Portugal: Risk Profile of Environmental and Cybersecurity Risks for Data Centre Companies

By Dmitriy Gasilin

Introduction:

A rising demand for data infrastructure is predicted to remain strong, especially as firms increasingly rely on big data and cloud storage in their operations. Portugal has signalled its readiness to accommodate data infrastructure projects, and last month Microsoft committed $10 billion towards establishing an AI data centre in Sines after partnering up with Start Campus and NScale. We look at two risks which are expected to remain according to industry and government data sources. These have resultantly been categorised as either ‘Category A’ or ‘Category B’ risks’ in 2026. A potential investor in data infrastructure projects should monitor these extremely closely, learning from developments in 2025 and implementing robust risk planning measures. For more details on the methodology, please refer to the ‘Table of Risk Categories’ under Annex.

Extreme weather events - Category A

From 2019-2025, the burned area caused by wildfires in Portugal has ranged from 33,451 - 278,387 ha. Frequency of wildfires reached an all-time high in 2022, when 258 wildfires were recorded. Across these 7 years, the number of wildfire events remained above 100, which is the first time it has stayed in the three digits for more than 5 consecutive years since the European Forest Fire Information System (EFFIS) released their data for Portugal in 2006 . On average, during a given summer period, Mainland Portugal experiences 15 summer days where a danger of wildfire is classed as extreme. In less than 20 years, this danger period is forecasted to rise to 30 - 40 days under a more optimistic climate scenario, and to 40 - 50 summer days under a moderately pessimistic scenario, where emissions are not expected to peak by mid-century.

Implications:

Highly populated areas of Portugal including the Coimbra District of the Centro region and the City of Porto are located in areas where the percentage of land that lies within the Wildland Urban Interface (WUI) ranges from 51-100% . A zone labelled as WUI may become risk prone to wildfires, as this category of land typically represents an intersection between urban and natural environments, where other risk factors such as extreme droughts and human activity exacerbate likelihood of wildfire ignition events . Although coastal settlements in western Centro and Norte regions of Portugal appear to experience high levels of vulnerability, investors should consider risks outside of densely populated WUI zones, since 60% of Portugal’s 10,000 km of energy transmission corridors are located in forest areas , posing a risk of significant service disruption in remote rural locations.

Indicators to monitor: 

• Wildfire incidence and frequency: regional and national data published by EFFIS

• Data on projected anomaly average mean surface temperature: climate modelling based on Mean Projections (CMIP6).

• Occurrence of extreme weather events, especially droughts and low precipitation events, as monitoring patterns of such events allows to gain an improved understanding of wildfire incidence: predictions from IMF’s European Department.

Cybersecurity - Category B

Cyber incidents, including ransomware attacks, data breaches and IT disruptions are classified as a top risk in Portugal. From a legislative stance, Portugal has a second generation national cybersecurity strategy, in comparison to Germany, Italy and France, which all have at least 3 generations of national cybersecurity strategy documents. Potential investors therefore need to monitor how future editions function to address issues raised both in national reports and in research conducted by The European Union Agency for Cybersecurity. Portugal stands 26th in the National Cyber Security Index, supported by strong ‘fulfillment percentages’ of 75%+ across the majority of areas ranging from Policy to Education. Its weaker scores of 67% on ‘Cybersecurity of Digital Enablers’ and 56% on ‘Cyber crisis management’, point to gaps in relevant official guidelines or strategies targeting these aspects of cybersecurity.

Implications

However, investors can be cautiously reassured by Portugal’s preparedness against cyber incidents. Out of enterprises surveyed in 2024, over 95% ‘Use at least one ICT security measure’ compared to the EU average of 92.76%, and nearly 63% ‘Make persons employed aware of their obligations in ICT security’ . The proportion of enterprises in Portugal that have ‘Experienced ICT security related incidents leading to some consequences’ in 2023 was relatively low at just over 12%, compared to a fifth of enterprises across the EU reporting on cyber-related incidents impacting their operations.

Between 2023-2024 Portugal experienced a jump in the number of national security incident reports in the electronic communication services industry from 30 to 82, meaning there were more annual incidents which reached the necessary threshold to have caused widespread disruption to service provision. Over 25 of these were due to an ‘Accident or natural phenomenon’, which incorporates extreme weather events among other factors. Therefore, we encourage potential investors to recognise cybersecurity and extreme weather events as connected risks, rather perceiving them to be mutually exclusive. A mitigation strategy should address security concerns originating from forest fires, floods and other environmental phenomena, especially since over a quarter of security incidents between 2015 - 2024 had an ‘Accident or natural phenomenon’ root cause. When examining geographical distribution, primarily north/ northwestern districts of Portugal including Porto, Viseu and Guarda were the most affected, having reported 10+ non-national security incidents. Investors who monitor regional or local scale events alongside national cyber incidents are positioned to deal with site-specific disruption, gaining more control over their level of vulnerability.

Indicators to monitor:

• EU level data: Annual findings from ENISA, especially reports ‘On the State of Cybersecurity in the Union’

• Global indices: National Cyber Security Index, especially Portugal’s performance in ‘Cybersecurity of Digital Enablers’ and ‘Cyber crisis management’

• National security incident report data: ANACOM’s Security Breaches or Loss of Integrity reports

Conclusion:

Portugal is in an era where uncertainty from extreme weather events can impact its ability and attractiveness to offer data infrastructure solutions. Data has shown these risks to be geographically skewed towards certain regions, although investors would be wise to consider detailed climate modelling maps when deciding the location of their operations. This is especially true considering wildfire is a natural phenomenon, which is a risk that tends to suffer from an element of unpredictability. Portugal’s strong performance in aspects of cybersecurity both on an EU level, and globally is an encouraging sign for investors. Firms report on adopting security measures and investing in staff training, which places them in an advantageous position in reference to cyber safety and expertise. It is too early to tell if the spike in security incidents in the e-comms industry is a one-off irregularity or a precedent for future alarming trends. 

Annex: