Law no. 96/2015, of 17 August



Assembleia da República (Assembly of the Republic)

Law


(This is not an official translation of the law)

Governs the provision and use of public procurement electronic platforms and transposes article 29 of Directive 2014/23/EU http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32014L0023, article 22 and annex IV of Directive 2014/24/EU http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32014L0024 and article 40 and annex V of Directive 2014/25/EU http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32014L0025 of the European Parliament and of the Council, of 26 February 2014, repealing Decree-Law No. 143-A/2008, of 25 July.

The Assembleia da República (Assembly of the Republic) hereby decrees, under article 161 c) of the Constitution, as follows:

CHAPTER I
General Provisions

Article 1
Subject-Matter

1 - This law governs the provision and use of public procurement electronic platforms, hereinafter simply referred to as e-platforms, provided for in the Public Procurement Code (PPC), approved by Decree-Law No. 18/2008, of 29 January, establishing the requirements and conditions to be fulfilled by such platforms, as well as the obligation of interoperability with the Public Procurement Portal and other systems operated by public bodies.

2 - This law transposes article 29 of Directive 2014/23/EU, of the European Parliament and of the Council, of 26 February 2014, article 22 and annex IV of Directive 2014/24/EU, of the European Parliament and of the Council, of 26 February 2014, as well as article 40 and annex V of Directive 2014/25/EU of the European Parliament and of the Council, of 26 February 2014.

Article 2
Definitions

For the purposes of this law, the following definitions shall apply:

a) «Access», the obtaining of rights to view or edit information, on the basis of the user’s digital identification, through a terminal, of a procedure or process to which the information is related and the state or stage thereof;

b) «Managing company», the legal person that is capable to pursue, under this law, the management and operation of e-platforms;

c) «Stakeholders», all those who take an interest in procedures by following the respective entry procedures;

d) «Interoperability», the ability of e-platforms to exchange information while maintaining its meaning, or to provide services, directly and in a satisfactory manner, between the respective systems and their users, as well as to operate effectively with them;

e) «E-platform», the technological platform made up of a set of computer applications, means and services that are required for the operation of national electronic public procurement procedures, over which the referred procedures take place;

f) «Electronic certification services», the provision of qualified certificates for the purpose of the generation of qualified electronic signatures and of timestamps;

g) «Submission of tender», «submission of application» or «submission of solution», the moment on which the tenderer or applicant effectively submits the tender, application or solution, after it has been uploaded to the e-platform.

Article 3
Use of e-platforms

Communications, exchanges of data and of information processed through e-platforms on the terms set out in PPC, as well as the respective archive, shall comply with rules, requirements and technical specifications provided for in this law.

Article 4
List of e-platforms

The up-to-date list of licensed e-platforms and of the respective managing companies shall be published at the websites of the Instituto dos Mercados Públicos, do Imobiliário e da Construção, I. P. (IMPIC, I. P. - the Institute of Public Markets, Real Estate and Construction) and of the Gabinete Nacional de Segurança (GNS - the National Security Office), as well as in the Public Procurement Portal.

Article 5
Freedom of choice of e-platforms

1 - Contracting bodies shall acquire e-platform services according to contract formation procedures laid down in PPC, among e-platforms included in the list referred to in the preceding article.

2 - Economic operators are free to choose the public procurement e-platform that they intend to use, for the purpose of the participation in public contract formation procedures, among e-platforms licensed by IMPIC, I. P. 

Article 6
Freedom of choice of electronic certification providers and services

1 - Contracting bodies and economic operators are free to choose the electronic certification providers and services that they intend to use in the scope of public contract formation procedures.

2 - Managing companies must guarantee the applicability of the provision established in the preceding paragraph.

CHAPTER II
Licensing, monitoring and supervisory body, accrediting body and security auditors

SECTION I
Licensing, monitoring and supervisory body and accrediting body

Article 7
Licensing, monitoring and supervisory body

1 - It shall be incumbent on IMPIC, I. P. to license, monitor and supervise e-platforms.

2 - IMPIC, I. P. shall in particular:

a) Assist the supervising Government member in the definition of the strategic guidelines related to electronic public procurement, including the issue of opinions and the drafting of laws in this scope;

b) Issue licenses required for the exercise of e-platform management;

c) Ensure the monitoring and follow-up of e-platform activity, namely by preparing statistical reports;

d) Ensure the supervision of platform activity.

Article 8
Accrediting body

1 - It shall be incumbent on GNS to accredit e-platforms and the respective security auditors.

2 - GNS shall, in addition to other assignments provided for herein:

a) Accredit security auditors of e-platforms;

b) Accredit, in the national brand and at a confidential degree, the members of management and supervisory bodies  of managing companies with access to their management actions and instruments, shareholders, and in case of a public limited corporation, shareholders with shareholding of no less than 10%;

c) Accredit e-platforms;

d) Draft technical standards;

e) Identify applicable international standards, namely those provided for in paragraph 3 of article 43 and paragraph 5 of article 52.

3 - Applications for accreditation provided for in point c) of the preceding paragraph shall be submitted directly to GNS or, in the alternative, to IMPIC, I. P., together with licensing applications provided for in paragraph 1 of article 14, which shall immediately forward them to GNS.

SECTION II
Human and technical resources

Article 9
Organisational structure of the managing company

1 - The organisational structure of the managing company, which shall be demonstrated to GNS, shall include, at least, the following positions and functions required for the operation of systems:

a) Security administrator, who shall take overall responsibility for implementing security policies and practises;

b) System administrator, who shall be authorized to install, set up and maintain systems, however with limited access to security settings and issues;

c) System operator, who shall be responsible for operating systems on a daily basis, and authorized to make security copies and routine operations;

d) System auditor, who shall be authorized to monitor system activity archives and event logs to be audited.

2 - The positions or functions referred to in points a), b) and d) of the preceding paragraph shall not be carried out by the same person.

3 - All those who play a role related to e-platform procedures, in particular positions defined in the preceding paragraph, shall be free from any conflict of interest that may hinder their impartiality in the performance of their tasks.

4 - The managing company shall be responsible for all services included in the scope of the e-platform it holds, as well as for human resources covered by its organisational structure, even where provided by third parties whose services it uses.

5 - The managing company shall be entitled to contract the provision of technological services and the supply of the respective components and human resources, taking overall responsibility for compliance with all requirements laid down in the present law.

6 - Contracts concluded between the managing company and any service provider shall necessarily be available in written form, laying down obligations of parties and identifying services and functions provided by the contracted party.

Article 10
Security auditors

1 - The security auditor shall be a natural or legal person, independent of the managing company, of recognised good standing, experience and attested qualifications in the area of information and information security systems, duly accredited by GNS, under point a) of paragraph 2 of article 8.

2 - The security auditor shall guarantee that its staff members do not act in a partial or discriminatory manner, and shall be subject to the following impediments:

a) Not to carry out audits to the same e-platform for longer than three consecutive years;

b) Not to carry out audits in case of any situation which may impair its independence;

c) Not to have provided services to the managing company for the three previous years, nor to maintain with it any other contractual agreement or relation.

3 - The security auditor, before entering into a contract with the managing company, shall request a prior authorization for such purpose from GNS, which shall reach a decision within 30 days.

4 - The authorization referred to in the preceding paragraph shall depend, in particular, on the absence of any situation of impediment or incompatibility for the performance of the activity on the part of the auditor.

5 - Where it follows from the application of paragraph 2 that there are no available security auditors accredited by GNS, the latter shall guarantee that the audit is carried out.

SECTION III
Security reports

Article 11
Initial security report

1 - The security auditor, appointed by the managing company, shall be responsible for drafting the initial security report, for the purpose of obtaining e-platform accreditation.

2 - The initial security report must be drafted in compliance with ISO/IEC 20000 and 27001 standards, and must include:

a) Identification of profiles of technical staff that operate e-platforms, with the description of the respective functions;

b) Detailed technical description of the e-platform architecture and systems, with an analysis and checking of:

i. Conformity of digital certificates used and made available by e-platforms;

ii. Performance of user authentication and validation processes;

iii. Conformity of electronic signature requirements in use;

iv. Time-stamping procedures;

v. Levels of security checked in encryption and decryption processes;

vi. Procedures to recover private encryption keys;

vii. Private key escrow procedures;

viii. Control mechanisms for access to e-platforms and for operation of access logs;

ix. E-platform operability in multiple operating systems and multiple browsers;

x. Standard format of files uploaded to e-platforms;

xi. Procedures for uploading documents;

xii. Operation of security mechanisms and resources, guarantee of confidentiality and integrity of tenders, applications and solutions presented in competitive procedures;

xiii. Synchronisation of e-platform services with the network time protocol (NTP) defined on the basis of coordinated universal time (UTC);

xiv. Digital archive and preservation features, as well as e-platform interoperability features, as required under paragraph 3 of article 36.

Article 12
Annual security report

1 - In order to maintain e-platform accreditation, as well as its own accreditation, the respective security auditor shall conduct an annual e-platform audit, observing the ISO/IEC 20000 and 27001 Standards, and draft the respective annual security report, which shall be submitted to GNS by the end of February each calendar year.

2 - The annual security report shall include not only elements referred to in paragraph 2 of the preceding article, but also an analysis of formation procedures of contracts already concluded and underway, by means of random sampling, deemed to be sufficient for the drafting of an accurate report, with minimum margins for error.

3 - Where non-conformities arise from the report referred to in the preceding paragraph, the managing company is required to remedy these situations within 30 days.

4 - After the expiry of the deadline referred to in the preceding paragraph, the auditor shall conduct a new audit, in order to evaluate whether deficiencies indicated have been corrected.

5 - Where it is found from the new audit that situations identified, or some of them, have not been properly corrected, this fact shall be communicated by GNS to IMPIC, I. P., so that the latter, after carrying out the respective prior hearing, promotes the revocation of the license, without prejudice to any liability for administrative offences.

6 - Where the license is revoked, pursuant to the preceding paragraph, the managing company shall transfer to each contracting body, within 30 days, all information and documentation concerning the respective ongoing public contract formation procedure, which shall subsequently continue over a different e-platform licensed by IMPIC, I. P.

CHAPTER III
Licensing of the management and operation of e-platforms

Article 13
Management and operation licensing

1 - The management and operation of e-platforms on national territory shall be dependent on a license to be granted by IMPIC, I. P.

2 - Licenses issued by IMPIC, I. P. shall be valid for 10 years, without prejudice to the annual officious checking that general licensing requirements continue to be met and to the revocation of the license where such requirements are not complied with.

Article 14
License applications

1 - License applications for the management and operation of e-platforms shall be submitted to IMPIC, I. P., at the respective website or at the Entrepreneur's Desk, a specific form approved by the governing board being used for the purpose.

2 - Where applications show omissions or deficiencies which may be completed or corrected or where irregularities and shortcomings are found in preliminary documents which are not able to be officiously completed, applicants shall be notified, within 10 days from the date of submission of the application, to make the appropriate corrections or to present the missing documents, within a period prescribed by IMPIC, I. P., which shall not be less than 15 days nor over 30 days, failing which the application shall be rejected.

3 - To rule on the application, IMPIC, I. P. shall have 60 days from the date of the respective submission or from the reception of elements requested under the preceding paragraph or, where such elements have not been submitted, from the expiry of the period granted for the respective presentation.

4 - Where the accreditation application is submitted directly by the applicant to IMPIC, I. P., pursuant to paragraph 3 of article 8, the period for taking a decision referred to in the preceding paragraph shall begin after documents attesting accreditation of the e-platform are effectively received.

5 - The draft decision referred to in paragraph 3 shall be submitted to the applicant, for prior hearing purposes, pursuant to the Administrative Procedure Code.

