Portugal, as a Member State of the European Union, is subject to the EU data protection regulation, notably Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
The GDPR is complemented by Law No. 58/2019, of 8 August 2019, implementing the Regulation in the national legal order (Implementation Law)2 and repealing the former Portuguese data protection Law No. 67/98, of 26 October 1998. The Implementation Law further amended and republished Law No. 43/2004, of 18 August 2004, on the organisation and operation of the Portuguese data protection supervisory authority, the National Data Protection Commission (CNPD).
Cybersecurity, on the other hand, is regulated by Law No. 46/2018, of 13 August, which approved the legal regime for the security of cyberspace (Cybersecurity Law) and transposed into the national order Directive 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to ensure a high common level of security of networks and information systems throughout the Union.
The Cybersecurity Law has been recently regulated under Decree-Law No. 65/2021, of 30 July, which defines the obligations regarding cybersecurity certification pursuant to Regulation (EU) 2019/881 of the European Parliament, of 17 April 2019.
Although the Portuguese reality, particularly with regard to the implementation of the GDPR, may still be characterised by the significant data exposures by companies, the lack of adequate security measures implemented to mitigate the existing risks and the disrespect for the Privacy by Design principle, the topics of personal data and cybersecurity, attention to privacy and cybersecurity issues continued to gain prominence in 2022 and 2023. In fact, these past few years have been prolific and intense in political debates and judicial decisions, clearly revealing a much bigger sensitivity at all levels of society to these topics.
The year in review
Last year was marked by increased activity of the CNPD compared to the previous year, with 2,688 cases, 1,649 decisions, and 8,310 requests. The authority further applied 71 fines, of which 59 for spam practices, in an aggregate amount of €4.8 million, and issued 57 corrective measures and 269 warnings.
Additionally, the CNPD issued guidance on the (1) incompatibility between the role of the data protection officer and information officers, (2) availability of personal data processed within the scope of administrative procedures; (3) access to personal data held by a public entity as processor; and (4) publication on the internet of the minutes of meetings of collegial bodies.
Cyberattacks, on the other hand, continue in rising trend, with confidentiality breaches affecting in large Portuguese companies and institutions. Given this trend, the National Centre for Cybersecurity (CNCS) and the CNPD continue to play an active role in helping companies protect themselves from these attacks, with the CNPD issuing new guidelines on organisational and security measures applicable to data processing, and the CNCS focusing on raising awareness among the population through the dissemination of best practices, publication of guides, the launching of campaigns in the media and carrying out training sessions.
i Privacy and data protection legislation and standards
The Portuguese Constitution contains specific norms on the protection of privacy and personal data and the confidentiality of communications, namely in Articles 26 and 34.
However, the key provision of the Portuguese legal system in the field of personal data protection is Article 35, which stipulates in particular that every citizen has the right to know what is recorded in electronic records concerning him or her, the purpose for which the information is intended, and may demand that this information be corrected and updated.
On a legal level, the protection of personal data is primarily regulated by the GDPR, which is occasionally derogated by the Implementation Law, but only in matters where the European regulation allows it, such as in the extension of the personal data protection regime to certain data of deceased persons.
In addition to the Implementation Law, privacy and data protection are also governed in Portugal by several regulations passed before the GDPR came into force, of which we highlight:
- Law No. 41/2004, of 18 August,3 which transposed Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and the protection of privacy in the electronic communications sector into the Portuguese legal order, applicable to personal data processing in the context of networks and electronic communication services available to the public, complementing the general data protection legislation;
- Law No. 46/2018, of 13 August, which approved the legal regime for the security of cyberspace and transposed into the national order Directive 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to ensure a high common level of security of networks and information systems throughout the Union
- Law No. 109/2009, of 15 September, setting out the substantive and procedural criminal framework for cybercrime and the collection of electronic evidence, implementing into Portuguese law Council Framework Decision 2005/222/JHA of 24 February 2005, on attacks against information systems, and adapting into national law the Convention on Cybercrime of the Council of Europe; and
- Decree-Law No. 65/2021, of 30 July, regulating Law No. 46/2018, of 13 August 2018, on the legal regime for cyberspace security and defining the obligations regarding cybersecurity certification pursuant to Regulation (EU) 2019/881 of the European Parliament, of 17 April 2019.
