CYBERSECURITY | New legal framework (NIS2) now in force

On April 3, the cybersecurity legal framework transposing Directive (EU) 2022/2555 (NIS2) entered into force, as approved by Decree-Law No. 125/2025 (available at https://dre.pt).

This legislation significantly broadens the scope of entities covered by the new framework, reinforcing obligations related to risk management and incident reporting, and consolidating the role of the Centro Nacional de Cibersegurança (CNCS), the Portuguese National Cybersecurity Centre, as the national competent authority. It also establishes a stringent sanctions regime, with fines of up to €10 million or 2% of annual turnover.

Particular emphasis is placed on the enhanced responsibilities of administrative and management bodies, which are tasked with approving, overseeing and ensuring the implementation of cybersecurity measures, and may be held liable in cases of non-compliance.

In this context, organisations must carefully assess the scope of application, determining whether they fall within the regime, directly or indirectly, and, where applicable, ensure their registration with the CNCS.

Compliance requires a structured process of analysis and implementation, including the mapping of applicable obligations, an assessment of current compliance levels across legal, procedural and technological dimensions, and the definition of measures aligned with the organisation’s risk profile, operational dependencies and governance model.

Early preparation is essential to ensure a smooth transition and to mitigate regulatory risk.

09/04/2026