Portugal (PT)

Portugal's National Cybersecurity Strategy was published by the government in May 2015.

The purpose of the strategy is to promote awareness and the free, safe and efficient use of cyberspace; protect fundamental rights, freedom of expression, personal data and the privacy of citizens; strengthen and guarantee the security of cyberspace, of critical infrastructures and of vital national services; and affirm cyberspace as a place for economic growth and innovation.

It focuses on six strategic objectives:

Obj. 1 - Structure of cyberspace security: establish politico-strategic coordination for the security and defence of cyberspace under the responsibility of central government. The strategy defines plans to consolidate the operational coordination and national authority role of the National Centre for Cybersecurity (CNCS) as the competent national authority, which must develop and implement measures that ensure the human and technological capacities of public and critical infrastructures, with a view to preventing and responding to cybersecurity incidents. Another key related goal is ensuring an understanding of threats and vulnerabilities as essential for risk analysis, as well as improving the use of available means and resources for dealing with the risks and identifying gaps that need to be filled.

Obj. 2 - Tackling Cybercrime: Implement the Cyber Defence Policy Guidance, approved by Dispatch 13692/2013. Make cyber defence an area where it is necessary to promote synergies and encourage the dual use of its capabilities, under the scope of military operations and national cybersecurity. Develop a national incident response capability. The various CSIRTs must use a common taxonomy and automatic mechanisms for sharing operational information among themselves.

Obj. 3 - Protecting cyberspace and national infrastructures: Assess the maturity and ability of the public and private bodies that administer critical infrastructures and vital information services to ensure the security of cyberspace. Develop the ability to detect attacks on information systems, especially those belonging to public bodies and critical national infrastructures. Include cyberspace security measures in national critical infrastructures’ protection plans, following a risk-management-based approach.

Obj. 4 - Education, awareness and prevention: Promote information campaigns and alerts for all citizens and businesses. Raise awareness among public and private operators of the critical nature of computer security. Promote a culture of cyberspace security through campaigns and initiatives that are coordinated and developed with a common and positive approach. Improve cyberspace security training. Promote specialist training in cyberspace security by creating or enhancing the provision of multidisciplinary courses, and by changes to the existing curriculum. Promote specialist training of decision-makers and public body and critical infrastructure administrators from an awareness and prevention perspective. Establish special programmes for Small and Medium Enterprises (SME), socio-professional associations and, particularly, freelance professionals.

Obj. 5 - Research and development: Promote scientific research and development in various aspects of cyberspace security. Support national participation in international projects. Maximise synergies resulting from national participation in international forums.

Obj. 6 - Co-operation: Develop cooperation initiatives in areas linked to the security of information systems, cybercrime, cyber defence and cyber terrorism, cyber espionage and cyber diplomacy. Multilateral cooperation and collaboration. Participate in and co-operate with CSIRT forums. Participate in exercises alongside national and international actors, particularly in the context of the EU and NATO.

 

NATIONAL CYBER SECURITY STRATEGY - NIS Capacities

 

Year of adoption: 2015
Updates and revisions

http://www.idn.gov.pt/publicacoes/cadernos/idncaderno_12.pdf

The strategy defines the competences of the Portuguese National Cyber Security Centre.

Implementation and monitoring

Central government is responsible for implementing the strategy.

The 2015 strategy will be reviewed within no more than three years (i.e. 2018).
Annual verifications of the strategic objectives and lines of action are planned to adapt objectives and actions to changing circumstances.