6 - The final decision shall be notified to the applicant, within at the most eight days, together with the invoice for the fee due, where the application is accepted by IMPIC, I. P.

7 - The payment of the fee within the deadline set out in the respective invoice, as well as the payment of any fines still due, shall be required to guarantee the effectiveness of the license.

Article 15
General licensing requirements

The granting of a licence for the provision of e-platform services shall be dependent upon the cumulative fulfilment by applicants of the following conditions:

a) The respective e-platform must be accredited by GNS, under paragraph 2c) of article 8;

b) Being of commercial good repute, pursuant to the following article;

c) Holding a minimum equity amount, under article 17;

d) Holding insurance against civil liability, or a financial guarantee or equivalent instrument that may replace it, in order to ensure liability arsing from the pursued activity, under article 18;

e) Submitting a report, using the standard form provided by IMPIC, I. P., issued by the legal representatives of the managing company, declaring on oath that the latter complies with requirements laid down in sections I and II of chapter IV.

Article 16
Commercial good repute

1 - Managing companies and respective legal representatives that have been declared bankrupt shall not be deemed to be commercially reputable, except where a final judgment has already been delivered approving the respective insolvency plan.

2 - Natural and legal persons and the respective legal representatives that have been banned from pursuing business, shall also not be deemed to be commercially reputable, for the period of time for which the ban in valid.

3 - Natural and legal persons and the respective legal representatives that have been convicted three times for the intentional commission of administrative offences provided for herein, shall also not be deemed to be commercially reputable.

4 - For the purpose of the preceding paragraph, convictions of a natural person, individually or as the legal representative of a legal person, and convictions of a legal person, of which the natural person has been legal representative, shall be taken into account.

5 - The following persons shall not be deemed to be commercially reputable:

a) Natural persons and legal representatives of legal persons in any of the situations indicated in paragraphs 1, 2 and 3;

b) Legal persons in any of the situations indicated in paragraph 3, as well as legal persons whose legal representatives are not deemed to be reputable under this article and who fail to replace the latter within at the most 30 days from the acknowledgement of the fact that determined the loss of good repute.

6 - Legal representatives of managing companies that have been sentenced by a final judgement to effective imprisonment, even where the prison sentence is suspended, for committing any of the crimes specified below, shall not be deemed to be commercially reputable:

a) Swindling, computer and communication fraud, or occupational or employment fraud;

b) Malicious bankruptcy, negligent bankruptcy, favouring creditors or disturbing auctions;

c) Document falsification or counterfeiting, where committed in the scope of e-platform management;

d) Disobedience, where committed in the scope of e-platform management;

e) Active corruption;

f) Fraud in obtaining subsidies or grants, diversion of grants, subsidies or subsidised credit, fraud in obtaining credit and offence to economic reputation;

g) Counterfeiting, imitation or illegal use of trademark, where committed in the scope of e-platform management;

h) Money laundering.

7 - Convictions referred to in paragraph 3 shall not be considered after expiry of a three-year period of full compliance with obligations resulting from the application of the last sanction.

8 - The conviction for the commission of any of the crimes provided for in article 6 shall not affect the good repute of all those whose criminal record has been cancelled, either definitively or provisionally, or regarding which IMPIC, I. P. considers, in a duly justified manner, that conditions of good repute are met, taking specifically into account the time elapsed since the commission of facts.

9 - Where IMPIC, I. P. considers that a situation of lack of reputability exists, it shall justify in a substantiated manner the factual and legal circumstances on which such judgment is based.

Article 17
Equity

1 - Managing companies shall be required to have a minimum equity amount of 50 000 Euros.

2 - The minimum equity amount provided for in the preceding paragraph shall be fully paid by the date of the licensing application and shall be a condition for maintaining the license.

Article 18
Civil liability insurance

1 - The annual minimum amount of civil liability insurance, referred to in point d) of article 15, shall be 150 000 Euros.

2 - The insurance provided for in the preceding paragraph, as well as the financial guarantee or equivalent instrument that may replace it, may be contracted in any State of the European Economic Area, under paragraphs 2 and 3 of article 13 of Decree-Law No. 92/2010, of 26 July, and where the risk lies in Portugal, minimum conditions set out in Annex I hereto, which is deemed to be an integral part hereof, shall be met.

3 - The civil liability insurance aims to cover damage to property caused to third parties, resulting from acts or omissions of companies, their representatives or collaborators.

4 - For the purpose of this article, third parties shall be deemed to mean all those who suffer damage to property, resulting from acts or omissions of managing companies, even where they have not been parties to the respective contract for use of the e-platform.

Article 19
License revocation

1 - The license for the provision of e-platform services shall be revoked:

a) Where IMPIC, I. P. demonstrates that the managing company has ceased to meet any of the general licensing requirements provided for in article 15;

b) Where the managing company terminates its activity on national territory.

2 - The draft license revocation decision on the grounds set out in point a) of the preceding paragraph shall be communicated to the managing company for prior hearing purposes.

3 - The license revocation decision shall be communicated by IMPIC, I. P. to the managing company and to GNS, and shall be published at the websites of IMPIC, I. P. and GNS as well as at the Public Procurement Portal.

4 - Having the license been revoked, under paragraph 1, the managing company shall supply IMPIC, I. P., within 15 days from the date on which the revocation took place, an electronic copy of archives concerning public contract formation procedures carried out over the respective e-platform, without prejudice to paragraph 6 of article 12.

CHAPTER IV
Duties of managing companies

Article 20
General duties

Managing company established on national territory shall:

a) Ensure compliance with general licensing requirements set out in article 15;

b) Comply with functional, technical and security requirements defined in this law;

c) Implement an information system management system based on the ISO/IEC 20000 standard, covering the whole technological infrastructure described in point e) of article 2, including the support service provided for in article 22;

d) Implement an information security management system based on the ISO/IEC 27001 standard, with the coverage provided for in the preceding paragraph;

e) Organize and archive, for at least 10 years from the respective signature, a copy of all service provision contracts concluded in the pursue of the activity;

f) Maintain an electronic complaint management system that allows the storage of information for a minimum period of five years.

Article 21
Duties towards the Instituto dos Mercados Públicos, do Imobiliário e da Construção, I. P. and the Gabinete Nacional de Segurança

1 - Managing companies established on national territory shall provide to IMPIC, I. P. and GNS access to the respective premises and to equipment and systems related to e-platform management, providing them with all information, documentation and other elements related to their activity that is requested, and shall also communicate to them, within 15 days from the respective occurrence:

a) Any change in general licensing conditions provided for in article 15;

b) The termination of activity on national territory;

c) The establishment of branches, agencies, stores, customer assistance points and other forms of commercial representation of the company related to the management of e-platforms on national territory.

2 - Managing companies established on national territory shall be also required to inform IMPIC, I. P. and GNS, within 15 days from the respective occurrence, of all changes that imply the update of the company’s identification data, as well as, in the case of companies with head offices on national territory or set up under Portuguese law, any amendments introduced in the respective articles of association.

3 - Communications and information referred to in the preceding paragraphs shall be provided through the means indicated in paragraph 1 of article 14, the provision of false statements or of false information being punishable under the law.

Article 22
Duties towards users

1 - In the scope of technical conditions for use by users, the managing company, from the beginning of the public contract formation procedure over the e-platform up to the respective conclusion, shall be required:

a) To intervene and to assist, where necessary or where requested, in the clarification of any doubts as regards the use of the e-platform by representatives of the contracting body or by parties with interest in the contracting procedure;

b) To ensure the existence of a channel of communication in order to solve specific problems that arise in the scope of the contract formation procedures;

c) To draft malfunction reports, access logs, submissions or other relevant information, where technically possible, for decision-making purposes in the scope of public contract formation procedures, where requested by the respective selection panel;

d) To keep a helpline for users, that allows at least:

i. The provision of a «707» single number telephone line;

ii. The provision of customer support services between 9:00 and 19:00, on working days;

iii.  To guarantee customer support levels in compliance with Decree-Law No. 134/2009, of 2 June, as amended by Decree-Law No. 72-A/2010, of 18 June.

2 - To comply with obligations provided for in the preceding paragraph, the managing company shall make available, at the e-platform homepage, its customer service and technical support contact details.

3 - The managing company shall also communicate to the respective users, at least 90 days in advance, of its intention to terminate the provision of e-platform management services, indicating the body to which all documentation must be submitted.

CHAPTER V
Types of services provided over e-platforms

Article 23
Remuneration for services provided

1 - Managing companies shall be remunerated by contracting bodies for the provision of the e-platform, for the support to the respective use and other advanced services, as agreed by contract between the parties, in compliance with procedures established in PPC, with full respect for competition rules established in national and European law.

2 - Managing companies shall provide any economic operator, either natural or legal person, free of charge, a minimum of three simultaneous accesses to basic services of the respective e-platform.

3 - Managing companies shall only charge economic operators for the provision of more than three accesses to basic services or for the provision of advanced services.

4 - Managing companies shall make available, at a public location of the e-platform, the price list of all services provided, with an explicit indication of its entry into force, or of the last update.

5 - The remuneration model of managing companies, for the purpose of the definition of amounts to be paid among them, taking into account the volume of procedures launched in each e-platform and the number of electronic operators participating therein through other platforms, shall be the subject of an administrative rule to be issued by the member of the Government in charge of IMPIC, I. P.

Article 24
Basic services provided to economic operators

1 - Basic services to be provided to economic operators under paragraphs 2 and 3 of the preceding article shall cover the access to all essential features, under a contract for use with the selected platform, which allow the full development of public pre-contractual procedures, in particular:

a) Access to procedures and to elements of the procedure that have been published;

b) The sending of messages through the e-platform;

c) The sending of emails to all participants at the ongoing stage of the public contract formation procedure, where such communication is required under PPC;

d) Requests for clarifications and lists of errors and omissions;

e) Submission of applications, tenders and solutions;

f) Comments in the scope of prior hearings;

g) Complaints or challenges;

h) The procurement decision;

i) The submission of qualification documents;

j) The display of all messages and warnings created by contracting bodies to which, under the law, economic operators must be granted access.

2 - Access to basic e-platform services shall be granted to economic operators registered in a platform.

3 - Services to be provided by managing companies shall meet all requirements and conditions laid down in PPC and in this law, in the scope of each of the stages of the public contract formation procedure.

4 - The managing company shall be responsible for making available the features required for compliance with provisions of PPC and of this law, as regards electronic contracting in proper conditions of safety, registration, reliability and sustainability.

5 - User interface and all communications and procedures carried out over e-platforms shall be written in Portuguese, however additional interfaces may be made available in other languages.

Article 25
Advanced services provided to economic operators

For the purpose of paragraph 3 of article 23, advanced services cover all services that, while not required for the full development of public pre-contractual procedures, pursuant to the preceding article, are optional, and may be provided over e-platforms to economic operators subject to a contract and to the payment of an amount.

Article 26
Termination of the provision of management and operation services

Where the managing company terminates the provision of the contracted services, on its own accord or further to a third party decision, agreement with contracting bodies or expiry of contracts for the provision of services, persons legally in charge shall ensure, at no additional  costs, that:

a) Information on public contracting procedures already concluded, as well as audit archives, are transferred, for the purpose of custody, to contracting bodies of each procedure, being ensured that all documents are kept readable;

b) Ongoing public contract formation procedures take their normal course until they are concluded, at no additional cost for the contracting body or for interested economic operators, applicants or tenderers.

CHAPTER VI
Functional, technical and security requirements of e-platforms

SECTION I
Functional requirements of e-platforms

Article 27
Requirements of e-platforms

Services provides over e-platforms shall fully meet all requirements and conditions laid down in PPC in the scope of each stage of contract formation procedures.

Article 28
Provision and free access

1 - E-platforms shall be available, and may not represent a restraining factor in the access of stakeholders to public contract formation procedures.

2 - The access to e-platforms and their instruments shall be available on a permanent basis to all stakeholders, save where access limitations are justified on grounds of system maintenance or repair.

3 - The registration procedure of economic operators in e-platforms, in the free-of-charge modality, shall not exceed three working days.

4 - The maintenance of economic operator and user data shall be performed by users themselves autonomously and at no cost, except as regards the designation of economic operators, the respective tax identification number and each user’s email address.

5 - E-platform maintenance operations that limit service availability shall take place between 00h00 and 8h00, on working days, or any time on Saturdays, Sundays and national holidays, in order to reduce any constraints which may arise for users.

6 - Save in duly justified cases of urgent maintenance, maintenance operations referred to in the preceding paragraph shall be communicated to users, at each platform homepage, 72 hours in advance, and notified to IMPIC, I. P. no later than 24 hours after such operations occur.

Article 29
Non-discrimination

1 - Instruments to be used over e-platforms and provided to economic operators, namely products, applications and computer programs, as well as the respective technical specifications, shall be compatible with products in general use in the field of information and communication technologies, namely the Regulamento Nacional de Interoperabilidade Digital (RNID - the National Digital Interoperability Regulation), in order to avoid discriminatory situations.

2 - Managing companies shall not demand compliance with requirements that are unjustified, disproportionate or that in some way introduce a discrimination factor, namely for the purpose of the access to the e-platform contracting system.

3 - The e-platform shall indicate how computer programs in use may be obtained, as well as the respective controls and instructions.

4 - Applications and computer programs used over e-platforms shall be easy to install and use, together with the respective set up and use manual, allowing access by users with average skills in the fields of information and communication technologies.

Article 30
Functional requirements

1 - E-platforms shall guarantee compliance, at the very least, with the following functional requirements:

a) To be based on open standards, under RNID, that do not involve specific licensing costs for users, making available applications that enable the upload of documents to the e-platform;

b) To ensure that all messages between stakeholders, applicants, tenderers and contractors, concerning clarifications, lists of errors and omissions, comments, including documents attached thereto, are automatically displayed to all those with access to the ongoing procedure stage;

c) To guarantee the sending of emails to all participants in the ongoing stage of the public contract formation procedure, where such communication is required under PPC;

d) To guarantee that the sending of emails is registered;

e) To guarantee the record of any action performed by the various registered users;

f) To list, organize and export to XML format (Extensible Markup Language) or to a spreadsheet in ODF format (Open Document Format), at all stages of the procedure, the relevant information for management, reporting and monitoring purposes, including metadata;

g) To make available a procedure flow check and control report, according to the following article;


h) To allow the parameter setting of procedures, different  procurement criteria being applied to each lot;

i) To carry out all public contract formation procedures, under PPC;

j) To allow the aggregated download of all documents attached to messages submitted by economic operators;

k) To allow the aggregated download of all documents, including procedure documents, requests for clarification on such documents, clarifications provided on such documents,  lists of errors and omissions, comments on errors and omissions, tenders submitted by competitors, requests for clarification on tenders, clarifications provided on tenders, reports of the selection panel and of competent services of the contracting body, comments in the scope of the prior hearing and all notifications from the contracting body, per procedure;

l) To allow the use of electronic authentication and signature mechanisms with qualified certificates issued by bodies included in the Trusted-Service Status List, in particular the one stated on the citizen card;

m) To provide access to activity logs performed in the various stages of the contracting procedure, with the possibility of defining automatic notifications of events;

n) To allow bills of quantities with multiple requirements (n*m matrix) and multiple lots to be imported and to be exported to XML format or to a spreadsheet in ODF format;

o) To be provided with a «clock/timer» associated to the official Portuguese time, that counts down, according to PPC, the time left for each stage of the procedure, namely to submit clarification requests, to identify errors and omissions, to submit tenders, to assess a prior hearing, to submit qualifying documents, to accept a draft contract and to provide a security;

p) To carry out electronic monovariable and multivariable electronic reverse auctions, with one or more rounds, concealing the identification of participating competitors;

q) To allow bidirectional integration with management information systems of purchasers, via the Public Administration interoperability platform, allowing the sending of information to the public procurement platform and the sending of information in the opposite direction;

r) To guarantee that an audit may be carried out at any moment in the process;

s) To guarantee the checking of characteristics of the qualified certificate for electronic signature of documents;

t) To allow the access by the Competition Authority to data for monitoring prices presented by economic operators.

2 - Contracting bodies shall be entitled to impose additional requirements, as regards documents that support e-platform contracting procedures, in particular:

a) The availability of pre-production environment to carry out tests and initial training;

b) To allow the provision of the e-platform at sub-domain level, at the managing company domain, as defined by the contracting body;

c) To allow, via the Public Administration interoperability platform, the collection of information on purchase procedures in the scope of the National Public Procurement System, in order to monitor prices presented by economic operators, as defined by the Entidade de Serviços Partilhados da Administração Pública, I. P. (ESPAP, I. P. - the Public Administration Shared Services Body).

Article 31
Procedure flow

1 - E-platforms shall maintain the operation of a system that documents all electronically-conducted stages of the procedure, allowing, at each moment, the supply of appropriate and reliable information as required.

2 - E-platforms must provide the features required to meet this obligation, so that documents are maintained in their original format, duly stored, as well as a record of all incidents of the procedure, which may be used as evidence where a dispute arises.

3 - The system referred in paragraph 1 shall allow the identification of, among other information:

a) The body and user that accessed the elements of the procedure;

b) The exact date and time when documents were submitted;

c) The document sent, as well as the body and user that sent it; and

d) The duration of the communication.

4 - The system provided for in this article shall be kept up-to-date, including chronological information in tender documents, until the procurement act, without prejudice to article 74.

Article 32
E-platform access impediments

1 - The contracting body and the managing company shall only be held accountable for technical impediments in the access to the e-platform for which they, the system over which the platform operates or the platform itself, are responsible.

2 - In the event of technical problems in the public network or in the e-platform which prevent or make excessively time-consuming the performance of any act that under PPC must be carried out over e-platforms, the contracting body, on its own initiative or at the request of applicants and tenderers, shall take all necessary measures so that stakeholders are not jeopardised, namely extending the deadline for the performance of such acts, to the benefit of all applicants and tenderers.

3 - The managing company shall inform, through an advertisement published at the e-platform homepage, at an area of free access to all stakeholders, the period of time during which it remained inoperative.

Article 33
Information to stakeholders

E-platforms shall make available, at an area of free access to all potential stakeholders, the specifications required to carry out contract formation procedures, in particular those concerning:

a) Advertisements published in the Official Gazette or in the Official Journal of the European Union, where appropriate;

b) Documents of the procedure;

c) How applications, solutions and tenders should be submitted, as defined by the contracting body;

d) Data encryption requirements;

e) Electronic signatures required and how they should be obtained, namely through the use of citizen card certificates;

f) Time-stamps required and how they should be obtained;

g) Requirements to be met as regards files including tender, application and solution documents.

SECTION II
Technical requirements of e-platforms

Article 34
Interoperability and compatibility

1 - E-platforms shall comply with interoperability and compatibility requirements provided for in RNID.

2 - E-platforms shall be able to allow a comprehensive exchange of information, in particular between differing formats and applications or between different levels of performance, observing requirements established and updated, where justified on technological grounds, by an administrative rule issued by members of the Government in charge of IMPIC, I. P., ESPAP, I. P., and Agência para a Modernização Administrativa, I. P. (AMA, I. P. - the Agency for Administrative Modernisation), and members of the Government to which GNS is subject, namely:

a) Scripting language for web pages;

b) Level of accessibility for public pages;

c) Remote access to file systems (where appropriate);

d) Secure sending of email;

e) Graphic representation for business process specification;

f) Protocol for the guarantee of message delivery when two or more information systems of bodies of the Public Administration are integrated;

g) Security of the integrity and confidentiality of the communication when two or more information systems of bodies of the Public Administration are integrated;

h) Security of the authentication of the communication when two or more information systems of bodies of the Public Administration are integrated

i) Possibility of using WS-Addressing when exchanging information between information systems;

j) Definition of the universal standard used for all files uploaded to e-platforms;

k) Type of electronic signature which all electronically-signed documents should use.

Article 35
Interconnection with public platforms

1 - Without prejudice to the preceding paragraph, e-platforms must ensure, where required and technically possible through the interoperability platform of the Public Administration, their interconnection with:

a) The Public Procurement Portal, both at technical level and as regards compliance with synchronism standards required for the transfer of requested data between the e-platform and the referred portal;

b) The Official Gazette electronic portal, namely for the purpose of sending advertisements provided for in PPC;

c) The National Public Procurement Catalogue of ESPAP, I. P., both at technical level and as regards compliance with synchronism standards required for the transfer of requested data between the e-platform and the referred catalogue;

d) The shared solution relating to budgetary and financial resources management (GeRFiP, of ESPAP, I. P.), both at technical level and as regards compliance with synchronism standards required for the transfer of requested data between the e-platform and the referred solution;

e) The solution to be implemented by the Court of Auditors or by bodies of the National System for Internal Control of the State’s Financial Administration, in the scope of their powers in the area of audits and control of public contracts;

f) The citizen card authentication solution and the central authentication mechanism «Autenticação.Gov.pt» provided by AMA, I. P.;

g) The Protocol on Standardisation in the field of Construction Technical Information (ProNIC), managed by IMPIC, I. P.;

h) The platform to be developed by the Competition Authority.

3 - Managing companies shall not charge any amounts for the establishment of interconnections provided for in the preceding paragraphs.

Article 36
Interconnection between e-platforms

1 - Managing companies shall comply with conditions of interconnection and interoperability among them, so that economic operators are able to choose the e-platform freely, regardless of the platform used by the public body with which they wish to interact.

2 - ESPAP, I. P., shall be responsible for the e-platform interconnection system, the development and maintenance of which are ensured by Imprensa Nacional-Casa da Moeda, S. A. (INCM - the Portuguese Mint), which operates through the interoperability platform of the Public Administration.

3 - Conditions of interconnection, interoperability and financing shall be set out by administrative rule of the members of the Government in charge of AMA, I. P., ESPAP, I. P., and IMPIC, I. P., the members of the Government to which GNS is subject and those in charge of INCM, to be published with 90 days from the publication of this law.

4 - Where more advanced stages of interoperability are achieved, the obligation to provide basic services defined in article 24 shall cease.

Article 37
Exchange of information between e-platforms and the Public Procurement Portal

1 - Information transmitted by e-platforms to the Public Procurement Portal is intended, in particular, for archiving, statistical processing and information monitoring purposes, and transmitted data shall be duly codified and susceptible to be automatically processed.

2 - The codification referred to in the preceding paragraph must be perfectly synchronised with the Public Procurement Portal, so that no disturbance occurs in the scope of the correct identification of bodies and processes to which the transmitted information concerns.

3 - Conditions of interconnection of e-platforms with the Public Procurement Portal shall be defined by administrative rule of the member of the Government in charge of IMPIC, I. P.

4 - Without prejudice to the preceding paragraph, e-platforms shall provide for the possibility of groups of contracting bodies carrying out procedures, making available for this purpose fields for indicating data of each contracting body, namely the designation and identification number of the legal person, as well as other data required for the automatic export of forms, to be defined under the following article.

Article 38
Data to be transmitted to the Public Procurement Portal

E-platforms shall transmit to the Public Procurement Portal data concerning the formation and implementation of public contracts, in accordance with the arrangements to be established by administrative rule of the member of the Government in charge of IMPIC, I. P.

