Cyber security framework and legislation addressing cyber crime in Portugal

You are currently viewing Cyber security framework and legislation addressing cyber crime in Portugal

Cyber security is very critical for nations to not only prevent their critical assets but also for citizens to trust ICT systems with their transactions. Having a legislative structure builds confidence of public in system. Portugal has instituted Cyber security Law (Law No. 46/ 2018). The law requires Public Administration, Critical Infrastructure Operators, Essential Service Operators, Digital Service Providers and any other entities that use information networks and systems to comply with security requirements.  The law subjects Portuguese citizens for the offence committed in Portuguese territory or that committed on IT system in Portuguese territory regardless of territory from where the offence is committed. Portugal has also instituted Cyber crime Law (Law no. 109/ 2009) under which following is a criminal offense.

“A cyber attack may potentially compromise millions of users. Recent history shows data breaches hitting multinational companies, in attacks which were both expensive and hard to forget. “

  1. Hacking: Unauthorized access to a system or a part of it.
  2. Denial of Service attacks: Unauthorized access with the objective to disrupt services
  3. Phishing: Actions with intention of deception is an offense and punishable.
  4. Infection of IT system (ransomware, malware, spyware, worms, trojans etc.): Infection of IT system with malwares is considered sabotage, and is punishable under cyber crime law.
  5. Possession or use of hardware, software or other tools used to commit cyber crime (e.g. hacking tools) is foreseen in Cyber crime law as a criminal offense.
  6. Identity threat or Identity fraud with the intention or action to deceive is considered as IT Falsehood.
  7. Electronic theft (copying or dissemination) of software, confidential information or IPR is a punishable offence.
  8. Unlawful interception of data with commercial/ illegal intentions that may amount to loss to originator or intended recipient of data.
  9. Failure by an organization to implement cyber security measures is not a criminal offense, but under the Cyber security Law, the Portuguese supervisory authority may fine organizations that fail to implement security measures.

In come cases where offences has other intent (offences) such as terrorism, the penalties get even severe. The cases may include other offenses that are applicable under Electronic Commerce Law, Electronic Communication Law, General Data Protection Regulation (GDPR) etc.

With the desire to be a true game changer for cyber security resilience and cooperation in Europe, the European Parliament and Council of the European Union adopted the Directive on Security of Network and Information Systems (NIS Directive) in 2016 – the first EU horizontal legislation addressing cyber security challenges. The directive includes designation of at least one national competent authority, the setting-up of computer-security incident response teams (CSIRTs), the adoption of national cyber security strategies and the identification of providers of essential services.

Some organizations depending on the importance of infrastructure they house are classified as Critical Infrastructure. These organisations are required to put in place stringent security of systems and networks as per NIS Directive. Public organizations not complying with regulation of critical infrastructure may be levied a fine.  Additionally, organization are required to take measures to monitor, detect, prevent or mitigate incidents. Further, regulator might direct organisations to establish following measures:

  •  A permanent point of contact
  •  A map of all technical and organizational measures
  •  Evaluation exercises and drills

Organization who provide electronic services must retain one year’s worth of electronic transaction/ records and device deployment details. Digital providers who are into public service must also comply by ISO27001 standards. These organizations are also required to notify incidents to CNCS. In case, incidence is related to personal data, it must be reported to CNPD. Cyber insurances are also available these days in the Portuguese insurance market to cover liabilities arising out of impact to ICT assets.

Implementing security measures is costly affair for an organisation and can be a drain for small enterprises. Further some specific services are given relaxation based on  the nature of work. Following are excluded from the application of cyber security Law:

  1. Micro and small enterprises
  2. Undertaking providing public communications networks or publicly available electronic communications
  3. Trust service providers
  4. Information networks directly related to command and control of General Staff of Armed Forces
  5. Networks and information system that process classified information.

Further Readings

Leave a Reply