The provisions of the Portuguese Criminal Code are also subsidiarily applicable to the offences set out in the GDPR and the Implementation Law. The Criminal Code is of particular relevance in matters of unlawful surveillance and breach of privacy, establishing evidence obtained because of the violation of an individual’s privacy, home, correspondence, or telecommunications, without his or her consent, shall be prohibited, having also been recently amended by Law No. 26/2023 of 30 June, transposing into national law Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000, to reinforce the protection of victims of non-consensual dissemination of intimate content.
ii Privacy and data protection legislation and standards
Obligations for data controllers are mainly those provided for in the GDPR.
The CNPD’s deliberations and opinions also set out formal requirements and standards for the approval or exemption of certain types of processing, but usually serve only as guidance in the assessment of specific cases. Although the CNPD’s positions do not have the force of law, practice shows that they are widely implemented by controllers, thus acquiring the form of positive law, as we can see through Regulation 1/2018, of 16 October.
The CNPD also requires controllers to register the contact details of their data protection officers (DPOs) and any changes thereto, through a specific form available on its website. A similar form is also available on the CNPD’s website to facilitate the notification of data breaches.
Also of particular importance, CNPD, on 10 January 2023, issued Guidelines 1/2023 on the organizational and security measures applicable to the processing of personal data, under Article 32 of the GDPR, due to the increasing number of cyberattacks that occurred both nationally and internationally in 2022.
iii Data subject rights
Data subjects’ rights are primarily contained in the GDPR. However, the Implementation Law has introduced specific aspects regarding these rights, such as:
- rights relating to personal data of deceased persons, namely the rights of access, rectification and elimination, which are exercised by whoever the deceased person has designated for that purpose or, in their absence, by the respective heirs;
- the right of data portability, provided for in Article 20 of the GDPR, which shall only cover the data provided by the respective data subjects; and
- the right to erase personal data published in an official journal which has an exceptional nature and can only be exercised pursuant to Article 17 of the GDPR in cases where this is the only way to safeguard the right to be forgotten and considering the other interests at stake.
Additionally, when personal data is processed for archiving purposes for reasons of the public interest, scientific or historical research or statistical data, the rights of access, rectification, limitation of processing and opposition provided for in Articles 15, 16, 18 and 21 of the GDPR shall not apply insofar as such rights are likely to render impossible or seriously impair the achievement of the specific purposes of the processing.
Furthermore, under Law No. 41/2004, of 18 August, costumers have the right to oppose the use of their contact details, in the context of the sale of a product or a service, for direct marketing of similar products or services, and to be informed in respect thereto when data are collected as well in each communication they receive.
Finally, the rights of access, rectification, erasure, and limitation of processing of personal data contained in criminal proceedings, court decisions or criminal records are exercised in accordance with the law on criminal procedure and other applicable legislation (Article 19 of Law No. 59/2019 of 8 August).
iv Specific regulatory areas
Privacy in the workplace is subject to specific provisions of the Labour Code, particularly Article 22, which establishes a general principle of confidentiality that protects communications of a personal nature exchanged by employees during the exercise of their functions.4 The Implementation Law also imposes specific requirements on the processing of employees’ data, establishing that employees’ images and other personal data processed through video systems or remote surveillance methods may only be used within the scope of criminal and disciplinary proceedings. These regulations are complemented by the CNPD’s guidelines on the monitoring of employees’ use of email and the internet.5
Decree-Law No. 131/2014, of 29 August, sets out the specific regime for the protection and confidentiality of genetic information, human genetic databases for healthcare and health research purposes, conditions for offering and carrying out genetic tests, and the terms under which medical genetics consultation is provided. In turn, Law No. 21/2014, of 16 April (amended by subsequent regulations), approving the legal framework for conducting clinical trials and other clinical studies in Portugal, establishes a specific regime for protection of personal data processed in connection with those trials.
Video surveillance is subject to the specific provisions of Decree-Law No. 35/2004, of 21 February, governing the provision of private security services, according to which the providers of security services shall be authorised to install video cameras and record images and sounds. Law No. 41/2004 regulates the processing of personal data within the context of publicly available electronic communications services and networks by the relevant providers, specifying and complementing the provisions of the general data protection legislation.
