Cyber security developments in Portugal

October 2018  |  EXPERT BRIEFING  |  RISK MANAGEMENT

financierworldwide.com


When it comes to new sets of regulations and a demand for the law to catch up with reality, cyber security is a hot topic.

The technological revolution brought by the worldwide web has transformed people’s lives in many ways. There has certainly been a tremendous change in the way that people communicate – letters and phone calls replaced by emails, and, more recently, social media. That has facilitated the way in which people connect across the world. The way in which people research information has also changed dramatically, with search engines now being the primary source, rather than libraries and books in general.

How people shop has also changed. These days, many consumers will say that they would rather shop online than visit a physical store. Technology has also changed the way in which we consume financial services. There is now no need to visit your bank, just your online account. Access to healthcare has also changed over the years, with a doctor’s consultation over the internet now a reality. The list goes on and on, and the result is that an ever wider range of sectors of society has become intrinsically dependent on informatics and computer-based operations.

With this pace of disruptive innovation and cyber dependence, cyber security carries an undeniable value. A cyber attack may potentially compromise millions of users. Recent history shows data breaches hitting multinational companies, in attacks which were both expensive and hard to forget. Despite cultural, economic and geographical differences among countries, this reality and concern is universal.

With this in mind, the European Parliament and Council of the European Union adopted the Directive on Security of Network and Information Systems (NIS Directive) in 2016 – the first EU horizontal legislation addressing cyber security challenges, with a desire to be a “true game changer for cyber security resilience and cooperation in Europe”.

As is well known, a directive is a piece of European legislation that establishes a goal that all member states must achieve. However, contrary to a regulation, which is directly and immediately binding upon all EU countries from the moment it enters into force, a directive leaves it to each EU country to transpose its contents into its own internal legal system by creating national laws, and through these to reach the goals set in the directive.

The NIS Directive is no different. Although it has been in force since August 2016, the transposition deadline was 9 May 2018. This interval was meant to give the necessary time for EU countries to discuss and arrange structures and tools to comply with the goals that were set.

So how do we define ‘cyber security’? The NIS Directive attempts to answer: “the ability of network and information systems to resist action that compromises the availability, authenticity, integrity or confidentiality of digital data or the services those systems provide”. Among others, this piece of EU legislation also proposes a definition for “network and information systems” and for “essential services”, the latter being “private businesses or public entities with an important role for the society and economy”.

The intent of the NIS Directive can be summarised as ensuring that EU countries are well prepared to handle and respond to cyber attacks, while building cooperation at EU level. Underlying this is the promotion of a culture of risk management and incident reporting among key economic actors.

The means foreseen in the NIS Directive to achieve this are the designation of at least one national competent authority, the setting up of computer security incident response teams (CSIRTs), the adoption of national cyber security strategies and the identification of providers of essential services. The aim of this identification is to signal the critical sectors in which a hypothetical cyber attack would be disruptive to an essential service.

A sign of the topical significance of this matter is the existence of the European Agency for Network and Information Security (ENISA), created with the purpose of providing counsel on the regulation of these matters.

Another symptom of the urgent need for functionality and reaction capacity among EU member states, as well as of the complexity of the directive to be used as a practical guide, is that the European Commission issued a Communication in September 2017, suggestively entitled ‘Making the most of NIS – towards the effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union’, alongside forming a cooperation group to support the member states’ implementation of the NIS Directive.

Looking at the European landscape, the vast majority of countries did indeed transpose the NIS Directive into their national law, with a curious variety in the number of measures adopted, from a total of three in France to 17 in Finland and 54 in the Czech Republic. In Portugal, the NIS Directive was transposed through Law 46/2018 on 13 August 2018.

The aforementioned Portuguese law nominates CERT.PT as the national CSIRT, thus meeting one of the most obvious ‘to-do’s’ under the NIS Directive. The National Centre for Cybersecurity is established as the structure where CERT.PT will operate and as the designated point of contact for the purposes of international cooperation. The law also presents the Higher Council for the Security of the Cyberspace, a group composed of high-ranking officials of the Portuguese state who will ensure political-strategic coordination.

The Portuguese law sets out, in abstract terms, security requirements for operators of essential services (OESs) and for digital service providers (DSPs), and procedures for each to notify incidents. However, the law postpones the specification of those procedures, as well as the practical security requirements, until January 2019.

The law also foresees the consequences of non-compliance with the prescribed rules, which depend on the seriousness of the infringement, with negligent behaviour halving the amounts. All in all, fines can range from €500 to €25,000 for an individual and from €1,500 to €50,000 for a legal entity. In line with the postponement of the specifications mentioned above, effective supervision and the subsequent application of fines will only take effect from February 2019.

Law 46/2018 echoes a deadline already determined by the NIS Directive. By 9 November 2018, OESs should be identified by the National Cyber Security Centre (NCSC). What is already known is that these should fit in one of the sectors already predefined: energy, transport, financial markets, banking, health, water and digital infrastructure. DSPs, on the other hand, have a duty, with immediate effect, to communicate their activity to the NCSC.

For now, much remains to be defined in Portuguese cyber security. Even though the NIS Directive was formally transposed by Law 46/2018, the truth is that a lot of its content is abstract and requires further specifications. The coming months promise new developments that will surely deserve close attention.


Ricardo Costa Macedo is a partner and Catarina Luís Farinha is a lawyer at Caiado Guerreiro, Soc. De Advogados, SP RL. Mr Macedo can be contacted on +351 213 717 000 or by email: rmacedo@caiadoguerreiro.com.

© Financier Worldwide


BY

Ricardo Costa Macedo and Catarina Luís Farinha

Caiado Guerreiro, Soc. De Advogados, SP RL


©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.