SECTION III
Security requirements for e-platforms

Article 39
Security implementation and management

1 - In the performance of their activity, managing companies shall implement an information security management system based on the ISO/IEC 27001 Standard.

2 - For the purpose of the preceding paragraph, managing companies shall supply GNS with documents attesting in particular:

a) The performance of a thorough assessment of risks that identifies the scope of the application of the system and points to the impact on the activity in case the guarantee of information is violated;

b) The identification of threats and vulnerabilities of the e-platform, and the drafting of a document on risk analysis which includes a list of countermeasures to avoid such threats, and corrective measures to be taken in case the threat materialises, as well as a prioritised list of improvements to be introduced;

c) The written identification of residual risks.

3 - Managing companies shall select the appropriate security controls on the basis of the risk assessment provided for in point a) of the preceding paragraph, and in the ISO/IEC 27002 Standard, for the following security areas:

a) Risk evaluation, being adopted for this purpose the ISO/IEC 27005 Standard or another equivalent risk evaluation methodology;

b) Physical and environmental security;

c) Human resources security;

d) Management of communications and operations;

e) Standard measures for access control;

f) Purchase, development and maintenance of information systems;

g) Management of incidents in the scope of information security;

h) Measures to correct and mitigate violation of information systems likely to cause the destruction, accidental loss, alteration, disclosure or non-authorized access to personal data to be processed;

i) Conformity;

j) Security of computer networks, being recommended for this purpose the ISO/IEC 27033 Standard.

4 - The application of these standards may be confined solely to parts of the organization that are relevant to the activity of e-platforms.

Article 40
Management of users, access profiles and privileges

1 - E-platforms shall use profiles with different privileges, including, at the least, the following:

a) Security administrator;

b) System administrator;

c) System operator;

d) System auditor.

2 - The e-platform shall be capable of associating and allocating users to profiles defined in the preceding paragraph.

3 - The e-platform shall guarantee that users are not associated to multiple profiles, according to the following criterion:

a) Users with the «security administrator» profile shall not be authorized to use the «system auditor» profile;

b) Users with the «system administrator» profile shall not be authorized to use the «security administrator» or the «system auditor» profiles.

Article 41
Systems and operations

1 - The managing company shall ensure that the e-platform is reliable, namely that:

a) Operation and security procedures are defined;

b) The e-platform has been designed and developed so that the system failure risk is minimum;

c) The e-platform is protected from virus and malicious software, so as to ensure the integrity of systems and information included therein.

2 - E-platforms shall ensure that information for all users, except during maintenance periods, in compliance with paragraphs 5 and 6 of article 28.

3 - E-platforms shall implement solutions so as to inhibit and minimize the effects of dedicated denial of service attacks.

4 - The connection to the e-platform to the public network shall be ensured, at least, by two physically independent sources.

5 - The various systems that make up the e-platform shall be expeditiously updated and patched, as new vulnerabilities are found to exist.

6 - All e-platform services shall be synchronized with NTP (Network Time Protocol) defined according to UTC (Universal Time Coordinated), and two time sources shall be used, one of which being the Portuguese legal time.

7 - In case of disaster, e-platforms shall provide the necessary means to continue operations, using alternative systems and ensuring the backup required to guarantee the integrity and possibility of recovery of information.

8- The managing company shall specify in its policy the maximum period of time acceptable to restore services.

Article 42
Application security

1 - The managing company must guarantee that the system is duly protected against vulnerabilities and attacks, guarding in particular against:

a) Injection flaws such as structured query language (SQL) queries, lightweight directory access protocol (LDAP) queries, XML path language (XPath) queries, operating system (OS) commands or program arguments;

b) XSS (Cross-Site Scripting).

2 - The system shall ensure strong authentication and session management, which requires, at least, that:

a) Credentials are always protected when stored using hashing or encryption;

b) Credentials cannot be guessed or overwritten through weak account management functions, such as account creation, change password, recover password, weak session identifiers (IDs);

c) Session IDs and sessions data are not exposed in the uniform resource locator (URL);

d) Session IDs are not vulnerable to session fixation attacks;

e) Session IDs timeout, which ensures that users log out;

f) Passwords, session IDs, and other credentials are sent only over TLS (transport layer security).

3 - The system shall be provided with proper security configuration, which requires, at least, that:

a) All software elements are updated, to the extent required to mitigate any vulnerabilities, including the OS, web/application server, database management system (DBMS), applications, and all code libraries;

b) OS and web/application server unnecessary services are disabled, removed, or not installed;

c) Default account passwords are changed or disabled.

4 - The system shall limit URL access based on the user access levels and permissions, which requires, at least, that:

a) Where external security mechanisms are used to provide authentication and authorisation checks for page access, they need to be properly configured for every page;

b) Where code level protection is used, code level protection needs to be in place for every required page.

5 - The system shall use sufficient transport layer protection, and for this purpose, all of the following measures or measures of at least equal strength shall be in place:

a) The system requires the most current version of the hypertext transfer protocol secure (HTTPS) to access any sensitive resource using certificates that are valid, not expired, not revoked, and match all domains used by the site;

b) The system sets the “secure” flag on all sensitive cookies;

c) The server configures the TLS provider to only support encryption algorithms in line with best practices;

d) Users shall be informed that they must enable TLS support in their browser.

6 - The system guards against invalidated redirects and forwards.

Article 43
Data integrity

1 - E-platforms shall not share OS hardware and resources, nor any data, in particular access and encryption credentials, with any other application or system.

2 - Each successful transaction that involves the modification of the information contents of the e-platform shall require that the database (DB) is switched from an integrity status to another integrity status.

3 - It shall be ensured that all critical e-platform data are safe and authentic, strong keys and algorithms being used for this purpose, according to international standards.

4 - Critical data shall be deemed to include, at least, all settings related to security, user profiles, data concerning procedure and tender documents, as well as the respective backups.

Article 44
Network security

1 - The internet connection to the e-platform shall be protected by a firewall.

2 - All traffic to the e-platform shall be inspected and registered.

3 - The firewall rules shall deny all traffic that is not needed for the secure use and administration of the system.

4 - The e-platform shall be hosted on an adequately protected production network segment that is separated from segments used to host non-production systems such as development or testing environments.

5 - The local area network (LAN) shall comply, at least, with the following security measures:

a) Layer 2 access list/port switch security;

b) Unnecessary/unused ports shall be disabled;

c) DMZ (demilitarized zone) shall be located on a dedicated virtual local area network (VLAN)/LAN;

d) No L2 trunking enabled on unnecessary ports.

Article 45
Processing of personal data and free movement

The processing by e-platforms of information that includes personal data, shall require the previous notification of Comissão Nacional de Proteção de Dados (the National Data Protection Commission), under the Law on the Protection of Personal Data.

Article 46
Physical security

Without prejudice to security controls that have been identified and implemented, on the basis of requirements laid down in the ISO/IEC 27001 standard, systems that make up the e-platform shall be duly protected in a safe area, with restricted access controlled by access control systems, and within that area, at least, installed in a secured rack.

Article 47
Identification and authentication

1 - The e-platform shall ensure the existence of an individual account per user and that authentication data are unique.

2 - Where the user logs re unique.

2 - Where the user logs out, the e-platform shall require its authentication data to log in again.

3 - The e-platform shall ensure that the user is able to define its own passwords or access codes, to manage its authentication certificates and timestamps, and to process safely its authentication, namely though the citizen card or the digital mobile key.

4 - Where authentication data are created by the e-platform or an external system, the e-platform shall guarantee that for the first use the user is required to define new authentication data, except where it is carried out via interconnection with mechanisms referred in paragraph 1 f) of article 35.

5 - Where the maximum number of authentication attempts is exceeded, the e-platform shall block the user account, which shall be notified, through reliable means, of the procedure established for unblocking purposes.

6 - The platform shall allow user access with an authentication method based on user name and password, according to paragraph 3, and shall alert users to the level of security associated to this authentication method.

Article 48
Access control

1 - E-platforms shall ensure the ability to control and limit access to the various resources, identifying users by associating the profile to the respective permissions and restrictions.

2 - For this purpose, managing companies of platforms shall guarantee the correct and reliable identification of users and of the economic operator through the verification process.

3 - The process of identity verification starts upon request from the economic operator, being incumbent on the managing company to provide a provisional and free authentication certificate within 24 hours, and to guarantee the conclusion of the process with the delivery of the full authentication certificate within at the most 30 days.

4 - The process of identity verification shall not be required for procedures of formation of contracts concluded under framework agreements.

5 - Platforms shall be required to have mechanism to guarantee the control of profiles and restricted access to tender documents for procedures that require a high level of protection and the checking of users whose access is allowed.

6 - Applications shall run with the lowest set of privileges that they require for this purpose.

Article 49
Management of cryptographic keys

1 - Strong standard algorithms and strong keys shall be used for the encryption of data.

2 - Passwords shall be hashed with a strong standard algorithm and an appropriate ‘salt’ shall be used.

3 - All keys and passwords shall be protected from unauthorised access.

4 - Where asymmetric keys are issued by the e-platform, and for confidentiality purposes, such keys must undergo key escrow mechanisms and procedures, with multi-personal control.

Article 50
Access logs

1 - Access logs shall indicate data of the source machine, the destination machine, date and hour of the event and files accessed, where appropriate.

2 - The e-platform shall:

a) Provide a user-friendly interface that allows the analysis of audit logs, with the ability to make searches on the basis at least of the date and hour of the event, the type of event and the identity of the user/process;

b) To ensure the security of log data, as well as sufficient space to store such data;

c) To ensure that log data may not be automatically rewritten;

d) To ensure that the reading of access logs is denied to any user, except those who are expressly authorized for the purpose, holding the system auditor profile;

e) To generate alarms, namely by email and SMS (short message service), where any security violation is found.

3 - At the very least, where a user with security administrator or system administrator profile exceeds the maximum number of authentication attempts, the referred alarm shall be generated for users with the security administrator profile.

4 - Audit archives and access logs shall be stored for a five-year period.

5 - E-platforms shall be required to register, at least, the following contents:

a) Server log-on and log-off;

b) Successful or failed attempts to change the OS security parameters;

c) Successful or failed attempts to create, modify or erase system accounts;

d) Switching applications and systems used by the e-platform on and off;

e) Successful or failed attempts to start and end sessions;

f) Successful or failed attempts to consult data;

g) Successful or failed attempts to change settings;

h) Successful or failed attempts to modify data;

i) Successful or failed attempts to create, modify or erase information on permissions;

j) Successful or failed attempts to access facilities where  e-platform systems are hosted;

k) Backup copies, recovery copies or data files;

l) Software and hardware changes or updates;

m) System maintenance.

Article 51
Archive

1 - E-platforms shall ensure that they are able to generate archives in the appropriate software.

2 - E-platforms shall ensure that archives are saved and processed so that they may be used as evidence.

3 - Access logs and all documentation related to public contract formation procedures shall be archived.

4 - E-platforms shall ensure the maintenance and archive of logs for the use and access to documents uploaded thereto.

5 - Audit archives shall be recorded preferably in UTF-8 (unicode transformation format) encoding and exportable text.

6 - Archives shall be stored and organized sequentially, on a daily basis, being signed electronically and bearing the timestamp issued by a certifying body providing time stamping services.

7 - The e-platform shall ensure, at technological level, that the destruction of an archive shall only take place with the express written authorization of the system administrator, the security administrator and the system auditor.

Article 52
Backup and recovery copies

1 - The e-platform shall include an information backup function associated to electronic procurement procedures.

2 - Data stored in the backup copy shall be sufficient to recreate the system status.

3 - A user with a profile with sufficient privileges shall be able to invoke the backup function.

4 - Backups shall be protected against changes where digital signature mechanisms are used.

