NIS2 Portugal

The NIS2 Directive (EU) 2022/2555 was adopted to strengthen cybersecurity and resilience across the European Union. It replaces the original NIS1 Directive (EU) 2016/1148 of 6 July 2016 and introduces stricter cybersecurity obligations, an expanded scope, and enhanced supervisory powers to better protect critical and important entities against cyber threats. The full text of the directive is available via EUR-Lex.

Portugal did not meet the initial deadline of 17 October 2024 for transposing the NIS2 Directive into national law. Nevertheless, the national legislative process has progressed. A draft version of the Portuguese NIS2 Act has been published, and on 19 September 2025 the Assembly of the Republic approved the bill establishing a new legal framework for cybersecurity in Portugal. Following publication in the Official Gazette, an implementing decree will be adopted to define the detailed technical and procedural rules required for the practical application of the law.

This page provides a comprehensive overview of the NIS2 implementation in Portugal, including the scope of application, obligations for organisations, compliance requirements, supervisory authorities and enforcement mechanisms. It is intended to support organisations in understanding whether they fall within the scope of NIS2 and how to prepare for compliance with the forthcoming national framework.

Please note that the legal and regulatory status of NIS2 in Portugal is evolving. The content of this page will be updated as soon as new official information becomes available.

Scope – NIS2 entities in Portugal

The Portuguese NIS2 Act applies to both legal entities and natural persons (hereinafter jointly referred to as entities) that are established in Portugal and that provide products or services within the European Union.

The legislation clearly defines which public and private entities are subject to cybersecurity obligations. A distinction is made between essential entities and important entities. This classification is determined on the basis of the services provided, the size of the entity and the place of establishment.

In principle, an entity falls within the scope of the Portuguese NIS2 Act if all of the following conditions are met:

  1. The organisation provides services within a sector listed in Annex I or Annex II of the NIS2 Act;
  2. The organisation qualifies as a medium-sized enterprise or exceeds the ceilings for a medium-sized enterprise (the size thresholds are explained under Criterion 2 below); and
  3. The organisation is established in Portugal.

Criterion 1: Services provided

Annexes I and II of the Portuguese NIS2 Act define the sectors that fall within the scope of the legislation. Organisations are required to assess their activities carefully, including at sub-sector level, to determine whether the services they provide are covered. The sector classification in the Portuguese NIS2 Act corresponds to the European NIS2 Directive.

Annex I: Very critical sectors

  • Energy
    • Electricity
    • District heating and cooling
    • Oil
    • Gas
    • Hydrogen
  • Transport
    • Air
    • Rail
    • Water
    • Road
  • Banking
  • Financial market infrastructures
  • Healthcare
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • Management of ICT services (business-to-business)
  • Space

Annex II: Other critical sectors

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Manufacture, processing and distribution of food
  • Manufacture
    • Medical devices and in vitro diagnostic medical devices
    • Computer products and electronic and optical products
    • Electrical equipment
    • Machinery, equipment and tools (n.e.c.)
    • Motor vehicles, trailers and semi-trailers
    • Other transport equipment
  • Digital providers
  • Research

If an organisation provides one or more services listed in Annex I or Annex II, it may fall within the scope of the NIS2 Act.

In addition to essential and important entities, certain public entities are also subject to the Portuguese NIS2 Act. Articles 3 and 7 of the Act provide further clarification on the inclusion of public authorities.

Criterion 2: Company size

Besides the services provided, the size of the organisation is a key factor in determining whether the NIS2 obligations apply. As a general rule, medium-sized and large enterprises are subject to the NIS2 requirements.

The size thresholds are those of Commission Recommendation 2003/361/EC, to which the NIS2 Directive refers. An enterprise counts as medium-sized or larger, and therefore within the general size rule, if it employs 50 or more persons, or if both its annual turnover and its annual balance sheet total exceed EUR 10 million. Enterprises with fewer than 50 employees and either turnover or balance sheet total at or below EUR 10 million are micro or small enterprises and fall outside the general rule. Headcount and financial figures are calculated as the Recommendation requires, i.e. including partner and linked enterprises, so a small subsidiary of a large group can still meet the threshold.

Regardless of their size, the following entities always fall within the scope of the NIS2 Act:

  • Providers of public electronic communications networks or services;
  • Trust service providers;
  • Top-level domain name registries (TLD registries);
  • Domain Name System (DNS) service providers.

Furthermore, entities may be subject to the NIS2 Act irrespective of their size if their activities are considered crucial to society or the economy. This applies in particular where:

  • The entity provides services essential to critical societal or economic functions that cannot easily be replaced;
  • A disruption of services would significantly affect public order, public safety or public health;
  • An incident could generate systemic risks with cross-border impact; or
  • The entity is of strategic or vital importance at national or regional level, for example due to interdependencies with other sectors.

Criterion 3: Establishment in Portugal

As a general principle, the Portuguese NIS2 Act applies to entities established in Portugal. By way of exception, the following entities also fall within scope:

  • Providers of public electronic communications networks or services offering their services in Portugal;
  • DNS service providers, TLD registries, domain name registration service providers, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplaces, online search engines and social networking service platforms, where:
    • their main establishment is located in Portugal; or
    • their designated EU legal representative is established in Portugal.
  • Public authorities established by Portugal.

Finally, when assessing the scope of the Portuguese NIS2 Act, it should be noted that entities that do not meet the three criteria above may nevertheless be brought into scope or be indirectly affected. This is the case where an entity:

  • is formally designated by the competent authority as an essential or important entity, in which case the obligations of the Act apply to it directly regardless of sector or size; or
  • forms part of the supply chain of an essential or important entity subject to NIS2 obligations, in which case the supply chain security requirements of that entity are typically passed on contractually (security clauses, audit rights, incident notification duties towards the customer).

What does this mean for my organisation?

If your organisation qualifies as an essential entity, important entity or relevant public entity under the Portuguese NIS2 Act,
this results in a set of concrete legal obligations. These obligations relate to registration, cybersecurity risk management,
incident reporting, governance and cooperation with the competent authorities.

Registration requirements (Article 35)

In Portugal, all entities falling within the scope of the NIS2 legislation are required to register. At the time of writing,
the NIS2 Directive has not yet been fully transposed into national law and no registration platform is currently available.

The Centro Nacional de Cibersegurança (CNCS) will make available both a registration platform and a
self-assessment tool enabling organisations to determine whether they qualify as an essential or important entity.

Once the platform is operational, entities will be required to provide at least the following information:

  • Name of the organisation;
  • Tax identification number;
  • Registered address and current contact details, including email addresses and telephone numbers;
  • IP address ranges;
  • Sector and sub-sector classification;
  • Overview of EU Member States in which NIS2-relevant services are provided.

Any changes to this information must be notified within 20 working days.

According to the draft legislation, entities must register no later than:

  • one month after commencing activities; or
  • 60 days after the electronic registration platform becomes available, if the entity is already active at the time the decree enters into force.

Cybersecurity risk management measures (Article 27)

Essential and important entities are required to implement appropriate technical and organisational measures
to manage cybersecurity risks and ensure the security of network and information systems.

These measures must, at a minimum, address the following areas:

  • Incident prevention, detection and response;
  • Business continuity, including backup management, disaster recovery and crisis management;
  • Supply chain security;
  • Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure;
  • Policies and procedures to assess the effectiveness of cybersecurity risk management measures;
  • Cyber hygiene practices and cybersecurity training;
  • Policies on cryptography and, where appropriate, encryption;
  • Personnel security, access control policies and asset management;
  • Use of multi-factor authentication or continuous authentication solutions and secure internal communications, where applicable.


Implementing Regulation (EU) 2024/2690 further specifies these minimum measures for DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplaces, online search engines, social networking service platforms and trust service providers, and it also defines when an incident is considered significant for those entities. As an EU regulation it applies directly to those entities without national transposition; where its requirements overlap with national provisions, the regulation takes precedence.

Reporting significant cyber incidents (Articles 41–45)

Essential, important and relevant public entities must notify the national Computer Security Incident Response Team,
CERT.PT, of any significant cyber incident. Where the incident affects service delivery,
service recipients must also be informed.

An incident is considered significant if it:

  • has caused or may cause serious operational disruption or financial loss; or
  • has caused or may cause significant material or immaterial damage to other natural or legal persons.

Notifications must be submitted via the
CNCS online notification form
or by email to cert@cert.pt, in accordance with the following timeline:

  1. Early warning: without undue delay and in any event within 24 hours of becoming aware of the incident, indicating the suspected cause and any cross-border effects;
  2. Incident report: without undue delay and within 24 hours after the significant impact has ended, describing the impact and the mitigation measures taken;
  3. Final report: no later than one month after the end of the incident, including:
    • start and end date and time of the incident;
    • an assessment of the impact;
    • the measures taken to mitigate the incident;
    • any remaining impact at the time of reporting.
  4. Interim reports: if the incident is still ongoing when the final report would otherwise be due, the entity must, at the request of the competent authority, submit a weekly interim report until the final report is submitted, containing:
    • an update of the information provided in the earlier notifications, where applicable;
    • a brief description of the measures taken so far to resolve the incident;
    • a description of the impact at the time the significant impact ceased.

These stages and deadlines reflect the Portuguese text as published at the time of writing. For comparison, the Directive itself (Article 23(4)) sets the incident notification at 72 hours from becoming aware of the incident and the final report at one month after that notification, so entities should verify the reporting clocks against the enacted Act and its implementing decree before building them into their incident response procedures.
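The staged timeline above is easiest to get right when the clocks are computed rather than tracked by hand, because each stage starts from a different event (awareness, end of significant impact, end of the incident) and the one-month deadline is a calendar month, not 30 days. The following is an added example, not code from the page, CNCS or CERT.PT: a small reporting clock that derives the deadline of every stage from the incident's timestamps and classifies each stage as pending, due, overdue, submitted or submitted late. The offsets are those stated on this page and are kept as parameters, since the Directive's own baseline for the incident notification is 72 hours from awareness; the stage names, the Incident and ReportingPolicy types and the sample incident are assumptions of this example.

```python
"""Reporting clock for staged NIS2 incident notifications (added example).

Not code from the page, CNCS or CERT.PT. Offsets follow the timeline on this
page (24 h early warning from awareness, 24 h incident report from the end of
the significant impact, final report one month after the incident ends) and
are parameters, because the Directive's baseline for the incident notification
is 72 h from awareness. Stage names, types and the sample are assumptions.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

STAGES = ("early_warning", "incident_report", "final_report")


def add_months(when: datetime, months: int) -> datetime:
    """Calendar-month addition that clamps to the last day of the target month,
    so an incident ending on 31 January falls due on 28 (or 29) February
    instead of silently rolling over into March."""
    index = when.month - 1 + months
    year, month = when.year + index // 12, index % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def _utc(moment: datetime) -> datetime:
    """Refuse naive timestamps: a deadline computed in the wrong zone is a late report."""
    if moment.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return moment.astimezone(timezone.utc)


@dataclass(frozen=True)
class ReportingPolicy:
    early_warning: timedelta = timedelta(hours=24)    # from becoming aware (page)
    incident_report: timedelta = timedelta(hours=24)  # from end of significant impact (page)
    final_report_months: int = 1                      # from end of the incident (page)


@dataclass
class Incident:
    ref: str
    aware_at: datetime
    impact_ended_at: Optional[datetime] = None
    ended_at: Optional[datetime] = None
    submitted: dict = field(default_factory=dict)  # stage -> time the report was sent


def deadlines(inc: Incident, policy: ReportingPolicy = ReportingPolicy()) -> dict:
    """Due time per stage, or None while that stage's clock has not started."""
    return {
        "early_warning": _utc(inc.aware_at) + policy.early_warning,
        "incident_report": (_utc(inc.impact_ended_at) + policy.incident_report
                            if inc.impact_ended_at else None),
        "final_report": (add_months(_utc(inc.ended_at), policy.final_report_months)
                         if inc.ended_at else None),
    }


def status(inc: Incident, now, policy: ReportingPolicy = ReportingPolicy()) -> dict:
    """Per stage: 'pending' (clock not started), 'due' (clock running), 'overdue',
    'submitted', or 'submitted_late' (sent, but after its deadline).
    `now` may be a timezone-aware datetime or an ISO 8601 string with offset."""
    now = _utc(datetime.fromisoformat(now) if isinstance(now, str) else now)
    result = {}
    for stage, due in deadlines(inc, policy).items():
        sent = inc.submitted.get(stage)
        if sent is not None:
            result[stage] = "submitted" if due is None or _utc(sent) <= due else "submitted_late"
        elif due is None:
            result[stage] = "pending"
        else:
            result[stage] = "overdue" if now > due else "due"
    return result


# Constructed sample: aware on 30 January, significant impact and incident over on 31 January.
SAMPLE = Incident(
    ref="INC-2025-0001",
    aware_at=datetime(2025, 1, 30, 10, 0, tzinfo=timezone.utc),
    impact_ended_at=datetime(2025, 1, 31, 2, 0, tzinfo=timezone.utc),
    ended_at=datetime(2025, 1, 31, 2, 0, tzinfo=timezone.utc),
    submitted={"early_warning": datetime(2025, 1, 30, 20, 0, tzinfo=timezone.utc)},
)

if __name__ == "__main__":
    now = "2025-02-02T00:00:00+00:00"
    state = status(SAMPLE, now)
    for stage, due in deadlines(SAMPLE).items():
        print(f"{stage:16} due {due.isoformat() if due else '-':26} {state[stage]}")
```

Run as a script it prints the three stages of the sample with their due times and state; on the sample the early warning was sent in time, the incident report is overdue by 2 February, and the final report is due on 28 February (the clamped month end). Wiring `status()` into the ticketing system's escalation rules, with the policy values replaced by those of the enacted Act, is the usual next step.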

Entities may also voluntarily report cyber threats, near misses or other incidents to CERT.PT, even if they do not fall within the scope of the NIS2 Act.

Additional guidance on incident reporting is available via CERT.PT.

Responsibilities of management bodies (Article 25)

The management bodies of essential and important entities bear ultimate responsibility for compliance with the NIS2 Act. Their duties include:

  • Approval and oversight of the cybersecurity risk management measures;
  • Participation in training to acquire sufficient knowledge to identify risks and assess cybersecurity measures;
  • Ensuring regular cybersecurity training for relevant staff.

Management bodies may be held personally liable for non-compliance with the NIS2 obligations.

Cooperation with competent authorities

  • Essential, important and relevant public entities are required to cooperate with the competent authorities.
    This includes information sharing, incident reporting, participation in supervisory activities and cooperation with inspections.

How can organisations demonstrate compliance with NIS2 in Portugal?

The Centro Nacional de Cibersegurança (CNCS) has indicated that supervision of NIS2 compliance in Portugal will be more stringent than under the previous NIS Directive. Compliance may be assessed through inspections, audits and other supervisory measures carried out by CNCS itself or, where applicable, by recognised external parties.

Article 34 of the Portuguese NIS2 Act provides that CNCS may require entities to demonstrate compliance with the cybersecurity measures laid down in the Act, including by means of national or European cybersecurity certification schemes. Based on an independent conformity assessment performed by an accredited Conformity Assessment Body (CAB), an organisation may obtain a certificate that can be used to demonstrate NIS2 compliance to supervisory authorities and other stakeholders.

Within the framework of the European NIS2 Directive, Portugal has also developed its own National Cybersecurity Framework, known as the QNRCS (Quadro Nacional de Referência para a Cibersegurança) or NCF-PT (National Cybersecurity Framework – Portugal). This framework, developed by CNCS, provides organisations with a structured and risk-based approach to strengthening digital resilience and demonstrating compliance with NIS2 obligations.

The NCF-PT is a voluntary framework based on internationally recognised standards, including ISO/IEC 27001, NIST SP 800-53, COBIT 5 and the CIS Critical Security Controls. It is designed to support organisations in the five core functions of cybersecurity: identify, protect, detect, respond and recover. These functions are translated into concrete measures and subcategories applicable to both public and private entities.

In addition, organisations may use ISO/IEC 27001 certification as a means to demonstrate that they have implemented a robust Information Security Management System (ISMS) aligned with the risk management and governance requirements of NIS2. ISO/IEC 27001 is the globally recognised standard for information security and specifies requirements for establishing, implementing, maintaining and continuously improving an ISMS.

Obtaining ISO/IEC 27001 certification typically involves the following steps:

  1. Acquiring sufficient knowledge of ISO/IEC 27001, for example through training;
  2. Implementing an ISMS in accordance with the requirements of the standard;
  3. Performing internal audits to assess conformity and effectiveness;
  4. Conducting a management review and implementing corrective actions where necessary;
  5. Engaging an accredited Conformity Assessment Body to perform an external certification audit.

If you would like more information on certification, audits or conformity assessment in the context of NIS2, you can request an informative meeting with an expert here.

How to demonstrate NIS2 compliance in Portugal (high-level steps)

Demonstrating NIS2 compliance in Portugal is primarily about showing that your organisation has implemented effective cybersecurity risk management, can report significant incidents on time, and can provide evidence of governance and continuous improvement. The steps below provide a practical, high-level approach aligned with the Portuguese NIS2 Act and the role of CNCS.

  1. Confirm your scope and classification
    Verify whether your organisation qualifies as an essential entity, important entity or relevant public entity based on sector (Annex I–II), company size and establishment in Portugal. Where applicable, use the CNCS self-assessment approach once available.
  2. Document your cybersecurity risk management measures
    Implement and document technical and organisational measures (e.g., incident management, business continuity, supply chain security, access control, training and vulnerability handling). Maintain evidence such as policies, risk assessments, procedures, logs and test results.
  3. Set up incident detection and reporting workflows
    Ensure you can detect significant incidents and report them to CERT.PT within the required timelines. Prepare templates for early warnings, incident reports and final reports, and define roles and escalation paths.
  4. Strengthen governance and management accountability
    Ensure the management body approves cybersecurity measures, monitors compliance and follows relevant training obligations. Keep minutes, decisions, training records and management review outcomes as evidence.
  5. Use recognised frameworks and, where relevant, certification
    Consider using the Portuguese National Cybersecurity Framework (NCF-PT / QNRCS) and internationally recognised standards (such as ISO/IEC 27001) to structure controls and demonstrate maturity. Where requested or appropriate, use independent conformity assessment by an accredited CAB to support evidence of compliance.

If you have questions about NIS2 compliance evidence, audits or certification in Portugal, please contact us via the contact page.

Enforcement and sanctions (Articles 53 et seq.)

Under the Portuguese NIS2 Act, the competent authority may carry out inspections and other supervisory activities to verify whether entities comply with the legal cybersecurity requirements. The enforcement approach differs depending on whether an entity is classified as an essential entity, an important entity or a relevant public entity.

Enforcement approach by entity type

  • Essential entities
    • Supervision approach: proactive (ex-ante) and reactive (ex-post) supervision, including regular conformity assessments.
    • Typical trigger: planned oversight activities, and follow-up after incidents or suspected non-compliance.
  • Important entities and relevant public entities
    • Supervision approach: primarily reactive (ex-post) supervision.
    • Typical trigger: a significant incident, or evidence of suspected non-compliance.

Non-compliance with the Portuguese NIS2 Act may lead to sanctions. The applicable measures depend on the nature, severity and impact of the infringement. The Act distinguishes between administrative measures and administrative fines, and also categorises infringements as minor, serious or very serious, each with corresponding penalties.

Administrative measures

Possible administrative measures may include warnings, orders requiring specific corrective actions, and the appointment of a supervisor to monitor compliance with the NIS2 obligations.

Administrative fines (maximum levels)

  • Essential entities: up to €10,000,000 (fixed amount) or up to 2% of total worldwide annual turnover (turnover-based).
  • Important entities: up to €7,000,000 (fixed amount) or up to 1.4% of total worldwide annual turnover (turnover-based).

These maximum fine levels are provided by the Portuguese NIS2 Act. The competent authority may take into account the classification of the infringement (minor, serious or very serious), the circumstances of the case and the degree of non-compliance when determining the final sanction.

Timeline

The timeline below provides an overview of the key milestones related to the implementation of the NIS2 Directive in Portugal. This section will be updated as soon as additional official deadlines and implementation details become available.

  • 17 October 2024: deadline for EU Member States to transpose the NIS2 Directive into national law. Portugal did not meet this deadline; national transposition is still in progress.
  • 19 September 2025: the Assembly of the Republic approved the bill establishing the new legal framework for cybersecurity in Portugal. Entry into force depends on publication in the Official Gazette and on the subsequent implementing decree.

Additional milestones, such as the entry into force of the Portuguese NIS2 Act, the adoption of implementing decrees and the opening of the CNCS registration platform, will be added once officially confirmed.

Competent authorities (Article 15 et seq.)

The implementation of the NIS2 Directive in Portugal is still evolving. Nevertheless, the national institutional framework is clear in terms of the main actors involved in supervision, incident response and policy coordination. The central role in the implementation and supervision of NIS2 lies with the Centro Nacional de Cibersegurança (CNCS), Portugal’s National Cybersecurity Centre.

In addition, Portugal’s national Computer Security Incident Response Team (CSIRT), CERT.PT, supports operational incident response and coordinates technical handling of cyber incidents. Portugal also foresees sectoral and special supervisory authorities for supervision within specific sectors, operating under the coordination of CNCS.

For an EU-level overview of the national points of contact and CSIRT details for Portugal, see the official EU status page: NIS2 Directive implementation in Portugal.

Roles and responsibilities of key authorities

  • CNCS
    • Role in the NIS2 framework: national competent authority and coordination hub for NIS2 supervision in Portugal.
    • Key responsibilities: supervises compliance with NIS2 obligations; coordinates national implementation; issues guidance; may require evidence of compliance and initiate inspections and audits; coordinates with sectoral authorities and national incident response structures.
    • Official reference: CNCS – NIS2 information.
  • CERT.PT
    • Role in the NIS2 framework: national CSIRT (incident response and operational coordination).
    • Key responsibilities: receives and handles incident notifications; provides technical support during incidents; coordinates response activities; supports information sharing and operational cooperation, including within EU incident response structures.
    • Official reference: CERT.PT (CNCS).
  • Sectoral and special supervisory authorities
    • Role in the NIS2 framework: sector-specific supervision under CNCS coordination.
    • Key responsibilities: supervise NIS2 compliance within specific sectors (e.g. energy, transport, healthcare, digital infrastructure); assess sector risks; facilitate audits and enforcement actions in coordination with CNCS.
    • Official reference: sectoral arrangements will be confirmed in the national implementing provisions once officially published.
  • Ministry responsible for digital affairs
    • Role in the NIS2 framework: policy coordination (transposition and alignment with EU frameworks).
    • Key responsibilities: supports policy and legislative coordination for cybersecurity and digital transformation; aligns national policy objectives with EU cybersecurity frameworks; works with CNCS and sector regulators to support implementation.
    • Official reference: government communication on cybersecurity measures.

European coordination and operational cooperation

At EU level, operational cooperation between national CSIRTs is facilitated through the CSIRTs Network, supported by the European Union Agency for Cybersecurity (ENISA). For background and cooperation context, see the CSIRTs Network and ENISA websites.

Frequently asked questions about NIS2 in Portugal

What is NIS2 and how does it apply in Portugal?

NIS2 refers to Directive (EU) 2022/2555, which aims to strengthen cybersecurity and resilience across the European Union. In Portugal, the directive is being transposed into national law through the Portuguese NIS2 Act. Although the transposition process is still ongoing, the main obligations, scope and supervisory framework are already clear.

When does NIS2 apply in Portugal?

The initial EU deadline for transposing the NIS2 Directive into national law was 17 October 2024. Portugal did not meet this deadline, and national implementation is still in progress. Additional deadlines, such as registration obligations and enforcement milestones, will apply once the Portuguese NIS2 Act and implementing decrees enter into force.

Which organisations fall under the scope of NIS2 in Portugal?

The Portuguese NIS2 Act applies to public and private entities that are established in Portugal, operate in sectors listed in Annex I or Annex II, and meet the applicable company size thresholds. A distinction is made between essential entities and important entities. Certain entities may also fall within scope regardless of size due to their societal or economic importance.

What is the difference between essential and important entities under NIS2?

Essential entities are generally subject to more intensive supervision, including proactive (ex-ante) and reactive (ex-post) controls. Important entities and relevant public entities are primarily subject to reactive supervision, usually following incidents or suspected non-compliance.

Do organisations need to register under NIS2 in Portugal?

Yes. Organisations that qualify as essential entities, important entities or relevant public entities must register with the national authority. At the time of writing, the registration platform is not yet available. Once operational, registration must take place within the legally defined timeframes.

Which authority is responsible for NIS2 supervision in Portugal?

The Centro Nacional de Cibersegurança (CNCS) is the national competent authority responsible for supervising compliance with NIS2 in Portugal. CNCS also acts as the Single Point of Contact (SPOC) for communication with other EU Member States and European institutions.

What is the role of CERT.PT under NIS2?

CERT.PT is Portugal’s national Computer Security Incident Response Team. It is responsible for receiving and handling incident notifications, providing technical support during cyber incidents, and coordinating response measures, in close cooperation with CNCS.

What cybersecurity measures are required under NIS2?

Essential and important entities must implement appropriate technical and organisational measures to manage cybersecurity risks. These include incident management, business continuity, supply chain security, access control, training, vulnerability handling and secure communications.

When must cyber incidents be reported under NIS2?

Significant cyber incidents must be reported to CERT.PT without undue delay. An early warning must be submitted within 24 hours of becoming aware of the incident, followed by further reports in accordance with the timelines set out in the Portuguese NIS2 Act.

What penalties apply for non-compliance with NIS2 in Portugal?

Non-compliance may result in administrative measures and administrative fines. For essential entities, fines may reach up to €10,000,000 or 2% of total worldwide annual turnover. For important entities, fines may reach up to €7,000,000 or 1.4% of total worldwide annual turnover, depending on the severity of the infringement.

How can organisations demonstrate compliance with NIS2?

Organisations can demonstrate compliance by documenting their cybersecurity risk management measures, incident reporting procedures and governance arrangements. CNCS may require evidence of compliance, including through recognised national or European cybersecurity certification schemes or independent conformity assessments.

Is ISO/IEC 27001 mandatory under NIS2 in Portugal?

ISO/IEC 27001 certification is not mandatory under NIS2. However, it may be used as a recognised way to demonstrate that an organisation has implemented a structured and effective Information Security Management System aligned with NIS2 requirements.

Can organisations outside the NIS2 scope still be affected?

Yes. Organisations that are not directly classified as NIS2 entities may still be affected if they are designated by the competent authority or if they form part of the supply chain of an essential or important entity subject to NIS2 obligations.

If you have further questions about NIS2 obligations, supervision or compliance in Portugal, please consult the relevant sections on this page or contact us via the contact page.