Inês Antas de Barros is quoted in Advocatus’ cybersecurity special, where she examines the impact of the new legal framework transposing the NIS2 Directive into Portuguese law, which is set to enter into force in April. She highlights the increased challenges facing Portuguese companies, particularly in the areas of corporate governance, risk management and incident reporting. According to the lawyer, the regime “applies to entities operating in the sectors listed in the legislation, particularly those of medium or large size”, while noting that “micro and small enterprises are, as a rule, excluded, unless the critical nature of their activity justifies inclusion, namely due to their involvement in a critical sector, systemic impact, cross-cutting effects or an indispensable role within essential service supply chains”.

Regarding practical obligations, Inês Antas de Barros points out that the new framework introduces “deadlines, formats and taxonomies for incidents and establishes cooperation procedures with the competent authority and the national Computer Security Incident Response Team (CSIRT)”, thereby reinforcing the accountability of management bodies. For small and medium-sized enterprises, the new regime represents a significant shift, as “SMEs, which until now were not required to comply with such demanding cybersecurity standards, are now faced with new practical challenges”.

In this context, she argues that the first step should be to “carry out a rigorous mapping of the new applicable obligations within a ‘dense and interconnected regulatory ecosystem’, identifying gaps and prioritising actions”. Compliance, however, should not be treated as a purely formal exercise. “It is essential to ensure substantive compliance, with a focus on supply chain management, continuous risk assessment processes, incident and vulnerability management, security-by-design principles, ongoing training and an organisational culture of security,” she stresses.

Inês Antas de Barros also warns against minimalist approaches to the new framework, noting that “the main risk lies in a drift towards a ‘purely formal compliance’ approach, based on checklists and disconnected from any real improvement in security levels”. Instead, she maintains that “compliance plans should be designed as strategic risk management tools, aligned with legal requirements, business objectives and operational resilience”.

Against a backdrop of heightened regulatory and reputational scrutiny, she considers that the new law may also present a strategic opportunity. “Organisations that turn the regime’s requirements into a competitive advantage will be better positioned to compete and innovate securely,” she underlines, adding that a consistent implementation “can significantly strengthen the resilience of critical sectors, improve national coordination in incident response, firmly embed cybersecurity within top-level management and increase trust in the Portuguese digital ecosystem”.

This article is available in the February print edition of Advocatus.