Direct marketing communications are specifically regulated under the Law on the protection of privacy in the electronic communications (Law No. 41/2004, of 18 August), whose application has been recently clarified in the CNPD’s Guidelines No 1/2022.
v Technological innovation
Direct marketing communications are specifically regulated under the Law on the protection of privacy in the electronic communications (Law No. 41/2004, of 18 August), whose application has been recently clarified in the CNPD’s Guidelines No. 1/2022.
Artificial intelligence (AI)’s regulation in Portugal is scarce, basically coming down to the programmatic rules of the Portuguese Charter on Human Rights in the Digital Age (Law No. 27/2021, of 17 May 2021), particularly Article 9.
However, AI is not only already present in many sectors, but continues to expand in Portugal, particularly in the public sector, which is increasingly adopting AI (e.g., chatbots) to improve the quality of services provided to citizens. It may be considered that there is a favourable environment for the adoption of AI technologies since the approval, in 2019, of the National Strategy for Artificial Intelligence, aimed at promoting and mobilising society in general for education and research, for innovation and development of products and services supported by artificial intelligence technologies.
However, awareness of the risks posed by AI is growing as well, as can be seen in the report on emerging technologies (including AI) of the by the CNCS, published in May 2023, identifying several challenges posed by AI to cybersecurity.
For this reason, the CNPD is also increasing its focus on the monitoring of the development and use of new AI technologies, promoting public debate and influencing decision-making. More recently, it has taken position on the use of facial recognition technology and data analytics within the scope of simplifying procedures relating to the issue and alteration of the citizen’s card and activating certificates associated with it through facial recognition in real time,6 and in the context of the use of video surveillance by security forces operating personal data analytics management systems, without using the data analytics management system.7
Internet of things (IoT)
The Portuguese government defined general principles for the development of IoT in the Resolution of the Council of Ministers No. 29/2020, of 21 April 2020. However, the reality of IoT was not yet subject to consistent and cross-cutting regulation, but only addressed in specific contexts.
Intelligent electric energy distribution networks, a branch of IoT, which are already a reality in Portugal, as in the rest of Europe, raise serious concerns as they encompass a large collection of personal data obtained through smart metering equipment. The risk of those data’s misuse motivated the CNPD to issue specific guidelines on the processing of personal data in the context of intelligent energy networks, defining the framework under which the processing of these data may be lawful.8
The CNCS, on the other hand, seems to focus on the strategic role IoT may play in Portugal given the large size of the national maritime area. In its report on emerging technologies, dated May 2023, the CNCS considers that the use of conventional means for monitoring large geographical areas is globally expensive, as well as highly complex in the coordination of technical and human resources, and that IoT presents itself as an optimal alternative solution, as it provides monitoring with moderate costs of implementation and exploitation, and a very high level of automation.
Use of remotely piloted aircraft systems for surveillance
Remotely piloted aircraft systems (RPASs) or unmanned aerial vehicles (UAVs), also known as drones, are now widely used, including for military, security and civilian purposes. These systems are particularly sought in the context of managing critical infrastructure, civil protection, natural disasters, environmental protection, search operations and many other activities, including recreational and domestic activities.
However, despite numerous, visible positive impacts, drones also pose significant risks to the protection of privacy. Therefore, the CNPD’s restrictive approach is not surprising, approving the use of drones only in specific circumstances, notably for surveillance of forest areas within areas of priority carried out by police authorities, specifically, the National Republican Guard (GNR), for the purposes of forest protection and fire detection, and surveillance by the GNR of high-risk sports’ events aimed at preventing potential public order incidents.9
General obligations for data handlers
International data transfer and data localisation
Portuguese law fundamentally follows the GDPR’s provisions on non-domestic transfers of data, that is, transfers of data to third countries outside the European Union, according to which such transfers may only be carried out:
- to countries that, according to the EU, ensure an adequate level of protection (white-listed countries);10
- if specific safeguards are adopted (such as binding corporate rules or sets of model clauses approved by the European Commission); or
- on the grounds of one of the derogations of Article 49 of the GDPR (such as, e.g., the relevant data subjects’ consent).
There are specific situations, however. Under Law No. 59/2019 of 8 August, on the processing of personal data for the purpose of preventing, detecting, investigating or prosecuting criminal offenses or applying criminal sanctions, the transfer of data may only take place in specific circumstances such as those specifically indicated in the GDPR. Law No. 59/2019 further establishes that the transfer of data to third countries, carried out by public authorities, shall be deemed as based on the public interest in accordance with Article 49 (4) of the GDPR.
