ICN/ECN competences
From the National Civil Emergency Planning Council
XXX
XXX
XXX
XXX
XXX
XXX
As a result of the emergence of new threats to the security of states, in 2004 the European Council began a series of studies leading to the creation of regulations dedicated to the protection of critical infrastructures.
The culmination of this work was the publication of the Directive on the Protection of Critical Infrastructures (Directive 2008/114/EC of 8 December), a document that defines the procedures for identifying and designating European CIs and establishes the obligation for operators and government bodies to draw up security plans.
Since 2004, Portugal has recognised the importance of the initiative and, to this end, created a working group, coordinated by the then National Council for Civil Emergency Planning (CNPCE), which set out to initiate a process structured in three distinct phases:
Identification and classification of national CIs.
Analysis and assessment of the risk associated with CI dysfunction and study and dissemination of effective measures to strengthen their protection.
Implementing measures and monitoring risk.
Directive 2008/114/EC, of 8 December, was transposed into the national legal framework by Decree-Law 62/2011, of 9 May, establishing the following provisions:
The definition of procedures for the identification and designation of CI, both the responsibility of the ANPC (due to the extinction of the CNPCE);
The drawing up of safety plans for each CI. These plans, which are the responsibility of the operator, describe the critical elements of the infrastructure, the potential threats and the security measures to be adopted;
The drawing up of External Security and Protection Plans (PSPE) under the responsibility of the territorially competent security force;
The creation of a Security Liaison Officer (SLA) as the point of contact between the owner and/or operator of the CI and the Secretary General of the SSI;
The responsibility of the State to assess the threat in relation to the various CI sub-sectors;
The protection of sensitive information.
More than ten years after Decree-Law 62/2011 of 9 May came into force, with the critical infrastructures of the energy and transport sectors already in place, there was a need to review the process of identifying and protecting national critical infrastructures, correcting identified gaps, streamlining legal implementation mechanisms and adopting best practices from other European Union member states.
The new legal regime, Decree-Law no. 20/2022, of 28 April
The range of competences assigned to the CNPCE includes the following:
Identification and designation of critical infrastructures;
Approval of the criteria for identifying critical infrastructures, on a proposal from the respective sectoral organisations;
Coordination with similar organisations in other member states and/or the European Commission in the process of identifying European critical infrastructures;
Carrying out exercises and drills with national critical infrastructure operators.
The evolution of threats to infrastructures responsible for providing services essential to the functioning of states has led to the need to amend current European legislation.
The lessons learned during the period of validity of the Directive on the Protection of Critical Infrastructures (Directive 2008/114/EC of 8 December) were used as the basis for a series of projects that resulted in the publication of the Directive on the Resilience of Critical Entities (Directive 2022/2557 of 14 December).
This new standard significantly alters the paradigm underlying the protection of critical infrastructures, introducing the concept of critical entity resilience. As a whole, these entities play a central role in providing essential services that are vital to the normal functioning of life in society.
From the Secretary-General of the Internal Security System
Decree-Law no. 25/2025 of 17 March transposes into national law Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December on the resilience of critical entities.
Among other provisions, it establishes the procedures for identifying, designating and strengthening the resilience of national critical entities and those of particular European relevance, which provide essential services for the maintenance of vital societal functions or economic activities, public health and safety or the environment.
The Secretary General of the Internal Security System (SGSSI) is the national authority responsible for coordinating and supervising measures to strengthen the resilience of critical organisations in the face of incidents, risks and threats that could compromise the provision of essential services.
It is responsible for coordinating the preparation of the national risk assessment, which aims to support the identification of critical organisations and the adoption of resilience measures; and the National Strategy for the Resilience of Critical Organisations, which establishes policy measures, strategic objectives and lines of action in this area.
As part of its technical support, the SGSSI is responsible for disseminating guidelines to facilitate the preparation of critical entity resilience plans, critical infrastructure security plans and security force intervention plans, ensuring their implementation and monitoring. It is also responsible for approving the resilience plans of critical organisations in accordance with the established requirements.
It promotes the training and qualification of human resources in the area of critical entity resilience, fostering a knowledge community and a national security culture in this field. In liaison with the National Civil Emergency Planning Council and sectoral organisations, it carries out cross-cutting exercises involving national critical entities and others deemed relevant, as well as, where appropriate, those from other European Union member states.
The SGSSI is responsible for monitoring and applying the sanctions provided for, ensuring compliance with the rules and the effective implementation of resilience measures. In addition, in exercising its competences, it ensures the verification of human security records and their implementation, contributing to the security and integrity of critical organisations.
Liaising with similar entities in the European Union is an essential part of its mission, especially in the case of critical entities that use infrastructures physically linked between two or more Member States; integrate business structures associated with critical entities in other Member States; or have been identified as critical entities in one Member State and provide essential services to others. It is also the national contact point with the European Commission on the resilience of critical entities.
It ensures and keeps up-to-date the electronic platform for registering critical entities and infrastructures, which includes, among other information, their cataloguing; the list of contacts for institutional cooperation and operational coordination; the classification of resilience, security and intervention plans; the management of relevant accidents and incidents; and other data that allows for the planning and prioritisation of resilience-building measures.
The SGSSI may request the collaboration of entities it deems relevant to the realisation of these objectives, promoting a holistic, systemic and integrated approach to the resilience of critical entities.
