1 Legal framework
1.1 Does the law in your jurisdiction distinguish between ‘cybersecurity', ‘data protection' and ‘cybercrime' (jointly referred to as ‘cyber')? If so, how are they distinguished or defined?
Yes – although they are closely related concepts, Portuguese law distinguishes between ‘cybersecurity', ‘data protection' and ‘cybercrime', and addresses them separately.
According to Council of Ministers Resolution 92/2019 on the Portuguese National Cybersecurity Strategy 2019–2023:
- ‘cybersecurity' "consists of a set of preventive, monitoring, detection, reaction, analysis and correction measures and actions aimed at maintaining the desired security level and guaranteeing the confidentiality, integrity, availability and non-repudiation of the information, networks and information systems in cyberspace, and the people that interact in it"; and
- ‘cybercrime' "corresponds to the facts consistent with crimes typified in the Cybercrime Law [Law 109/2009 of 15 September] and with other criminal offences committed using technological means, in which these means are essential to the execution of the crime in question".
Data protection is addressed by Law 58/2019 of 8 August, which regulates the enforcement of the EU General Data Protection Regulation (2016/679) (GDPR) in Portugal. Although not legally defined as such, ‘data protection' is understood as the "implementation of measures to protect personal and sensitive data from unauthorized public access, and to control the flow of such data" (this definition is accepted by the National Cybersecurity Centre (CNCS)).
1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?
At a constitutional level, Article 34 of the Portuguese Constitution recognises several fundamental rights relating to personal data protection: the right of access and rectification, and a right against the processing of certain categories of sensitive data (eg, regarding the data subject's political or religious beliefs, private life or race) without prior consent or prior legal authorisation.
The main statute addressing cybersecurity in Portugal is Law 46/2018 of 13 August, which establishes the national legal framework for cyberspace security and implements into national law the EU Network and Information Security Directive (2016/1148). This statute provides a basic framework for cybersecurity matters, establishing a set of measures for the main cyber challenges that organisations face today, and empowers the CNCS as the point of contact for international cooperation.
The following statutes are also relevant to cybersecurity in Portugal:
- Law 109/2009 of 15 September (the Cybercrime Law), implementing Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems;
- Law 53/2008 of 29 August (the National Security Framework);
- Law 5/2004 of 10 February (the Electronic Communications Law);
- Law 58/2019 of 8 August, ensuring the execution of the GDPR in Portugal;
- Law 41/2004 of 18 August (implementing Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector);
- Law 32/2008 of 17 July (implementing Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006), on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks; and
- EU Regulation 2019/881 on the European Network and Information Security Agency (ENISA) and on information and communications technology cybersecurity certification, which is directly applicable in Portugal.
1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?
(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Law 46/2018 applies specifically to:
- public authorities;
- critical infrastructure operators;
- essential services providers, including suppliers in the following sectors:
  - financial services;
  - water supply; and
  - digital infrastructure;
- digital service providers; and
- any other entities using networks and information systems.
In the financial services sector, Banco de Portugal – the Portuguese central bank – recently published Notice 21/2019, regulating the reporting of cybersecurity incidents by financial sector entities under its supervision. ‘Cybersecurity incidents' are defined as any security or information event with a high probability of compromising business operations or endangering information security. Provided that they carry out activities in Portugal, banks and credit entities, investment companies, and payment and digital currency services providers must report all significant or severe cybersecurity incidents to Banco de Portugal within two hours of detection of the incident. Incidents are classified as significant or severe against a set of criteria that includes:
- the number or proportion of affected users;
- the economic impact;
- the reputational impact;
- the activation of crisis management mechanisms;
- internal hierarchical referral;
- any legal or regulatory infringements;
- formal notification of national or international authorities;
- systemic risk; and
- expert assessment.
Incidents must be reported through an online portal made available by Banco de Portugal at www.bportugal.net. This notice follows the earlier Notice 1/2019, which regulates the reporting of severe safety or operational incidents by payment service providers, in line with the Second Payment Services Directive.
