Portugal's National Cybersecurity Strategy was published by the government in May 2015.
The purpose of the strategy is to promote awareness and the free, safe and efficient use of cyberspace; protect fundamental rights, freedom of expression, personal data and the privacy of citizens; strengthen and guarantee the security of cyberspace, of critical infrastructures and of vital national services; and affirm cyberspace as a place for economic growth and innovation.
It focuses on six strategic objectives:
Obj. 1 - Structure of cyberspace security: establish politico-strategic coordination for the security and defence of cyberspace under the responsibility of central government. The strategy defines plans to consolidate the operational coordination and national authority role of the National Centre for Cybersecurity (CNCS) as the competent national authority, which must develop and implement measures that ensure the human and technological capacities of public and critical infrastructures, with a view to preventing and responding to cybersecurity incidents. Another key related goal is ensuring an understanding of threats and vulnerabilities as essential for risk analysis, as well as improving the use of available means and resources for dealing with the risks and identifying gaps that need to be filled.
Obj. 2 - Tackling Cybercrime: Implement the Cyber Defence Policy Guidance, approved by Dispatch 13692/2013. Make cyber defence an area where it is necessary to promote synergies and encourage the dual use of its capabilities, under the scope of military operations and national cybersecurity. Develop a national incident response capability. The various CSIRTs must use a common taxonomy and automatic mechanisms for sharing operational information among themselves.
Obj. 3 - Protecting cyberspace and national infrastructures: Assess the maturity and ability of the public and private bodies that administer critical infrastructures and vital information services to ensure the security of cyberspace. Develop the ability to detect attacks on information systems, especially those belonging to public bodies and critical national infrastructures. Include cyberspace security measures in national critical infrastructures’ protection plans, following a risk management based approach.
Obj. 4 - Education, awareness and prevention: Promote information campaigns and alerts for all citizens and businesses. Raise awareness among public and private operators of the critical nature of computer security. Promote a culture of cyberspace security through campaigns and initiatives that are coordinated and developed with a common and positive approach. Improve cyberspace security training. Promote specialist training in cyberspace security by creating or enhancing the provision of multidisciplinary courses, and by changes to the existing curriculum. Promote specialist training of decision-makers and public body and critical infrastructure administrators from an awareness and prevention perspective. Establish special programmes for Small and Medium Enterprises (SME), socio-professional associations and, particularly, freelance professionals.
Obj. 5 - Research and development: Promote scientific research and development in various aspects of cyberspace security. Support national participation in international projects. Maximise synergies resulting from national participation in international forums.
Obj. 6 - Co-operation: Develop cooperation initiatives in areas linked to the security of information systems, cybercrime, cyber defence and cyber terrorism, cyber espionage and cyber diplomacy. Multilateral cooperation and collaboration. Participate in and co-operate with CSIRT forums. Participate in exercises alongside national and international actors, particularly in the context of the EU and NATO.
NATIONAL CYBER SECURITY STRATEGY - NIS Capacities
|Year of adoption||2015|
|Updates and revisions||
The strategy defines the competences of the Portuguese National Cyber Security Centre.
|Implementation and monitoring||
Central government is responsible for implementing the strategy.
The 2015 strategy will be reviewed within no more than three years (i.e. 2018).
|Operational capacity building||
The National Centre for Cybersecurity (Centro Nacional de Cibersegurança – CNCS; Portuguese and English) is the Portuguese national authority for cybersecurity. It works in coordination with all competent authorities and implements the measures necessary to safeguard critical infrastructures and national interests from cyber threats.
CERT.PT is tasked with responding to incidents affecting government organisations, critical infrastructures, operators of essential services, digital service providers, and the national cyberspace, including any device belonging to a network. CERT.PT is an accredited member of the Trusted Introducer.
National Network of CSIRTs (Computer Security Information Response Teams; Portuguese):
Additional capacity building: The National Centre for Cybersecurity, https://www.cncs.gov.pt/, supports requests for the development of incident reaction capability through the creation of new Computer Security Information Response Teams (CSIRT).
Decree-Law Nº 69/2014 (May 9th)
The Act for National Security and the Safeguarding and Defence of Classified Material (SEGNAC 1) 1988 requires all information that is subject to national or civil security considerations to be classified. The four-tiered classification system used is outlined in Chapter 2 of the act, SEGNAC 2 1989. Two other laws, SEGNAC 3 1994 and SEGNAC 4 1990, provide further classification requirements for information regarding industrial security, telecommunications, and computer security.
The 2015 strategy highlights the need to review and update legislation: The competent authorities must adopt the measures necessary for the development and implementation of legislation designed to ensure the criminalisation of new types of crimes – whether against or taking advantage of cyberspace – and ensure improved judicial cooperation at a national and international level.
Business and Public private partnerships
There is no defined public-private partnership for cybersecurity in Portugal; however, the National Centre for Cybersecurity is tasked with liaising with the private sector in the course of its duties.
|Other capacity-building measures: research and education||
Promoting the training and qualification of human resources on cybersecurity to create a community of knowledge and national culture of cybersecurity.
Supporting the development of technical, scientific and industrial capabilities, promoting projects for innovation and development in the area of cybersecurity.
|Overall assessment/best practices||
The national centre is easy to navigate and overall, measures are in place to educate on cybersecurity and facilitate all stakeholders. The national centre draws attention to reporting a cyber incident, making it easy to access relevant pages quickly.
|Date of last analysis||July 2017|
Report a cyber incident to a national CERT/CSIRT
|Report a cyber incident to national CERT/CSIRT||
The 2015 strategy provides for cybersecurity incident report mechanisms by public bodies and critical infrastructure operators to achieve operational effectiveness and improved situational assessment.
1. Select type of cyber incident/problem e.g. malware, availability, intrusion, fraud etc.
2. Send email to firstname.lastname@example.org with details about the incident.
3. For emergency cases, telephone: +351 210497399.
The Centre also provides onsite support (www.cncs.gov.pt/en/certpt_en/on-site-support/) for:
|Guidance and Updates||
The Portuguese National Centre for Cybersecurity provides security alerts as well as advice on preventing cyber attacks.
Portuguese and English
|Date inserted||July 2017|