representatives of the ICT third-party service provider the opportunity to be heard (Article 35(3) and (11)).

Key enforcement actions include:

  • a periodic penalty payment to compel the ICT third-party service provider to comply with those measures; this penalty is imposed on a daily basis until compliance is achieved (and for no more than a period of six months), and amounts to 1% of the average daily worldwide turnover of the ICT third-party service provider in the preceding business year; and
  • possible service restrictions, including potential prohibitions on providing ICT services to financial entities if resilience obligations are not met.

We are still awaiting the national implementing law for DORA, which may provide further details on sanctioning powers.

At present, the authorities with sectoral competence in supervising and enforcing digital operational resilience requirements are as follows:

  • Bank of Portugal for credit institutions;
  • Portuguese Securities Market Commission (CMVM) for investment firms, market operators, and crowdfunding service providers; and
  • Portuguese Insurance and Pension Funds Supervisory Authority (ASF) for insurance companies.

DORA requires financial institutions to ensure that third-party ICT service providers meet specific requirements in their contractual relationships. These include incorporating certain contractual provisions (Article 30) and assessing whether conditions for supervisory oversight, such as those related to subcontracting, are satisfied (Article 28(4)(b)).

When the service provider is based in a third country (ie, outside the European Union) and is classified as critical, the institution must also ensure compliance with EU data protection rules and verify the effective enforcement of such laws in that country (Article 29(2)).

In this regard, international data transfers between financial institutions and ICT service providers will likely involve the processing of both personal and non-personal data.

On the one hand, financial institutions must ensure that the international transfer of personal data directed to data importers (eg, ICT service providers) located in a third country provides appropriate safeguards to data subjects (ie, banking clients), as outlined in Chapter V of the GDPR.

In particular, financial institutions may transfer personal data to a third country covered by an adequacy decision, which ensures that such a country or region provides an adequate level of protection for data subjects. Currently, the Commission has issued several adequacy decisions, including for Canada, Israel and Japan.

If the third country is not subject to an adequacy decision by the Commission, financial institutions, as data controllers and data exporters, must implement appropriate safeguards, which may take the form of:

  • binding corporate rules;
  • standard data protection clauses adopted by the Commission;
  • standard data protection clauses adopted by a supervisory authority with the approval of the Commission;
  • an approved code of conduct, complemented by binding commitments of the controller or processor in the third country; or
  • an approved certification mechanism, complemented by binding commitments of the controller or processor in the third country.

The GDPR provides additional exceptions that may legitimise international data transfer in the absence of an adequacy decision or the implementation of appropriate safeguards. In the context of financial institutions as data controllers, the explicit and informed consent of data subjects may be an appropriate legal basis for the transfer. Other exceptions may be relevant for this purpose, such as the exercise or defence of legal claims (Article 49 GDPR).

Non-personal data, on the other hand, is not covered by the GDPR and is therefore not subject to any specific restrictions on international data transfers. Nevertheless, Article 32 of the Data Act (Regulation (EU) 2023/2854) provides that customers of cloud service providers who store their non-personal data in the EU are entitled to protection against international and third-country governmental access and transfer of data. Providers of data processing services must therefore take appropriate measures to prevent such unlawful access and transfer.

Ultimately, financial institutions are required to ensure that the contractual provisions established with third-party ICT service providers located in a third country meet both the requirements of DORA and the appropriate safeguards described in the GDPR.

Financial entities (with some exceptions) under the DORA Regulation shall carry out, at least every three years, advanced testing by means of threat-led penetration testing (TLPT). This TLPT shall cover several or all critical or important functions of a financial entity, and shall be performed on live production systems supporting such functions.

At the end of the testing, after reports and remediation plans have been agreed, the financial entity and, where applicable, the external testers, shall provide to the competent authority a summary of the relevant findings, the remediation plans and the documentation demonstrating that the TLPT has been conducted in accordance with the requirements.

Financial entities must contract testers for the purposes of undertaking TLPT in line with the DORA Regulation. Whenever financial entities use internal testers for the purpose of undertaking the TLPT, they shall contract external testers every three tests.

