05.12.2025

Legal Alert | New legal framework for cybersecurity - Transposition of NIS2 Directive

Decree-Law 125/2025 transposes the NIS 2 Directive and establishes a new cybersecurity legal regime in Portugal, significantly expanding the number of entities covered, reinforcing obligations relating to risk management, incident reporting and supervision, and consolidating the role of the National Cybersecurity Centre (CNCS). It applies to critical sectors (including energy, health, banking and digital services) as well as to Public Administration, imposing proportionate requirements depending on the type of entity concerned. The regime enters into force 120 days after its publication, with phased application, requiring covered entities to identify themselves on the CNCS platform, assess compliance with the new measures and, where necessary, adapt internal policies and contractual arrangements.

Framework

On 4 December 2025, Decree-Law 125/2025, which approves the new Cybersecurity Legal Regime and transposes Directive (EU) 2022/2555 (NIS 2), was published. The directive establishes a comprehensive framework of technical, organisational and procedural measures aimed at ensuring a high common level of cybersecurity across Europe.

This law represents a profound reformulation of the Portuguese legal framework, including:

  • Expanding the number of entities that will be covered by the regime;
  • Reinforcing obligations concerning:
    • Risk management;
    • Incident reporting;
    • Supervision; and
  • Consolidating the role of the National Cybersecurity Centre (CNCS) as the national cybersecurity authority.

The legislature highlights the growing sophistication of cyber threats and their high potential impact on the functioning of the state, the economy and the lives of citizens, which justifies a more demanding regime, structurally based on instruments such as the National Cyberspace Security Strategy, the National Plan for Response to Large-Scale Cybersecurity Crises and Incidents, and the National Reference Framework for Cybersecurity.
Key Changes

NIS2 introduces a substantial number of changes and new items, among which the following stand out in the transposition now being implemented in Portugal:

  • Extending the range of entities subject to cybersecurity obligations, covering more critical sectors, as well as a significant part of Public Administration;
  • Proportional grading of obligations imposed depending on whether the entity is classified as essential or important;
  • Inclusion of minimum cybersecurity measures, in accordance with the type of entity and the activity carried out;
  • Strengthening of the incident reporting system, with stricter reporting deadlines in line with the European cooperation mechanism;
  • Establishment of "sectoral" and "special" supervisory authorities (overseeing specific sectors of the economy);
  • Strengthening the powers of the CNCS, granting it the ability to liaise with sectoral authorities and creating a Crisis Office composed of entities with responsibilities in internal security, defence and criminal investigation.

Scope of Application

The new regime adopts a broad and materially oriented scope, reflecting the centrality of cybersecurity in the functioning of the state, the economy and essential services. Whether an entity is subject to the regime will depend on its sector of activity and the type of entity concerned.

The Decree-Law applies to private entities that operate in sectors whose continuity is considered essential for the functioning of the economy and society.

The most important sectors and activities include:

  • Energy, transport, banking and financial markets, health, water and sanitation, digital infrastructure, ICT services and space;
  • Other critical sectors such as postal and courier services, waste management, chemicals and manufacturing, food production and distribution, digital services and research activities;
  • Higher education institutions.

The regime also applies to Public Administration (with some exceptions) and some other entities or services of a public nature, as specified in the legislation.

Next Steps

The decree-law comes into force 120 days after its publication, with phased application, as some obligations become applicable at different times, namely:

  • Certain provisions relating to risk management measures, incident reporting and supervision will take effect only 24 months after the publication of supplementary regulations to be issued by the CNCS, as will the obligation of relevant public entities to comply with cybersecurity measures;
  • Existing ANACOM regulations that do not conflict with the new regime remain in force until they are replaced or repealed.

In anticipation of the implementation in Portugal of the regime resulting from this transposition of the NIS2 Directive, entities must:

  • Determine the applicable regulatory framework, identifying whether they qualify as essential or important entities, by mapping the services covered; and, if covered,
  • Prepare the compulsory identification on the CNCS platform within 60 days of its availability;
  • Conduct a gap assessment in light of the new minimum cybersecurity measures, given that it may be necessary to review policies, procedures and technological architecture;
  • Adapt (or implement) internal mechanisms for incident reporting; and
  • Check the need to adapt contracts with critical suppliers, managed service providers, ICT infrastructures and other relevant third parties.

The Cybersecurity and Technology teams at Morais Leitão will continue to closely monitor these developments. For more information, contact us.