In the electronic communications sector, under Regulation 303/2019 approved by the regulatory authority (ANACOM), network and service providers must notify the regulator of information security breaches or loss of integrity that causes a serious disturbance to the operation of networks and services and has a significant impact on the continuity of those operations. Significant impact is assessed in light of criteria relating to:
- the duration of the event; and
- the number of users affected (or, exceptionally, the geographic area affected).
An initial notice must be sent to ANACOM within the shortest possible timeframe (assuming that the company is in a position to anticipate a significant impact) and in any event within one hour of occurrence of the relevant security or integrity breach. The incident must also be disclosed to the public within four hours of this initial notification. Notice must also be given within four hours of cessation of the significant impact and a final report sent to ANACOM within 20 business days thereafter. Article 3-A of Law 41/2004 also imposes an obligation to notify data breaches specifically involving personal data to the Portuguese Data Protection Authority without undue delay.
(b) Certain types of information (personal data, health information, financial information, classified information)?
Personal data and health information are essentially covered by the GDPR and the relevant Portuguese implementing legislation; and financial information falls under the specific regulatory rules covered in question 1.3(a).
Classified information falls under a more fragmented system of rules. The government, through Council of Ministers resolutions, has historically approved instructions on national security (SEGNAC) within the broad scope of industrial, technological, administrative and research activities which include instructions pertaining to information security on classified data and documents (SEGNAC 4, approved by Council of Ministers Resolution 5/90). In addition, the Law on State Secrets (Organic Law 2/2014 of 6 August, as amended) states that all documents and information that receive this classification must be adequately protected against sabotage, espionage, leaks or any form of unauthorised disclosure. Classification as a state secret results in access restrictions, both to the relevant information and to the physical locations where it may be stored; and to a general prohibition on storing any classified information or document except in authorised premises or equipment.
The abundance of statutes on data protection has led to multiple and sometimes incoherent definitions – for instance, of ‘traffic data' – which may result in some legal uncertainty regarding this specific type of information.
1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?
The Cybersecurity Law applies to digital service providers that have their principal establishment in Portugal or that designate a representative established in Portugal if they provide digital services in Portugal.
The Cybercrime Law (Article 15(5)) provides for extraterritorial application in the context of computer searches. A search for stored computer data may be extended, by instruction or authorisation of the competent judiciary authority, to a separate computer system, regardless of the latter's location, if in the context of the search it becomes apparent that the data which is the object of the search is stored elsewhere, but may be legitimately accessed from the original computer system.
1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?
Portugal is a party to the Budapest Convention on Cybercrime of the Council of Europe (CETS 185), a binding international instrument that serves as a guideline for any country developing national legislation against cybercrime and as a framework for international cooperation between state parties. The CNCS also works in strong cooperation with NATO, the European Commission, ENISA, the Information Sharing and Analysis Centre and the Organization for Security and Co-operation in Europe.
In addition, as an EU member state, Portugal is also part of several bilateral and multilateral agreements referring in general to criminal matters and extradition, consisting of mutual legal assistance and international cooperation. In particular, the European Union has concluded agreements on extradition and mutual legal assistance with the United States, Japan, Iceland and Norway. Considering its close relationship with the Portuguese-speaking African countries (Angola, Cape Verde, Guinea-Bissau, Mozambique and São Tomé and Príncipe), Portugal has also signed bilateral agreements referring to criminal matters and extradition with these countries.
1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?
The penalties for crimes set out in the Cybercrime Law – such as computer-related forgery, computer sabotage and illegal access – range from fines to 10 years' imprisonment. Notably, computer-related forgery and unlawful access are punishable by up to five years' imprisonment. The most serious offence in the Cybercrime Law is aggravated computer sabotage, punishable by up to 10 years' imprisonment.
Furthermore, certain crimes set out in the Penal Code that are often committed through computer systems, such as child pornography and swindling, are punishable by up to eight years' imprisonment.
2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?