Financial entities shall only use testers for the carrying out of the TLPT that:

  • are of the highest suitability and reputability;
  • possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing and red team testing;
  • are certified by an accreditation body in a member state or adhere to formal codes of conduct or ethical frameworks;
  • provide an independent assurance, or an audit report, in relation to the sound management of risks associated with the carrying out of TLPT, including the due protection of the financial entity’s confidential information and redress for the business risks of the financial entity; and
  • are duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence.

When using internal testers, financial entities shall ensure that, in addition to the above-mentioned requirements, (i) such use has been approved by the relevant competent authority designated in line with applicable law; (ii) the relevant competent authority has verified that the financial entity has sufficient dedicated resources and ensured conflicts of interest are avoided throughout the design and execution phases of the test; and (iii) the threat intelligence provider is external to the financial entity.

At the national level, the TIBER-PT framework for resilience testing will be updated in line with TIBER-EU, expected by mid-2025. The Bank of Portugal will continue to use this framework to certify digital resilience testing under DORA.

In October 2024, the EU introduced the Cyber Resilience Act, a regulation that harmonises security requirements for products with digital elements, ensuring a consistently high level of cybersecurity.

This Regulation is directly applicable in Portugal and requires the adoption of national implementing legislation only for specific provisions that empower the national legislature (eg, provisions on penalties).

Due to its limited material scope, other legislation, such as Regulation (EU) 2023/988 on general product safety requirements, applies to products with digital elements that pose safety risks not covered by the Cyber Resilience Act. Additionally, this regulation does not affect the health and safety requirements established in Regulation (EU) 2023/1230, when applicable.

As a result, since the first provisions of the Cyber Resilience Act will only be applicable in September 2026 (see Article 71), Portugal currently relies on the general cybersecurity legal framework indicated in 1.2 Cybersecurity Laws and detailed in 2 Critical Infrastructure Cybersecurity. Furthermore, there is not yet a proposal of a draft law for the implementation of the Regulation.

The Cyber Resilience Act provides a robust level of cybersecurity for products with digital elements to be placed on the internal market.

At the outset, it is essential to clarify that the Regulation identifies three categories of products with digital elements:

  • products with digital elements not classified as important or critical;
  • important products with digital elements, which possess the core functionality of a product category outlined in Annex III, further subclassified into Class I and Class II; and
  • critical products with digital elements, which possess the core functionality of a product category outlined in Annex IV.

Although the level of compliance varies, products with digital elements that are subject to this Regulation must comply with the key obligations outlined below.

Presentation of the CE Marking

It shall be mandatory for products with digital elements covered by this Regulation to bear the CE marking as the visible proof for users of conformity with the essential cybersecurity requirements set out in Annex I. Prior to applying the CE marking, a conformity assessment procedure, harmonised by the Regulation, must be conducted.

Conformity Assessment Procedure

The conformity assessment of products with digital elements, which are not listed as important or critical products with digital elements in this Regulation, can be carried out by the manufacturers themselves, according to the procedure laid down in Decision No 768/2008/EC.

However, due to the high impact of products with digital elements classified as “important”, they are subject to different procedures:

  • For Important Class I Products: Manufacturers can assess these products themselves, provided that they adhere to harmonised standards, common specifications or comply with a European cybersecurity certification. If the manufacturer chooses not to apply the above security measures, it must undergo a third-party conformity assessment.
  • For Important Class II Products: The conformity assessment must always involve a third party.

For critical products with digital elements, and in accordance with their importance for society, it is mandatory that they have a certification under the European Cybersecurity Certification Scheme with a minimum level of “substantial”. If this condition is not met, critical products are subject to the conformity assessment defined for Class II important products.

Assessment of the Cybersecurity Risks

Manufacturers of products with digital elements must carry out and document an assessment of the cybersecurity risks of the product, and demonstrate that it complies with the essential cybersecurity requirements listed in Annex I. This assessment shall be integrated into the technical documentation of the product.

Reporting Obligations

The Regulation mandates that manufacturers of products with digital elements must report to both the designated Computer Security Incident Response Team (CSIRT) and ENISA, via a single platform to be established by the latter authority. The reporting comprises a notification on (i) actively exploited vulnerabilities in their products and (ii) serious incidents impacting the security of these products.

