Cyberattacks and Civil Liability: Who Is Responsible for the Damages?

Contencioso em Foco is a feature by Caiado Guerreiro, with the participation of partner Sandra Jesus and lawyers Micaela Ribeiro Roque and Maria Beatriz Pereira da Silva, where doubts and questions in this area of Law are clarified. This week’s topic is Cyberattacks and Civil Liability: Who Is Responsible for the Damages?
Articles 30/10/2025

Cyberattacks have ceased to be a hypothetical and marginal risk and have become a strategic threat to Portuguese companies. According to the Hiscox Cyber Readiness Report 2025, more than half (54%) of Portuguese SMEs suffered at least one attack in the past year — including data loss, DDoS (Distributed Denial of Service) attacks, or financial fraud.

Among the companies affected by cyberattacks, 41% experienced DDoS attacks, and around 40% incurred financial losses resulting from fraud (i.e., payment diversions through fraudulent emails). There have also been reports of cryptocurrency mining incidents, as well as loss of encrypted data.

In addition to the direct consequences of cyberattacks, there are collateral impacts related to greater difficulty in acquiring new clients and the inadvertent breach of third-party partners’ data, reported by 30% of companies.

Indeed, beyond direct losses, the recurring impact of such incidents is strategic: loss of clients, damage to brand reputation, and a substantial increase in the costs associated with notifications and recovery efforts.

After a company suffers a cyberattack, with all the resulting strategic and financial consequences, the central question arises: who is liable for the damages?

Under the applicable legislation, organisations that fail to demonstrate appropriate technical and organisational measures may be held civilly liable for losses suffered by clients or partners, as well as being subject to significant fines.

The only possible ground for exemption from liability lies in proving that the attack was unforeseeable and unavoidable, and that all implemented security best practices were duly verified.

Beyond the technical response, this reality requires companies to undergo a paradigm shift: cybersecurity is no longer merely a protective measure — it has become a governance and compliance obligation.

The adoption of clear internal policies, regular audits, and incident response plans now constitutes an essential element of legal and commercial defence. In a time when reputation is as valuable an asset as capital, compliance has become the new line of corporate defence. In digital litigation, prevention remains the most effective form of defence.


The content of this information does not constitute any specific legal advice; the latter can only be given when faced with a specific case. Please contact us for any further clarification or information deemed necessary in what concerns the application of the law.
