NIS 2 Directive transposed in Portugal: Decree-Law No. 125/2025 published

The management, direction and administration bodies of essential and important entities are responsible for approving cybersecurity risk management measures, supervising the implementation of measures and ensuring the regularity of cybersecurity training actions.

The members of the managment bodies may be held liable for action or omission, with intent or gross negligence, for the infringements provided for in the Decree-Law. The responsibility and powers necessary to fulfil the obligations of these bodies may not, as a rule, be delegated, except to one of their members.

Essential and important entities must adopt, following a systemic approach, the appropriate technical, operational and organisational measures to manage the risks to the security of networks and information systems, as well as to prevent or minimise the impact of incidents. The measures must be appropriate to the risk involved and proportionate to the entity's degree of exposure.

Essential and important entities should adopt, taking into account the defined risk matrix, cybersecurity measures, in particular in the following areas:

• Incident handling;
• Business continuity;
• Supply chain security;
• Security in the acquisition, development and maintenance of network and information systems;
• Policies and procedures to assess the effectiveness of cybersecurity risk management measures;
• Basic cyber hygiene practices and cybersecurity training;
• Policies and procedures relating to the use of encryption and ciphering;
• Human resources security;
• Use of multi-factor authentication, among others.

Relevant public entities must comply with the cybersecurity measures established by the CNCS through regulation.

The cybersecurity measures to be adopted regarding supply chain security should consider:

• The vulnerabilities of each direct supplier and each service provider;
• The overall quality of products in terms of cybersecurity;
• The cybersecurity practices of suppliers and providers;
• Coordinated assessments of the security risks of supply chains for critical ICT products, ICT systems or ICT services;
• Decisions regarding the application of restrictions on the use, cessation of use or exclusion of information and communication technology equipment, components or services.

Essential and important entities must carry out and document a risk management analysis,with reference to all assets that ensure the continuity of the operation of the networks and information systems they use, in accordance with guidelines to be defined by the CNCS. Based on this assessment, appropriate and proportionate measures must be taken to manage the risks

Essential and important entities must prepare and maintain an annual report containing, in particular, the following elements relating to the calendar year to which it refers:

• A summary description of the main activities carried out in the field of network and information service security;
• Quarterly statistics on all incidents, indicating the number and type of incidents;
• Aggregate analysis of incidents with a significant impact;
• Recommendations for activities, measures or practices that promote the improvement of network and information system security;
• Problems identified and measures implemented following incidents;
• Any other information deemed relevant.

This report is sent to the competent cybersecurity authority, the CNCS. In the case of important entities, when requested.

Essential and important entities must appoint and notify the CNCS, within 20 working days from the start of activity or, if they have already started their activity before the entry into force of this Regime, within 20 working days from that date (i.e. by 4 May 2026), of a person responsible for cybersecurity. This officer, who is responsible for managing cybersecurity and information security, must be a member of the entity's management bodies or, alternatively, be directly subordinate to them.

The cybersecurity officer shall have at least the following duties:

• Proposing cybersecurity risk management measures, including in the supply chain.
• Informing the responsible bodies about cybersecurity risk management measures.
• Assist in the implementation of supervisory and enforcement measures.
• Promote a culture of cybersecurity by proposing training actions.
• Manage residual risk.
• Ensure the preparation of the annual report.
• Coordinate the actions of the permanent contact point, if not under your responsibility.

Similarly, essential and important entities must ensure and communicate to the CNCS, also within 20 working days from the start of activity or, if they have already started their activity before the entry into force of this Regime, within 20 working days from that date (i.e. by 4 May 2026), a permanent contact point available 24 hours a day, seven days a week.

This point of contact shall ensure, in particular:

• The flow of operational and technical information with the cybersecurity authority;
• The sharing of information with the cybersecurity authority during the activation of emergency or resilience plans related to cybersecurity;
• The implementation of procedures defined in civil protection emergency plans that impact networks and information systems; and
• The receipt of guidelines, recommendations, technical instructions and orders issued by the cybersecurity authority.

The CNCS may require relevant essential, important and public entities to:

• Obtain national, European or international cybersecurity certification attesting to compliance with the cybersecurity measures of this regime, ensuring, in all cases, a matrix of equivalence with reference certification schemes; and
• The use of ICT products, services, and processes, developed by the entity or provided by third parties, certified under national and European cybersecurity certification systems.

Essential, important and relevant public entities must notify the competent cybersecurity authority of any significant incident – which, for the purposes of this regime, corresponds to an incident that:

• Causes, or is likely to cause, serious operational disruption to services or financial loss to the entity concerned;
• Affects, or is likely to affect, other natural or legal persons, causing considerable material or immaterial damage.

When notifying the competent cybersecurity authority of a significant incident, essential, important and relevant public entities must consider the following parameters:

• Number of users affected by the service disruption;
• Total number of users of the disrupted service;
• The duration of the incident;
• The level of severity of the disruption to the functioning of the service;
• The extent of the impact on economic and social activities.

For each incident subject to mandatory notification, essential, important, public and relevant entities must submit:

• An initial notification, as soon as it is concluded that a significant incident exists or may occur, without undue delay and within 24 hours (the authority must respond within 24 hours);
• A notification of the end of the significant impact, without undue delay and within 24 hours after the end of the impact;
• A final report, within 30 working days of the date of notification of the end of the significant impact of the incident.

Essential, important and relevant public entities may also be notified by the authorities to submit an interim report.

Entities shall communicate the occurrence to the recipients of the services without undue delay when the significant incident is likely to affect them negatively.

If the incident could lead to a personal data breach, the authority must inform the CNPD.

Supervisory and sanctioning powers differ depending on the type of entity concerned.

Essential entities are subject to a more comprehensive supervisory regime, both ex ante and ex post – authorities may carry out:

• On-site inspections and remote supervision;
• Regular or targeted security audits, or ad hoc audits, in particular on the basis of the verification of a significant incident;
• Security checks;
• Requests for information, access to data and evidence necessary to assess compliance with and enforcement of cybersecurity measures, policies and procedures.

Important and relevant public entities are subject to a lighter, ex post supervision regime – authorities may carry out:

• Only on-site inspections and remote ex post supervision; and
• The remaining measures mentioned abovein relation to essential entities.

Failure to comply with the obligations set out in the New Cybersecurity Legal Regime may be sanctioned with fines of up to €10 million or 2% of annual global turnover, whichever higher, as well as ancillary sanctions or compulsory financial penalties.

Decisions or any measures adopted and enforced by the authorities are subject to appeal before the courts.

The New Cybersecurity Legal Framework will enter into force 120 days after its publication (i.e. on 3 April 2026), and the CNCS must approve the implementing regulations, in particular regarding the operation of the electronic platform, the National Reference Framework for Cybersecurity and minimum cybersecurity measures. After the approval of these regulatory standards, essencial, important, and relevant public entities will have 24 months to adopt the new regime's standards.

It is therefore essential that organisations assess the scope of application in order to identify whether they are directly or indirectly covered by this legislation. Following this assessment, the entity must self-identify with the CNCS.

In order to identify the specific next steps to be taken, organisations must map their obligations and assess, from a legal, procedural and technological point of view, their level of compliance with the new rules. Only after this assessment is it possible to identify the most appropriate measures for the organisation, taking into account the risk, the levels of dependence on third parties, the sector of activity and the entity's governance model.

Anticipation is essential so that organisations can make the most of the process and minimise the risks of non-compliance.