Cybersecurity - Portugal

Decree-Law no. 125/2025 establishes the new Regime Jurídico da Cibersegurança transposing Directive (EU) 2022/2555 (NIS2), replacing the earlier 2018 cybersecurity regime. It was preceded by enabling Law no. 59/2025 of 22 October 2025, which authorised the Government to legislate.

The Centro Nacional de Cibersegurança (CNCS) is the national cybersecurity authority, supervisor and EU single point of contact, managing the central registry and supervisory audits/inspections; CERT.PT operates as the national CSIRT that receives and handles incident notifications.

Essential and important entities must submit an early notification of a significant incident within 24 hours of becoming aware, an update/notification within 72 hours, and a final report within one month, with affected users informed without undue delay.

Beyond critical infrastructure already covered, the regime extends to NIS2 sectors including ICT service management, wastewater and waste management, space, manufacturing, postal services, chemicals, food production/distribution, digital service providers, and research.

The decree-law enters into force 120 days after publication (around 3 April 2026), with a 12-month grace period before fines apply for entities that have adopted internal adaptation procedures.

Administrative fines reach up to EUR 10 million or 2% of total worldwide annual turnover for essential entities, and up to EUR 7 million or 1.4% of turnover for important entities, whichever is higher.