General Counsel

Jun 09, 2025

NIS2 directive regulations and implementation in Portugal

When the EU’s cybersecurity overhaul was announced, I remember a colleague joking that we’d need a new wall just to pin up all the new acronyms. He wasn’t far off. But beneath the surface of the NIS2 directive—formally the Directive on measures for a high common level of cybersecurity across the Union—there’s more than just bureaucracy. Especially in Portugal, the road to implementation has been layered with political nuance, sectoral shifts, and real-world urgency.

This article untangles the regulatory web around NIS2 Portugal, tracing the path from legislative design to national execution and helping organisations understand their next steps.

The state of NIS2 Portugal transposition

Portugal has opted to transpose NIS2 into national law through a new legal framework, the Regime Jurídico da Cibersegurança (RJC). This will replace the existing Cyber-Security Act (Lei 46/2018) and simultaneously incorporate elements of the CER Directive—another EU framework on the resilience of critical entities.

The government was granted legislative authority via Proposal of Law XXIV/2024, with a public consultation held between November 2024 and January 2025. Despite a setback due to a loss of government confidence in March 2025, the legislative process continues. The proposed RJC is now under inter-ministerial review, with approval expected by Q3 2025 and legal entry into force by March 1, 2026.

Before diving into sanctions or sectoral impacts, here’s a clear view of the implementation journey so far:

| Date | Milestone | Status |
| --- | --- | --- |
| 14 Dec 2022 | NIS2 enters EU law | Complete |
| 21 Nov 2024 | Public consultation opens | Complete |
| 31 Jan 2025 | Consultation closes | Complete |
| 11 Mar 2025 | Government loses confidence vote | Complete (delayed agenda) |
| Q3 2025 | Council of Ministers approval expected | Pending |
| Dec 2025 | Publication in Diário da República | Pending |
| 1 Mar 2026 | Law enters into force | Pending |
| 1 Sep 2026 | First compliance audits begin | Pending |

Table: Key implementation milestones for the Portugal NIS2 directive

With political turbulence threatening to delay the timeline, it’s essential for Portuguese organisations not to wait until the last minute. The legal text may still be evolving, but the direction is clear.

Scope expansion and classification of entities

One of the most transformative aspects of Portugal NIS2 implementation is the dramatic increase in the number of in-scope entities. Previously, around 1,000 operators were regulated under Lei 46/2018. Under NIS2, that number may grow to 7,000–9,000 entities, including medium-sized manufacturers and municipalities with over 50,000 residents.

Organisations are now classified into two categories:

  • Entidades Essenciais (EE): entities with ≥250 employees or €50 million turnover
  • Entidades Importantes (EI): entities with ≥50 employees or €10 million turnover

Crucially, telecoms, cloud services, DNS providers, and trust service providers are regulated regardless of size.

| Classification | Employee threshold | Turnover threshold | Sector exceptions (in scope regardless of size) |
| --- | --- | --- | --- |
| Entidade Essencial (EE) | ≥ 250 | ≥ €50 million | Telecom, cloud, DNS, trust services |
| Entidade Importante (EI) | ≥ 50 | ≥ €10 million | Same as above |

Table: Entity classification thresholds under NIS2 Portugal

This structure reflects a more risk-based approach rather than relying solely on company size, in line with EU-wide cybersecurity policy shifts.

Sanctions and executive liability

Portuguese authorities have embedded significant enforcement mechanisms in the RJC to ensure compliance. These go beyond financial penalties and introduce personal accountability at the executive level.

The fine structure varies based on the entity type, and breaches of procedural duties (like delayed incident reporting) may trigger penalties even before a cyberattack happens.

| Entity type | Maximum fine | Additional measures |
| --- | --- | --- |
| EE | €10 million or 2% of global turnover | Licence suspension, director disqualification |
| EI | €7 million or 1.4% of turnover | Periodic penalties, public naming |
| Lower-tier (procedural) | €0.5–2 million | Binding corrective orders |

Table: Sanctions under the NIS2 Portugal directive

Moreover, boards of directors are now on the hook. They must approve cybersecurity programs, monitor their implementation, and may be removed for repeated negligence under the Portuguese Commercial Companies Code.

