The NIS2 Directive has raised the bar for cybersecurity in the European Union, expanding the number of organisations covered and making management (administration\/directorship) directly responsible for approving and supervising risk management and incident response measures. NIS2 replaces the previous regime (NIS1) and has required Member States to transpose its rules into national law.<\/p>\n
In Portugal, this transposition was implemented by Decree-Law No. 125\/2025 of 4 December<\/strong>, which approves the new legal framework for cybersecurity and implements NIS2. The law comes into force on 3 April 2026<\/strong> (120 days after publication) and provides, among other things, for self-identification mechanisms, supervision and a robust penalty regime. Decree-Law No. 125\/2025 (Legal Framework for Cybersecurity)<\/a><\/p>\n The good news: implementing NIS2 is not about ‘buying a tool’. It is about organising governance, processes and controls \u2014 and that is entirely achievable with a well-designed plan.<\/p>\n The new regime applies to essential entities<\/strong> and important entities<\/strong>, based on sector and size criteria (in many cases, starting from “medium-sized enterprises”), as well as to certain types of digital entities regardless of size. CNCS \u2014 NIS Directive 2 (Portugal)<\/a><\/p>\n The sectors follow, in line with NIS2, two main annexes:<\/p>\n Annex I (sectors of critical importance):<\/strong> energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, space.<\/p>\n<\/li>\n Annex II (other critical sectors):<\/strong> postal services\/courier services, waste management, chemicals, food, manufacturing, digital providers, research.<\/p>\n<\/li>\n<\/ul>\n If you provide services to organisations in these sectors, you may not be directly classified as an essential\/important entity \u2014 but you may be impacted by supply chain \u2018pressure\u2019<\/strong> (contractual requirements, audits, security and reporting requirements).<\/p>\n Practical step (quick):<\/strong> conduct an “NIS2 screening” with three questions:<\/p>\n Do I operate in a sector listed in Annex I\/II?<\/p>\n<\/li>\n Am I a medium\/large company (or specific digital service provider)?<\/p>\n<\/li>\n Am I a critical supplier to an essential\/important entity?<\/p>\n<\/li>\n<\/ol>\n If you answered “yes” to at least one, proceed to formal assessment.<\/p>\n Although NIS2 imposed a transposition deadline on Member States (17 October 2024), in Portugal the new regime has its own timetable for entry into force and implementation.<\/p>\n Critical points (Portugal):<\/p>\n Effective date:<\/strong> 3 April 2026.<\/p>\n<\/li>\n Cybersecurity officer:<\/strong> essential and important entities must appoint and notify<\/strong> the CNCS, as a rule, within 20 working days<\/strong> of entry into force (reference indicated: by 4 May 2026<\/strong>).<\/p>\n<\/li>\n Permanent point of contact (24\/7):<\/strong> this must also be communicated to the CNCS within the same timeframe (indicatively by 4 May 2026<\/strong>).<\/p>\n<\/li>\n Notification of significant incidents:<\/strong> requires rapid communication \u2014 there is reference to initial notification within 24 hours<\/strong> (CNCS \u2014 Incident Notification)<\/a>, followed by further communications and a final report (including a deadline of 30 working days for the final report, after the stage indicated in the regime). European Commission \u2014 NIS2 FAQs (deadlines: 24 hours \/ 72 hours \/ 1 month)<\/a><\/p>\n<\/li>\n<\/ul>\n Furthermore, self-identification tends to be done via an electronic platform <\/strong>(to be implemented by regulation), and there are deadlines associated with the start of activity\/entry into operation of the platform.<\/p>\n NIS2 requires the implementation of measures proportionate to the risk<\/strong>, focusing on policies, continuity, supply chain, secure development<\/span>, training, encryption, access control, <\/span>asset management, and physical\/environmental security, among others. ENISA has published technical guidance which, although it does not replace Portuguese law, helps to transform obligations into controls and evidence. ENISA \u2014 Technical implementation guidance (NIS2)<\/a><\/p>\n A practical model is to organise implementation into six “blocks”:<\/p>\n Formal approval (administration\/management) of measures and risk appetite.<\/p>\n<\/li>\n Appointment of a cybersecurity officer and clear definition of authority, reporting lines and resources.<\/p>\n<\/li>\n Cybersecurity committee (or equivalent) with IT, security, operations, legal\/compliance, and management.<\/p>\n<\/li>\n<\/ul>\n Asset inventory (systems, critical services, data, suppliers).