Portugal

(a) What is the NIS2 implementation status?

Portugal has adopted an NIS2 implementation law through Decree-Law No. 125/2025, enacted on 4 December 2025. The law transposes NIS2 into national law and applies to essential, important and public entities (Art. 3, Annex 1, Annex 2), with a sectoral scope largely aligned with the Directive (public administration partially excluded). The framework includes national cybersecurity standards such as the National Reference Framework for Cybersecurity and DNP TS 4577-1 (Art. 14, 26, 29, 34).

(b) What is the envisaged NIS2 implementation timeline?

• Entities (essential, important and relevant public entities) have to register on a designated electronic platform (Art. 35)
• Registration deadline is 30 days after publication of the relevant implementing order
• Registration obligation applies to all entities falling within the national scope

(c) What does the NIS2 mean for other national cybersecurity legislation?

The other national cybersecurity legislation must be revised in order to comply with the new requirements imposed by NIS2, namely law 46/2018 of 13 August (regarding the Legal Framework for Cyberspace Security) and decree-law 65/2021 of 30 July (which regulates the legal framework for cyberspace security).

(d) Who will be the supervisory authority and how are they preparing the market?

The supervisory authority is National Cybersecurity Centre (CNCS) – in Portuguese “Centro Nacional de Cibersegurança Portugal”. CNCS adopted in the past a pedagogical approach. CNCS has launched free training for stakeholders from entities that will need to implement the NIS2 so that the market is aware of the law before the CNCS starts supervising it. The CNCS, how has now broader supervisory powers, has recently assumed a more proactive attitude and have warned that it will become stricter in applying the legal regime.

(e) What should you be doing/on the lookout for?

Entities operating in the various sectors now covered by NIS2 should begin to ensure compliance with the new rules, particularly in terms of risk management measures and stricter and more detailed information obligations, especially regarding providers of public communications networks or publicly available electronic communications services.

Furthermore, additional care must be taken with the rules that have already been laid down, as regulators are expected to take a closer look at the application of cybersecurity law.

As very high-level preliminary analysis, we highlight the following:

• the decree-law excludes from its scope public entities in the fields of national security, public security, defence and intelligence services;
• the Portuguese National Cybersecurity Authority, which was the single point of contact under NIS1, has naturally its attributions and powers as the national cybersecurity authority reinforced, and ‘sectoral’ and ‘special’ supervisory authorities have been created to oversee specific sectors of the economy.

Entities who are not under the scope of NIS2 should consider their role in supply chains and it is highly likely that the entities operating in the sectors covered by NIS2 will require that their supplier and service providers meet the same standards. Compliance with NIS2 for entities outside of the scope of the law can also be perceived as a market advantage over competitors.