PORTUGAL: Security and Digital Resilience Strategies in Supreme Audit Institutions
Supreme Audit Institutions (SAIs) increasingly rely on evidence in digital formats – electronic documents, registries and databases – which has a direct impact on the credibility and authenticity of audits (Stoykova, 2021). In parallel, CERT-EU reports show an increase in cyber-attacks (CERT-EU, 2025), reinforcing the urgency of cybersecurity measures. Without robust controls, SAIs with jurisdictional powers – bearing in mind their specificities in terms of autonomy and legal frameworks – cannot guarantee reliable digital evidence, undermining their constitutional mission (Teodoro, 2025).
Framework
SAIs within the European Union are bound by European standards, such as Directive (EU) 2022/2555, known as NIS 2, which obliges essential public entities to implement risk management policies in Information Technology, including multi-factor authentication, network segmentation and systematic use of strong encryption.
Concurrently, the General Data Protection Regulation (GDPR) imposes appropriate technical and organizational measures, highlighting encryption (article 32) and the need for accountability. For SAIs, this means ensuring confidentiality, integrity and traceability of personal data processed in audits.
International standards complement this framework: the ISO/IEC 27000 series establishes good practices for information security management, while INTOSAI has published GUID 5100 (2019) and the Cybersecurity and Data Protection Audit Guideline (2022), aligning audit practices with NIST SP 800-53. The INTOSAI Journal highlights critical areas such as supply chains, incidents, personal data, continuous monitoring and IoT (Teodoro, 2025).
Risks
Several SAIs continue to operate with systems dependent on encryption protocols and algorithms that are now considered fragile, perpetuating known vulnerabilities, which increases the probability of successful attacks. Leading cybersecurity authorities already recommend urgent migration to modern and tested algorithms.
Beyond the immediate risks, new attack vectors require a review of current practices. Advanced attack techniques, including AI-based ones such as image prompt steganography, are already beginning to exploit side channels in next-generation cryptographic implementations (Omoseebi, Owen & Ibrahim, 2025), which calls for constant updating of systems.
Recommendations
Among current internationally recognized practices, the Zero Trust architecture model stands out: it breaks with the trusted-perimeter paradigm by assuming that no user or device is intrinsically trustworthy (Rose et al., 2020; ENISA, 2020).
In the field of logging, the "secure logging" technique is pointed out by ENISA as essential to ensure integrity and traceability by linking each entry cryptographically to the previous one (Schneier & Kelsey, 1999). These practices can be complemented by decentralized solutions such as blockchain and smart contracts, which add integrity and transparency to the public sector (Zhu & Zhou, 2022; Lorenzetto & Morbini, 2023).
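The chained logging idea above, worked through as an added example in the spirit of Schneier & Kelsey (1999); this is illustrative code, not from ENISA, the cited paper or any SAI system, and the record format, the key ratchet and the chain anchor are assumptions of the example:

```python
import hashlib
import hmac
import json

# Hypothetical forward-secure audit log in the spirit of Schneier & Kelsey (1999):
# every entry is bound to the hash of the previous entry and authenticated with
# the current epoch key; the key is then ratcheted with a one-way hash and the old
# key discarded, so an attacker who compromises the machine later cannot silently
# modify, reorder or remove earlier entries. Record format and ratchet are assumptions.

GENESIS = hashlib.sha256(b"genesis").hexdigest()   # constructed chain anchor

def ratchet(key: bytes) -> bytes:
    """Derive the next epoch key; the previous key cannot be recovered from it."""
    return hashlib.sha256(b"ratchet|" + key).digest()

class SecureLog:
    def __init__(self, initial_key: bytes):
        self.key = initial_key       # current epoch key, kept only in memory
        self.prev_hash = GENESIS
        self.entries = []            # each entry: seq, data, prev, mac

    def append(self, record: dict) -> None:
        payload = json.dumps(record, sort_keys=True)
        seq = len(self.entries)
        msg = f"{seq}|{self.prev_hash}|{payload}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        self.entries.append({"seq": seq, "data": payload, "prev": self.prev_hash, "mac": mac})
        self.prev_hash = hashlib.sha256(msg + mac.encode()).hexdigest()
        self.key = ratchet(self.key)   # forward security: the old key is gone

def verify(entries: list, initial_key: bytes) -> tuple:
    """Re-walk the chain from the initial key held by the verifier (e.g. in escrow).
    Returns (True, -1) if intact, else (False, index of the first bad entry)."""
    key, prev = initial_key, GENESIS
    for i, e in enumerate(entries):
        msg = f"{e['seq']}|{e['prev']}|{e['data']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(expected, e["mac"]):
            return False, i
        prev = hashlib.sha256(msg + e["mac"].encode()).hexdigest()
        key = ratchet(key)
    return True, -1
```

The chain detects modification, insertion, reordering and deletion of interior entries, but not truncation of the tail, so the verifier must also hold the latest hash or entry count out of band.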
As for future measures, the transition to Post-Quantum Cryptography (PQC) is a strategic priority. In 2024, the European Commission published a roadmap that guides Member States in the adoption of algorithms resistant to quantum attacks (European Commission, 2025) in line with the standardization process conducted by NIST (2022). The NIS Cooperation Group's Roadmap for the Transition to Post-Quantum Cryptography (2025) defines crypto asset inventories, dependency mapping, and risk analysis as first steps.
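The three first steps named above (inventory, dependency mapping, risk analysis), carried through as an added example; this code is not from the NIS Cooperation Group roadmap or any SAI, and the algorithm sets, the horizon and migration figures, the Mosca-style exposure rule and the sample inventory are all constructed assumptions:

```python
from dataclasses import dataclass, field

# Added example (not from the roadmap or any SAI): crypto asset inventory, dependency
# mapping and Mosca-style risk triage. Algorithm sets, year figures and sample data are assumed.
QUANTUM_VULNERABLE = {"RSA", "DSA", "ECDSA", "ECDH", "DH"}   # broken by Shor's algorithm
OBSOLETE = {"MD5", "SHA-1", "3DES", "RC4", "DES"}           # already fragile today
HORIZON_YEARS, MIGRATION_YEARS = 10, 3   # assumed quantum horizon and migration time, not forecasts

@dataclass
class CryptoAsset:
    system: str
    algorithm: str
    purpose: str            # "key-exchange", "encryption", "signature" or "hash"
    protects_years: int     # how long the protected data must stay confidential/authentic
    depends_on: list = field(default_factory=list)   # systems this one relies on

def dependents(inventory: list, system: str) -> set:   # dependency mapping, cycle-safe
    found, todo = set(), [system]
    while todo:
        cur = todo.pop()
        for a in inventory:
            if cur in a.depends_on and a.system != system and a.system not in found:
                found.add(a.system)
                todo.append(a.system)
    return found

def risk(a: CryptoAsset) -> str:   # risk analysis for one asset
    alg = a.algorithm.upper()
    if alg in OBSOLETE:
        return "replace-now"
    if alg in QUANTUM_VULNERABLE:
        exposed = a.protects_years + MIGRATION_YEARS > HORIZON_YEARS
        if a.purpose in ("key-exchange", "encryption") and exposed:
            return "pqc-urgent"     # data captured today could be decrypted later
        return "pqc-planned"        # signatures can be re-issued before the horizon
    return "ok"

def triage(inventory: list) -> list:   # highest risk first, then widest impact
    order = {"replace-now": 0, "pqc-urgent": 1, "pqc-planned": 2, "ok": 3}
    rows = [(a.system, risk(a), len(dependents(inventory, a.system))) for a in inventory]
    return sorted(rows, key=lambda r: (order[r[1]], -r[2], r[0]))

SAMPLE_INVENTORY = [   # constructed sample, not a real institution's inventory
    CryptoAsset("vpn-gateway", "DH", "key-exchange", 10),
    CryptoAsset("evidence-archive", "AES", "encryption", 20, ["hsm"]),
    CryptoAsset("hsm", "RSA", "signature", 15),
    CryptoAsset("legacy-portal", "SHA-1", "hash", 1, ["hsm"]),
    CryptoAsset("audit-portal", "ECDH", "key-exchange", 2, ["vpn-gateway"]),
]
```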
Finally, SAIs should ensure continuous training of human resources and active participation in European processes, which can strengthen their role in defining international guidelines.
Conclusion
By adopting cryptographic agility practices, replacing obsolete algorithms, and strengthening access and key management, SAIs can mitigate immediate risks while preparing for the post-quantum era. These proposals are based on international guidelines aligned with the acquis communautaire.
References
- CERT-EU. (2025). Threat intelligence publications 2025. https://cert.europa.eu/publications/threat-intelligence/2025
- Directive (EU) 2022/2555 of the European Parliament and of the Council. (2022). Measures to ensure a high common level of cybersecurity across the Union (NIS 2 Directive). Official Journal of the European Union, L 333, 80–152.
- European Commission. (2024). Commission Recommendation (EU) 2024/1101: Coordinated implementation roadmap for the transition to post-quantum cryptography. Official Journal of the European Union. EUR-Lex, CELEX 32024H1101.
- European Commission. (2025). EU reinforces its cybersecurity with post quantum cryptography [Press release]. European Digital Strategy.
- European Cybersecurity Certification Group (ECCG). (2025). Agreed Cryptographic Mechanisms (Version 2.0).
- European Parliament & Council. (2016). Regulation (EU) 2016/679 of 27 April 2016 (GDPR). Official Journal of the European Union, L 119, 1–88.
- ENISA. (2020). Artificial Intelligence Cybersecurity Challenges. European Union Agency for Cybersecurity. https://www.enisa.europa.eu/publications/artificial-intelligence-cybersecurity-challenges
- INTOSAI. (2019). GUID 5100: Guidance on Audit of Information Systems. International Organization of Supreme Audit Institutions.
- INTOSAI. (2022). Cybersecurity and Data Protection Audit Guideline. International Organization of Supreme Audit Institutions.
- ISO/IEC. (2018). ISO/IEC 27000:2018 – Information technology – Security techniques – Information security management systems – Overview and vocabulary. International Organization for Standardization. https://www.iso.org/standard/73906.html
- Lorenzetto, A. M., & Morbini, F. K. (2023). The notion of smart contracts, possible problems and their use by the public administration. ESMAT Journal, 15(25), 93–108.
- NIS Cooperation Group, PQC Workstream. (2025). A coordinated implementation roadmap for the transition to post-quantum cryptography (Part 1, Version 1.1). European Commission.
- NIST. (2006). Guide to computer security log management (SP 800-92). National Institute of Standards and Technology.
- NIST. (2020). Security and privacy controls for information systems and organizations (NIST Special Publication 800-53, Rev. 5, incl. updates as of Dec. 10, 2020). U.S. Department of Commerce. https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
- NIST. (2020a). Zero Trust Architecture (SP 800-207). National Institute of Standards and Technology.
- NIST. (2020b). Recommendation for Key Management – Part 1: General (SP 800-57, Rev. 5). National Institute of Standards and Technology.
- NIST. (2022). Post-quantum cryptography: PQC standardization process. National Institute of Standards and Technology.
- NIST. (2023). Advanced Encryption Standard (AES): FIPS 197 (update). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.FIPS.197-upd1
- Omoseebi, A., Owen, J., & Ibrahim, I. (2025). ML-assisted side-channel analysis on PQC algorithms.
- Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020). Zero Trust Architecture (NIST SP 800-207).
- Schneier, B., & Kelsey, J. (1999). Secure audit logs to support computer forensics. ACM Transactions on Information and System Security, 2(2), 159–176. https://doi.org/10.1145/317087.317089
- Stoykova, R. A. (2021). Digital evidence: Unaddressed threats to fairness and the presumption of innocence. Computer Law & Security Review, 40. https://doi.org/10.1016/j.clsr.2021.105506
- Teodoro, T. O. (2025). Strengthening public sector cybersecurity audits: Leveraging NIST standards for Supreme Audit Institutions. INTOSAI Journal, 50(2).
- Zhu, Y., & Zhou, M. (2022). Blockchain-based secure logging scheme with public verifiability. Journal of Information Security and Applications, 31. https://doi.org/10.3934/jisa.2023036
By:
Rui Gonçalo Ferreira de Almeida Santos
Beatriz Maria Fernandes Vaz
