Portugal
(a) What is the NIS2 implementation status?
The NIS2 is not yet implemented; the aim was to have an impact study on the implementation of the NIS by October. The Government disclosed on 24 October 2024 that the ministers’ council has approved the decree-law for the transposition of the NIS2 directive. The procedure of approval is closed at a Government level (this being a legislative subject reserved to the Government). It should be published in the Official Gazette in the following days.
Also noteworthy is the fact that the Government has approved a draft law proposal – this will pass through Parliament – on cybersecurity, which will soon be placed under public consultation with the Portuguese National Cybersecurity Authority which is the appointed National competent authority and single point of contact under NIS1.
(b) What is the envisaged NIS2 implementation timeline?
The transposition is expected to be completed before the deadline; however, there is no definite date. Even though Portugal has clearly missed the deadline to transpose the directive into national law, the current developments are clearly a step in the right direction.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The other national cybersecurity legislation must be revised, in order to comply with the new requirements imposed by NIS2, namely law 46/2018 of August 13 (regarding the Legal Framework for Cyberspace Security) and decree-law 65/2021 of July 30 (which regulates the legal framework for cyberspace security).
(d) Who will be the supervisory authority and how are they preparing the market?
The supervisory authority is Centro Nacional de Cibersegurança Portugal (CNCS). CNCS adopted in the past a pedagogical approach, however, it has recently assumed a more proactive attitude and have warned that it will become stricter in applying the legal regime. Currently, it is preparing an implementation impact study regarding the NIS2 transposition, that should be presented in October of this year.
(e) What should you be doing/on the lookout for?
Clients operating in the various sectors now covered by NIS2 should begin to ensure compliance with the new rules, particularly in terms of risk management measures and stricter and more detailed information obligations, especially regarding providers of public communications networks or publicly available electronic communications services.
Furthermore, additional care must be taken with the rules that have already been laid down, as regulators are expected to take a closer look at the application of cybersecurity law.
Contact
Margarida Roda Santos E: mrodasantos@eversheds-sutherland.net
Paulo Sampaio Neves E: psampaioneves@eversheds-sutherland.net
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
Share this page