The law also sets out different obligations for the different actors in the supply chain (ie, manufacturers, importers and distributors) to ensure that the essential requirements for cybersecurity are met from the manufacturing stage onwards. This aligns with the primary aim of the Cyber Resilience Act, which is to establish essential cybersecurity requirements for the design, development, and manufacture of products with digital elements, as well as their monitoring once they are available on the market.

The Cybersecurity Act (Regulation (EU) 2019/881) establishes the “European cybersecurity certification framework” and provides a harmonised standard for cybersecurity certification across the EU. The European Commission has adopted an implementing act for the voluntary European Common Criteria-based cybersecurity certification scheme (EUCC) (Commission Implementing Regulation (EU) 2024/482, of 31 January 2024).

Portugal has designated the CNCS as the National Cybersecurity Certification Authority (ANCC), responsible for implementing a national cybersecurity certification framework. In this context, the CNCS has developed the EC QNRCS certification, based on European schemes.

The EC QNRCS certification scheme has been designed for central and local administration organisations, operators of critical infrastructure, essential and important service providers, digital service providers, and other private and non-governmental organisations, whether for profit or not. The CNCS manages and supervises this national certification scheme in co-operation with the Portuguese Quality Institute (IPQ) and the Portuguese Accreditation Institute (IPAC).

The cornerstone of data protection in the EU, and consequently in Portugal, is the General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR).

One of the main principles of the GDPR is the integrity and confidentiality principle, established in Article 5(1)(f), which provides that personal data “shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”.

This principle is materialised by Article 32 (security of processing) and Articles 33 and 34, which relate to notification and communication obligations in the event of a personal data breach.

In light of this legal framework, Controllers and Processors are required to adopt “appropriate” technical and organisational measures to ensure a level of security that is appropriate to the potential risks. The adjective “appropriate” allows for a risk-based approach regarding the controls that should be implemented, taking into account the state of the art. For this purpose, Article 32 lists some controls that represent the professional consensus on security controls for processing, such as encryption and pseudonymisation. When assessing the adequacy of the technical and organisational measures to be implemented, the Controller or Processor concerned may take into consideration the cost of implementation, the risks associated with the processing activities and their severity for the rights and freedoms of data subjects.

However, it is mandatory that Controllers and Processors have in place adequate mechanisms for detecting personal data breaches, which corresponds to a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed (see Article 4(12)).

When the Controller becomes aware of such a breach, it must consider the obligation to notify the supervisory authority without undue delay where there is a foreseeable risk to the rights and freedoms of natural persons. If the Controller or the supervisory authority subsequently concludes that there is a high risk to the rights of data subjects, it is obliged to communicate the personal data breach to the data subjects without undue delay and in accordance with the provisions of Article 34.

The national law implementing the GDPR (Law No 58/2019) does not provide any further specifications regarding the security of processing. Nevertheless, it is worth noting that the Portuguese data protection authority (Comissão Nacional de Proteção de Dados, or CNPD) has issued guidelines (Diretriz/2023/1, CNPD, available in Portuguese here) proposing indicative security measures to be implemented by data Controllers. In terms of organisational measures, the CNPD suggests that Controllers and Processors consider implementing analysis procedures for monitoring network flows and carrying out periodic IT security audits and vulnerability assessments. With regard to technical measures, the CNPD suggests, inter alia, increasing the robustness of servers.

Given the synergies between cybersecurity and the protection of personal data, the CNCS acts in collaboration with the CNPD whenever a cybersecurity incident involves a breach of personal data.

As artificial intelligence systems are composed of digital components, they are particularly vulnerable to cyber-attacks and cybersecurity incidents. These incidents can impact not only the AI system’s performance but also its end users. For instance, a cybersecurity breach affecting the algorithm or training data of a credit scoring AI system could have severe consequences for users seeking to obtain credit.

Therefore, the Artificial Intelligence Regulation (Regulation (EU) 2024/1689) emphasises the necessity for high-risk AI systems to maintain a high level of accuracy, robustness, and cybersecurity (see Article 15). AI systems with a high risk for individuals’ rights and freedoms must be resistant to unauthorised access and equipped with adequate measures for detecting, preventing, and responding to cybersecurity incidents.

