August 2021

The long-awaited Decree-Law no. 65/2021 (only available in Portuguese) came into force on the 9th of August 2021, regulating the Cyberspace Security Legal Framework (Law no. 46/2018, only available in Portuguese) and defining cybersecurity certification obligations, in implementation of Regulation (EU) 2019/881 of the European Parliament and of the Council.

This Decree-Law addresses several questions that were unsolved by Law no. 46/2018, establishing, for the covered entities, demanding obligations regarding:

  • security requirements of networks and information systems; and
  • requirements for reporting incidents affecting the security of network and information systems.

Critical infrastructure operators (public or private entities operating a critical infrastructure), operators of essential services (in the energy, transport, banking and finance, health, water and digital infrastructure sectors), digital service providers (e-commerce, online search engines and cloud computing) and Public Administration entities must meet the established requirements. In particular, the security requirements applicable to digital service providers are defined by an implementing regulation of the European Commission.

Non-compliance with the established obligations is punishable as follows:

  • Very serious infringements  fines ranging, for legal persons, from €25.000 to €50.000 (in the event of failure to comply with obligations relating to security requirements)​
  • Serious infringements  fines ranging, for legal persons, from €9.000 to €3.000 (in the event of failure to comply with notification obligations)

The Decree-Law also allows the implementation of a national cybersecurity certification framework by the CNCS (National Cybersecurity Centre), which will act as the National Cybersecurity Certification Authority. The CNCS will establish the necessary provisions for the development and implementation of specific cybersecurity certification schemes for information and communication technology products, services and processes.

The requirements set out in Decree-Law 65/2021 constitute a minimum to be ensured by the entities covered, without prejudice to the rules that, depending on the nature of the entities and the sectors in which they operate, may be established by other authorities, nor provisions resulting from other legislations (as is the case of the obligations applicable to digital service providers). The CNCS may also issue complementary technical instructions regarding security requirements and incident notification.

The densification of cybersecurity obligations, which is presented in the next page of this Flash, seeks to ensure a high level of security of the networks and information systems that support the use of increasingly disruptive technologies (such as Artificial Intelligence or the Internet of Things), so that it takes place in an environment of trust. It is undeniable that the fulfilment of cybersecurity obligations will not only enable legal compliance by organisations, but will also provide them with significant reputational and behavioural benefits.
It is therefore imperative that organisations start preparing their systems and teams as soon as possible for the implementation of this new regime, becoming more resilient to the internal and external threats affecting cyberspace and avoiding the application of severe fines.