Cybersecurity. New Directive threatens SMEs' budgets
The new European cybersecurity directive substantially extends the number of entities that will have to comply with the rules on protection against possible cyberattacks. Many SMEs will be covered, few of which have the financial and organisational capacity to meet the requirements, namely hiring specialised technicians to control their computer services. The Director-General of the National Security Office, António Gameiro Marques, advises SMEs to start preparing budgets and, if necessary, to join together in business associations to rationalise costs.
Compared with the previous directive, NIS1, the current one, NIS2, not yet transposed in Portugal, raises the number of critical sectors that have to be protected from cyberattacks from eight to 18. These 18 sectors are divided into essential entities and important entities.
The essential entities are: energy; transport; health; drinking water; wastewater; financial market infrastructure; digital infrastructure; public administration; cyberspace; and telecommunications services management. The important entities are: food; the chemical industry; research; digital service providers; waste management; postal services; and manufacturing. In addition to these 18 critical sectors, covering thousands of SMEs, the directive extends the cybersecurity requirements to ‘relevant public entities’, dividing them into ‘group A’ and ‘group B’.
Thus, almost all of public administration will also be obliged to comply with the cybersecurity requirements imposed by the Directive, including the Justice Ombudsman, the Economic and Social Council, the Technical and Administrative Services of the Presidency of the Republic, the Assembly of the Republic, the Courts and the Secretariats with competence for proceedings, the Superior Council of the Administrative Courts and the Superior Council of the Public Prosecution Service. Also covered are all independent bodies and administrative entities, except for Banco de Portugal, the Securities Market Commission and the insurance and pension fund supervision authority.
Anyone who does not comply with the law imposed by the EU is subject to a heavy regime of financial penalties. According to the directive, essential entities may have to pay fines of up to 10 million euros or up to 2% of global annual turnover, whichever is higher. Important entities may have to pay up to seven million euros or 1.4% of annual turnover. A harsher approach is foreseen for organisations that repeatedly fail to meet their obligations.
But beyond the company itself, the management and administration bodies of essential and important entities will also be held responsible. That is, CEOs, or whoever is the top person in charge, may be held personally liable for non-compliance.
The directive excludes only public entities in the domains of national security, public security, defence and intelligence services.
Once the directive is approved, as it will urgently have to be, a good part of public administration, including the courts and the judiciary, will be subject to the prying eyes of ethical hackers, who can enter each of the respective computer systems without licence. This probing can detect vulnerabilities, but also instances of non-compliance that will result in fines with consequences for the financial health of many SMEs. It should be recalled that, according to CNCS, only about one in 10 companies in Portugal has workers directly involved in cybersecurity. On the other hand, more companies in Portugal than the EU average have difficulty finding and hiring professionals with cybersecurity skills.
According to CNCS, between 2016 and 2023, 9509 cyberattacks on companies and public institutions were registered in Portugal. In the transport sector alone, between 2019 and 2023, 471 attacks were reported. The operator Vodafone and Impresa, owner of SIC and Expresso, suffered the most serious cyberattacks recorded in Portugal, both in 2022. In that same year TAP was a target: the attackers obtained data on about 1.5 million customers.
EDP, Garcia de Orta Hospital, CUF Hospitals, Ponta Delgada Hospital, Cofina and Lisbon City Hall are among the known targets, but the unknown ones, kept quiet for security reasons and because of the attackers' threats, are many more. «They are always happening, we just don't know where or even when», a police source told Sunrise. According to the annual internal security report, last year there were about 2500 computer crimes, and almost two thousand people were made defendants.