Newsletters

2023-10-30
Cybersecurity in Portugal: Trends and Compliance

by Eduardo Magrani, Senior Consultant in the TMT practice area

"If cybercrime were a State, it would be the third largest economy in the world, after the United States and China, with a GDP of US$ 10 trillion", declared the Prime Minister of Albania, referring to estimates that cybercrime could generate US$ 10 trillion a year by 2025. Cybercrime is today one of the most lucrative areas of technology and it keeps growing, as criminal organisations professionalise the development and distribution of malicious activity: ransomware, phishing, credential theft and other attacks.

Given these figures and their impact, cybersecurity has become one of the main concerns and priorities of the European Union in recent years. This is reflected in the strategies and regulations that have been drafted, discussed and approved over the years to ensure a safer, more connected and more digital Europe.

The first EU law on cybersecurity, the NIS Directive, which came into force in 2016, helped achieve a common level of security of network and information systems across the EU. Complementarily, the EU Cybersecurity Act, in force since 2019, equipped Europe with a cybersecurity certification framework for ICT products, services and processes, and strengthened the mandate of the EU Agency for Cybersecurity (ENISA).

Never, however, has the scope of these rules been as broad as with the NIS 2 Directive (Directive (EU) 2022/2555), which entered into force in 2023. The new directive repeals the NIS Directive (Directive (EU) 2016/1148), widens the range of sectors covered, and tightens the management of cybersecurity risks by imposing risk-management and incident-reporting obligations on entities in those sectors. Its main objective is a high common level of cybersecurity across the Union. There is therefore broad agreement today that each Member State needs an efficient implementation of effective cybersecurity measures.

In Portugal specifically, the Government has been adopting cybersecurity strategies against these threats. The country has had a national cybersecurity strategy since 2015; it was revised in 2019, giving rise to the National Strategy for Cyberspace Security.

According to the Portuguese Government, the implementation of this strategy aims to make Portugal a safer country through innovative, inclusive and resilient actions that preserve the fundamental values of the democratic rule of law and guarantee the regular functioning of institutions in the face of the digital evolution of society. The National Cybersecurity Centre (CNCS) is in charge of coordinating the preparation of the Action Plan of the National Strategy for Cyberspace Security, monitoring its implementation and reviewing it, in cooperation with all the entities responsible for cyberspace security in the country.

As for the number of cybersecurity incidents in Portugal, recent episodes have shown, more than ever, that cybersecurity must be treated as a central topic. Police authorities have registered a significant increase both in crimes typified in the Cybercrime Law and in incidents with high disruptive potential. The number of incidents registered by CERT.PT increased by 14%, from 1,781 in 2021 to 2,023 in 2022. Among these were several cyber-attacks with a high impact on infrastructure and services in Portugal. The sectors most affected by cybersecurity incidents in Portugal during 2022 were Banking (mainly phishing against customers), Education, Science, Technology and Higher Education, Transport and Health.

According to information from the CNCS, recent months have seen an increase in the complexity and impact of some incidents. The threats that most significantly affect Portuguese cyberspace are ransomware, cybersabotage and service unavailability, phishing, smishing and vishing, online scams, and distributed denial of service (DDoS) attacks, among others.

Many cases of phishing, smishing, vishing and online scamming rely on social engineering, that is, on manipulating individuals rather than breaking technical controls, which reflects a weak culture of cybercrime prevention. Account compromises and fraudulent login attempts are often the result of compromised passwords and leaked personal data; many of them could be prevented by enforcing multi-factor authentication, among other technical and organisational measures.

Organisations should be aware of this and willing to invest in the area: they need to protect their critical business assets, build trust, avoid financial and reputational damage, and ensure compliance with existing regulations. Accordingly, cybersecurity investment in Portugal grew by 10.7% this year, reaching €300 million, which shows that it has become a priority for companies and organisations in the face of the growing risk and complexity of cyber-attacks.

A good cybersecurity strategy should start with a proper mapping of the regulations that apply to the business, as the basis for compliance, together with an appropriate data management and awareness programme for that business. The design of an information security programme should fundamentally address three pillars: Governance, Technology, and Culture.

Governance refers to the leadership and accountability structures established to ensure that information security policies, contracts and practices are implemented and managed. The technology pillar is the set of tools and systems used to protect information. The culture pillar is the set of values, beliefs and behaviours that promote information security. These pillars unfold into concrete actions such as risk identification and prevention, incident detection, response and asset recovery, among others.

It is essential today for organisations to have adequate governance of this kind: good risk indicators, the capacity to defend against attacks, and crisis management that involves the main areas of the company. Objectives and structures must be clear and well implemented, and backed by adequate commitment and expertise, so that the organisation can react competently and quickly to the new cybersecurity challenges.