NIS2 Country Guide

NIS2 Portugal: Regime Jurídico da Cibersegurança (Decree-Law 125/2025)

Discover how Portugal has transposed the NIS2 Directive through the new Regime Jurídico da Cibersegurança (RJC), approved by Decree-Law 125/2025, what it means for essential, important and relevant public entities, and how the National Cybersecurity Centre (CNCS) will supervise compliance from 2026 onwards.

Portugal NIS2 law adopted: 2025
Law in force from: 3 April 2026
National authority: CNCS

Introduction: NIS2 Directive & the Portuguese context

Portugal previously had a fragmented cybersecurity framework, with obligations scattered across sectoral laws and soft-law guidance from the National Cybersecurity Centre (CNCS). The original NIS Directive (NIS1) was only partially reflected in national legislation, covering a limited set of operators of essential services.

The new Regime Jurídico da Cibersegurança (RJC), approved by Decree-Law 125/2025, changes this landscape completely. It transposes Directive (EU) 2022/2555 (NIS2) into Portuguese law and creates one of the most demanding cybersecurity regimes in the EU, with broad scope, strict obligations and reinforced powers for CNCS and sectoral authorities.


NIS2 implementation in Portugal

After several delays and draft bills, Portugal has finally transposed NIS2 through Decree-Law 125/2025 of 4 December, which approves the Regime Jurídico da Cibersegurança (RJC) and explicitly implements Directive (EU) 2022/2555 into national law.

The decree-law was published in the Diário da República on 4 December 2025 and enters into force 120 days after publication, on 3 April 2026. Some provisions will only take full effect up to 24 months after entry into force, so entities have a limited implementation window.

The RJC is built on previous political steps, including Law 59/2025 of 22 October 2025, which authorised the Government to transpose NIS2 and design the new cybersecurity regime for Portugal.

Status

NIS2 is now formally transposed in Portugal. Decree-Law 125/2025 has been published and will apply from 3 April 2026, following a long period of legislative work and EU infringement pressure for late transposition.

Legal structure

The RJC is a horizontal cybersecurity law that:

  • defines essential and important entities;
  • introduces a special category of relevant public entities (Groups A and B);
  • sets security and incident-reporting obligations;
  • establishes supervisory and sanctioning powers for CNCS and sectoral authorities.

Supervisory model

Portugal combines a central authority (CNCS) with sectoral cybersecurity authorities such as ANACOM for electronic communications and postal services, coordinated within a national cybersecurity governance framework.

NIS2 Portugal: what you need to know about compliance

The Portuguese RJC mirrors the NIS2 architecture of essential entities and important entities, and adds a third group of relevant public entities. Estimates suggest that several thousand organisations (potentially up to 9,000) will fall within scope once the regime is fully operational.

Who is in scope?

  • Essential entities: medium and large organisations in NIS2 Annex I sectors (energy, transport, health, drinking water, digital infrastructure, public administration, etc.).
  • Important entities: medium and large organisations in Annex II sectors (postal and courier services, waste management, food, manufacturing of critical products, research, etc.).
  • Relevant public entities: selected public bodies split into Group A (most critical) and Group B, including central government and key public-service providers.
  • Size-independent entities: providers such as DNS service operators, TLD registries, trust-service providers and major cloud/data-centre operators, regardless of company size.

Core obligations

  • Implement cybersecurity risk-management measures aligned with NIS2 Article 21 and national minimum security measures defined by CNCS.
  • Maintain policies, procedures and asset inventories covering networks, systems, data and critical services.
  • Detect, handle and report significant incidents and certain cyber threats following a 24h / 72h / 30-day reporting ladder via an electronic platform.
  • Manage supply-chain cybersecurity risk, including contractual security and incident-notification obligations for critical suppliers.
  • Ensure management bodies approve cybersecurity strategies, oversee implementation and receive regular training.

Classification & onboarding

CNCS will operate a national electronic platform through which entities identify themselves, submit required information and are classified as essential, important or relevant public entities. The RJC provides for staged implementation, with deadlines running from the date the regime starts producing effects for each category.

Important: even before 3 April 2026, CNCS is already running a NIS2 roadmap and awareness programme to prepare entities, including training sessions across Portugal and its autonomous regions.

Competent authorities & CSIRTs

Portugal’s NIS2 regime is centred on the Centro Nacional de Cibersegurança (CNCS) as national authority, with sectoral regulators taking on specialised roles and ANACOM designated as cybersecurity authority for communications and postal services.

Role: National cybersecurity authority & Single Point of Contact
Authority: Centro Nacional de Cibersegurança (CNCS)
Notes: Leads implementation of the RJC, supervises many essential and important entities, operates the national incident-reporting platform and represents Portugal in EU NIS2 cooperation fora.

Role: National CSIRT
Authority: CNCS (national CSIRT function)
Notes: Receives incident notifications, issues alerts and guidance, and coordinates the technical response to significant cybersecurity incidents at national level.

Role: Sectoral cybersecurity authority (communications & postal)
Authority: ANACOM
Notes: Designated as the sectoral cybersecurity authority for electronic communications and postal services, working closely with CNCS on supervision and incident management in these sectors.