For this purpose, providers of high-risk AI systems can seek cybersecurity certification under Regulation (EU) 2019/881. In such a case, Article 43 of the AI Regulation established a presumption of compliance with the cybersecurity requirements outlined in Article 15. Additionally, the cybersecurity measures implemented by the provider must be included in the technical documentation accompanying the system.

When the AI Regulation was approved, there was not yet a final agreement from European legislative bodies on the Cyber Resilience Act. Nonetheless, the AI Regulation’s recitals mention the co-ordination between the two laws. Recitals 77 onwards of the AI Regulation are mirrored in Recital 51 and Article 12 of the Cyber Resilience Act, which presumes compliance with Article 15 of the AI Regulation when the high-risk AI system meets the essential cybersecurity requirements in Annex I of the Cyber Resilience Regulation.

Furthermore, the procedure for assessing compliance with the essential cybersecurity requirements for a product with digital elements that is simultaneously classified as a high-risk AI system will follow the provisions of Article 43 of Regulation (EU) 2024/1689. However, in the event that the application of this provision would lead to a reduction in the level of security required for critical or important products with digital elements, the conformity assessment procedure provided for in the Cyber Resilience Regulation with regard to the essential cybersecurity requirements should apply by way of derogation from this rule.

Entities operating in the healthcare sector are considered essential, especially if they fall under and meet the requirements of the NIS 2 Directive, making them subject to the cybersecurity framework for essential entities.

Their value and impact on basic societal functions make them prime targets for cyber-attacks, often aimed at compromising health data and the safety of individuals.

As such, Regulations (EU) 745/2017 and 746/2017 on medical devices and in vitro diagnostic medical devices have introduced cybersecurity concerns. These regulations ensure that devices placed on the EU market are equipped to address new technological challenges related to cybersecurity risks.

The Medical Devices Regulation (MDR) requires medical devices with electronic programmable systems and software to meet minimum cybersecurity requirements. This includes devices such as pacemakers and insulin pumps. Consequently, these requirements cover hardware, IT network characteristics and IT security measures, including protection against unauthorised access, to ensure that the software works as intended. 

According to the guidance on cybersecurity for medical devices (MDCG 2019-16 Rev.1, December 2019, available here), manufacturers must implement state-of-the-art cybersecurity measures. This guidance is intended to help manufacturers comply with the essential cybersecurity requirements outlined in Annex I of the MDR and the In Vitro Diagnostic Medical Devices Regulation.

The MDR does not define “IT security”, so the Medical Device Coordination Group document refers to the definition provided by ENISA. “IT security” is thus defined as the protection against threats to the technical infrastructure of a cyber system that could change its characteristics to perform unintended activities (Definition of Cybersecurity – Gaps and overlaps in standardisation, December 2015, available here). The same applies to the definitions of operational security and information security.

In Portugal, Decree-Law No 29/2024 ensures the national implementation of the MDR and provides that healthcare entities deploying a medical device must report to the competent authority (ie, INFARMED, I.P.) all security measures implemented and their performance.

Also at the national level, Order No 8877/2017 establishes the governance model to be followed by the Shared Services of the Ministry of Health (Serviços Partilhados do Ministério da Saúde, E. P. E., or SPMS), in conjunction with the National Security Office and the CNCS. The same Order requires all health entities of the national health service to adopt a cybersecurity policy and a contingency plan for cybersecurity incidents.

Overall, the health sector is covered by the general legal framework for cybersecurity as discussed in this chapter.

Abreu Advogados

Av. Infante Dom Henrique 26
1149-09
Lisbon
Portugal

(+351) 217 231 800

(+351) 217 231 899

lisboa@abreuadvogados.com abreuadvogados.com/en/

Trends and Developments


Eyes Wide Open: The Portuguese Cybersecurity Agency Dives Deeper into Market Practices

Introduction: NIS 2 transposition

The growing importance of cybersecurity for businesses is undeniable. Consequently, EU institutions revisited the NIS Directive (Directive (EU) 2016/1148) in 2022 and issued a new directive – known as the NIS 2 Directive (Directive (EU) 2022/2555) – the transposition of which is expected to both extend and develop already applicable cybersecurity regulations in Portugal, complementing, in particular, Regulation (EU) 2022/2554 (known as the Digital Operational Resilience Act or DORA Regulation), which requires specific cybersecurity measures to be adopted by banking and financial institutions.

