Portugal

(a) What is the NIS2 implementation status?

On the 4th of December 2025 Decree-Law 125/2025 was published, which transposes NIS2 into national law.

(b) What is the envisaged NIS2 implementation timeline?

The law will enter into force in 03.04.2026.

Some obligations, such as appointing a cybersecurity responsible (article 31º) and a 24/7 permanent point of contact (article 32º) with the National Cybersecurity Centre (CNCS) will need to be complied in 20 workings days counting from 03.04.2026, obligation of self-qualification and register with CNCS (article 8º and 35º) will be due in 60 calendar days once the CNCS makes available the online platform that will be created for such purpose (always after 03.04.2026).

The major obligations, including implementing cybersecurity measures within the organization (article 27º) implementing cybersecurity measures regarding the supply chain (article 28º) managing residual risks / business continuity (article 29º) and the annual report obligation (article 30º) all depend on regulation that will be approved by the CNCS and will become applicable 24 months after each regulation is issued.

(c) What does the NIS2 mean for other national cybersecurity legislation?

The other national cybersecurity legislation must be revised in order to comply with the new requirements imposed by NIS2, namely law 46/2018 of 13 August (regarding the Legal Framework for Cyberspace Security) and decree-law 65/2021 of 30 July (which regulates the legal framework for cyberspace security).

(d) Who will be the supervisory authority and how are they preparing the market?

The supervisory authority is National Cybersecurity Centre (CNCS) – in Portuguese “Centro Nacional de Cibersegurança Portugal”. CNCS adopted in the past a pedagogical approach. CNCS has launched free training for stakeholders from entities that will need to implement the NIS2 so that the market is aware of the law before the CNCS starts supervising it. The CNCS, how has now broader supervisory powers, has recently assumed a more proactive attitude and have warned that it will become stricter in applying the legal regime.

(e) What should you be doing/on the lookout for?

Entities operating in the various sectors now covered by NIS2 should begin to ensure compliance with the new rules, particularly in terms of risk management measures and stricter and more detailed information obligations, especially regarding providers of public communications networks or publicly available electronic communications services.

Furthermore, additional care must be taken with the rules that have already been laid down, as regulators are expected to take a closer look at the application of cybersecurity law.

As very high-level preliminary analysis, we highlight the following:

• the decree-law excludes from its scope public entities in the fields of national security, public security, defence and intelligence services;
• the Portuguese National Cybersecurity Authority, which was the single point of contact under NIS1, has naturally its attributions and powers as the national cybersecurity authority reinforced, and ‘sectoral’ and ‘special’ supervisory authorities have been created to oversee specific sectors of the economy.

Entities who are not under the scope of NIS2 should consider their role in supply chains and it is highly likely that the entities operating in the sectors covered by NIS2 will require that their supplier and service providers meet the same standards. Compliance with NIS2 for entities outside of the scope of the law can also be perceived as a market advantage over competitors.