Public Administration entities and operators of critical infrastructure and essential services that have no security plans against cyberattacks and do not take sufficient measures to prevent and mitigate these risks can be fined up to €50,000, according to a report by Diário de Notícias.

This covers entities in sectors ranging from energy to communications and transport, which are required to report incidents and risks associated with computer attacks to the National Cybersecurity Center (CNCS), under penalty of being sanctioned.

According to the newspaper, these rules have been in the law since 2018, but it was only in July last year that the regulation of the “Legal Regime for Cyberspace Security” was published, defining “obligations in terms of cybersecurity certification” to be complied with from 2022.