LAW NO. 46/2018, OF AUGUST 13th
The Cyberspace Security Legal Framework transposing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 came into force. This regime provides measures for a high common level of security of networks and information1 systems across all European Union Member States.
The new legal framework requires compliance with certain security requirements and also the obligation to notify certain incidents with a relevant impact on the networks and information systems of the public administration entities, critical infrastructure operators, operators of essential services and digital service providers.
The adoption of this act is justified by the important role in society that networks and information systems assume and play in our daily lives. Such security incidents have an ever-increasing impact, frequency and breadth and may “(...) call into question the regular functioning of the society, endanger human life, cause financial losses and compromise confidentiality, the integrity and availability of information from the networks and systems of the Public Administration, the operators of essential services and the digital service providers” - explanatory memorandum
of the legislative proposal.
For the purposes of cyberspace security, the Portuguese legislator has created a Higher Council and also foresees the creation of a National Cybersecurity Center (NCSC) and an Incident Response Team (“CERT.PT”).
With regard to fines, the non-distinction between the public and private sectors is confirmed with public entities being subject to financial penalties. In fact, it should be noted that in case of very serious infringements, the law provides fines that can reach 25,000.00 euros (in the case of natural persons) and up to 50,000.00 euros (in the case of legal persons).
1According to Law no. 46/2018, networks and information systems means “any device or group of interconnected or related devices in which, one or more of them develops, in execution of a program, automated processing of computer data as well as the communications network between them and the set of computer data stored, processed, retrieved or transmitted by that or those devices with a view to their operation, use, protection and maintenance”.