Introduction: Why is NIS2 so relevant for Portugal?
The increasing sophistication of cyberattacks and the digital dependency of organisations have made it essential to harmonise cybersecurity rules within the European Union. In this context, the new NIS2 Directive — one of the most significant regulatory pillars of the last decade — imposes strengthened measures for risk management, incident response and supervision.
Portugal has now taken a decisive step by transposing this regime into its national legal framework, establishing new obligations that will have a transversal impact on public and private entities.
Publication of the New Cybersecurity Legal Framework
Decree-Law No. 125/2025 of 4 December has recently been published, approving the new Cybersecurity Legal Framework and transposing Directive (EU) 2022/2555, better known as the NIS2 Directive, into Portuguese law.
NIS2 aims to ensure a high, common and coordinated level of cybersecurity across the European Union, strengthening protection against cyberattacks in sectors considered essential and critical. Portugal, like other Member States, has adapted the requirements to the specificities of its legal system.
Main Changes Introduced by the Transposition of NIS2 (Summary)
- Significant expansion of the entities covered, including essential and important sectors.
- Strengthened obligations on risk management and incident response.
- Increased supervision by the CNCS and sectoral regulators.
- Higher fines, which may reach 10 million euros or 2% of turnover.
- Phased implementation deadlines, which may extend up to 24 months after entry into force.
Expansion of the Entities Covered
The new legal framework considerably broadens the range of entities subject to its rules, including digital infrastructures, communications, energy, health, transport and financial services, among others. These now fall under categories such as:
- Essential entities
- Important entities
- Relevant public entities
Classification depends on their function, criticality and social or economic impact.
Legal Obligations Imposed on Entities
As provided in the NIS2 Directive, the new law establishes a robust set of cybersecurity compliance obligations. Among the most relevant are:
1. Risk management and security measures
Implementation of measures appropriate to the nature, size and risk profile of the entity, including internal policies, periodic assessments and vulnerability control.
2. Mandatory notification of significant incidents
This includes strict deadlines for initial reporting and submission of subsequent reports.
3. Identification on the CNCS electronic platform
Entities must register and keep their information updated.
4. Strengthened supervisory powers
The CNCS and sectoral authorities now have expanded oversight mechanisms.
5. A more severe sanctioning regime
Fines may reach €10 million or 2% of global turnover, with the possibility of additional sanctions.
Role of the CNCS and Sectoral Authorities
The National Cybersecurity Centre (CNCS) acts as the central national authority, coordinating the electronic platform and issuing implementing regulatory standards.
In parallel, a system of sectoral authorities is created — such as ANACOM in the communications sector and the Bank of Portugal or the CMVM in the financial sector — ensuring a more specialised and less centralised supervisory approach.
Entry into Force and Compliance Deadlines
The decree-law enters into force on 3 April 2026, 120 days after its publication.
Some of the more demanding obligations, particularly those concerning the adoption of full risk management measures, will only take effect after the issuance of regulatory standards by the CNCS and may benefit from phased deadlines of up to 24 months after entry into force.
Impact on the Cybersecurity Ecosystem in Portugal
Decree-Law No. 125/2025 represents a profound transformation of the national cybersecurity legal framework, aligning Portugal with the most stringent European standards and strengthening its preparedness for advanced threats.
It constitutes an essential step toward promoting a more resilient and secure digital environment.
The Importance of Supervision and Cybersecurity Culture
For the regime to achieve the expected results, it is essential that:
- the CNCS and sectoral regulators have effective supervisory capacity;
- complementary regulation is clear and issued in a timely manner;
- entities promote a security culture based on training, prevention and alignment with frameworks such as the GDPR and DORA.
Conclusion: What Should Entities Do Now?
With the transposition of NIS2, all covered entities should now begin:
- assessing their current level of cybersecurity maturity,
- planning compliance measures,
- preparing for the upcoming regulatory deadlines.
Anticipation will be crucial to avoiding legal, operational and reputational risks.
The content of this information does not constitute any specific legal advice; the latter can only be given when faced with a specific case. Please contact us for any further clarification or information deemed necessary in what concerns the application of the law.