<\/p>\n<\/li>\n Criticality classification (business-critical services; dependencies; single points of failure).<\/p>\n<\/li>\n Map of critical processes and RTO\/RPO (continuity).<\/p>\n<\/li>\n<\/ul>\n Risk assessment methodology (e.g. aligned with ISO 27005\/ISO 27001).<\/p>\n<\/li>\n Treatment plan with priorities: “top 10 risks”, responsible parties, deadlines, evidence.<\/p>\n<\/li>\n Third-party risk integration (critical suppliers, cloud, MSP\/MSSP).<\/p>\n<\/li>\n<\/ul>\n Vulnerability management and patching; hardening; logging and monitoring.<\/p>\n<\/li>\n MFA and access control; least privilege principles; identity management.<\/p>\n<\/li>\n Tested backups; segmentation; endpoint protection; adequate encryption.<\/p>\n<\/li>\n<\/ul>\n Playbooks (ransomware, fraud, unavailability, data leakage).<\/p>\n<\/li>\n Exercises (tabletop) with management and technical teams.<\/p>\n<\/li>\n Mechanism to quickly identify “significant incidents” and meet deadlines.<\/p>\n<\/li>\n<\/ul>\n Annual training (by role) and “cyber hygiene” campaigns.<\/p>\n<\/li>\n KPIs: correction time, MFA coverage, backup success, MTTR\/MTTD, supplier maturity.<\/p>\n<\/li>\n Internal audits and evidence ready for supervision.<\/p>\n<\/li>\n<\/ul>\n NIS2 provides for a minimum penalty framework in the EU with high fines<\/strong>, differentiating between essential and important entities (binding orders, audits, and fines up to levels such as \u20ac10 million\/2% or \u20ac7 million\/1.4%, depending on the category, in the European framework).<\/p>\n In the national framework described in the transposition law, reference is also made to fines of up to \u20ac10 million or 2% of global annual turnover<\/strong> (whichever is higher), among other consequences.<\/p>\n The key point is not the “fear of fines”: it is that, with NIS2, cybersecurity becomes a matter of management and business continuity<\/strong>, with enhanced accountability and oversight.<\/p>\n Effective implementation combines compliance + technical + operational aspects. A typical (and quick) package may include:<\/p>\n NIS2 Scope & Qualification Assessment<\/strong> (applicability, classification, and impact on the supply chain).<\/p>\n<\/li>\n Gap analysis<\/strong> in relation to the new regime and best practices (e.g. alignment with ISO 27001\/27002 and ENISA guidelines).<\/p>\n<\/li>\n 6\u201312-month roadmap<\/strong> with priorities, costs, quick wins, and evidence plan.<\/p>\n<\/li>\n Governance and documentation:<\/strong> policies, responsibility matrix, incident\/reporting process, continuity.<\/p>\n<\/li>\n Support for operationalisation:<\/strong> exercises, training, and preparation for supervision\/audits.<\/p>\n<\/li>\n<\/ul>\n How do you know if NIS2 implementation in Portugal is right for you and what does it require? The NIS2 Directive has raised the bar for cybersecurity in the European Union, expanding the number of organisations covered and making management (administration\/directorship) directly responsible for approving and supervising risk management and incident response measures. NIS2 replaces […]<\/p>\n","protected":false},"author":1,"featured_media":2714,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2718","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sem-categoria"],"_links":{"self":[{"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/posts\/2718","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/comments?post=2718"}],"version-history":[{"count":3,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/posts\/2718\/revisions"}],"predecessor-version":[{"id":2881,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/posts\/2718\/revisions\/2881"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/media\/2714"}],"wp:attachment":[{"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/media?parent=2718"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/categories?post=2718"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/tags?post=2718"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}1) A sua organiza\u00e7\u00e3o est\u00e1 abrangida?<\/h2>\n
\n
\n
2) Initial dates and obligations that must not be missed<\/h2>\n
\n
3) O que a NIS2 exige \u201cna pr\u00e1tica\u201d: medidas de gest\u00e3o de risco<\/h2>\n
(A) Governance and responsibilities<\/h3>\n
\n
(B) Inventory and classification<\/h3>\n
\n
(C) Risk assessment and treatment plan<\/h3>\n
\n
(D) Technical and operational controls<\/h3>\n
\n
(E) Incidents and reporting<\/h3>\n
\n
(F) Culture, training and continuous improvement<\/h3>\n
\n
4) San\u00e7\u00f5es e responsabilidade da gest\u00e3o<\/h2>\n
5) Como a iCompliance.eu<\/span><\/span> pode ajudar na implementa\u00e7\u00e3o<\/h2>\n
\n
Next steps:<\/h2>\n
\n<\/a><\/div>\n\n