Legal alert no. 70

Law no. 46/2018, August 13^th.

On August 13^th Law no. 46/2018 was published, at the Portuguese Official Gazette, establishing the legal framework of cyberspace security, transposing the Directive (EU) 2016/1148 of the European Parliament and of the Council of July 6^th, 2016, concerning measures for a high common level of security of network and information systems across the Union.

This law applies to the Public Administration, to critical infrastructure operators, to essential services operators, to digital service providers that provide online market related services, online search engine and/or cloud computing services providers with an establishment in Portugal or, not having it, had assigned a representative established in the Portuguese territory as long as they are providing digital services, as well as any other entity that uses networks and information systems.

This law establishes that the National Cyberspace Security Strategy shall define a State framework, as well as objectives and lines of action in this matter according to the national interests. Such strategy shall be adopted by the Committee of Ministers, upon the proposal of the Prime Minister and with the consultation of Cyberspace Security National Council.

The referred law also defines the cyberspace security structure.

The following competencies were assigned to the Cyberspace Security National Council, which is the specific body for consultation of the Prime Minister on matters regarding cyberspace security:

(i)                   to ensure political-strategic coordination for the cyberspace security;

(ii)                 to verify the implementation of the National Cyberspace Security Strategy, drawing up an yearly, or whenever necessary, report of the execution evaluation, sending that report to the Assembly of the Republic by March 31^th of the subsequent year;

(iii)                to issue an opinion on matters relating to cybersecurity; and

(iv)                respond to requests from the Prime Minister or a government official in which the former delegates.

This law also regulates the Computer Security Incident Response Teams and the National Cybersecurity Center, consisting in the National Cybersecurity Authority and operating within the National Security Office.

The National Cybersecurity Center’s mission is to ensure the use of cyberspace in a free, reliable and secure manner by promoting the continuous improvement of national cybersecurity and international cooperation, in connection with all competent authorities, as well as defining and implementing measures and instruments necessary for anticipating, detecting, reacting and recovering from situations  under which, in view of the imminence or occurrence of incidents, may jeopardize the national interest, the normal functioning of the Public Administration, critical infrastructure operators, essential service operators and digital service providers, acting in coordination with the National Data Protection Commission, in the case of incidents that have given rise to the data breach.

Law no. 46/2018 also defines security and standardization requirements, incident notification requirements, security requirements and incident reporting for the Public Administration and infrastructure operators, for essential service operators and for digital service providers.

It also establishes sanctions for those who violate the provisions of this law defined as serious or very serious administrative offenses, in accordance with articles 21 et seq., being the National Cybersecurity Center responsible for supervising and applying the provided sanctions.

The serious offenses result from the failure of the obligation to notify the National Cybersecurity Center of incidents and of the activity in the digital infrastructure sector and very serious offenses result from from non-compliance with the obligation to implement security requirements and non-compliance with the issued cybersecurity instructions by the National Cybersecurity Center.

Serious administrative offenses have fines from € 1000 to € 3000 for natural persons and fines from € 3000 to € 9000 for legal persons. The very serious administrative offenses have established fines varying between € 5000 and € 25000 for natural persons and between € 5000 and € 25000 for legal persons.

Lastly, Law no. 48/2018 also sets a 150 days deadline, after the new legislation comes into force, to define the security and incident reporting requirements identified in Article (31).

This Law repealed the Resolution of the Council of Ministers no. 115/2017 of August 24^th and has entered into force on August 14^th, 2018.

Access here the full version of Law no. 46/2018.