23 February 22 | Lisboa
TOL NEWS 20, CYBERSECURITY
Technical Instruction - Regulation 183/2022, of 21 February

Regulation 183/2022, of 21 February that sets up the Technical Instruction on communications between entities and the National Cybersecurity Centre.

The legal regime of cyberspace security was subject to regulation through Decree-Law 65/2021, of 30 July, which also proceeds to implement, in the national legal order, the obligations arising from Regulation (EU) 2019/881, of the European Parliament and of the Council, of 17 April 2019, allowing the implementation of a national cybersecurity certification framework.

The legal framework for cyberspace security applies to public administration entities, critical infrastructure operators, operators of essential services, digital service providers, as well as any other entities using networks and information systems, namely within the scope of voluntary incident reporting.

The legal regime for cyberspace security established the Cyberspace Security Structure, enshrining the National Cybersecurity Centre as the National Cybersecurity Authority and "CERT.PT" as the National Computer Security Incident Response Team.

Within the scope of the competence to issue cybersecurity instructions attributed to the National Cybersecurity Centre (CNCS), a Technical Instruction was issued on the communication of information regarding permanent contact points, the security officer, the inventory of assets, the annual report and incident notification.

Sending and processing information

The information must be sent electronically to the email address sri@cncs.gov.pt, or via the API (application programming interface) made available by the CNCS for this purpose. Entities that wish to send the information protected by a cryptographic method may encrypt it with the PGP public key associated with that email address, which is published on the CNCS website.

Permanent contact point

The permanent contact point must be communicated to the CNCS. The information sent must include, namely, the name of the person or persons responsible, or the available service or operational team, for ensuring the functions of permanent contact point, and an indication of the main and alternative means of contact, by filling in the form attached as Annex I to the Instruction, available on the website of the National Cybersecurity Centre.

Security Officer

The designation of the security officer should be communicated to the CNCS. The information should contain the name of the person designated as security officer, as well as the details indicated in the form attached as Annex II to the Instruction, available on the website of the National Cybersecurity Centre.

Asset inventory

"Asset" is understood as all the information and communication systems, equipment and other physical and logical resources considered essential, managed or owned by the entity, which directly or indirectly support one or more services.

Equipment inventory

The entity shall carry out the inventory of its equipment in accordance with the following rules:

  1. Physical devices and systems must be inventoried with the following information: i) Inventory number; ii) Equipment name and model; iii) Serial number; iv) Location.
  2. Devices connected to the network should have the following complementary information: i) IP address; ii) Hardware address.
  3. The responsible persons for devices and systems should be identified with, at least, the following elements: i) Name; ii) Contact; iii) Department.
  4. Physical devices and systems must be classified according to their criticality to the entity.

Inventory for applications

The entity should draw up the inventory of all its applications, identifying:

  1. Information necessary for the inventory of an application, namely: i) Name of the software; ii) Version; iii) Manufacturer.
  2. The responsible persons for the applications with, at least, the following elements: i) Name; ii) Contact; iii) Department.
  3. The classification according to the criticality of the application for the entity.
  4. When applicable, the type of support contract in force with the supplier of the application or software platform.

For assets directly accessible through the internet

The entities must also communicate to the CNCS, for all assets directly accessible to the public through the Internet, a list with the following information:

  a. Supported service;
  b. Name of the equipment/name of the software;
  c. Model/Version;
  d. IP address, if applicable;
  e. Fully Qualified Domain Names (FQDNs), if applicable;
  f. Manufacturer,

by completing the form attached as Annex III to the Instruction, available on the website of the National Cybersecurity Centre.

Annual Report

The annual report must be communicated to the CNCS containing the information referred to in paragraph 1 of Article 8 of Decree-Law 65/2021 of 30 July 2021, namely:

  i. Identification of the entity;
  ii. Calendar year and reporting period;
  iii. Summary description of the main activities developed regarding the security of networks and information systems;
  iv. Quarterly statistics of all incidents, indicating the number and type of incidents;
  v. Aggregate analysis of the security incidents with relevant or substantial impact, with information on: 1. Number of users affected by the service disruption; 2. Duration of the incidents; and 3. Geographical distribution with regard to the area affected by the incident, including indication of cross-border impact;
  vi. Recommendations of activities, measures or practices that promote the improvement of network and information systems security;
  vii. Problems identified and measures implemented following the incidents;
  viii. Any other relevant information;
  ix. Date, Security Officer and signature of the Security Officer.

The Annual Report should be sent to the CNCS email address (sri@cncs.gov.pt).

Incident notifications

Incident notifications and additional information shall be sent via the website of the National Cybersecurity Centre (https://www.cncs.gov.pt) under "Incident Notification", by filling in the reporting model established for that purpose, or via the API (application programming interface) made available by the CNCS for that purpose.

In cases where the entity, as a result of an incident or for any other duly justified reasons of an eminently technical nature, temporarily does not have the operational capacity to ensure notification on the website of the National Cybersecurity Centre, or in cases where that website is unavailable, notification may be made, by way of exception, through one of the following means:

  1. E-mail sent to the following address: cert@cert.pt;
  2. Telephone on (+351) 210 497 399; or
  3. Telephone on (+351) 910 599 284, continuously available (24 hours a day, seven days a week).

This Instruction is linked to Law 46/2018, which establishes the legal framework for cyberspace security and transposes Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, and to Decree-Law 65/2021, which regulates the legal framework for cyberspace security and defines the obligations on cybersecurity certification in implementation of Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019.