Operational capacity building

The National Centre for Cybersecurity (Centro Nacional de Cibersegurança – CNCS; Portuguese and English) is the Portuguese national authority for cybersecurity. It works in coordination with all competent authorities and implements the measures necessary to safeguard critical infrastructures and national interests from cyber threats. Its work includes:

  • Working with operators of essential services, digital service providers and government organisations in view of their critical role in ensuring the proper functioning of society.
  • Ensuring the creation of legal benchmarks for cybersecurity.
  • Developing national capacities for preventing, monitoring, detecting, analysing and taking actions to tackle cyber incidents.
  • Contributing to the security of information and communication systems of government organisations, operators of essential services and digital service providers. 
  • Promoting the training and qualification of human resources on cybersecurity to create a community of knowledge and national culture of cybersecurity.
  • Supporting the development of technical, scientific and industrial capabilities, promoting projects for innovation and development in the area of cybersecurity.
  • Ensuring the planning of cyberspace use in critical situations within the frame of emergency civil planning under Decree-Law 73/2013.
  • Coordinating the international co-operation on cybersecurity issues, in coordination with the Ministry of Foreign Affairs.
  • Coordinating the transposition of the NIS Directive (EU Directive 2016/1148), on measures to ensure a high common level of network and information security across the Union, into the internal legal order.

CERT.PT is tasked with responding to incidents affecting government organisations, critical infrastructures, operators of essential services, digital service providers, and the national cyberspace, including any device belonging to a network. CERT.PT is an accredited member of the Trusted Introducer.

National Network of CSIRTs (Computer Security Information Response Teams; Portuguese):

Additional capacity building: The National Centre for Cybersecurity, https://www.cncs.gov.pt/, supports requests for the development of incident reaction capability through the creation of new Computer Security Information Response Teams (CSIRT).

Legal conditions

Decree-Law Nº 69/2014 (May 9th)

The Act for National Security and the Safeguarding and Defence of Classified Material (SEGNAC 1) 1988 requires all information that is subject to national or civil security considerations to be classified. The four-tiered classification system used is outlined in Chapter 2 of the act, SEGNAC 2 1989. Two other laws, SEGNAC 3 1994 and SEGNAC 4 1990, provide further classification requirements for information regarding industrial security, telecommunications, and computer security.

The 2015 strategy highlights the need to review and update legislation: The competent authorities must adopt the measures necessary for the development and implementation of legislation designed to ensure the criminalisation of new types of crimes – whether against or taking advantage of cyberspace – and ensure improved judicial cooperation at a national and international level.
Legislation supporting criminal investigations must be constantly updated to ensure their effective application in cyberspace.

Business and Public private partnerships

There is no defined public-private partnership for cybersecurity in Portugal; however, the National Centre for Cybersecurity is tasked with liaising with the private sector in the course of its duties.

Other capacity-building measures: research and education

http://www.idn.gov.pt/publicacoes/cadernos/idncaderno_12.pdf

Promoting the training and qualification of human resources on cybersecurity to create a community of knowledge and national culture of cybersecurity.

Supporting the development of technical, scientific and industrial capabilities, promoting projects for innovation and development in the area of cybersecurity.

Overall assessment/best practices

The national centre's website is easy to navigate and, overall, measures are in place to educate on cybersecurity and facilitate all stakeholders. The national centre draws attention to reporting a cyber incident, making it easy to access relevant pages quickly.

Date of last analysis: July 2017

 

 

Report a cyber incident to a national CERT/CSIRT

The 2015 strategy provides for cybersecurity incident report mechanisms by public bodies and critical infrastructure operators to achieve operational effectiveness and improved situational assessment.

CERT.PT - Cyber incidents can be reported to the National Centre for Cybersecurity. Procedures for incident handling are explained here:

1. Select the type of cyber incident/problem, e.g. malware, availability, intrusion, fraud, etc.

2. Send an email to cert@cert.pt with details about the incident.

3. For emergency cases, telephone: +351 210497399.

The Centre also provides onsite support (www.cncs.gov.pt/en/certpt_en/on-site-support/) for:

  • State organisations.
  • Operators of Essential Services.
  • Digital Service Providers.

RCTS network and bodies of the Ministry of Education and Science

Guidance and Updates

The Portuguese National Centre for Cybersecurity provides security alerts as well as advice on preventing cyber attacks.

Languages

Portuguese and English

Date inserted: July 2017