5 - E-platforms shall guarantee that information on critical security parameters of the e-platform is not stored in cleartext, and that it is encrypted with strong standard algorithms and strong keys, in line with international standards, key management being in place.

6 - E-platforms shall include a recovery function that is able to restore the system via the backup copy.

7 - A user with a profile with sufficient privileges shall be able to invoke the recovery function.

8 - Audit logs shall be deemed to be sensitive information, and shall be preserved in compliance with article 44.

9 - Any period of time during which audit archives are disabled shall be recorded in the respective audit archive, with the start and end dates and times.

Article 53
Information confidentiality

1 - At the various stages of the procedure, access to documents to be included in applications, solutions and tenders shall only be possible on the date established under procedure rules.

2 - Documents to be included in applications, solutions and tenders that are uploaded to e-platforms shall be encrypted using asymmetric cryptography techniques.

3 - For each procedure, e-platforms shall issue a specific and unique certificate that allows documents to be encrypted.

4 - The contracting body shall make available a specific encryption certificate in the scope of its procedure.

5 - The e-platform shall ensure that all documents that make up applications, solutions and tenders are encrypted using the certificate referred to in paragraph 3 or in the preceding paragraph.

6 - Where situations referred in paragraph 3 are concerned, certificates shall be subject to key escrow procedures when issued, with multi-personal control on the part of two of the three following functions: system administrator, security administrator and security auditor.

7 - E-platforms shall ensure key escrow and grant access thereto to the selection panel, or where it does not exist, to a duly authorized user of the contracting body, for the purpose of document decryption.

8 - The e-platform shall ensure that the access to the key referred to in the preceding paragraph takes place by automated means, the key access secret not being available to any person or body, including the managing company, except to the selection panel, or where it does not exist, a duly authorized user of the contracting body.

9 - E-platforms shall make available to stakeholders the programmes and applications that allow the use of digital certificates to encrypt documents.

10 - The encryption of documents shall not exempt stakeholders from the application on the classification of documents, referred to in paragraph 1 of article 66 of PPC, for the purpose of restricting or limiting access thereto, in order to safeguard the rights of the stakeholder.

11 - In the cases referred to in the preceding paragraph, the e-platform shall ensure that documents the classification of which has been authorized by the contracting body are only visible to the selection panel, without prejudice to paragraph 4 of article 66 of PPC.

Article 54
Electronic signatures

1 - Documents submitted over e-platforms by contracting bodies and economic operators shall be signed using qualified electronic signatures, under paragraphs 2 to 6.

2 - Document drawn up or completed by contracting bodies or economic operators shall be signed using their own qualified electronic signature certificates or those of their legal representatives.

3 - Electronic documents issued by third parties responsible for issuing, in particular, certificates and attestations, shall be signed using qualified electronic signature certificates of competent bodies or their holders, and shall not require a new signature on the part of contracting bodies or of economic operators submitting them.

4 - Documents that are electronic copies or original physical documents issued by third parties, may be signed using qualified electronic signature certificates of the contracting body or of the economic operator submitting them, attesting their conformity with the original document.

5 - In electronic documents, the contents of which may not be represented as a written declaration, including those that require computer processing to be converted into a written declaration, namely compression, decompression, aggregation and disaggregation processes, an electronic signature shall be applied to each of the electronic documents that constitute them, granting thereto the evidential value of a private signed document, under article 376 of the Civil Code and paragraph 2 of article 3 of Decree-Law No. 290-D/99, as amended and republished by Decree-Law No. 88/2009, of 9 April, otherwise the tender shall be rejected, under article 146 of the Public Procurement Code.

6 - In the case of bodies required to use electronic signatures issued by certifying bodies integrated in the State’s Electronic Certification System, the level of security required is that provided for in Decree-Law No. 116-A/2006, of 16 June, as amended and republished by Decree-Law No. 161/2012, of 31 July.

7 - Where the digital certificate does not relate the signing person to the latter’s function and power to sign, the stakeholder shall submit to the e-platform an official electronic document indicating the power of representation and the signature of the signing person.

8 - Where requested by contracting bodies or economic operators, e-platforms shall ensure, within at the most five working days, the integration of the new providers of qualified digital certificates.

9 - E-platforms shall ensure that the validation of certificates resorts to a full certification chain.

Article 55
Time stamping

1 - All documents submitted over e-platforms, as well as acts that, under PPC, must be performed within a certain period, shall be subject to the placing of time stamps issued by a certifying body that is accredited for the provision of time stamping services.

2 - For the purpose of the preceding paragraph, the following acts shall be subject to time stamping:

a) Clarifications requested by stakeholders, invited bodies or applicants;

b) Clarifications provided by the contracting body;

c) Amendments introduced by the contracting body;

d) Submission of the list of errors and omissions;

e) Acceptance or rejection of errors and omissions by the contracting body;

f) Submission of tenders, applications and solutions;

g) Notification for prior hearing;

h) Comments of the applicant or tendered in the scope of the prior hearing;

i) Procurement decision;

j) Notification of the draft contract;

k) Explicit acceptance or claim against the draft contract;

l) Submission of qualification documents;

m) Submission of document attesting the provision of security;

n) Lodging of claims and appeals;

o) Notification for hearing of affected parties.

3 - E-platforms shall save and associate to the procedure all time stamps originated by documents or transactions.

4 - Where requested by contracting bodies or economic operators, e-platforms shall ensure, within at the most five working days, the integration of new providers of time stamping services.

5 - Having expired the time period defined in the preceding paragraph, the managing company of the e-platform shall bear all time stamping-related costs.

Article 56
List of trusted electronic certification services

1 - E-platforms shall guarantee compatibility with mechanisms for validation of the qualification of qualified providers of electronic certification services, required under this law, in particular the capacity for interpretation of the Trusted-Status Services List (TSL) of all Member States and of the European Commission, according to the ETSI TS 119 612 standard, in its most recent version.

2 - Where it follows from the interpretation of TSL that the qualification of a provider of electronic certification services is not compliant, the platform shall merely supply this information, and no tender shall be automatically rejected.

Article 57
Authentication of users in the e-platform

1 - The identification of users on e-platforms shall take place through the use of a username and a password, one’s own digital certificates or certificates made available by e-platforms being also allowed, as well as one’s citizen card or the mobile digital key referred to in paragraph 1 f) of article 35.

2 - In the case of bodies required to use electronic signatures issued by certifying bodies integrated in the State’s Electronic Certification System, the level of security required is that provided for in Decree-Law No. 116-A/2006, of 16 June, as amended and republished by Decree-Law No. 161/2012, of 31 July.

3 - The validation mechanism of user certificates shall take place on the basis of the certificate and of the respective full certification chain.

4 - E-platforms shall guarantee the integration with the Professional Skills Certification System.

Article 58
Digital preservation

As regards documents in their custody, e-platforms shall:

a) Comply with archiving rules, standards and procedures in order to ensure digital preservation and interoperability;

b) Guarantee the preservation of electronic signatures used in different procedures;

c) Implement technological mechanisms for the preservation, storage, indexing and recovery of archives;

d) Ensure that information on each procedure is able to be exported in standardised formats for the purpose of preservation;

e) Provide records of access logs on the part of stakeholders, tenderers and contractors, as well as of all other users of the system;

f) Make available archives of access logs to the contracting body, where requested by the latter, and also for the purpose of external audits.

Article 59
Storage of electronic documents

Documents that integrate public procurement procedures shall be stored by e-platforms, under article 107 of PPC, together with the software and technologies that enable them to be read, until the time-limit stipulated in the law for such storage has expired, without prejudice to the duty to submit to contracting bodies all information and documentation associated to contract formation procedures concerned, in digital format.

CHAPTER VII
General rules for the functioning of e-platforms in public contract formation procedures

Article 60
Conduct of procedures over e-platforms

It is incumbent on the representative of the contracting body to conduct the public contract formation procedure, the e-platform constituting only the technological platform over which such procedure takes place.

Article 61
Notifications and communications

1 - All notifications and communications between the contracting body or the selection panel and stakeholders, tenderers or the contractor, concerning the contract formation stage and which, under PPC, must occur within a given deadline, shall be performed over the e-platform via the automatic sending of electronic messages, which shall be available for consultation in the respective exclusive area.

2 - The precise date and time of notifications and communications shall be registered, according to article 469 of PPC, and e-platform services shall hold mechanisms that enable an accurate date and time to be provided by a certifying body that supplies time stamping services.

Article 62
Provision of documents

1 - In the scope of each contract formation procedure, the e-platform shall make available procedure documents, at a free access area, in a comprehensive manner and free of charge, as from the date of publication of the advertisement.

2 - Access to other procedure documents, namely those concerning clarifications and rectifications introduced by the contracting body, its decisions to extend deadlines, lists of errors and omissions identified by stakeholders, the list of errors and omissions accepted by the contracting body and notifications and communications in the stage that precedes the submission of tenders, shall be reserved to registered stakeholders participating in the procedure.

3 - After tenders have been opened by the selection panel, or by the person in charge of the procedure where no selection panel exists, e-platforms shall ensure an exclusive access, by bodies included in the list of tenderers, to all tenders presented, to clarifications on tenders submitted by the respective tenderers, to qualification documents submitted by the contractor, as well as to all other procedural acts or formalities which took place at the stage following the submission of tenders which, under the PPC, must be published at the e-platform used by the contracting body.

4 - In case specific documents that make up the tender have been classified, under article 66 of the PPC, e-platforms shall be able to make available for consultation purposes, under paragraph 2 of article 138 of PPC, only the respective non-classified documents.

5 - The provision of documents referred to in the preceding paragraph shall take place automatically, on the basis of the identification made by the stakeholders when uploading the classified document, without prejudice to paragraph 3 of article 66 of PPC.

6 - The e-platform shall also allow the provision, at any time, of documents identified by tenderers which the body with powers to take the procurement decision deems not to be classified, under paragraph 3 of article 66 of PPC, or declassifies, under paragraph 4 of the same article.

7 - Lists, provided for in the PPC, of tenderers and applicants to public contract formation procedures shall be disclosed to all stakeholders.

Article 63
Provision of information on reference dates

1 - E-platforms shall make available to stakeholders the indication of the date and time of the deadline for submission of requests for clarification and tenders, as well as the date and time of the deadline for submission of the list, provided for in article 61 of the PPC, where errors and omissions of specifications are identified.

2 - The information to be provided shall be introduced by the contracting body and shall not depend on any automatic mechanism.

Article 64
Requirements of tender files

1 - Without prejudice to compliance with interoperability and compatibility requirements provided for in RNID, the contracting body shall be entitled to make demands on the characteristics of files that include documents making up tenders submitted to e-platforms, and for this purpose the respective specifications shall be included in the procedure programme or in the invitation.

2 - Without prejudice to the preceding paragraph, where due to the excessive volume or complexity of data to be submitted, concerning tender elements requested by the contracting body, it is not technically possible for tenderers or applicants to submit documents or files through the e-platform, the contracting body shall allow the submission of document through physical information carriers, which shall be defined in the procedure programme or, in the case of direct award, in the invitation.

3 - For the purpose of paragraph 1, the contracting body shall be entitled, in particular, to establish specifications on:

a) How files are organized, by setting the standard of the respective tree structure;

b) The number of files, according to the document or as a whole;

c) The size of files, individually, according to the document or as a whole;

d) The title of files, which may include a pre-defined section on the document it concerns, as well as the stakeholder’s order number, or the respective tax number, the tender code, as defined in annex II hereto, which is deemed to be an integral part hereof, and also codes of the procedure or other aspects to be defined;

e) How information is presented, including an index or a description and explanation of the structure and contents of files that make up the tender;

f) The format of documents;

g) The range of basic computer applications which may be used.

