On 22 October 2025, the law authorising the Government to transpose the NIS2 Directive was published in the official journal as Law no. 59/2025 (“Law”).
The Law is not yet the final transposition. It sets out the general guidelines the Government must follow when transposing the NIS2 Directive into Portuguese law and, consequently, when approving the Cybersecurity Regime and adapting the existing national framework accordingly [available at Lei n.º 59/2025 | DR].
This will include, in addition to the specific Cybersecurity Regime resulting from the Law, implementing Regulation (EU) 2019/881, on ENISA (European Union Agency for Cybersecurity) and certification of cybersecurity of information and communication technologies, as well as amending the “Internal Security Law” (Lei de Segurança Interna Nr. 53/2008); the “Cybercrime Law” (Lei do Cibercrime Nr. 109/2009); and the “Electronic Communications Law” (Lei das Comunicações Eletrónicas Nr. 16/202), thus comprising a comprehensive legislative package. This authorisation is valid for 180 days, meaning that the Government now has six months to conclude this process and enact the final implementing acts, by no later than 21 April 2026.
In our experience, Portugal tends to follow EU guidelines closely, aligning the wording of national diplomas with the wording and definitions of EU acts.
Brief overview – draft Proposal of the transposition act
A draft Proposal of the implementation act (“Decree-Law”) is available, in an almost final version. Although some adjustments or corrections to the final wording may still be made, we do not anticipate that it will suffer substantial changes. Key provisions include:
Subjective scope: The Proposal aligns with the scope of application of NIS2 without significant substantive changes as regards the relevant types of companies and affected sectors of activity.
Sectors of high criticality: The Proposal qualifies these sectors following the exact same scope resulting from the NIS2 Directive, replicating Annexes I and II, namely including the Energy, Transport, Banking, Financial Market Infrastructures, Health, Drinking Water, Waste Water, Digital Infrastructure, ICT Service Management (business-to-business), and Space sectors (cf. Annexes I and II of the Decree-Law Proposal).
Measures imposed: In addition to the general obligations imposed on Essential and Important Entities regarding cybersecurity measures, supply chain security, residual risk management and annual reports, the Proposal also establishes additional duties, including the appointment of a cybersecurity officer and a permanent point of contact. Both appointments must be notified to the competent cybersecurity authority within 20 working days of starting functions or from the date the Proposal enters into force, all aligned with the NIS2 Directive.
Registration obligation: Relevant entities must register on an electronic platform, to be made available by the competent cybersecurity authority (“CNCS”), within 30 days after starting their activity or within 60 days after the electronic platform is made available. At this point and as far as we can ascertain, this platform has not yet been implemented.
Entry into force: The Decree-Law is expected to produce effects 120 days after its publication in the official journal (the publication should occur by spring 2026), hence the law is expected to apply by late August. Certain provisions shall benefit from delayed enforcement regarding specific obligations, namely provisions applicable to Essential and Important Entities on: (i) adopting Cybersecurity Measures, considering the risk matrix management and assessment; (ii) the Cybersecurity Measures on supply chain security, including security of relationships between entities and suppliers or direct service providers; (iii) residual analysis and risk management regarding all assets ensuring the continuity of the operation of networks and information systems used, including assets ensuring the provision of essential services; (iv) presenting the Annual Report; (v) Cybersecurity measures applicable to relevant public entities; and (vi) the sanctions regime applicable to these matters. These provisions will be applicable twenty-four (24) months after the publication of the respective implementing regulations.
Final remarks
Portugal is progressing with the transposition of the NIS2 Directive, closely aligned with EU standards and guidelines. Although the legal framework is expected to be finalised soon, full practical implementation may still take several years, due to pending regulatory developments.
Affected entities will therefore benefit from a transitional period to prepare and adapt to the new cybersecurity obligations. In any case, companies are strongly advised to enhance their internal procedures to prepare for the incoming obligations, starting by identifying whether they are 'essential' or 'important' entities, for the purposes of verifying the scope of application of the law to their specific case, and by involving top management immediately, to ensure timely compliance.