The National Cybersecurity Centre (CNCS) is the specialised Portuguese national authority entrusted with specific powers for enforcement and organised as a single point of contact for cybersecurity matters. The CNCS carries out regulatory, supervisory and sanctioning functions in accordance with its powers, which include:
- acting as the competent national authority in the field of cybersecurity in relation to the state and operators of national critical infrastructure;
- drawing up legal benchmarks in the field of cybersecurity;
- developing national capacities for the prevention, monitoring, detection, analysis and resolution of cybersecurity incidents and cyberattacks; and
- coordinating international cooperation on cybersecurity issues jointly with the Ministry of Foreign Affairs.
The CNCS also works with the national entities responsible for cyber espionage, cyber defence and cyber terrorism, and is responsible for informing the competent authorities of any information it may have regarding the eventual preparation and execution of crimes.
Failure to comply with the obligations laid down by the Cybersecurity Law (eg, failure to implement adequate technical and organisational measures to address security risks or failure to notify relevant cybersecurity incidents) constitutes an administrative offence (‘misdemeanour'), which may be committed by any entity falling under the scope of this statute. These include public authorities, critical infrastructure operators, essential services operators, digital services providers and any other entities that use networks and information systems. Infringements typified in the statute are punishable by fines imposed on the infringing companies.
The CNCS is responsible for conducting administrative infringement proceedings, and has the necessary powers to conduct such proceedings and impose any applicable fines. The Cybersecurity Law does not directly provide for the imposition of fines on individuals, although these may be imposed under the General Regime on Misdemeanour Offences (RGCOC) if the relevant requirements are met (notably, acting on behalf of the relevant corporate person and in breach of a duty of vigilance or control).
The Cybersecurity Law does not provide for civil penalties; although under the RGCOC (Article 18(2)), it may be possible for the CNCS to increase the amount of any fine applied in order to indirectly effect a partial clawback if the economic benefit derived from the infringement exceeds the maximum fine amounts.
The Cybersecurity Law does not expressly provide for extraterritorial application.
2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?
Private parties may have a right of action resulting from cybersecurity violations, which will normally arise from breach of contract, although claims based on tort grounds may also arise. Relief will consist mainly of compensation for damages suffered (injunctive relief is likely to be unfeasible, as it may prove too difficult to demonstrate ex ante that an information breach or cybersecurity incident may be imminent if the defendant does not adopt specific technical or organisational measures).
As for the possibility to bring claims directly against individuals such as company directors or employees (other than in the context of cybercrime offences), this is likely to prove a limited option for claimants, as the relevant legal persons will remain primarily liable. According to Article 79 of the Portuguese Companies Code, directors or managers may be held directly liable vis-à-vis shareholders or third parties (eg, customers) only if they participate in the intentional or negligent infringement of the relevant legal provisions addressed at protecting those third-party interests, and if such infringement results in damages to the claimant, being limited in any case to direct damages.
2.3 What defences are available to companies in response to governmental or private enforcement?
There are no limitations on the defences available to companies in response to governmental or private enforcement. In practice, companies will seek to demonstrate prior compliance with state-of-the-art organisational and technical measures in order to show their compliance with the requisite duty of care and refute liability for any cybersecurity incidents.
3 Landmark matters
3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?
One landmark case, which is still ongoing, is the Football Leaks case, in which a Portuguese hacker attacked various public and private entities and, in one case, attempted to extort one of those entities. The case has advanced from the pre-trial hearing to the trial phase, which is expected to take place during 2020.
3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?
Two pivotal cyber events have taken place in the last year.
The first, in April 2020, was a ransomware attack against Portugal's largest energy company, during which the attackers allegedly stole and encrypted a large volume of data, while demanding a ransom of approximately €10 million which, according to public information, was not paid.
The second, in July 2020, was an alleged hack by the group Cyber Team against Ministry of Health databases, which allegedly compromised the names and passwords of multiple ministerial members of staff.
4 Proactive cyber compliance
4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.
