Portugal
(a) What is the NIS2 implementation status?
The NIS2 transposition draft law was open for public consultation until 31 December 2024 and received 149 contributions, which have been reviewed by the Government. Although the Government had stated that it intended to publish the law during January 2025, this did not happen. The draft law has now been reviewed in light of the multiple contributions received from the public consultation, and it was sent to the Parliament for approval on 14 February 2025.
(b) What is the envisaged NIS2 implementation timeline?
Since the draft law has been sent to the Parliament, its approval will now be put to a vote. It is anticipated that the authorization law will be passed, after which the Government will have 180 days to publish the final diploma.
(c) What does the NIS2 mean for other national cybersecurity legislation?
Other national cybersecurity legislation must be revised to comply with the new requirements imposed by NIS2, namely Law 46/2018 of 13 August (regarding the Legal Framework for Cyberspace Security) and Decree-Law 65/2021 of 30 July (which regulates the legal framework for cyberspace security).
(d) Who will be the supervisory authority and how are they preparing the market?
The supervisory authority is Centro Nacional de Cibersegurança Portugal (CNCS). In the past, CNCS adopted a pedagogical approach; however, it has recently assumed a more proactive attitude and has warned that it will become stricter in applying the legal regime. According to the draft law that was publicly available for consultation (now amended, although the amended version is not public), the entity will most certainly have a wider range of supervision powers.
(e) What should you be doing/on the lookout for?
Entities operating in the various sectors now covered by NIS2 should begin to ensure compliance with the new rules, particularly in terms of risk management measures and stricter and more detailed information obligations, especially regarding providers of public communications networks or publicly available electronic communications services.
Furthermore, additional care must be taken with the rules that have already been laid down, as regulators are expected to take a closer look at the application of cybersecurity law.
As a very high-level preliminary analysis, we highlight the following:
- the decree-law excludes from its scope public entities in the fields of national security, public security, defence and intelligence services;
- the Portuguese National Cybersecurity Authority, which was the single point of contact under NIS1, naturally has its attributions and powers as the national cybersecurity authority reinforced, and ‘sectoral’ and ‘special’ supervisory authorities have been created to oversee specific sectors of the economy.
Entities that are not within the scope of NIS2 should consider their role in supply chains, since it is highly likely that the entities operating in the sectors covered by NIS2 will require their suppliers and service providers to meet the same standards. Compliance with NIS2 by entities outside the scope of the law can also be perceived as a market advantage over competitors.
Contact
Margarida Roda Santos E: mrodasantos@eversheds-sutherland.net
Paulo Sampaio Neves E: psampaioneves@eversheds-sutherland.net
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.