While the deadline for EU member states to transpose the NIS 2 Directive into national law was 17 October 2024, Portugal is still in the process of doing so. Following a public consultation on the draft legislation, which ran from late November to late December 2024 and garnered over 140 contributions, the government has been analysing these submissions before presenting its proposal to Parliament for approval. If the transposition statute is approved, it will come into effect 120 days after its publication.

Although the process of transposition is still ongoing, and despite the period between publication and implementation, we have already noticed market actors’ interest in the Directive, and its transposition process. We have received multiple requests to assess the subjective scope of the new NIS 2 Directive – ie, whether a certain company is, or is not, subject to those new norms – and several requests to keep our clients posted regarding the process of elaboration and approval of the NIS 2 transposition law.

This concern is perfectly understandable. Among the specific features of the Portuguese transposition (such as a clearer definition of the functions and competences of the Cybersecurity Officer, affording greater certainty to market actors, or the qualification of the temporary banning of administrators as an ancillary sanction only) the most recent version of the transposition statute, in discussion before Parliament, provides for fines of up to EUR200,000 for individual members of management bodies.

Given the upcoming transposition of Directive (EU) 2022/2555 (Directive NIS 2) in Portugal – and especially of the personal and individual liability for administrators for the breach of cybersecurity regulations as outlined above – market actors in those sectors should be keen on ensuring compliance. Compliance with cybersecurity requires great investment on the part of undertakings – both financially and in terms of human resources. This includes purchasing and implementing antivirus software, setting up multi-factor authentication, developing plans, policies and procedures, and allocating additional resources, such as time, to adhere to these policies. Not to mention the costs associated with staff training, software updates, and the increasing marginal costs as the volume of protected information grows.

However, the potential penalties can be even more costly. In addition to fines of up to EUR200,000 for individual administrators specific to the Portuguese jurisdiction, the NIS 2 Directive already provides for fines as high as EUR10 million for breaching companies and entities.

The oversight by the CNCS

The Portuguese National Cybersecurity Agency (Centro Nacional de Cibersegurança, or CNCS) is the agency responsible for the oversight and enforcement of cybersecurity legislation in Portugal (including the future NIS 2 Directive transposition statute).

Up to now, the CNCS has largely adopted a proactive, supportive approach. Its core principle revolves around educating and mitigating the risks of breaches and damage by fostering a strong culture of compliance with legal requirements. This is evidenced by the relatively infrequent use of sanctions for breaches of cybersecurity statutes. The CNCS has been notably active, but its focus has primarily been on organising talks, conferences and newsletters, and developing best practice codes and standards to cultivate a culture of legal compliance within the Portuguese market.

Very recently, in fact, the CNCS published a series of reports on market cybersecurity conditions and practices. While these reports do not represent legal enforcement actions in themselves, their creation signifies preparatory steps towards such actions. And the publication of these reports – containing a framework of analyses, a comparative baseline, international standards and recommendations – may inspire other jurisdictions to also pay closer attention to market practices. 

Within these reports, the CNCS identified significant disparities in cybersecurity practices and the level of protection afforded to information stored in digital systems across various sectors, despite the widespread use of digital tools. We have compiled some of the data from these reports below to enable a comparison between sectors, with the aim of gleaning insights and recommendations.