The National Cybersecurity Centre (CNCS) has been prolific in publishing best practice guidelines (see question 4.2). The CNCS has also recently published a framework document which sets out an extensive list of best practices for organisations on the subject of cyber risk management and minimisation, and addresses several types of security measures (under the headings of "Identify", "Protect", "Detect", "Respond" and "Recover"). It has also published Technical Recommendation 01/2019, advocating the use of Sender Policy Framework, DomainKeys Identified Mail and Domain-based Message Authentication, Reporting and Conformance standards as a means of strengthening security for the use of corporate email.
4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.
The CNCS has been particularly active in issuing guidance on best practices. It has made available on its webpage a series of documents directed at both organisations and individuals describing the best practices to be followed in different scenarios, such as:
- home study;
- travelling; and
- public offices.
It has also provided guidance on the usage of various digital tools, such as:
- Google Classroom and Meet;
- Microsoft Teams;
- Moodle.
It has further made available advice on online meetings and webinars, and precautions relating to the use of passwords.
4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?
The Cybersecurity Law does not establish specific legal duties for corporate officers and directors with respect to proactive cyber compliance. The Companies Code (Article 64) lays out a general duty of care and loyalty to the company, assessed by objective criteria of reasonability and diligence, from which a generic duty to implement preventive cybersecurity procedures might be implied. In any case, potential claims by third parties based on a breach of a generic duty of care will depend on the circumstances reviewed in question 2.2.
4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?
We are not aware of any special rules, regulations or guidance on proactive cyber compliance specifically applicable to listed companies.
4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?
Provided that any applicable duties of secrecy are complied with, companies may share details of cybersecurity threats or related information with other stakeholders. From an institutional perspective, the CNCS liaises and shares information with the European Network and Information Security Agency, as a part of their ongoing cooperation. Corporate actors may also share information, at the national level, within the National Computer Security Incident Response Team (CSIRT) Network, a forum for operational information sharing on cybersecurity matters. The National CSIRT Network comprises several entities – mostly corporates, but also public entities (it includes CERT.PT, a specific incident response service managed by the CNCS) – tasked with handling cybersecurity incidents and consolidating know-how on prevention and response to cyber risks.
5 Cyber-incident response
5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?
The Cybersecurity Law defines an ‘incident' as "an event having an actual adverse effect on network or information systems' security".
Incidents trigger a mandatory notification to the National Cybersecurity Centre (CNCS) for:
- critical infrastructure operators, if the incident has a "relevant impact on network and information systems' security";
- essential services providers, if the incident has a "relevant impact on the continuity of the services provided"; and
- digital services providers, if the incident has a "material impact on the provision of digital services".
The relevance or materiality of an incident's impact is assessed in light of several criteria, such as:
- the number of affected users;
- the duration of the incident;
- the geographic distribution; and
- in the case of digital service providers, the level of seriousness of the service disturbance and the extent of the incident's impact on social and economic activities.
Voluntary notification to the CNCS is possible for incidents "with a relevant impact on service continuity" (Article 20 of the Cybersecurity Law).
Furthermore, in the electronic communications sector, Article 3-A of Law 41/2004 imposes an obligation to notify data breaches specifically involving personal data to the Portuguese Data Protection Authority (CNPD) (and to the data subjects which have been negatively affected) without undue delay. For the purposes of this statute, "data breaches involving personal data" are security breaches leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed in connection with the provision of publicly available electronic communications services.
Also, under the GDPR (which is fully applicable in Portugal), personal data breaches must be notified by the controller to the CNPD without undue delay and, where feasible, within 72 hours of detection, unless the personal data breach is unlikely to present a risk to the rights and freedoms of data subjects.
5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?
Under the Cybersecurity Law, notifications must be sent to the CNCS and should include all information necessary to enable this authority to determine whether an incident has cross-border effects. The Cybersecurity Law refers to subsequent legislation that would regulate the notification requirements in more detail, including issues such as formats and applicable timeframes, but this implementing legislation has not yet been enacted.
The notification requirements set out in the Cybersecurity Law do not apply to electronic communications network and service providers, which must notify data breach incidents to the regulatory authority (ANACOM) (please see question 1.3(a) for details on notification content and timings), or to providers of trust services for electronic transactions (under EU Regulation 910/2014). Banking institutions under the supervision of the Portuguese central bank are also subject to specific rules on the notification of incidents to this authority (please see question 1.3(a) for details on notification content and timings).
