The new Cybersecurity Legal Framework is currently under public consultation until December 31, 2024.

This Diploma results from the need to transpose Directive (EU) 2022/2555 of the European Parliament and of the Council of December 14th 2022 (Directive SRI 2), which, like the preceding Directive in this area, aims to achieve three objectives:
– Require member states to ensure a high level of cybersecurity;
– Strengthen European cooperation between the authorities responsible for cybersecurity;
– Require the main operators in key sectors of our society to adopt the necessary security measures and notify the competent authorities of any incident that has a significant impact on the provision of their services.

Despite maintaining the core objectives, this new Directive also aims to standardize the cybersecurity measures in place in each Member State:
1. Establishing a minimum regulatory framework;
2. Increasing the scope of entities covered and dividing them into two sectors: (i) Critical Sector, which includes, for example, the Health sector, and (ii) Other Critical Sectors, which includes, for example, companies in the food sector involved in any of the production, processing and distribution phases, and digital service providers;
3. Detailing the incident reporting rules to be respected; and
4. Intensifying the sanctioning framework, both with regard to the amounts of the fines and the attribution of liability to the individuals responsible.

The Directive in question applies to public and private entities that meet the established characteristics, and each Member State is responsible for drawing up a list of essential and important entities, as well as entities that provide domain name registration services, by April 17th 2025.

The Diploma establishing the new Legal Framework for Cybersecurity in Portugal (which is still under public consultation) stipulates that entities must self-identify as essential, important or relevant public entities, according to their group, on an electronic platform made available by the CNCS. They must do so within one month of the start of their activity or, if the entity is already active when this decree-law comes into force, within 60 days of the electronic platform being made available. Entities are also responsible for keeping this information duly updated.

In terms of administrative offenses, it should be noted that very serious, serious and minor offenses are foreseen, with maximum limits of up to €10,000,000.00.


Since the draft law is currently in public consultation, it may still be subject to changes, particularly with regard to the obligations it sets for the entities covered, so some caution is warranted in these preliminary considerations. This publication is intended only to alert the entities potentially covered so that they can prepare themselves properly and in advance.


The new Cybersecurity Legal Framework also aims to safeguard internal and external security, national defense, the integrity of the democratic process and other sovereign functions, the operation of critical infrastructures and the provision of essential services against potential influence from third countries, so we believe that the rules that will be imposed will be treated with priority and seriousness.