Portugal Has Its Own NIS2 Law Now. Are You Ready?
Portugal transposed the EU NIS2 Directive into national law through Decreto-Lei 125/2025, published in late 2025. Like the NIS2 Directive itself, the Portuguese transposition establishes cybersecurity obligations for essential and important entities operating in Portugal.
The Portuguese implementation follows the NIS2 framework closely but includes national-level specifics: the designated national authority (CNCS - Centro Nacional de Cibersegurança), sector-specific supervisory arrangements, and national registration requirements that go beyond what the Directive itself mandates.
For Portuguese organisations that were already working toward NIS2 compliance based on the EU Directive text, the national transposition changes some timelines and adds administrative requirements. For organisations that had not yet started, the national law removes any ambiguity about whether and when obligations apply.
This post covers what the Portuguese transposition requires, how it differs from the base Directive, and what practical steps Portuguese organisations must take now.
Who Is Covered Under the Portuguese Transposition
The Portuguese NIS2 transposition covers the same sectors as the EU Directive, with the essential/important entity classification:
Essential entities (stricter obligations, proactive supervision):
- Energy (electricity, oil, gas, district heating and cooling, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Healthcare (hospitals, laboratories, pharmaceutical manufacturers, medical device manufacturers)
- Water supply and wastewater
- Digital infrastructure (IXPs, DNS providers, TLD registries, cloud, data centres, CDNs, electronic communications networks)
- ICT service management (MSPs and MSSPs)
- Public administration (central and regional government)
- Space
Important entities (lighter touch, reactive supervision):
- Postal and courier services
- Waste management
- Chemicals, food
- Manufacturing of critical products
- Digital providers (online marketplaces, search engines, social networks)
- Research organisations
Organisations with fewer than 50 employees and annual turnover below EUR 10 million are generally exempt, unless they provide critical services. Size thresholds are calculated at the group level for organisations that are part of a larger group.
Key Obligations Under the Portuguese Transposition
For entities within scope, Decreto-Lei 125/2025 imposes the following core obligations:
Registration with CNCS. Entities must register with the Centro Nacional de Cibersegurança within 3 months of becoming in-scope. CNCS may also proactively identify and notify entities that should register.
Risk management measures. Article 21-equivalent requirements in the Portuguese transposition mandate technical and organisational measures proportionate to the risk. These include policies on risk analysis, information security incident handling, business continuity, supply chain security, access control and authentication, and cryptography.
Incident notification. Significant incidents must be reported to CNCS within 24 hours (initial alert), 72 hours (more detailed notification), and 30 days (final report). The definition of 'significant' follows the ENISA thresholds.
Supply chain due diligence. Entities must assess and address cybersecurity risks in their supply chains, particularly for direct suppliers and service providers.
The NIS2 compliance readiness assessment from ROOTKey allows Portuguese organisations to self-assess their current state against these requirements in under 15 minutes. Start your assessment today.
What the Portuguese Transposition Adds Beyond the Base Directive
Portugal's national implementation includes several elements beyond the minimum Directive requirements:
National cybersecurity strategy alignment. Entities must align their security practices with CNCS's national framework guidance, which goes beyond the generic risk management requirements of Article 21.
Sector-specific guidance. CNCS has issued or is preparing sector-specific technical guidance for the most critical sectors (energy, banking, healthcare, digital infrastructure). Entities in these sectors should monitor CNCS publications for sector-specific requirements.
Audit and supervisory powers. CNCS has powers to conduct on-site inspections, request documentation, and mandate third-party audits for essential entities. For important entities, supervision is primarily complaint-driven and reactive.
Penalties. Essential entities face fines up to EUR 10 million or 2% of global annual turnover (whichever is higher). Important entities face fines up to EUR 7 million or 1.4% of global annual turnover.
For a comprehensive view of what NIS2 compliance looks like across jurisdictions, see our guide to what NIS2's first audit deadline means for European organisations.
Recevez nos analyses sur la cyber-résilience par e-mail
Des conseils pratiques et prêts pour l'audit sur l'intégrité des données, la conformité et la continuité - dès leur publication.





