Portugal’s new cybersecurity bill may impact greater China businesses

The proposed provisions of Portugal’s cybersecurity bill draft could disproportionately affect technology suppliers from specific regions, including Macau, Hong Kong, Taiwan, and mainland China, according to Bernardo Mendia, secretary general of the Portugal-China Chamber of Commerce & Industry (CCILC).

Portugal is currently holding a public consultation on the new Cybersecurity Legal Framework (NIS2), which has been extended until December 31 due to increasing vulnerabilities and a proactive government stance. This extension, which delays the deadline 22 days, aims to enhance the regulatory environment and better protect the nation’s digital assets and infrastructure.

Concerns over the cybersecurity bill draft have been voiced by Mendia.

In an interview with the Times, he said, “We would like to express the Portugal-China Chamber of Commerce and Industry’s concerns over the Portuguese government cybersecurity bill draft, noting that the provisions could unfairly restrict technology suppliers based on their country of origin, including from Macau, but also Hong Kong, Taiwan and mainland China.”

Mendia said this approach does not align with Portuguese legal traditions or the principles of an open-market economy. He urged companies and individuals to share their views during the consultation process.

Article 18 of the draft bill suggests security assessments may be influenced by a manufacturer’s region of origin, potentially distorting competition and limiting supplier diversity.

Mendia said such non-technical criteria do not enhance cybersecurity but instead create barriers to foreign investment.

“We strongly recommend removing non-technical criteria from the assessments, focusing solely on technical evidence and international standards,” Mendia added.

Mendia also highlighted the detrimental effects of protectionism on competition and innovation.

“Protectionism weakens competition, slows or arrests innovation, reduces quality, and increases prices,” he said.

He said cooperation with Macau presents a unique opportunity for both Portugal and China and should be prioritized in discussions surrounding the bill.

“Over the years and centuries, Portugal and China have shown the world the benefits of international cooperation,” he added.

Mendia expressed hope that common sense and Portuguese interests would prevail over other considerations. He called upon the Macanese business community to actively participate in the consultation process by sharing their perspectives.

António Leitão Amaro, Portugal’s Minister of the Presidency, said at a recent conference that “security in cyberspace is a priority.”

He envisions Portugal as one of the “most interesting and attractive” countries for cybersecurity investments. This vision aligns with government efforts to create a robust cybersecurity framework that prioritizes risk prevention while accommodating businesses of various sizes.

Echoing this sentiment, António Trindade, CEO of local firm CESL Asia, highlighted complexities surrounding data management and cybersecurity. He said “when you deal with big data, you have a lot of issues.” He pointed out concerns about data ownership and the implications of artificial intelligence on content generation, highlighting that growing importance of data governance as businesses and governments face escalating cyber threats.

In its letter, CCILC raised concerns about the potential discriminatory nature of the draft bill’s provisions, stating, “In our view, these provisions do not contribute to enhancing cybersecurity. On the contrary, using non-technical criteria such as suppliers’ country of origin introduces a discriminatory factor that distorts competition.”

The CCILC’s letter notes Article 18 allows for security assessments influenced by manufacturers’ nationalities, which could lead to discrimination against foreign companies. This approach risks distorting competition and limiting supplier diversity while hindering innovation and increasing costs for businesses.

The proposed NIS2 directive aims to ensure a high common level of cybersecurity across the European Union.

It expands the scope of entities covered under cybersecurity regulations and introduces measures for assessing risks associated with information technology systems. As Trindade noted, addressing these challenges is essential for Macau and similar jurisdictions navigating complex data protection landscapes.

Meanwhile, Carlos Alvares, CEO of Banco Nacional Ultramarino, remarked on Macau’s position, stating, “I don’t see any significant impact in Macau. We do not have those kind of manufacturing companies in Macau.” Noting that while global cybersecurity is critical, Macau’s specific industrial landscape may mitigate some immediate impacts from regulatory changes affecting other regions.

The urgency for enhanced cybersecurity measures in Portugal is underscored by a rising number of cyberattacks.

Reports indicate the Portuguese cybersecurity market is projected to grow at a compound annual growth rate (CAGR) of 7.7% through 2029, driven by increased digitization across industries and an expanding attack surface from Internet of Things (IoT) devices. As Trindade remarked, “We need to find solutions about how to deploy these solutions to collect data. It’s a very complex matter.”

Moreover, the shift toward cloud computing has intensified demand for robust cybersecurity solutions. As organizations migrate their operations online, they face heightened risks from cybercriminals exploiting vulnerabilities in cloud environments.

The market for cloud security in Portugal is expected to see significant growth, with estimates suggesting an annual increase of 18.7% until 2027.

Trindade said “big data and cybersecurity challenges create an urgent need for countries like Portugal to develop effective strategies that balance national security concerns with economic opportunities.”

Despite these promising developments, challenges remain. A shortage of skilled cybersecurity professionals poses a significant hurdle against increasingly sophisticated attacks. Trindade highlighted this issue, noting, “We cannot store data without risking compromising security,” emphasizing the need for qualified experts and resources to navigate these complexities.

Public-private partnerships are emerging as vital components in strengthening Portugal’s cybersecurity posture. Collaborations between government agencies and private firms are fostering innovation and enhancing incident response capabilities.

Initiatives like the Portugal Cybersecurity Cluster aim to promote cooperation among industry stakeholders, academia, and government bodies to drive economic growth within this sector. Nadia Shaw