Market state and sector practices

  • Regarding policies for staff training, and cybersecurity managers, despite the obligations provided in the NIS 2 Directive, Law No 46/2018, of 13 August, and Decree-Law No 65/2021 of 30 July:
    1. Digital infrastructure providers have the worst results of all the sectors analysed by CNCS. 33% have untrained cybersecurity managers, and 74% of companies in the Portuguese digital infrastructure sector have less than 25% of staff trained to even a basic level. 58% of companies do not even offer training in cybersecurity.
    2. 20% of companies in the Portuguese energy sector, in turn, have untrained cybersecurity managers, and nearly half (45%) have less than 25% of staff trained to even a basic level. 33% of companies do not even offer training in cybersecurity, despite the legal mandate, and, of those that do, half offer it on an optional basis.
    3. Similarly, 19% of companies in the Portuguese transport sector have untrained cybersecurity managers, and over half (57%) have less than 50% of staff trained to even a basic level.
    4. Healthcare providers report better scores. 36% have untrained cybersecurity managers, and 60% of companies in the Portuguese healthcare sector have less than 50% of staff trained to even a basic level. 
    5. Banking and financial institutions are overall the best prepared. All claim to have duly trained cybersecurity managers, despite 25% of companies in the Portuguese banking sector admitting to having less than 50% of staff trained to even a basic level.
  • Regarding cybersecurity documentation, in particular the preparation and implementation of cybersecurity plans, incident response plans and reporting obligations – all of which, again, were already mandated under Law No 46/2018 and Decree-Law No 65/2021, and are further detailed in the NIS 2 Directive and its transposition statute – the situation is quite similar:
    1. As for providers of digital infrastructure, there is a clear disconnect between the acknowledged importance of data security and actual practice. 54% concede they lack both a cybersecurity plan and an incident response plan. Furthermore, 4% failed to submit their mandatory annual reports to the CNCS in 2023.
    2. In the energy sector, 33% admit to not having a cybersecurity plan implemented at all, 20% admit to not having an incident response plan, and 10% have not submitted their mandatory annual reports to CNCS in 2023.
    3. In the transport sector, the figures are 35%, 48% and 12%, respectively.
    4. Among healthcare providers, 54% admit to not having a cybersecurity plan, 38% admit to not having an incident response plan, and 13% have not submitted their mandatory annual reports to CNCS in 2023 – despite the sensitivity of the data they manage on a daily basis.
    5. And, lastly, again, the banking and financial institutions sector shows greater compliance, with only 13% admitting to not having a cybersecurity plan implemented at all.
  • Finally, regarding statutorily required good cybersecurity practices, the numbers are telling:
    1. Only 23% of healthcare providers regularly conduct risk analysis assessments, as compared to 36% of the providers of digital infrastructure, 50% in the energy and transport sector, and, again, being the best prepared sectors overall, 75% of companies in banking and financial institutions.
    2. Regarding the maintenance of logs for post-incident reconstruction and analyses, 50% of companies in the Portuguese transport and healthcare sector do not keep logs for this purpose; neither do 48% of companies in the digital infrastructure sector; 30% in the energy sector; and, lastly, 23% among financial institutions.
    3. Regarding the undertaking of vulnerability checks and vulnerability management policies, only 20% of companies in the digital infrastructure sector undertake them regularly, compared to 70% of companies in the energy and transport sectors. Notably, the banking and financial institutions sector reports complete adherence, with all companies claiming to conduct these checks.

The implications of the aforementioned statistics become increasingly concerning when considered alongside the pervasive reliance on digital tools and devices within these sectors:

  • 56% of companies in the Portuguese energy sector report that between 75% and 100% of their workforce utilise digital devices and tools for their daily tasks. Conversely, only 10% of these companies indicate that less than 25% of their staff engage in such usage.
  • In the banking and financial market institutions sectors, 100% of companies report that virtually all their employees access and manage digital devices and tools to perform their work.
  • Lastly, in the Portuguese digital infrastructure sector, 58% of companies state that over 50% of their staff utilise digital devices and tools, compared to only 14% of companies in the Portuguese healthcare sector.

The combination of less than 25% of staff receiving basic cybersecurity training, the lack of dedicated cybersecurity officers, the absence of log records, and the deficiency of cybersecurity plans highlights the urgent need for companies to reflect on and adapt to new regulations. This is particularly critical when, for a significant majority (well over 50%) of these companies, at least 50% of their staff rely on digital devices and tools for their daily work.