There are not many cases of implementation of the GDPR’s rule of international transfer of data in Portugal. However, the CNPD recently considered that the National Statistics Institute had failed to comply with its obligations on international data transfers, by allowing personal data collected for census purposes to pass through all 200 servers of a US-based processor, without imposing additional security measures to prevent US government bodies from accessing the data.
Company policies and practices
The implementation of the GDPR has brought data protection into the spotlight.
Companies now pay much greater attention to questions of personal data, which is applied not only to relevant aspects of organisation and business, but also to questions concerning video surveillance, social networks, voice records and the development of marketing databases. However, so far no relevant governmental, business, or associative initiatives for defining and disseminating codes and standards of conduct and implementing certification processes and ‘seals’ in certain economic sectors or activities have taken place.
Discovery and disclosure
Discovery and disclosure procedures are mainly regulated under Law No. 109/2009 of 15 September, which approved the substantive and procedural criminal framework for cybercrime and the collection of electronic evidence, implemented in the national order Council Framework Decision 2005/222/JHA of 24 February 2005, on attacks against information systems, and adapted into national law the Convention on Cybercrime of the Council of Europe.
More recently, Law No. 59/2019 of 8 August has adopted the legal (general) framework on the processing of personal data for the purpose of preventing, detecting, investigating or prosecuting criminal offences or the execution of criminal sanctions, transposing Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016.
The general regime of Law No. 59/2019 is complemented by Law No. 32/2008 of 17 July governing the retention and transmission by providers of electronic communications services or networks of traffic and location data on both natural persons and legal entities, and of the related data necessary to identify the subscriber or registered user, for the purpose of the investigation, detection and prosecution of serious crime by the competent authorities. Furthermore, the principle of freedom of access to information is limited under several statutes on the grounds of personal privacy. This is the case under the Criminal Procedure Law and Law No. 46/2007, of 24 August, on access to administrative documents, which sets out the rules on secrecy.
Public and private enforcement
i Enforcement agencies
The Portuguese supervisory body in charge of enforcing the relevant privacy and personal data laws and regulations is the CNPD, an independent body that operates under the aegis of the Portuguese Parliament.
According to Law No. 43/2004, of 18 August (as amended by the Implementation Law), the CNPD’s duties and responsibilities include:
- issuing non-binding opinions on legislative and regulatory measures on the matter of protection of personal data;
- monitoring compliance with the GDPR and other legal and regulatory provisions on the protection of personal data, and correcting and sanctioning non-compliance;
- making available a list of processing activities that require the carrying out of data protection impact assessments and the criteria for determining processing activities as of high risk; and
- proposing to the European Data Protection Board draft criteria for the accreditation of codes of conduct monitoring bodies and certification.
ii Recent enforcement cases
The past year also saw an increase in the number of cases handled by CNPD, with 2,688 new cases, including consultations and decisions, in 2022.
A significant part of these cases is triggered by data subjects’ complaints lodged directly with the CNPD, and communications from other authorities (such as the Work Conditions’ Authority (ACT), the Economic and Food Safety Authority (ASAE), the Social Security, the Public Prosecutor’s Office and police authorities).
The most relevant, and recent cases, was the decision of the CNPD (Decision No. 2022/1072) that attributed five administrative offences for non-compliance with different provisions of the GDPR to the National Statistics Institute, imposing a global fine of €4.3 million. Specifically, the CNPD considered that the National Statistics Institute did not comply with the GDPR’s rules on international data transfers by allowing personal data collected for census purposes to pass through all 200 servers of a US-based processor, and failed to act diligently with regard to that processor, only making a formal verification of the processor’s compliance with its obligations, and not imposing on the latter the implementation of specific security measures to prevent US government bodies from having access to the data.
iii Private litigation
No noteworthy judicial decisions have been issued so far with regard to private litigation. However, under Portuguese civil law, any person who has suffered damage caused by unlawful actions of another party is entitled to receive compensation for the damage suffered.
This general principle is fully compatible with Article 82(1) of the GDPR on the right to compensation that establishes the right of any person who has suffered material or non-material damage as a result of an infringement of the GDPR to receive compensation from the controller or processor for the damage suffered. The controller may, nevertheless, be exempt from this liability to the extent it is not responsible for the act giving rise to the damage. In this regard, the Portuguese Civil Code essentially adopts the principles of tort liability, and thus the principles and provisions of the Civil Code will apply to determine the causal link between the controller or processor’s behaviour and the damage suffered, the standard of behaviour expected and the amount of damages to be awarded.