4 - In addition to the information referred to in the preceding paragraph, tenders may also include the following additional elements, to be registered in a specific form:

a) Declaration referring to a set of files of a different tender submitted by the same stakeholder, as described in paragraph 12 of article 68, where the procedure programme allows the submission of variants and where the stakeholder so chooses to do;

b) Explanatory note, as described in point e) of the preceding paragraph, where the procedure programme fails to address demands referred to in the preceding paragraph, but the tenderer submits  its own file structure and contents.

5 - Requirements to be included in the procedure programme shall cover one or more of the characteristics referred to in the preceding paragraphs, as well as others deemed by the contracting body to be relevant.

6 - Provisions referred to in the preceding paragraphs shall be valid for any pages that make up each file, where they apply, duly adapted.

7 - The contracting body shall be entitled to request that each document or part of a document in each file of a tender allows a sequential reading, regardless of the nature of its components.

8 - The contracting body shall be entitled to request the submission of files consisting in spreadsheets that display the information provided in other files and that include calculation formulas that show how results were achieved, or to request other types of information repetition associated to various formats.

9 - Requests referred to in the preceding paragraphs shall be included in the procedure programme.

Article 65
Date and time of submission of the application, solution or tender

1 - The deadline date and time for submitting applications, solutions or tenders shall be established by the contracting body in procedure documents.

2 - For the purpose of the determination of the date and time referred in the preceding paragraph, the moment on which the tenderer submits all documents integrating them shall be taken into account, in compliance with article 70.

3 - The e-platform shall render operational an electronic system of acknowledgement of receipt that attests that documents making up applications, solutions or tenders were successfully submitted, as well as the date and time of submission.

4 - The e-platforms shall ensure the accurate determination of the date and time when documents referred to in the preceding paragraph were transmitted, such data being registered in the tender on the moment they are received.

5 - The acknowledgement of receipt referred in paragraph 3 shall be immediately sent to the stakeholder.

6 - Where the full submission is not successful, the submission of applications, solutions or tenders shall be deemed not to have occurred, and the stakeholder shall be immediately notified of this fact.

Article 66
Components of each tender

1 - For tender uploading purposes, in the scope of a public contract formation procedure, the e-platform shall be required to include:

a) the specific file upload areas corresponding to documents that make up the tender, according to requirements established by the contracting body;

b) the specific form to be filled in, hereinafter referred to as main form, according to the model approved by the administrative rule referred to in article 38, to be submitted subsequently to the Public Procurement Portal;

c) Fields for collection of information on prices proposed by economic operators, where required by ESPAP, I. P., as provided for in point c) of paragraph 2 of article 30.

2 - The procedure programme may provide for the provision by the e-platform of forms to be filled in by tenderers, replacing any or some of the files referred to in point a) of the preceding paragraph.

3 - The indication of the value of the tender that is incumbent on each of the members of the tendering group, included in the main form, shall not replace nor has the same scope as the information required under paragraph 5 of article 60 of PPC.

4 - In addition to documents and the form referred to in paragraph 1, tenders may also include additional elements provided for in paragraph 4 of article 64, as well as any other documents deemed by tenderers to be indispensable, under paragraph 3 of article 57 of PPC.

5 - The e-platform shall make available an electronic receipt which shall be attached to the tender.

Article 67
Codification of tenders and identification of tendering companies

1 - Data in the main form referred to in paragraph 1b) of the preceding article shall be codified, where numerical data is not concerned.

2 - In accordance with the previous paragraph, it is incumbent on the tenderer to codify tenders to be submitted, as well as to present its own identification or that of each member of the tendering group, in the scope of the completion of the main form.

3 - The codification of each tender shall be required from the beginning of the respective upload and shall be performed in compliance with rules set out in annex II.

4 - The identification of tenderers referred in paragraph 2 shall take place only once, through direct input or selection out of a list provided by the e-platform, when the first tender is submitted by the tenderer or at the moment of the previous tender, where appropriate.

5 - The identification system which the e-platform provides to tenderers shall comply with requirements provided for in the Public Procurement Portal, for the purpose of the transmission of information concerning such identification from the e-platform to the Portal.

Article 68
Upload of tenders

1 - E-platforms shall allow the gradual upload, by the stakeholder, of the tender or tenders, until the deadline date and time for their submission.

2 - The upload referred to in the preceding paragraph shall take place in the area exclusively reserved to the stakeholder, concerning the ongoing procedure.

3 - For uploading purposes, e-platforms shall make available to the stakeholder the computer applications that automatically allow tender files to be encrypted and to bear an electronic signature, locally, on its own computer.

4 - Without prejudice to the following paragraph, when the stakeholder uploads to the e-platform a tender file, it must already be encrypted and signed, through the use of a qualified electronic signature.

5 - E-platforms must grant stakeholders the possibility of uploading tender files gradually, insofar as they are encrypted, allowing the permanent change of documents until the moment of submission.

6 - The main form and other forms to be completed in the scope of the procedure shall be made available to the stakeholder, through XML download, for local saving on the respective computer, paragraphs 3 and 4 applying in this case.

7 - The e-platform shall only allow the uploading of files that make up a tender after the respective code is introduced by the stakeholder, according to the codification process described in annex II.

8 - E-platforms shall ensure that the code referred to in the preceding paragraph is visible at all times to the user, where it uploads files that make up the tender.

9 - Where an identification error occurs, the stakeholder shall be able to correct, up to the deadline hour and time for submitting tenders, the code of the tender to be uploaded or already submitted.

10 - ploaded or already submitted.

10 - E-platforms must permanently provide, to each stakeholder, the list of codes of their tenders to be uploaded or already submitted.

11 - E-platforms shall block a stakeholder from uploading a tender the code of which coincides with the code of another tender it has submitted in the scope of the same procedure, regardless of whether it is under an upload stage or has already been submitted.

12 - Where the submission of variants is allowed, the tenderer shall not be required to submit files making up a specific tender that are equal to another tender submitted in the scope of the same procedure, replacing them by information described in the form to be approved by administrative rule referred in article 38, comprising a statement that identifies the tender and the files thereof which are deemed to be replicated therein.

13 - For the purpose of the preceding paragraph, the establishment of a specific tender shall allow the reference to files of a single other tender, identified through the code described in annex II.

14 - The main form may not be referred to, and in any case the e-platform shall ensure that no identification data which has already been registered is entered a second time.

15 - During the upload process, e-platforms shall ensure that stakeholders are able to replace files already uploaded by new ones, in the scope of the process of construction of each tender.

16 - E-platforms must provide interested parties with a system that enables them to indicate, when uploading their tenders, the files to be classified, which shall not be made available to tenderers under paragraph 3 of article 62.

Article 69
Encryption and classification

1 - Documents that make up the tender, application or solution shall be encrypted, and shall bear qualified electronic signatures.

2 - The encryption of documents shall not exempt stakeholders from requesting the classification of documents referred to in paragraph 1 of article 66 of PPC for the purpose of restricting or limiting access thereto, in order to safeguard the rights of the stakeholder.

3 - In the cases referred to in the preceding paragraph, the e-platform shall guarantee that documents the classification of which was authorized by the contracting body are displayed only to the selection panel, or to the person in charge in case no selection panel exists, without prejudice to paragraph 4 of article 66 of PPC.

Article 70
Submission of tenders

1 - Without prejudice to paragraph 6 of article 65, the tender shall be deemed to have been submitted, for the purpose of PPC, where the tenderer completes the submission process.

2 - In the cases referred in paragraph 5 of article 68, the moment of submission triggers the process of encryption of all files that make up the tender.

3 - The submission of a tender shall only take place after the full completion of the main form, including, where appropriate, the annex referred in point c) of paragraph 1 of article 66, which is integral part thereof.

4 - Where a tenderer submits variants, the provision in article 137 of PPC applies to each of the tenders and not to the whole, the tenderer being allowed to remove a specific tender, identified through the code described in annex II, without affecting the situation of remaining tenders.

5 - The e-platform shall be required to make available to the selection panel, or to the person in charge in case no selection panel exists, all tenders submitted by the deadline date and time set by the contracting body for display and opening, regardless of whether there are grounds to exclude tenders.

Article 71
Steps following the submission of tenders

1 - After the submission, the tenderer shall receive, for the purpose of paragraph 1 of the preceding article, an electronic receipt, with the record of the identification of the contracting body, the procedure, the lot, where appropriate, the tenderer, the tender, as well as the date and time of the respective submission.

2 - The receipt shall be made available in the area of exclusive access of the tenderer and a copy thereof shall be sent by email.

3 - The e-platform shall aggregate to the submitted tender the electronic receipt referred to in the preceding paragraphs, which becomes an indissoluble annex thereto and which, as such, shall be submitted to the procedure selection panel, under paragraph 2 of article 74.

4 - E-platforms shall ensure that tenderers are able to consult tenders submitted in the scope of the contract formation procedure, at any time after the respective decryption on the part of the procedure selection panel, or to the person in charge in case no selection panel exists, and up to six months after the conclusion of the procedure.

Article 72
Ordering of stakeholders and tenderers

1 - After tenders have been submitted, under article 70, the e-platform shall award automatically and sequentially a preliminary order number to tenderers, on the basis of the moment when the tender, or, in case variants are also submitted, the first of tenders, was submitted by each tenderer.

2 - E-platforms shall ensure the registration and sequential order of all stakeholders and tenderers that register therein, information which must be provided to contracting bodies in the scope of each procedure.

3 - The process of making available the preliminary version of the list of tenderers to the procedure selection panel, or to the person in charge in case no selection panel exists, and subsequently, the validated version for general disclosure is provided for in articles 75 and 76.

4 - Data of the list of tenderers shall be listed in the administrative rule referred to in article 38.

5 - For the purpose of the provision to participants, the display format of data referred to in the preceding paragraph shall be freely adopted by each e-platform.

Article 73
Examination of the contents of applications, solutions and tenders

1 - Electronic means used by e-platforms shall ensure that contracting bodies and other tenderers examine the content of applications, solutions and tenders, only after they have been opened by the procedure selection panel, or by the person in charge of the procedure in case no selection panel exists.

2 - The contracting body shall notify the managing company of the moment when the e-platform may publish the deadline for submitting applications, solutions and tenders, as well as the opening date and time thereof.

3 - Communications provided for in the preceding paragraph shall always take place where, due to suspension or interruption of the period for submitting applications, solutions and tenders, the respective date and time, or the opening date and time thereof, is subject to a change.

Article 74
Making tenders available to the procedure selection panel, or to the person in charge of the procedure in case no selection panel exists

1 - Tenders shall not be made available to the selection panel, or to the person in charge of the procedure in case no selection panel exists, before the expiry of the period for the respective submission.

2 - Tenders shall be made available to and opened by the procedure selection panel following an order issued by the latter to this end, through authentication by at least three of the respective members, except where no selection panel, but a person in charge, exists.

3 - The reference to tenders to be made available, referred to in paragraph 1, covers the whole of tenders submitted to the e-platform in the scope of the procedure concerned, and includes the preliminary tender-opening file described in the following article.

4 - The e-platform shall publish in advance the date and time when tenders are made available to and opened by the selection panel, or the person in charge of the procedure, in case no selection panel exists.

Article 75
Preliminary tender-opening file

1 - E-platforms shall ensure the automatic construction, for each procedure, of a preliminary tender-opening file, under the terms defined in the administrative rule referred to in article 38, which is intended to be made available exclusively to the procedure selection panel, or to the person in charge of the procedure, in case no selection panel exists.

2 - The automatic construction referred to in the preceding paragraph implies the aggregation of data entered by tenderers in the main form, concerning each tender.

3 - E-platforms shall be free to establish the display format for the preliminary tender-opening file to be made available to the procedure selection panel.

