The Council of Ministers Resolution No. 135/2026, of 26 June, has been published, approving the National Risk Assessment and the National Strategy for the Resilience of Critical Entities, within the framework of the implementation of Decree-Law No. 22/2025, of 19 March, which transposed Directive (EU) 2022/2557 on the identification, designation and strengthening of the resilience of critical entities.

The National Risk Assessment serves as a technical basis and analytical tool for identifying and assessing natural, accidental and deliberate threats that may affect essential services, and acts as a reference for the State in the process of identifying critical infrastructure and adopting resilience measures.

The National Strategy, applicable to the 2026-2029 quadrennium, establishes the framework, strategic objectives, policy measures and action plan to strengthen the resilience of entities that provide essential services, including in the energy, transport, banking, financial market infrastructure, health, drinking water and wastewater, digital infrastructure, public administration, space, insurance and pension funds, and food sectors.

The Strategy is based on a prevention, protection, response, mitigation and recovery approach, structured around three pillars:

  • Strengthening the resilience of critical entities;
  • Cooperation, supervision and institutional coordination; and
  • Research, training, communication and a culture of resilience.

Among the 42 measures envisaged, the identification and designation of critical entities stand out, together with relevant obligations for entities designated as critical, namely carrying out risk assessments, preparing resilience and security plans, appointing liaison officers, and notifying incidents.

The Resolution also provides for the creation of a shared digital platform for the notification of incidents related to the resilience of critical entities and the Legal Framework for Cybersecurity, reinforcing coordination between operational continuity, physical security and cybersecurity.

The implementation of the action plan, as a tool for monitoring the execution of the Strategy, will be assessed on a biannual basis by the Secretary-General of the Internal Security System, in collaboration with the National Council for Civil Emergency Planning, with the first assessment cycle scheduled for December 2026.