Lisbon, March 19, 2026 (Lusa) – The coordinator of the National Cybersecurity Centre (CNCS) said on Thursday that the entity "never stated" the blackout of 28 April did not originate from a cyberattack, while maintaining that no evidence of such an event was found and defending the containment of misinformation during the initial response.

Speaking before the Environment and Energy Committee in parliament, José Lino Alves dos Santos, emphasised that CNCS’s position was always based on an absence of evidence rather than a categorical exclusion of scenarios, saying that the agency “never claimed it was not a cyberattack”.

He explained that, faced with an unusual event and with no clear signs in the early hours, the priority was to cross-check information with operators, international partners and industry, and no technical evidence, claims or preparatory activity pointing to a malicious origin were identified.

"The main focus was on understanding the source of the problem," he said, emphasising that, despite media pressure and the circulation of rumours about a possible cyberattack, "there is no evidence" to support that hypothesis.

The CNCS coordinator highlighted disinformation as a major threat during the incident, citing a fake news report falsely attributed to CNN that claimed the blackout was a cyberattack. This caused "significant confusion" and a massive influx of enquiries to the centre.

Consequently, the institutional response followed a two-stage communication process: first with technical communities and critical operators, and only then with the media.

“We needed a high degree of certainty before making a statement,” he said, acknowledging the tension between speed and accuracy in a crisis context.

José Lino Alves dos Santos said that the CNCS activated international cooperation mechanisms, including European incident response networks, and maintained direct contact with counterparts in Spain and France, none of whom reported any evidence of a coordinated attack.

Furthermore, an analysis of open-source information and the channels typically used by cybercriminal groups revealed no signs of preparation or claims of responsibility for the incident, reinforcing the preliminary conclusion.

On the day after the power failure, low-impact attacks were recorded against government and public administration websites, claimed by an activist group seeking to “capitalise on the hype”.

Structurally, he admitted difficulties regarding mandatory notification compliance, as only “a handful” of entities reported incidents on that day, leading the CNCS to subsequently notify around 395 organisations, 174 of which subsequently acknowledged relevant occurrences.

The episode exposed persistent challenges in the system's maturity, in a context where the increase in “digital density” broadens the attack surface and complicates uniform protection.

When asked about the disclosure policy, he called for a selective approach based on the "need to know" principle, prioritising targeted communications over generalised alerts.

"There are vulnerabilities that make no sense to disclose publicly if only two or three companies are affected," he said.

PYR/MYAL // ADB.

Lusa