Considerations for foreign organisations
The CNPD has historically taken a conservative approach, especially in matters involving the processing of employees’ data or the use of technologies (such as CCTV, drones or AI). Despite having a relatively limited budget and not very abundant sanctioning activity, the amounts of fines imposed in 2022 substantially exceed the global amounts of fines imposed in previous years.
It would be reasonable to anticipate that the CNPD will maintain an intense and growing activity in the inspection and sanctioning of organisations that handle personal data, though is not irrelevant the fact that new president of the CNPD, who took office in May 2023, has publicly commented on the need of focusing the CNPD towards activities more aimed at prevention and clarification than at the detection and pursuit of infractions.
Cybersecurity and data breaches
The Cybersecurity Law, approved in 2018, imposes several obligations on certain operators (public administration, critical infrastructure operators, essential service operators and digital service providers), including an obligation to notify the Portuguese supervisory authority (i.e., the CNCS) of any incidents with material impact on the continuity of the services they provide, and provide any information it requires to assess the impact of incidents together with the incident’s parameters.
The Decree-Law No. 65/2021, of 30 July, brought greater specificity, being further complemented by Regulation No. 183/2022, of 21 February.
The above regulations apply to cybersecurity regardless of the involvement of personal data. Personal data breaches are specifically regulated under the GDPR, and neither the Implementation Law nor the CNPD have established additional notification requirements or obligations.
Additionally, the Council of Ministers Resolution No. 41/2018 defined technical guidelines to the public administration. Although not applicable to the private sector, the resolution may provide some guidance as to the standards of security of networks and systems that may be considered by certain categories of controllers.
Continuing the trend of 2021 and 2022, 2023 also experienced an increase in the volume of cybersecurity incidents and cybercrimes in Portugal, according to data provided in the 2023 Risks & Conflicts Report published by CNCS’s Cybersecurity Observatory.11 Accordingly, the most common cyberthreats in 2022 were phishing (via email), smishing (via SMS), vishing (via phone), ransomware, online fraud and scams, compromising of accounts (or attempts thereof) and vulnerability exploitation. Compared to last year, there was an increase in the sophistication and impact caused by these incidents, and a significant growth in incidents with high disruptive potential as well as in cybercrime, a trend contrary to that of computer fraud crimes, whose practice decreased. 2022 was marked by a set of malicious actions that had a very disruptive effect, particularly through ransomware attacks and data disclosure. The cyberspace attacks that had the greatest impact in Portugal in 2022 were the ones against the Impresa group, Vodafone, Laboratório Germano de Sousa, Hospital Garcia de Orta, the Sonae MC group, Eletricidade dos Açores, TAP and also the Social Security platform. The CNCS report shows that the sectors most affected by cybersecurity incidents were banking, education, technology and the university education sector, as well as the transport, health and media sectors. Also, incidents with significant impact have been recorded even at the public administration level.
This year, in particular, we must emphasise the impact that the war in Ukraine has had on cyberspace, not directly in the number of incidents recorded, but rather through an increase in information gathering and cybersabotage actions, a trend that may even worsen while the war is not over.
That being said, the main national trends expected in the context of cyberspace threats are the growing ‘professionalisation’ of cybercrime, the uncertainty resulting from the war in Ukraine and also some more specific threats such as ransomware, DDoS, credential theft malware and smishing, vishing and spoofing due to the widespread use of mobiles.
For 2023 and 2024, the CNCS report details that the main challenges for the security of cyberspace of national interest are the need to mitigate the insecurity arising from a more widespread and often more fragmented cyberspace, with a larger attack surface, as a result of new technologies, not to mention the technical difficulties increased, for example, by the use of AI in cyberattacks, the increasing sophistication of attackers and the difficulty in establishing mechanisms of imputation to external threat agents.
The CNPD also reported 376 personal data breaches last year, 15 per cent more than the previous year, as well as a 57 per cent increase in ransomware attacks.