Role: Other sectoral authorities
Authority: Various regulators (e.g. energy, finance, health, transport)
Notes: Take on NIS2-related oversight in their sectors under the RJC, including inspections, incident follow-up and enforcement in coordination with CNCS.

NIS2 timeline & key dates (Portugal)

17 October 2024 — EU deadline for NIS2 transposition passes; Portugal does not yet have implementing legislation in place.
28 November 2024 — European Commission launches infringement proceedings and sends letter of formal notice for failure to transpose NIS2.
7 May 2025 — Commission issues reasoned opinion to Portugal for continued failure to notify full transposition.
22 October 2025 — Law 59/2025 published, authorising the Government to transpose NIS2 and approve the RJC by decree-law.
4 December 2025 — Decree-Law 125/2025 (RJC) published in the Official Journal, formally transposing Directive (EU) 2022/2555 (NIS2).
3 April 2026 — RJC enters into force, starting the clock for implementation deadlines and future audits.
2026–2028 — Gradual rollout of obligations and supervision, with up to 24 months for some provisions to produce full effects and first audits expected from late 2026 onwards.

Sector-specific notes for Portugal

  • Energy: electricity, gas and other critical energy operators are treated as essential entities with strict incident-reporting and resilience obligations.
  • Digital infrastructure & telecom: electronic communications networks, data centres, cloud providers and key internet infrastructure are a central focus, with ANACOM playing a major supervisory role for communications and postal services.
  • Public administration: central government bodies and other relevant public entities (Groups A and B) are explicitly covered to protect critical public services and state digital infrastructure.
  • Finance & payments: banks and financial market infrastructures are in scope under both NIS2 and sectoral EU rules, requiring coordinated compliance strategies.
  • Health & critical services: hospitals and critical healthcare providers will need to significantly upgrade cybersecurity governance, technical controls and incident readiness.

Penalties for non-compliance

The RJC introduces a strong enforcement regime aligned with NIS2 ceilings, giving CNCS and sectoral authorities the power to impose significant fines and corrective measures on non-compliant entities and, in some cases, to hold management personally accountable.

  • For essential entities, fines can reach up to the higher of €10 million or 2% of total worldwide annual turnover for the most serious breaches.
  • For important entities, fines can reach up to the higher of €7 million or 1.4% of worldwide annual turnover.
  • Additional administrative fines may apply for procedural breaches, such as incomplete or late reporting and failure to cooperate with supervision.
  • Corrective measures can include mandatory remediation plans, enhanced supervision and, in serious cases, temporary restrictions on certain activities.
  • Management bodies may face specific consequences where they fail to fulfil governance and oversight duties regarding cybersecurity.

How to prepare for NIS2 in Portugal

  1. Check if you are in scope: map your organisation against NIS2 Annex I & II sectors and typical size thresholds; consider whether you may be classified as an essential, important or relevant public entity under the RJC.
  2. Follow CNCS guidance: monitor CNCS communications, the NIS2 roadmap and future technical regulations on the national cybersecurity reference framework and minimum security measures.
  3. Run a NIS2/RJC gap assessment: compare your current controls against NIS2 Article 21 and the upcoming Portuguese minimum security measures, focusing on governance, technical measures, documentation and reporting.
  4. Prepare for registration and classification: identify critical services, systems, dependencies and key contacts so you can respond quickly when the electronic platform and classification process go live.
  5. Strengthen incident detection & reporting: design monitoring, escalation and communication processes that can support 24h / 72h / 30-day reporting and integrate with GDPR and sectoral rules.
  6. Manage supply-chain risk: review contracts with key ICT and service providers, adding explicit cybersecurity, audit and incident-notification clauses.
  7. Align with recognised frameworks: build or refine your ISMS using ISO/IEC 27001, NIST CSF or similar to structure your NIS2/RJC compliance programme.
  8. Engage leadership: brief the board and senior management on their new responsibilities and ensure cybersecurity is embedded in overall risk and business strategy.

FAQ: NIS2 in Portugal

Has Portugal fully transposed NIS2?
Yes. NIS2 has been transposed through Decree-Law 125/2025, which approves the Regime Jurídico da Cibersegurança. The law is published and will enter into force on 3 April 2026, after which its obligations progressively apply.
Who is the main NIS2 authority in Portugal?
The Centro Nacional de Cibersegurança (CNCS) is the national cybersecurity authority, national CSIRT and single point of contact. Sectoral regulators such as ANACOM act as cybersecurity authorities in their domains under the RJC.
How many entities will fall under the new regime?
Legal and industry analysis suggests that several thousand entities — potentially up to around 9,000 — will be subject to the RJC as essential, important or relevant public entities once the regime is fully rolled out.
Do we need a specific certification like ISO 27001?
The RJC does not mandate a single certification, but alignment with standards like ISO/IEC 27001 is strongly recommended as an efficient way to structure and evidence compliance with NIS2 obligations in Portugal.
When should we start preparing?
Preparation should start now. Although the law only applies from 3 April 2026, implementation, cultural change and technical upgrades take time, and CNCS has already begun a national NIS2 awareness and training roadmap.
Information provided for general guidance; always consult the official Portuguese legislation, CNCS publications and legal counsel for definitive NIS2 compliance requirements in Portugal.