4 - The preliminary list of tenderers shall be deemed to be an element of the preliminary tender-opening file, as regards data that integrates it.

Article 76
Tender-opening file and list of tenderers

1 - Following the opening of tenders, the procedure selection panel, or the person in charge of the procedure in case no selection panel exists, shall check whether the preliminary tender-opening file remains valid or, on the contrary, changes are required.

2 - Where changes are required, the tender-opening file shall be completed on the e-platform by the procedure selection panel, or the person in charge of the procedure in case no selection panel exists, through an interface that safeguards the codified nature of data, required for the purpose of the sending of information referred to in paragraph 4.

3 - Following the introduction of any changes in the tender-opening file, the list of tenderers shall be published on the day after the expiry of the period for submission of tenders.

4 - Within 10 working days from tenders being made available and opened, the e-platform shall send to the Public Procurement Portal the information included in the tender-opening file.

Article 77
Electronic negotiation and auctions

1 - Provisions in this law shall apply, duly adapted, to electronic negotiation and electronic auctions, without prejudice to the following paragraph.

2 - In the course of the electronic auction, the use of electronic signatures for the submission of bids shall not be required.

3 - The e-platform shall record all bids incorrectly entered, even if they are not to be considered for the purpose of the electronic auction.

CHAPTER VIII
Supervision and penalties

Article 78
Powers of supervision

1 - IMPIC, I. P. and GNS, in the scope of their powers, shall supervise the management of e-platforms, being entitled to request the necessary collaboration or support from any public services or authorities.

2 - All bodies and respective agents using e-platforms shall report to IMPIC, I. P. and GNS any evidence of infringement of this law of which they are aware.

Article 79
Audits

1 - IMPIC, I. P. and GNS shall be entitled, at any time and without prior notice, to carry out or have carried out audits to e-platforms, drawing up substantiated reports, the copy of which shall be sent to the managing company.

2 - Audits referred to in the preceding paragraph shall not be carried out by system auditors of managing companies of the audited e-platform.

3 - Where it is found from audits provided for in paragraph 1 that any of the provisions in this law has been infringed, IMPIC, I. P. and GNS, as appropriate, shall order the managing company to remedy this situation within 30 days, at the end of which a new audit shall be ordered, for the purpose of the assessment of corrections introduced.

4 - Where it is found from the new audit that situations identified, or some of them, have not been properly corrected, and after the respective prior hearing is carried out, this fact shall be published at the Public Procurement Portal, without prejudice to any liability for administrative offences and, in particular, to the immediate revocation of the license.

5 - Bodies referred to in paragraph 1, on their own initiative or at the request of e-platform managing companies, shall also, whenever required, make recommendations, provide clarifications and issue guidelines, so as to clarify any doubts on the extent of functional requirements and other legal obligations provided for in this law.

Article 80
Official report

1 - Where staff of IMPIC, I. P. or GNS, in the exercise of their duties, acting on a complaint or on their own initiative, finds that a breach has been committed, it shall draw up or have drawn up an official report, which shall include the facts that constitute the breach, as well as the day, time, place and circumstances on which it was committed, and anything that has been investigated as regards the identification of offenders, and also in the indication, where possible, of at least one person that may testify as a witness.

2 - The official report provided for in the preceding paragraph shall be drawn up within at the most 30 days, being signed by the agent who prepared it and by witnesses, where appropriate.

3 - The official report drawn up according to the preceding paragraphs shall be relied on as regards facts witnessed by the respective authors, except where there is convincing evidence to the contrary.

Article 81
Breaches

Offences provided for in this law shall be deemed to be breaches, under the following articles.

Article 82
Very serious breaches

The following offences shall be deemed to be very serious breaches:

a) The management and operation of e-platforms by a company failing to hold a license granted by IMPIC, I. P., under paragraph 1 of article 13;

b) The violation of the security rule provided for in paragraph 3 of article 69, which prevents classified documents from being displayed to people other than members of the procedure selection panel;

c) The violation of the security rule provided for in paragraph 1 of article 73, which prevents contracting bodies and other tenderers from examining the content of tenders, applications, and solutions before the expiry of the period for their submission;

d) The violation of the security rule provided for in paragraph 1 of article 74, which prevents tenders from being made available to the selection panel before the expiry of the period for the respective submission.

Article 83
Serious breaches

The following offences shall be deemed to be serious breaches:

a) Violation of the obligation provided for in paragraph 1 of article 6, that establishes the obligation on the e-platform to ensure, at technological level, the possibility  of contracting bodies and economic operators choosing freely the electronic certification providers and services in the scope of public contract formation procedures;

b) Failure to comply with the obligation provided for in paragraph 5 of article 12, which requires that the platform managing company remedies non-conformities that are found from the new audit carried out by the security auditor;

c) Failure to comply with the obligation provided for in paragraph 6 of article 12, which determines that, where the license is revoked, pursuant to paragraph 5 of the same article, the platform managing company transfers to each contracting body, within 30 days, all information and documentation concerning the respective ongoing public contract formation procedure, which must subsequently continue over a different e-platform licensed by IMPIC, I. P.;

d) Failure to comply with the obligation, provided for in paragraph 4 of article 19, to supply to IMPIC, I. P., an electronic copy of archives concerning public contract formation procedures carried out over the respective e-platform, where the license is revoked, within 15 days from the date on which the revocation took place;

e) Failure to comply at any time with the obligation, provided for in point a) of article 20, to ensure compliance at all times with general licensing requirements set out in article 15;

f) Failure to comply with the obligation, provided for in point c) of article 20, to implement an information system management system based on the ISO/IEC 20000 standard;

g) Failure to comply with the obligation, provided for in point d) of article 20, to implement an information security management system based on the ISO/IEC 27001 standard;

h) Failure to comply with the obligation, provided for in point e) of article 20, to organize and archive a copy of all service provision contracts concluded in the pursue of the activity, for at least 10 years from the respective signature;

i) Failure to comply with the obligation, provided for in point f) of article 20, to maintain an electronic complaint management system;

j) Violation of the obligation, provided for in paragraph 1 of article 21, to provide to IMPIC, I. P. and GNS access to the respective premises and to equipment and systems related to the management of the e-platform, as well as to all information, documentation and other elements related to their activity that are requested by those bodies;

k) Failure to comply with the obligation, provided for in paragraph 1 a) of article 21, to communicate to IMPIC, I. P. and GNS any change in general licensing conditions provided for in article 15, within 15 days from the respective occurrence;

l) Failure to comply with the obligation, provided for in paragraph 1 b) of article 21, to communicate to IMPIC, I. P. and GNS the termination of the respective activity on national territory;

m) Failure to comply with the obligation, provided for in paragraph 3 of article 22, to communicate to users the intention to terminate the provision of e-platform management services, as well as to indicate the body to which all documentation must be delivered, at least 90 days in advance;

n) Failure to comply with the obligation, provided for in paragraph 2 of article 23, to make available to any economic operator, free of charge, up to three simultaneous accesses to basic services of the e-platform;

o) Failure to comply with the obligation to make available, free of charge, the access to essential features listed in points a) to j) of paragraph 1 of article 24;

p) Failure to comply with the obligation, provided for in paragraph 2 of article 24, to make available access to basic e-platform services to economic operators registered in a platform;

q) Failure to comply with the obligation, provided for in point a) of article 26, to ensure in the event of termination of activity that information provided on the e-platform concerning public contracting procedures already concluded, as well as audit archives, are transferred, for the purpose of custody, to contracting bodies of each procedure, and that all documents are kept readable;

r) Failure to comply with the obligation, provided for in point b) of article 26, to ensure in the event of termination of activity that ongoing public contract formation procedures take their normal course until they are concluded, at no additional cost for contracting bodies or for interested economic operators, applicants or tenderers;

s) Violation of the obligation, provided for in paragraph 1 of article 28, to maintain e-platforms available, without representing a restraining factor in the access of stakeholders to public contract formation procedures;

t) Failure to comply with the obligation, provided for in paragraph 2 of article 28, to make access to e-platforms and their instruments available on a permanent basis to all stakeholders, save where access limitations are justified on grounds of system maintenance or repair;

u) Failure to comply with the obligation, provided for in paragraph 1 of article 29, to use and to provide to interested economic operators, applicants or tenderers, the instruments, products, applications and computer programs, as well as the respective technical specifications, that are compatible with products in general use in the field of information and communication technologies, in order to avoid discriminatory situations;

v) Violation of the obligation, provided for in paragraph 2 of article 29, not to demand compliance, for the purpose of the access to the e-platform contracting system, with requirements that are unjustified, disproportionate or that in some way introduce a discrimination factor;

w) Failure to comply with functional requirements established in articles 27, 30, 31 and 33;

x) Failure to comply with technical requirements established in articles 34 and 35, paragraph 1 of article 36, paragraphs 1 and 2 of article 37, and article 38;

y) Failure to comply with security requirements established in articles 39 to 53, paragraphs 8 and 9 of article 54, paragraphs 3, 4 and 5 of article 55, and articles 56 to 59;

z) Failure to comply with the obligation, provided for in paragraph 3 of article 65, to render operational an electronic system of acknowledgement of receipt that attests that documents making up applications, solutions or tenders have been successfully submitted, as well as the date and time of submission;

aa) Failure to comply with the obligation, provided for in paragraph 4 of article 65, to ensure the accurate determination of the date and time when applications, solutions or tenders are transmitted, and to register such data in the tender on the moment of reception;

bb) Failure to comply with the obligation, provided for in paragraph 5 of article 65, to send the electronic acknowledgement of receipt to the stakeholder;

cc) Failure to comply with the obligation, provided for in paragraph 5 of article 66, to make available an electronic receipt, which is to be attached to the tender;

dd) Failure to comply with the obligation, provided for in paragraph 5 of article 67, to make available an identification system that complies with requirements provided for in the Public Procurement Portal, for the purpose of the transmission of the information on that identification from the e-platform to the Portal;

ee) Failure to comply with the obligation to upload tenders under the conditions provided for in paragraphs 1 to 16 of article 68;

ff) Failure to comply with the obligation to submit tenders under the conditions provided for in paragraphs 1 to 5 of article 70;

gg) Failure to comply with the obligation to ensure that tenderers receive an electronic receipt attesting the submission f the tender under the conditions provided for in paragraphs 1 to 3 of article 71;

hh) Failure to comply with the obligation to ensure that tenderers are able to consult tenders submitted under the conditions provided for in paragraph 4 of article 71;

ii) Failure to comply with the obligation, provided for in paragraph 4 of article 76, to send to the Public Procurement Portal the information included in the tender-opening file, within 10 working days from tenders being made available and opened;

jj)  Failure to comply with the obligation, provided for in paragraph 3 of article 79, which determines the correction by the managing company of malfunctions found in audits carried out by IMPIC, I. P. or GNS.