Software development and vulnerabilities
In software development, the legal requirements for data controllers are mainly those provided for in the GDPR. Privacy by design and default is an approach to systems and software development that requires data protection and privacy to be taken into account during the whole life cycle of the system or process. Privacy by default requires that the data controller implement appropriate technical and organisational measures to ensure that, by default, only personal data that are necessary for each specific purpose of the processing are processed.
Additionally, the Council of Ministers Resolution No. 41/2018 defined technical guidelines for the public administration.
Finally, we highlight the new CNPD Guidelines on organisational and security measures applicable to the processing of personal data (CNPD Guideline 2023/1), which advises controllers to implement specific measures that are appropriate to the characteristics and sensitivity of the data processing carried out and the specifics of their organisation.
Digital governance and convergence with competition policy
Portugal has been developing first-line policies and innovative legal frameworks aimed at ensuring an open digital governance that favours both innovation and open competition.
Anticipating to a certain extent the European Data Governance Regulation, Decree-Law No. 68/2021, of 26 August 2021, enshrined the general principle of open data, as an integral part of the open government policies that have been adopted by the Portuguese government, in line with the recognition of the potential of digital governance oriented towards the sharing of open data to support the development of new products and services.
In addition to the implementation of an open data digital governance model, the government is also making national eIDAS infrastructure available for integration with companies, which may now incorporate authentication schemes made available by Autenticação.GOV, the Portuguese public administration authentication provider. At the same time, Portugal is developing the e-Residency (Digital Identity) project that will allow citizens, nationals or foreigners not residing in the country, to use the CMD for authentication with public services (a mechanism that is soon expected to be extended to private operators wishing to integrate their systems with the public infrastructure) as well as a national health service person identifier. All of this is evidence that government policies are increasingly leaning towards a legal framework for digital business models that allows responding to technological and social changes and safeguarding competition, while empowering citizens’ options as to the use and protection of their data.
Although the national policies are only beginning to be transposed into new legislation, the most recent legislation aimed at introducing greater balance in market relations and discipline in consumer relations is already targeting the ability of providers to prevent access to or sharing of data. Examples of this are Decree-Law No. 84/2021, of 18 October 2021, on consumer rights in the purchase of digital content and services, which transposed Directive (EU) 2019/770, and the draft law that will transpose to the national order the Directive (EU) 2019/790 on copyright and related rights in the Digital Single Market, currently in its final discussion phase.
In the coming years, privacy and cybersecurity will continue to be of central importance in the Portuguese landscape.
As a reflection of the growing concern regarding data protection in the Portuguese legal system, the CNPD approved the Multiannual Activity Plan for the 2024–2026 Triennium. This Plan is essentially based on three strategic objectives: (1) contributing to strengthening the protection of citizens’ data, ensuring greater public awareness of the CNPD’s mission and the rights of data subjects; (2) ensuring improved capacity for strategic observation of the risks and opportunities created by the acceleration of technological innovation, promoting a regulatory framework that prevents and sanctions bad practices; and (3) strengthening data protection regulation in Portugal through collaborative mechanisms and cooperation with national and international entities, promoting a culture of dialogue and transparency, and sharing information and knowledge.12
Be as it may, the CNPD is likely to maintain an intense and increasing activity in supervision and inspection, progressively managing more and more cases, reflecting the growing trend in complaints and reports of infringements, but also the increasing number of autonomous actions by the authority. Additionally, the CNPD is expected to be focusing more on the effective, not merely formal compliance of the controllers with the data protection rules and principles, particularly regarding the implementation of adequate security measures and the supervision of processors. It is not irrelevant, in this regard, that the first guidelines issued by the CNPD in 2023 relate precisely to security measures, or that the highest fine imposed by the CNPD in the last year resulted from the failure of a controller to impose the implementation of adequate security measures on its data processor.
Finally, in terms of cybersecurity, in 2022, according to the CNCS observatory, more than half of the organisations and business fabric in Portugal were the target of cyberattacks, a trend that is expected to continue. Experts consider that 2023 will see a continued re-evaluation of companies’ security architectures, namely in the reinforcement of the perimeters that have been extended with hybrid working, and an increase in ransomware and social engineering, a consequence of the economic recession context which deepens the potential for ramsomware as a service and hacker as a service tool. However, the complexity and impact of the threats and attacks are also expected to increase, particularly in the context of a cyber war, where attacks may be being promoted by non-democratic states against NATO as part of global economic and political disputes.