Portugal
(a) What is the NIS2 implementation status?
The decree-law was placed for public consultation starting on 22 November, and what we thought would be two different documents has been combined into one.
The draft decree-law, attached hereto in a machine translation into English, was placed for public consultation yesterday and was up for discussion until 31 December 2024. During this period of public consultation, all interested parties, citizens, etc., may suggest amendments and corrections, so it is not guaranteed that this will be the final wording.
(b) What is the envisaged NIS2 implementation timeline?
A final wording would most likely not be available before the end of the year; with luck maybe before Christmas.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The other national cybersecurity legislation must be revised, in order to comply with the new requirements imposed by NIS2, namely law 46/2018 of August 13 (regarding the Legal Framework for Cyberspace Security) and decree-law 65/2021 of July 30 (which regulates the legal framework for cyberspace security).
(d) Who will be the supervisory authority and how are they preparing the market?
The supervisory authority is Centro Nacional de Cibersegurança Portugal (CNCS). In the past, CNCS adopted a pedagogical approach; however, it has recently assumed a more proactive attitude and has warned that it will become stricter in applying the legal regime. It is currently preparing an implementation impact study regarding the NIS2 transposition, which should be presented in October of this year.
(e) What should you be doing/on the lookout for?
Clients operating in the various sectors now covered by NIS2 should begin to ensure compliance with the new rules, particularly in terms of risk management measures and stricter and more detailed information obligations, especially regarding providers of public communications networks or publicly available electronic communications services.
Furthermore, additional care must be taken with the rules that have already been laid down, as regulators are expected to take a closer look at the application of cybersecurity law.
As a very high-level preliminary analysis, we highlight the following:
- the decree-law excludes from its scope public entities in the fields of national security, public security, defence and intelligence services;
- the Portuguese National Cybersecurity Authority, which was the single point of contact under NIS1, naturally has its attributions and powers as the national cybersecurity authority reinforced, and ‘sectoral’ and ‘special’ supervisory authorities have been created to oversee specific sectors of the economy.
Contact
Margarida Roda Santos E: mrodasantos@eversheds-sutherland.net
Paulo Sampaio Neves E: psampaioneves@eversheds-sutherland.net
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.