A draft instruction from Banco de Portugal concerning the reporting of cyber security incidents is currently in public consultation, until August 19, (Public Consultation No. 2/2019).
The Bank of Portugal's instruction will regulate the reporting of cyber security incidents occurring in credit institutions, investment firms, payment institutions, e-money institutions and branches of credit institutions with head offices abroad.
With regard to significant credit institutions based in Portugal – which, to date, reported directly to the European Central Bank ("ECB") – the same now report directly cyber security incidents to the Bank of Portugal via BPnet, which will automatically forward them to the ECB. Additionally, this report will also be sent to the National Cybersecurity Center ("CNCS"), whenever the entity is classified as an Essential Services Operative, pursuant to Law No. 46/2018, of 13 August, which sets forth the legal regime of cyberspace security.
To learn more about this Bank of Portugal Draft Instruction, please access our News Flash here.