Article 84
Minor breaches

The following offences shall be deemed to be minor breaches:

a) Failure to comply with the obligation, provided for in paragraph 1 c) of article 21, to communicate to IMPIC, I. P. the establishment of branches, agencies, stores, customer assistance points and other forms of commercial representation of the company related to the management of e-platforms on national territory;

b) Failure to comply with the obligation, provided for in paragraph 2 of article 21, to inform IMPIC, I. P. and GNS, within 30 days from the respective occurrence, of all changes that imply the update of the company’s identification data, by managing companies established on national territory as well as companies with head offices on national territory or set up under Portuguese law;

c) Failure to comply with the obligation, provided for in paragraph 2 of article 21, to inform IMPIC, I. P. and GNS, within 30 days from the respective occurrence, of amendments introduced in articles of association of companies with head offices on national territory or set up under Portuguese law;

d) Failure to comply with the obligation, provided for in paragraph 1 a) of article 22, to intervene and to assist, where necessary or where requested by customers, in the clarification of any doubts as regards the use of the e-platform by representatives of the contracting body or by parties with interest in the contracting procedure;

e) Failure to comply with the obligation, provided for in paragraph 1 b) of article 22, to ensure the existence of a channel of communication between the various participants;

f) Failure to comply with the obligation, provided for in paragraph 1 c) of article 22, to provide malfunction reports, access logs, submissions or other relevant information for the purpose of making decisions that arise in the course of public contract formation procedures, where requested by the respective selection panel;

g) Failure to comply with the obligation to keep a helpline for users, under the conditions provided for in sub-points i) to iii) of paragraph 1 d) of article 22;

h) Failure to comply with the obligation, provided for in paragraph 2 of article 22, to make available customer service and technical support contact details at the e-platform homepage;

i) Failure to comply with the obligation, provided for in paragraph 4 of article 23, to make available, at a public location of the e-platform, the price list of all services provided, with an explicit indication of its entry into force;

j) Failure to comply with the obligation, provided for in paragraph 3 of article 28, to ensure that the registration procedure of economic operators in e-platforms, in the free-of-charge modality, does not exceed three working days;

k) Failure to comply with the obligation, provided for in paragraph 4 of article 28, to ensure that the maintenance of economic operator and user data is performed by users themselves autonomously and at no cost;

l) Failure to comply with the obligation, provided for in paragraph 5 of article 28, to ensure that e-platform maintenance operations that limit service availability take place between 00h00 and 8h00, on working days, or on Saturdays, Sundays and national holidays, in order to reduce any constraints which may arise for users;

m) Failure to comply with the obligation, provided for in paragraph 6 of article 28, to ensure that maintenance operations are communicated to users 72h in advance, and notified to IMPIC, I. P. no later than 24 hours after such operations occur;

n) Failure to comply with the obligation, provided for in paragraph 3 of article 29, to indicate how computer programs in use may be obtained, as well as the respective controls and instructions;

o) Failure to comply with the obligation, provided for in paragraph 4 of article 29, to use computer applications and programs together with the respective set up and use manual, allowing access by users with average skills in the fields of information and communication technologies;

p) Failure to comply with the obligation, provided for in paragraph 1 of article 61, to guarantee that notifications which, under PPC, must occur within a given deadline, are performed over the e-platform via the automatic sending of electronic messages, which shall be available for consultation in the respective exclusive area;

q) Failure to comply with the obligation, provided for in paragraph 2 of article 61, to register the precise date and time of notifications and communications, according to article 469 of PPC;

r) Failure to comply with the obligation to make available documents under the conditions provided for in paragraphs 1 to 6 of article 62;

s) Failure to comply with the obligation, provided for in paragraph 1 of article 63, to make available to stakeholders the indication of the date and time of the deadline for submission of requests for clarification and tenders, as well as the date and time of the deadline for submission of the list, provided for in article 61 of the PPC, where errors and omissions of specifications are identified;

t) Failure to comply with the obligation to include features provided for in points a) to c) of paragraph 1 of article 66, for tender uploading purposes, in the scope of a public contract formation procedure;

u) Failure to comply with the obligation to make available the features provided for in paragraphs 1 to 5 of article 72, which concern the ordering of stakeholders and tenderers;

v) Failure to comply with the obligation, provided for in paragraph 1 of article 75, to ensure the automatic construction, for each procedure, of a preliminary tender-opening file.

Article 85
Fines

Offences provided for in this law shall be liable to the following fines:

a) Between (Euro) 75 000 and (Euro) 100 000, for very serious offences referred to in article 82;

b) Between (Euro) 10 000 and (Euro) 50 000, for serious offences referred to in article 83;

c) Between (Euro) 2 500 and (Euro) 20 000, for minor offences referred to in article 84.

Article 86
Negligence and attempt

1 - Breaches in their negligent form shall be liable to half the minimum and maximum limits of fines.

2 - Breaches in their attempted form shall be liable to the fine applicable to the actual breach, although specifically mitigated.

Article 87
Admonition

1 - Where the breach is qualified as minor and the offence is a remediable deficiency, and no evidence exists that its performance has caused damages to third parties, IMPIC, I. P. shall be entitled, before launching the breach procedure, to notify the offender to remedy the deficiency.

2 - The notification shall include the description of the offence, the measures required to remedy it, the period of time granted to comply therewith, ways of attesting before IMPIC, I. P. that such compliance took place, and the warning that the failure to comply within the deadline results in the launch of the breach procedure.

3 - The preceding paragraphs shall not apply to the offender who was admonished or sanctioned for a similar offence over the past two years.

Article 88
Additrong>Article 88
Additional penalty

1 - Where managing companies are applied penalties provided for in points a) to d) of article 82, a temporary prohibition to pursue the activity provided for in this law may be applied as additional penalty.

2 - The penalty referred to in the preceding paragraph has a maximum duration of two years from the final judicial decision.

Article 89
Examination of breach proceedings and application of penalties

1 - It shall be incumbent on IMPIC, I. P. to examine breach proceedings and on the respective governing board to apply fines and the additional penalty.

2 - The application of the additional penalty shall be published in the Public Procurement Contract.

Article 90
Enforced collection of fines

Fines applied in breach proceedings in a decision which has become final shall be subject to enforced collection under a tax execution procedure, pursuant to the Administrative and Judicial Tax Procedure Code.

Article 91
Proceeds from fines

Proceeds from fines shall revert at:

a) 60% to the State;

b) 30% to IMPIC, I. P.;

c) 10% to GNS.

CHAPTER IX
Supplementary, transitional and final provisions

Article 92
Fees

1 - E-platform managing companies licensed by IMPIC, I. P. shall be subject to the payment of fees designed to cover the costs arising from the licensing management system, as well as from the monitoring and supervision of the respective activity on national territory.

2 - Fees referred to in the preceding paragraph shall constitute revenue for IMPIC, I. P. and shall be the subject of an administrative rule to be issued by members of the Government in charge of the areas of finance and economy.

3 - Fees concerning services provided by GNS as accrediting body shall constitute revenue for this service and shall be the subject of an administrative rule to be issued by members of the Government in charge of the area of finance and to which GNS is subject.

Article 93
Transitional rule

1 - GNS shall have:

a) 60d days after the entry in force of this law to publish the technical standard;

b) 60 days after the application of managing companies of platforms to conclude the accreditation process of the respective security staff;

2 - E-platform managing companies shall have:

a) 120 days after the publication of GNS’s technical standard to request the annual security audit from the security auditor accredited by GNS;

b) 30 days after the publication of GNS’s technical standard to request the accreditation of the respective security staff;

c) 30 days after provision of the annual security report according to paragraph 3 of article 12, to ensure the licensing application for the respective e-platform, under article 14;

d) 60 days after the entry in force of this law to ensure compliance with obligations arising from article 6;

e) 10 days to accept the identity check of users and economic operators, under paragraph 3 of article 48.

3 - Managing companies, within at the most 180 days from the entry into force of this law, shall be entitled to terminate contracts concluded with contracting bodies, insofar as from the application of this law justifiably result extra costs which managing companies are not able to bear under the terminated contract.

4 - The termination provided for in the preceding paragraph shall only take effect 90 days after notification of the managing company to the contracting body.

Article 94
Repealing provision

The following provisions are hereby repealed:

a) Decree-Law No. 143-A/2008, of 25 July;

b) Administrative Rule No 701-G/2008, of 29 July.

Article 95
Entry into force

This law shall take effect 60 days after its publication.

Approved on 3 July 2015.

The President of the Assembly of the Republic, Maria da Assunção A.Esteves.

Promulgated on 10 August 2015.

Let it be published.

The President of the Republic, ANÍBAL CAVACO SILVA.

Countersigned on 11 August, 2015.

The Prime Minister, Pedro Passos Coelho.


ANNEX I
Minimum conditions of civil liability insurance

(referred to in paragraph 2 of article 18)

1 - Managing companies established on national territory shall take out civil liability insurance to cover liabilities in the event of damage to property arising out of their activity.

2 - The insurance contract shall ensure, at the least, the payment of compensation for damage to property caused to third parties, resulting from actions or omissions on the part of managing companies or their legal representatives and collaborators, or from failure to comply with other obligations arising from the pursue of the activity, even where, without prejudice to the following paragraph, the following situations occur:

a) Termination of e-platform management;

b) Expiry of the e-platform management certificate, on non-revalidation grounds;

c) Cancellation of the civil liability insurance contract.

3 - The insurance policy shall expressly mention that, in the situations provided for in points of the preceding paragraph and regardless of the respective cause, the insurance covers damages occurred in the course of the contract and claimed up to one year after the date of termination of activity, license expiry or revocation or cancellation of the insurance contract.

4 - Where the license is suspended, the insurance contract expires at 24:00 of the day on which the suspension occurs.

5 - Where the insurance contract expires under the preceding paragraph, the return premium shall be transferred, at an amount proportional to the period of time that would elapse up to the expiry date.

6 - The policy holder shall communicate to the insurance company, within 48 hours, the suspension of the license.

7 - In the cases provided for in points a) and b) of paragraph 2 of this annex, the insurance contract expires at 24:00 of the day on which the event occurs, and the policy holder shall be required to report such a situation to the insurance company within 24 hours.

8 - The Instituto dos Mercados Públicos, do Imobiliário e da Construção, I. P., shall be required to inform the insurance company of the expiry of the managing company’s certificate.

9 - The insurance company may exclude:

a) Liability for damages resulting from the lack of capacity and legitimacy to enter into a contract on the part of persons that intervene in businesses with managing companies, when such facts have been intentionally kept by the former;

b) Liability for damages resulting from the impossibility to comply with contractual duties or with any legal obligations for reasons of force majeure for which the managing company is not responsible;

c) Liability for the payment of damages resulting from complaints arising or based, directly or indirectly, on the application of any bails, fees or fines, imposed by the competent authorities, as well as from other penalties of a sanctioning or fiscal nature, or other punitive payments, exemplary damages or other similar complaints.

10 - The insurance contract shall provide for the right of recourse of the insurance company in the following situations:

a) Liability for damages resulting from misconduct of the policy holder or where the action performed by the latter is qualified as crime or breach;

b) Where the liability of the policy holder results from loss or misplacement of money or of any other assets and documents in his keeping;

c) Where the liability results from facts practised by the managing company in order to obtain benefits and/or the reduction of costs of a fiscal nature, thereby causing damages to all stakeholders that were unaware of facts under consideration;

d) Where the liability result from actions or omissions practised by the policy holder, or by any person for which the latter is civilly liable, under the influence of alcohol, drugs or dementia;

e) Where the contract for provision of e-platform management services is null and void due to breach of procedural requirements.

11 - The insurance contract may provide for a deductible to be borne by the policy holder, which shall not be invoked against injured third parties.


ANNEX II
Rules for the codification of applications, tenders and solutions

(referred to in paragraph 3 d) of article 64, paragraph 3 of article 67, paragraphs 7 and 13 of article 68 and paragraph 4 of article 70)

Rules governing the codification of tenders submitted:

a) The identifying code of tenders results from the aggregation of two sub-codes, separated by a point, concerning the lot of the procedure and the tender itself, even where the procedure is not divided into lots;

b) The first sub-code takes the value 0 where there are no lots and order numbers as from 1 to identify each lot, where lots exist;

c) The second sub-code takes the value 0 for a basic tender and order numbers as from 1 to identify each variant.

In order to ensure greater clarification, four examples of tender proposals are presented below:

0.0 - The procedure is not divided into lots; basic tender;

0.2 - The procedure is not divided into lots; second variant;

3.0 - Third lot of a procedure; respective basic tender.

2.3 - Second lot of a procedure; respective third variant.