Impact across industries

From digital infrastructure to public administration, the effects of the Portugal NIS2 directive will be far-reaching. What sets the Portuguese implementation apart is the granular attention paid to operational realities—think mandatory segmentation between OT and IT in manufacturing or Software Bill of Materials (SBOM) exchange in energy.

Below is a breakdown of how different sectors are affected:

| Sector | Key changes | Typical new duties |
| --- | --- | --- |
| Manufacturing | Now regulated under NIS2 | Penetration testing, supplier-risk audits |
| Energy & Utilities | Includes hydrogen, LNG | 24/7 monitoring, CNCS board reports |
| Healthcare | Expands from 50 to 250+ providers | ISO governance, quarterly backup drills |
| Digital Infrastructure | In scope regardless of size | EU-based SOC, zero-trust frameworks |
| Finance | Overseen via DORA, not NIS2 | TLPT, third-party risk registers |
| Public Sector | Ministries, metro areas ≥ 50k residents | CNCS baseline, no financial fines |

Table: Sectoral impact under the Portugal NIS2 implementation

What companies should know and prepare for

With enforcement on the horizon, Portuguese companies—especially new entrants to the regulated perimeter—must act swiftly. The Centro Nacional de Cibersegurança (CNCS) will soon release a self-assessment tool to help organisations determine their classification.

Key preparation steps should focus on compliance infrastructure and executive-level engagement. Early preparation not only reduces exposure but helps embed a culture of resilience.

| Step | Description |
| --- | --- |
| Confirm status | Use the CNCS self-assessment to check EE/EI classification |
| Prepare data | Get NIF, CAE code, and cyber contact info ready for March 2026 |
| Gap analysis | Perform an Article 21 gap-check, focusing on backups, MFA, and supply chain |
| SOP draft | Create an incident response plan aligned with GDPR and NIS2 timelines |
| Board engagement | Secure board approval of the cyber program and schedule an annual audit |

Table: Immediate actions for Portuguese organisations

Even before the law enters into force, this proactive approach will ease registration and prepare teams for scrutiny.

Accelerate Portugal’s NIS2 readiness with CyberUpgrade

Portugal’s Regime Jurídico da Cibersegurança (RJC) will bring up to 9,000 new entities into scope by March 1, 2026, with CNCS self-assessments opening late 2025 and first audits from September 2026. CyberUpgrade aligns its out-of-the-box workflows directly with RJC’s classification, incident-reporting and 24 h/72 h/30 day timelines—so you can start closing gaps today, not tomorrow.

Our Slack and Teams chatbot walks every team member through real-time NIS2-aligned checks keyed to your NIF and CAE codes, capturing evidence automatically in a central, regulator-ready repository. Layer in continuous vulnerability scans, penetration tests, SBOM exchanges and live monitoring, and you’ll spot threats long before they trigger fines of up to €10 million or director disqualifications.

Combine that with our EU-based CISO-as-a-Service for hands-on support—from Article 21 gap analyses and board-level policy sign-off to pre-approved incident-response playbooks—and you’ll offload 80 % of your compliance work, save over €60K annually, boost security culture, and keep your focus on growth while Portugal’s audits loom. Let CyberUpgrade turn Portugal’s NIS2 compliance complexity into your compliance advantage.

What lies ahead for cyber resilience in Portugal?

Portugal’s NIS2 journey is more than a regulatory update—it’s a societal shift toward embedding cybersecurity into the DNA of essential services. From regional governments to factories, every sector will soon bear the weight of structured accountability and real-time responsiveness.

Political delays may tweak timelines, but the direction is set. With the RJC poised to transform the national cybersecurity landscape, businesses must pivot from passive compliance to active risk management.

The question isn’t whether your organisation will be affected. It’s whether you’ll be ready when the audits begin.

General Counsel

He is a regulatory compliance strategist with over a decade of experience guiding fintech and financial services firms through complex EU legislation. He specializes in operational resilience, cybersecurity frameworks, and third-party risk management. Nojus writes about emerging compliance trends and helps companies turn regulatory challenges into strategic advantages.