NIS 2 status in Portugal
What the directive requires, how Portugal transposes it, and where CNCS and CERT.PT fit into the picture.
Overview
The NIS 2 directive is the EU layer. It binds every member state, including Portugal, with one cybersecurity floor for essential and important entities. Portugal must put that floor into Portuguese law and run a supervision regime under it.
Portugal missed the 17 October 2024 transposition deadline by more than a year. Decreto-Lei n.º 125/2025, published in the Diário da República on 4 December 2025, finally carried NIS 2 into Portuguese law. The text enters into force on 3 April 2026, 120 days after publication.
The Centro Nacional de Cibersegurança (CNCS) is the lead competent authority. CERT.PT, operated inside CNCS, is the national CSIRT. Sector regulators stay in the loop where they already held competence: ANACOM for electronic communications, and Banco de Portugal and CMVM for the financial sector, where DORA acts as lex specialis.
EU directive
Directive (EU) 2022/2555 (NIS 2)
The EU-wide cybersecurity directive. Sets the obligations every member state must transpose, including the size and sector tests for essential and important entities.
EU implementation
Commission Implementing Regulation (EU) 2024/2690
Technical and methodological measures for digital infrastructure providers. Directly applicable in Portugal without national transposition.
Portuguese transposition
Decreto-Lei n.º 125/2025 of 4 December 2025
The Portuguese NIS 2 transposition, published in the Diário da República. Establishes the Regime Jurídico da Cibersegurança. Enters into force on 3 April 2026. Supplementary regulation and CNCS guidance fill in the operational detail.
Decreto-Lei n.º 125/2025
Carries the NIS 2 obligations into Portuguese law as the new Regime Jurídico da Cibersegurança. Defines essential and important entities, the supervision powers of CNCS, incident reporting duties, and sanctions up to EUR 10 million or 2 percent of global turnover. Entry into force is 3 April 2026.
CNCS as supervisor, CERT.PT as CSIRT
CNCS runs supervision, audits and sanction proceedings, and operates the electronic registration platform. CERT.PT, integrated into CNCS, coordinates incident response as the national CSIRT. Sector regulators, such as ANACOM for electronic communications and Banco de Portugal and CMVM for finance, keep their competence where lex specialis applies.
Registration and reporting
Entities must self-identify through the CNCS electronic platform after entry into force and notify CNCS of a cybersecurity officer and a permanent point of contact within twenty working days. Significant incidents follow the directive's 24-hour early warning, 72-hour notification and one-month final report cadence.
Local law applies inside Portugal
Operations on Portuguese territory follow the Portuguese transposition. A German Geschäftsführer running a Portuguese subsidiary reads Decreto-Lei n.º 125/2025 for that subsidiary, not the German BSIG. The directive obligations are the same; the procedure, the registration platform and the sanctions live in Portuguese law.
Portugal cannot go below the EU floor
The directive is a minimum harmonisation instrument. Portugal can go stricter, and Decreto-Lei n.º 125/2025 in places does. It cannot drop below the directive on essential and important entity duties, incident reporting deadlines or management body accountability.
CNCS
Centro Nacional de Cibersegurança. Lead competent authority under Decreto-Lei n.º 125/2025. Runs the electronic registration platform, issues guidance, conducts supervision and proposes sanctions. The national cybersecurity authority for essential and important entities.
CERT.PT
The national CSIRT, operated as a service inside CNCS. Coordinates incident response involving essential entities, important entities, public administration and digital service providers, and acts as the contact point in the EU CSIRTs Network.
ENISA
The EU cybersecurity agency. Publishes guidance, manages the European vulnerability database, and supports cross-border coordination. Not a supervisor for Portuguese entities; CNCS is.
We have a German parent, so we follow the BSIG.
Operations on Portuguese territory follow Decreto-Lei n.º 125/2025 and report into CNCS. The German parent reads BSIG for its German operations. The directive obligations are the same, but the procedure, the registration platform and the sanctions live in Portuguese law. A group operating in both countries runs two parallel registrations, one per supervisor.
There is no obligation yet because the law only enters into force in April 2026.
Decreto-Lei n.º 125/2025 was published on 4 December 2025 and enters into force on 3 April 2026, with self-identification and cybersecurity officer notification due shortly after. Waiting until the platform opens is too late; the applicability check and internal preparation belong before entry into force, not after.
Our sector regulator already supervises us, so NIS 2 does not add anything.
CNCS is the lead NIS 2 authority. ANACOM, Banco de Portugal and CMVM stay competent where they already were, in particular finance under DORA as lex specialis. Outside those carve-outs, the NIS 2 obligations and the CNCS reporting channel apply on top of any sector regime. Sector supervision does not substitute for NIS 2 registration with CNCS.
Most Portuguese operators we see treated NIS 2 as a future problem until Decreto-Lei n.º 125/2025 was published in December 2025. That window has closed. CNCS supervision starts on 3 April 2026, the cybersecurity officer must be notified to CNCS within twenty working days, and the management body, the administrador or gerente, is personally on the hook for risk-management approval and training under the directive.
The practical move is the same as everywhere else in the EU: confirm scope under the directive, register through the national platform (here the CNCS electronic platform), set up the four continuous obligations (registration upkeep, incident reporting, supply chain risk, management body oversight), and document the minimum. CNCS sector guidance helps, but it does not substitute for the NIS 2 obligation register.
We build the NIS 2 obligation register on the EU layer, not on any single national transposition. The same checklist works for a Portuguese subsidiary using Decreto-Lei n.º 125/2025, a German parent using BSIG, and a French sister using Ordonnance n° 2024-1093. Article references switch per locale; the substantive obligations do not.
For Portuguese scope you start with the applicability check, then move to incident reporting cadence, supply chain clauses and management body sign-off. Where CNCS publishes sector guidance, we reference it; we do not duplicate it.
- Directive (EU) 2022/2555 (NIS 2) — EUR-Lex
- Commission Implementing Regulation (EU) 2024/2690
- Decreto-Lei n.º 125/2025 of 4 December 2025 — Diário da República
- CNCS — Centro Nacional de Cibersegurança, official site
- CERT.PT — national CSIRT operated by CNCS
- ANACOM — sector authority for electronic communications
- Banco de Portugal and CMVM — sector authorities for the financial sector under DORA