Regulation 21/2019 from Bank of Portugal – Reporting of Severe Cyber Security Incidents28 November, 2019
Regulation 21/2019 was published on 25 November in the Supplement of Bank of Portugal (BdP) Official Bulletin no. 11/2019, which regulates the reporting of severe cyber security incidents on entities supervised by the BdP and significant credit institutions based in Portugal supervised by the European Central Bank (ECB), entering into force on 08 January 2020.
The BdP Instruction clarified that cyber security incidents are information security events that are likely to compromise business operations and/or threaten information security, including events that have an adverse effect on the security of systems, applications or networks, compromise the information they process, store or share or violate information security policies and use of systems, applications or networks.
Therefore, the purpose of the Instruction is to streamline the entire reporting process so that all the information reaches the ECB and the National Cybersecurity Center (CNCS) as quickly as possible, depending on the scope and nature of the incident.