Law 46/2018 of 13 August 13 has now been published. This law approves the Legal Framework of Cybersecurity (Regime Jurídico da Segurança do Ciberespaço, referred to here by its Portuguese initials, "RJSC"), implementing Directive (EU) 2016/1148, of the European Parliament and of the Council of 6 July 2016, on measures to ensure a high common level of network and information security across the Union.
The RJSC establishes the structure for cybersecurity security and requires compliance with security requirements and notification of incidents to the National Cybersecurity Centre, whenever there is an incident having a relevant or substantial impact on networks and information systems.
The RJSC applies to:
The Public Administration Critical infrastructure operators Essential services operators Digital service providers whose registered office is located in Portugal, and provide (i) online market services, (ii) online search engine services and (iii) cloud-computing services; Any other entities that use information networks and systems. This RJSC requires these entities to comply with security requirements that entail compliance with appropriate, proportionate technical and organisational measures, and management of the risks inherent to the security of the networks and information systems they use.
With regard to digital service providers, in order to provide a security level appropriate to the risk inherent in the security of the information networks and systems they use within the context of the provision of digital services, the RJSC requires that the following factors be considered: (i) security of the systems and facilities, (ii) processing of incidents, (iii) business continuity management, (iv) monitoring and auditing of the tests conducted, and (v) compliance with international standards. With regard to the obligation of notification of incidents to the National Cybersecurity Centre, digital service providers must notify an incident only when faced with an incident having «substantial impact» and to the extent to which they have access to the information needed to assess the impact of the accident on the basis of the factors listed above. In relation to other entities covered by the RJSC, in order to determine the relevance of the impact of the incident, the number of users affected, the duration of the incident and the geographical distribution are taken into account. Over and above the parameters listed above, digital service...