While the banking and financial institutions sector demonstrates better compliance compared to others, it is important to acknowledge that this sector is subject to specific, stringent cybersecurity regulations, such as the DORA regulation. This explains their significantly higher compliance levels. However, it also underscores that they operate under stricter norms and standards. Therefore, their relative success should not lead to complacency among their administrators.

The data concerning energy, digital infrastructure and healthcare is particularly concerning: all three are designated as essential services, critical to the maintenance of a modern workable society – and yet all three show significant deficiencies in their cybersecurity actions and policies.

Recommendations

Having now comprehensively examined technological specificities and threats, capacity building, identifiable investment in cybersecurity, applicable standards and good practices, and market shortcomings, the CNCS is now far better positioned to determine the legal compliance status of providers and other market participants. This enhanced insight allows them to hold both these entities and, crucially, their administrators personally accountable for breaches of cybersecurity norms.

The data presented above unequivocally demonstrates that staff training must be a priority for providers across all sectors subject to cybersecurity requirements, including public administration entities, postal services, and food production and distribution, not just the previously mentioned sectors. These training programmes should encompass both basic cybersecurity practices – such as strong password adoption, the avoidance of sharing personal or sensitive information online, and screen locking – and more advanced topics like incident response protocols and reporting obligations. A robust enterprise cybersecurity strategy must focus on both incident prevention and effective response to safeguard digital infrastructure and sensitive data.

Equally important is the implementation of legally mandated good practices. Regular risk assessments, vulnerability checks, and the maintenance of comprehensive log-in and log-out records are essential for demonstrating clear compliance. Crucially, the production of thorough documentation proving adherence to cybersecurity requirements is paramount. Companies and cybersecurity managers are accountable for maintaining legally required documentation. The absence of such documentation constitutes a breach in itself and will lead to the presumption that the underlying obligation, which should have been evidenced by the documentation, has also been unmet.

Beyond these reports, which, again, are more akin to an enforcement tool than to an act of enforcement, the CNCS, in collaboration with ANACOM (the Portuguese National Authority for Telecommunications), has been developing statutorily mandated enforcement tools, such as the ANACOM-CSIRT (“computer security incident response team”). This suggests a shift towards a more reactive and less pedagogical stance as the competent supervisory authority.

In conclusion, the CNCS has got its eyes wide open. To avoid falling under its scrutiny, companies, particularly those that have not yet begun preparations for implementing the acts and procedures required by Directive NIS 2, should urgently analyse the new proposals to ascertain the extent to which organisational adaptations are necessary.


Law and Practice

Authors



Abreu Advogados is a big four independent law firm with over 30 years of experience in the Portuguese market, navigating in tomorrow’s sectors and industries. The firm continuously attracts strategic opportunities for its clients in key areas such as finance, corporate and M&A, tax, litigation, and competition, among others. The firm invests in multidisciplinary teams that tackle increasingly complex transactions with cost-effective solutions and anticipate clients’ needs with a business-oriented vision. Either from Portugal or internationally, Abreu is chosen to provide legal advice in international transactions across Portuguese-speaking countries, particularly Angola, Mozambique and Timor-Leste. Abreu Advogados partnered with FBL Advogados in 2007 and with JLA Advogados in 2010 to meet clients’ interests in the Angolan, Mozambican and Portuguese markets while benefitting from an international decision-making process when presenting innovative legal solutions to its clients.

Trends and Developments

Authors



Abreu Advogados is a big four independent law firm with over 30 years of experience in the Portuguese market, navigating in tomorrow’s sectors and industries. The firm continuously attracts strategic opportunities for its clients in key areas such as finance, corporate and M&A, tax, litigation, and competition, among others. The firm invests in multidisciplinary teams that tackle increasingly complex transactions with cost-effective solutions and anticipate clients’ needs with a business-oriented vision. Either from Portugal or internationally, Abreu is chosen to provide legal advice in international transactions across Portuguese-speaking countries, particularly Angola, Mozambique and Timor-Leste. Abreu Advogados partnered with FBL Advogados in 2007 and with JLA Advogados in 2010 to meet clients’ interests in the Angolan, Mozambican and Portuguese markets while benefitting from an international decision-making process when presenting innovative legal solutions to its clients.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.