New Cybersecurity Law in Portugal: What’s Changing and Why It Matters for Businesses?

On 4 December 2025, Decree-Law No. 125/2025 was published in the Official Gazette of the Portuguese Republic, establishing a new legal framework for cybersecurity that transposes the NIS 2 Directive into Portuguese law and will enter into force on 3 April 2026. This legislation represents one of the country’s most extensive and demanding reforms in the field of digital security, aligning with the European effort to strengthen protection against increasingly sophisticated cyberattacks.

The law requires public and private entities across various critical sectors to adopt prevention, risk management, and incident response measures. It was designed to take the specific characteristics of each organization into account, so not all entities face the same obligations; rather, the requirements are adjusted according to their level of criticality and vulnerability. The entities receiving the greatest emphasis include telecommunications operators, IT infrastructures, and sectors such as energy.

This new framework highlights the role assigned to the National Cybersecurity Centre (CNCS), which assumes responsibility for the supervision, enforcement, and implementation of the regulations. In carrying out these functions, it is empowered to adopt corrective measures and even suspend services in cases of non-compliance. The penalties foreseen for serious breaches are significant: fines of up to €10 million or 2% of a company’s global annual turnover.

The law introduces important changes to the institutional framework, such as the redefinition of the Security Assessment Commission and the inclusion of additional instruments for incident management and the standardization of good practices. It also regulates activities related to ethical hacking, allowing the responsible identification of vulnerabilities to be carried out without criminal consequences, provided that strict good-faith criteria are met.

Overall, it reflects the European trend of raising cybersecurity requirements to protect infrastructures, data, and services against sophisticated threats. Its foundations provide a basis for companies that require incident response capabilities, risk analysis, supply chain protection, and continuous assessment of their security posture.

What Does This Law Mean for Businesses?

The entry into force of this new legal framework has direct implications for any organization operating in Portugal or maintaining technological ties with the country, especially those belonging to sectors considered critical or essential. As mentioned, companies that fail to adapt to these requirements may face both substantial financial penalties and reputational and operational continuity risks.

How Can CIBERIA Help You?

In light of this demanding landscape, it is vital for organizations to take action to adapt to cybersecurity regulations. That is why CIBERIA offers completely free services such as the Trust Seal, a tool that helps organizations measure their level of cybersecurity maturity, identify gaps, prioritize actions, and move toward regulatory compliance. Expert guidance throughout this process facilitates adaptation to requirements such as those imposed by NIS 2, reducing risks and strengthening digital resilience.

In addition, to reinforce the digital security of systems 24 hours a day, CIBERIA provides companies with SOC-T. Through the combination of these two services, companies and public entities benefit from a high and efficient level of security assurance for their services, enhancing customer trust.