Critical infrastructure is also covered by Decree-Law 62/2011 which, among other things, sets out the need for each infrastructure identified as critical to have its own security plan, including security measures for its information systems. The National Platform for the Reduction of Catastrophe Risk also published a best practices guide in 2017 which explicitly mentions the need to "implement measures for the protection of critical information systems, mitigating the risk of eventual cyberattack occurrences".
5.3 What steps are companies legally required to take in response to cyber incidents?
Companies are legally required to notify cyber incidents to the CNCS and/or other competent regulatory authorities (please see questions 1.3(a) and 5.2). In addition, data breaches involving personal data must be notified by the data controller to the CNPD without undue delay and, where feasible, within 72 hours of detection, unless the breach is unlikely to present a risk to the rights and freedoms of the affected data subjects. In this case, notification to the CNPD is made online by means of completion of the appropriate form made available on the CNPD's website.
5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?
Please see question 4.3.
5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?
Portugal is following the European trend, as the number of cyber-incident insurance policies on offer is increasing. Companies seem to be gradually taking on this specific kind of coverage in greater numbers.
According to Eurostat, however, Portugal is still visibly below the average in terms of the number of companies purchasing insurance against ICT security incidents. While 24% of EU enterprises reported being insured, in Portugal only 10% of enterprises were insured against ICT security incidents (data from 2019). We expect these numbers to continue to increase in future, as corporate cybersecurity awareness has been growing significantly in Portugal, in tandem with an increase in the number and severity of cyberattacks targeting Portuguese companies.
6 Trends and predictions
6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
The current cyber landscape is marked by an increase in cyber incidents and cybercriminal activity, driven largely by increasingly sophisticated phishing campaigns.
The Cybercrime Bureau of the Prosecutor General's Office has identified an exponential increase in cybercrime complaints since the start of the COVID-19 crisis. Most of the crimes in question fall under one of four categories:
- frauds relating to mobile payment apps;
- malware attacks through email or SMS;
- phishing campaigns; and
- extortion via email.
We anticipate that in the next 12 months, the national law transposing the European Electronic Communications Code will be approved, which is expected to bring changes to the legal framework governing cybersecurity applicable to electronic communications providers. Also, the implementation and monitoring of cybersecurity requirements for 5G networks will be a relevant issue, as the auction for the award of 5G spectrum licences in Portugal is now expected to conclude by December 2020.
7 Tips and traps
7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?
We believe that the main cyber-related challenges that companies face are as follows:
- Human factor/lack of awareness: The human factor significantly increases the vulnerability of businesses. In fact, a considerable number of cyberattacks occur through social engineering, where the attacker, after research and planning, ‘manipulates' a certain employee into giving out sensitive or confidential information. The best way to address this issue is through:
  - security awareness education;
  - the installation and continual updating of antivirus and other endpoint security measures on user devices; and
  - penetration testing.
- Poor investment decision making: Companies face two main difficulties when it comes to cybersecurity investment:
  - the available budget tends to be constrained; and
  - companies find it difficult to know what technology to use and what to protect.
  It is highly advisable for companies and their chief information security officers to identify their critical assets to ensure that implemented procedures are efficient and protect what needs to be protected. It is also recommended that investments in cybersecurity be preceded by an in-depth cost-benefit analysis, to avoid overinvestment and unnecessary systems overhaul which may not be suited to the company's specific risk profile.
- Cloud computing threats: Resort to cloud-based services has become commonplace as they afford numerous advantages, such as flexible costs and capacity and improved mobility and collaboration. However, cloud computing also implies threats, risks and vulnerabilities. In particular, companies may face data theft, ransomware attacks and malware infections that unleash a targeted attack. Adequate prevention requires that companies:
  - control access to data through means of authentication and user access restrictions;
  - consider cloud encryption in order to protect the data; and
  - develop an incident response plan.