What changes with the new Cybersecurity Legal Framework?

The publication of Decree-Law No. 125/2025 of 4 December marks an important step in the evolution of the legal framework for cybersecurity in Portugal.

The decree approves the new Cybersecurity Legal Framework and transposes Directive (EU) 2022/2555, known as the NIS 2 Directive, into Portuguese law.

In practice, this new framework broadens the scope of entities covered, strengthens obligations relating to risk management and incident notification, and reinforces the role of the National Cybersecurity Centre (CNCS) as the national cybersecurity authority.

What does Decree-Law No. 125/2025 approve?

The decree establishes the new legal framework applicable to cybersecurity in Portugal and defines the legal basis for the national implementation of NIS 2. In addition to the main framework, it also provides for complementary instruments that will be key to its practical implementation.

Three key instruments for public cybersecurity policy

The new framework will be complemented by three central instruments of Portugal’s cybersecurity architecture:

  • National Cybersecurity Strategy (ENSC), which defines priorities, objectives and the governance model;
  • National Plan for Response to Large-Scale Cybersecurity Crises and Incidents, which sets out the response to crisis situations;
  • National Cybersecurity Reference Framework (QNRCS), which serves as a reference for standards, benchmarks and good practices in cybersecurity and information security.

General overview of the new Cybersecurity Legal Framework

The new Cybersecurity Legal Framework applies to different types of entities, depending on their sector of activity, size, level of exposure to risk and operational relevance. Broadly speaking, the framework distinguishes between essential entities, important entities and relevant public entities.

Where an entity may fall into more than one category, the most demanding classification prevails in terms of the applicable requirements, in the following order:

  • Essential Entity
  • Important Entity
  • Relevant Public Entity – Group A
  • Relevant Public Entity – Group B

Essential entities

The following are considered essential entities, among others:

  • Entities of a type referred to in Annex I that exceed the thresholds applicable to medium-sized undertakings;
  • Qualified trust service providers;
  • Top-level domain name registry entities;
  • Domain name system service providers, regardless of size;
  • Undertakings providing public electronic communications networks or publicly available electronic communications services that qualify as medium-sized undertakings;
  • Public administration entities responsible for providing services in the areas of the development, maintenance and management of information and communication technology infrastructures;
  • Public administration entities with a particularly high degree of digital integration in the provision of their services;
  • The public entity responsible for the area of educational assessment;
  • Entities identified as critical under Directive (EU) 2022/2557 on the resilience of critical entities;
  • Any other entity of a type listed in Annex I or II that is classified as essential on the basis of:
      • its level of exposure to risk;
      • the size of the entity;
      • the likelihood of incidents occurring;
      • the severity of those incidents, including their social and economic impact.

Explanatory note:

In the case of undertakings, the reference to medium-sized undertakings covers entities with fewer than 250 employees and either an annual turnover not exceeding €50 million or an annual balance sheet total not exceeding €43 million.

Important entities

The following are considered important entities:

  • Entities of the types referred to in Annex I and Annex II that are not classified as essential entities;
  • Other entities of a type listed in Annex I or II that are identified as important entities, on the basis of:
      • its level of exposure to risk;
      • the size of the entity;
      • the likelihood of incidents occurring;
      • the severity of those incidents, including their social and economic impact.

Relevant Public Entities

Public entities that are not classified as essential or important entities are considered Relevant Public Entities.

For the purposes of the Cybersecurity Legal Framework, these entities are divided into two groups.

Group A

The following fall within Group A:

  • Services of the direct State administration, central and peripheral, with 250 or more employees;
  • Services of the direct administration of the Autonomous Regions, central and peripheral, with 250 or more employees;
  • Entities of the indirect State administration with more than 250 employees;
  • Entities of the indirect administration of the Autonomous Regions with more than 250 employees;
  • Entities of the autonomous administration with more than 250 employees;
  • Public undertakings that exceed the thresholds applicable to medium-sized undertakings;
  • Independent administrative entities;
  • The Economic and Social Council;
  • The Ombudsman;
  • The technical and administrative services of the Presidency of the Republic;
  • The technical and administrative services of the Assembly of the Republic;
  • The technical and administrative services of the Courts;
  • The High Council for the Judiciary;
  • The High Council for Administrative and Tax Courts;
  • The High Council of the Public Prosecution Service.

