From Theory to Practice: How Portugal's Cybersecurity Centre Is Tackling NIS2 Compliance

From Theory to Practice- How Portugal's Cybersecurity Centre is Tackling NIS2 Compliance
Francisco Fonseca
Written by Francisco Fonseca
SVP, National Cybersecurity

In their capacity as a regulator, the Portuguese National Cybersecurity Centre (CNCS) is at the forefront of adapting to NIS2 requirements and ensuring that entities under their purview are compliant. They provide strategic oversight and support for organisations navigating the complexities of the new directive, which introduces stricter standards for risk management, incident response, and supply chain security.

As the single point of contact and national competent authority for NIS in Portugal, the CNCS oversees cybersecurity for public administration entities, critical infrastructure operators, operators of essential services, and digital service providers, while also working to raise cybersecurity awareness across society.

In this Q&A, CNCS shares valuable insights into the challenges, requirements, and best practices surrounding NIS2 compliance, providing a real-world perspective on how organisations can align with the regulation and build stronger cybersecurity frameworks.

Q: What are the main challenges organisations are encountering in the implementation of NIS2? Are there specific areas or requirements within NIS2 that raise significant concerns or doubts from organisations?

A: The transposing of NIS2 directive into the national legal framework is still ongoing, so it is not easy to identify current challenges and concerns. However, from an analytical perspective of the foundations of NIS2 and, mainly, the conceptual differences comparing with the first directive, we can state that the compliance effort by essential and important entities, especially those already covered by NIS1, will not be substantial.

NIS2 reinforces the importance of the principle of proportionality indexed to the risk of each covered entity, but this was precisely the Portuguese approach in 2018 with Law No. 46/2018, later reinforced by Decree-Law No. 65/2021. For this reason, significant methodological changes are not expected.

On the other hand, NIS2 aims to harmonise and, therefore, correct significant asymmetries between the various Member States in the values of pecuniary sanctions for non-compliance with their obligations. This approach, coupled with greater accountability of the leadership within regulated entities, aims to place cybersecurity as a top concern in the decision-making chain.

Q: In your opinion, which specific NIS2 Security requirement (Article 21) poses the greatest challenge for companies to address, and why?

A: The challenges that companies face are closely linked to the threat landscape, volatile by nature, and their degree of digital exposure to the outside world, including their supply chain. In this context, the best approach involves continuous risk assessment, where each company evaluates its risks and adopts the most effective cybersecurity controls to mitigate them.

These controls should be aligned with available cybersecurity frameworks, whether it be the National Cybersecurity Framework of CNCS or other recognized cybersecurity frameworks, such as ISO 27001 or the NIST CSF. The sector, the size of the organisation, the level of digital exposure, and trends in cyber threats will influence the risk assessment and the controls necessary to address them. The message to convey is that each case is unique, and the challenges will always be a result of the specific circumstances of each organisation.

Q: What best practices, advice, or recommendations would you offer to companies that are in the process of deploying NIS2? Do you have any suggestions for improving collaboration between companies and Supervisory Authorities to facilitate better NIS2 implementation?

A: In their continuous risk assessment, organisations should take into account the specificities of their sector and, in a participatory manner, collaborate in adopting and sharing cybersecurity best practices. A good way to achieve this objective is by participating in one or more sectoral, regional, or national cybersecurity communities, such as in Information Sharing and Analysis Centers, through which entities with common interests can cooperate in sharing information about threats, incident response, and best practices.

Q: NIS2 introduces the risk assessment of supply chain security as a new area. What do you foresee as the main challenges that companies will face in this area?

A: First, it is necessary to understand why NIS2 introduces this requirement. The incident history of recent years shows that threat actors are increasingly able to find vulnerabilities and opportunities to attack well-protected companies through their supply chains. This situation is particularly relevant when there is a higher level of interconnection between the IT infrastructures of the company and its service provider.

This issue is already addressed by large corporations that classify their suppliers into different risk levels, based on their degree of exposure and the level of interconnection between their IT infrastructures. Within the Cybersecurity Alliance, a discussion forum promoted by CNCS that brings together big corporations, this issue was identified as a priority. When it was realised that different large companies were conducting cybersecurity assessments of the same service providers, a decision was made to develop a common cybersecurity certification scheme, with assurance levels corresponding to different risk grades.

Implementing an approach like this simplifies the work of operators of essential and important services under NIS2 and establishes a standard that facilitates interoperability between providers and clients.

Q: From a national authority or regulator perspective, what do you consider to be the most significant changes introduced in NIS2 compared to the original NIS Directive?

A: The NIS2 directive results, on one hand, from the evolution of threats and the need to adapt prevention and response tools to current and future challenges—and on the other hand, from the lessons learned from the implementation of NIS1 by different Member States and the clear lack of harmonisation achieved. Major incidents such as WannaCry, or the number of attacks against pharmaceutical laboratories or delivery services during the COVID-19 pandemic, influenced a review and expansion of the scope to sectors such as research and development, food distribution, postal service providers, waste management, or the space sector, among others. In this sense, it was also decided to include central and regional public administration within its scope, although this has no significant impact in Portugal, due to the fact that we had already integrated this with Law No. 46/2018.

The need to define uniform criteria, both in identifying entities considered relevant in each sector of activity and in the set of security measures and controls that each of these entities is required to implement, was also crucial for the creation of NIS2.

NIS2 also creates new tools and formalises existing ones, aiming for better operational coordination between authorities, both nationally and across Europe. Examples of this include the designation of a national authority for the management of large-scale cybersecurity crises and incidents, the formalisation of the CyCLONE network, which has been active since 2018 in the operational coordination of the response to transnational incidents, and the creation of a coordinated vulnerability disclosure mechanism.

The management of vulnerabilities and the preventive aspects of cybersecurity are given special attention in NIS2, equipping the national cybersecurity authority with tools such as conducting remote cybersecurity tests. It’s also worth noting the increased accountability of the leadership of regulated entities for non-compliance as another decisive aspect of NIS2.

Key Takeaways

As NIS2 continues to influence the cybersecurity landscape, it is clear that while challenges remain, they are not insurmountable. The insights shared by the Portuguese National Cybersecurity Centre (CNCS) offer a roadmap for organisations striving to align with the new requirements. By fostering collaboration and adopting a proactive approach to supply chain resilience and cyber risk management, entities can successfully navigate the transition and build a stronger cybersecurity posture.

Stay ahead of the compliance curve. Dive into our playbook curated by Tim Grieveson, Senior Vice President and Global Cyber Risk Advisor. Unearth insights to not just comply but lead in the era of NIS 2, DORA, PS21/3, and emerging cyber regulations.