Cybersecurity is no longer optional.

With the entry into force of Decree-Law No. 125/2025, Portugal definitively transposed the European NIS2 Directive — and the companies concerned already have concrete obligations to fulfil.

The NIS2 Directive is a European Union law designed to enhance the cybersecurity of essential and important entities in member states. It aims to address the growing cyber threats and improve the resilience and security of critical infrastructures and digital services across the EU.

The NIS2 (Network and Information Security Directive 2) is the new European cybersecurity framework, published by the European Union on December 27, 2022, and in effect since January 16, 2023. In Portugal, it was transposed through the Decree-Law No. 125/2025, published on December 4, 2025, with effect from 3 April 2026.

The aim is to raise the level of digital protection across the European Union, harmonise requirements between countries, and ensure that organisations are prepared to respond to incidents quickly and effectively.

Compared to the previous NIS Directive of 2016, NIS2 goes much further – it covers around 10 times more entities, raises technical requirements and, for the first time, directly holds management bodies responsible for compliance with cybersecurity measures.

Is your company covered?

In Portugal, the law organises entities into three categories:

  • Essential entities — critical operators with high systemic impact (energy, health, banking, digital infrastructure, among others).
  • Important entities — organisations in strategic sectors with a relevant impact, although a lesser one in the event of a service interruption.
  • Relevant public entities — public administration bodies that meet specific criteria.

In general, a company is covered if it operates in one of the 18 sectors defined in Annexes I and II of the Directive and is classified as a medium or large company (≥ 50 employees and revenue ≥ €10 million). There are exceptions for certain critical service providers, which are covered regardless of their size.

If you have doubts about whether your organisation is included, don't wait for notification from the CNCS — get ahead of it.

What changes in practice?

The NIS2 Directive introduces a set of concrete obligations that go beyond simple paper compliance. The most relevant ones include:

  • Cybersecurity risk management – organisations must continuously identify, assess and mitigate risks, with documented policies and clear processes.
  • Incident notification — in the event of a significant incident, essential entities have strict reporting deadlines to the CNCS. The final report must be submitted within 30 working days of the notification of the end of the impact.
  • Top management accountability — this is perhaps the most disruptive point. Cybersecurity ceases to be “an IT problem”. Directors and members of management bodies are personally responsible for fulfilling obligations, and this responsibility cannot be delegated outside of the management bodies.
  • 9 mandatory minimum measures — defined in Article 21 of the Directive, these include access control policies, business continuity management, supply chain security and encryption, among others.
  • Continuing professional development – organisations must promote and ensure regular cybersecurity training for the relevant teams.

What are the consequences of non-compliance?

The fines provided for in Decree-Law No. 125/2025 are significant:

  • Serious infringements – up to 10 million euros or 21% of global annual turnover, whichever is higher.

However, there is a grace period: during the first 12 months, companies that demonstrate to the CNCS that they have initiated an internal adaptation process may avoid the imposition of fines, although they will still be obliged to report incidents.

What actions should you take now?

There are immediate obligations that do not admit delay:

  1. Register on the MyCiber platform (myciber.gov.pt) — the initial deadline was 4 May 2026.
  2. Appoint a cybersecurity officer.
  3. Implement the 9 measures of Article 21.
  4. Carry out an internal assessment of your current compliance level.

If you haven't started this process yet, now is the time to act.


How can INFOS help?

At INFOS, we closely follow our clients through this transition. To support organisations that need to understand exactly where they are — and what they need to do — we offer a rapid response service:

NIS2 Quick Diagnosis (3 days)

In just three days of work, our team conducts a focused and objective evaluation, which includes:

  • ✅ Assessment of existing security policies and mechanisms
  • ✅ Identification of vulnerabilities and compliance gaps
  • ✅ Compliance report against the requirements of Decree-Law No. 125/2025
  • ✅ Clear and prioritised recommendations for risk mitigation

The result is a concrete action plan for your organisation to increase digital resilience and be prepared for CNCS inspections – no surprises, no penalties.

Don't wait for the inspection. Get ahead of it.

NIS2 is no longer a directive that can be postponed. The obligations are real, the deadlines are already running, and personal responsibility lies with those who lead organisations.

Sources: Decree-Law No. 125/2025, CNCS (cncs.gov.pt), Directive (EU) 2022/2555 of the European Parliament and of the Council.