Group B

The following fall within Group B:

  • Services of the direct State administration, central and peripheral, with between 50 and 249 employees;
  • Services of the direct administration of the Autonomous Regions, central and peripheral, with between 50 and 249 employees;
  • Entities of the indirect State administration with between 50 and 249 employees;
  • Entities of the indirect administration of the Autonomous Regions with between 50 and 249 employees;
  • Entities of the autonomous administration with between 50 and 249 employees;
  • Public undertakings classified as medium-sized undertakings.

What this new framework changes

This decree significantly broadens the range of entities covered and strengthens three core areas:

  • cybersecurity risk management obligations;
  • incident notification obligations;
  • the role of the CNCS as the national cybersecurity authority.

In addition, the decree enters into force 20 days after publication, that is, on 3 April 2026, and provides for fines that may reach €10 million or 2% of annual turnover, whichever is higher.

Sectors covered

Annex I – Sectors of high criticality

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management
  • Space

Annex II – Other critical sectors

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing
  • Digital service providers
  • Research

Qualification of entities

Entities covered by the framework must identify themselves through the electronic platform made available by the CNCS. As a rule, this identification must take place within 30 days of the start of activity or, in the case of entities already in operation, within 60 days of the platform becoming available, with the information then kept up to date. The draft regulation currently under public consultation sets out the functions of this platform in detail, including the registration of entities, the submission of the annual report, the indication of the cybersecurity officer, the permanent contact point and the notification of incidents.

The classification of entities as essential or important is carried out by the CNCS and must be duly reasoned in accordance with the mechanisms laid down in the decree.

Main obligations and duties

The management, executive and administrative bodies of essential and important entities will have direct responsibilities, namely to:

  • approve cybersecurity risk management measures;
  • ensure compliance with supervisory and enforcement measures;
  • promote regular cybersecurity training actions.

In addition:

  • the members of these bodies may be held liable for acts or omissions committed with intent or gross negligence in relation to the applicable infringements;
  • these responsibilities may not, as a rule, be delegated outside these bodies.

The cybersecurity risk management system must include:

  • technical measures;
  • operational measures.

These measures must:

  • manage the risks affecting the network and information systems used in their operations;
  • follow a systemic approach;
  • be proportionate to the level of exposure to risk.

The framework also refers to CNCS regulation for:

  • the definition of specific minimum measures;
  • the definition of compliance levels.

The areas to be covered by cybersecurity measures include:

  • incident handling;
  • business continuity;
  • supply chain security;
  • security in the acquisition, development and maintenance of network and information systems;
  • assessment of the effectiveness of the measures adopted;
  • basic cyber hygiene practices;
  • cryptography and encryption;
  • human resources security;
  • access control;
  • asset management;
  • multi-factor authentication or continuous authentication.

In the case of relevant public entities:

  • they will be subject to the measures to be established by CNCS regulation.

The decree gives specific attention to supply chain security. The measures to be adopted must take into account:

  • the vulnerabilities of each direct supplier and service provider;
  • the overall quality of products from a cybersecurity perspective;
  • the security practices of suppliers;
  • coordinated risk assessments of supply chains involving critical ICT products, systems or services.

Essential and important entities must:

  • carry out a risk analysis;
  • document that analysis;
  • manage the risks relating to the assets that ensure the continuity of the operation of network and information systems.

Based on that assessment, they must also:

  • adopt appropriate measures;
  • apply proportionate measures to manage the identified risks.

Essential and important entities must prepare and maintain an annual report including, among other elements:

  • a summary description of the main activities carried out in the field of network and information systems security;
  • quarterly incident statistics;
  • recommendations for improvement;
  • identified issues;
  • measures implemented.

As regards the submission of the report:

  • in the case of essential entities, it must be submitted to CNCS;
  • in the case of important entities, it must be provided when requested.

Essential and important entities must appoint a cybersecurity officer responsible for managing cybersecurity and information security.

This person must:

  • be a member of the management, executive or administrative bodies;
  • or report directly to those bodies within the organisation.

Entities that were already in operation when the decree entered into force have:

  • 20 working days to notify CNCS of that appointment.

In practice, this deadline falls:

  • at the beginning of May 2026.

The minimum duties of this officer include:

  • proposing risk management measures;
  • supporting supervisory activities;
  • promoting a culture of cybersecurity;
  • managing residual risk;
  • ensuring the preparation of the annual report;
  • coordinating the actions of the permanent contact point, where applicable.

Essential and important entities must ensure and notify CNCS of a permanent contact point with continuous availability.

This contact point must ensure:

  • operational and technical information flows with the cybersecurity authority;
  • the implementation of procedures defined in civil protection emergency plans affecting network and information systems;
  • the receipt of guidance, recommendations, technical instructions and orders issued by the cybersecurity authority.

As with the cybersecurity officer:

  • the notification must be made by entities already in operation within 20 working days of the decree entering into force.

CNCS may require essential, important and relevant public entities to obtain:

  • cybersecurity certification, whether national, European or international, demonstrating compliance with the applicable measures;
  • the use of ICT products, services and processes certified under national and European cybersecurity certification schemes.

Essential, important and relevant public entities must notify CNCS of any significant incident.

For this assessment, factors such as the following must be taken into account:

  • the number of users affected;
  • the total number of users of the disrupted service;
  • the duration of the incident;
  • the severity of the disruption;
  • the impact on economic and social activities.

The framework provides for:

  • an initial notification without undue delay and within 24 hours of establishing that a significant incident exists, or may come to exist;
  • an update within 72 hours, where necessary;
  • a notification of the end of significant impact within 24 hours of that impact ending;
  • a final report in accordance with the applicable regime.

In addition:

  • the cybersecurity authority must, where possible, respond within 24 hours of receiving the initial notification.

The framework distinguishes the intensity of supervision according to the type of entity.

Essential entities

Essential entities are subject to broader supervisory measures, including:

  • on-site inspections;
  • regular or targeted security audits;
  • ad hoc audits;
  • security checks;
  • requests for information, documents and evidence of compliance.

Important entities and relevant public entities

Important entities and relevant public entities are subject to an ex post supervisory regime, applicable where there is evidence, indication or information of non-compliance.

This regime may include:

  • on-site inspections;
  • ex post remote supervision;
  • targeted audits;
  • ad hoc audits;
  • security checks;
  • requests for access to documentation and evidence.

Failure to comply with the obligations laid down in the new Cybersecurity Legal Framework may give rise to significant fines.

In the case of essential entities, very serious administrative offences may lead to fines of:

  • €10 million;
  • or 2% of worldwide annual turnover, whichever is higher.

CNCS has also highlighted this strengthening of the sanctions framework as one of the clearest signs of greater accountability.

In addition:

  • decisions and measures adopted by the authorities may be challenged under the terms set out in the decree.

Next steps

Although the decree is already in force, a significant part of its implementation still depends on supplementary regulation from CNCS. The draft regulation of the Cybersecurity Legal Framework is currently under public consultation and covers matters such as the electronic platform, compliance levels, verification criteria and the measures applicable to relevant public entities.

In addition, the decree itself provides that some provisions will only take effect 24 months after the publication of the regulation referred to in several of its articles. This makes it particularly important to follow the regulatory developments closely and prepare the organisation in advance.

For that reason, the most important step at this stage is to determine whether the organisation is directly or indirectly covered by the decree, ensure its identification before CNCS where applicable, and assess, in an integrated way, its level of legal, procedural, organisational and technological compliance. Only after that assessment will it be possible to define a realistic adaptation roadmap, with clear priorities, proportionate measures and lower exposure to non-compliance.

Early preparation will be decisive. In a framework that strengthens obligations, supervision and sanctions, acting early remains the smartest way to reduce risk and create room to execute properly.

Would you like to understand how to turn NIS 2 requirements into a practical action plan?

Get in touch with us at info@orbcom.pt.
