This article was written by Fernando Cruz Santos, Associate Lawyer at Marques Bom & Associados.
Despite significant delays compared to the deadlines set by the European Union institutions, Decree-Law no. 125/2025 was published on 4 December 2025 in the first series of the Portuguese Official Journal.
This decree approves the new Legal Regime on Cybersecurity (LRCS or RJCS) and finally transposes Directive (EU) 2022/2555 (NIS 2 Directive) into Portuguese law, introducing measures to ensure a high common level of cyber security across the EU.
This law will enter into force on 3 April 2026. However, the implementation of certain obligations and measures applicable to the entities covered will depend on specific regulations yet to be approved by the Portuguese National Cybersecurity Centre (NCSC or CNCS).
Scope of application
Regarding the entities covered by the LRCS, no significant deviations from the NIS 2 Directive are apparent. In addition to public administration services and other public entities, this legal regime applies to private entities established in Portugal or carrying out activities in Portugal (as determined in the LRCS) that operate in one of the sectors listed in Annex I or Annex II of the NIS 2 Directive and that:
- qualify at least as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC and provide their services or carry out their activities within the EU; or
- regardless of their nature or size, meet at least one of the specific requirements set out in Article 2(2) of the NIS 2 Directive.
Entities covered by the LRCS may be classified as either essential entities or important entities, based on a classification procedure to be further defined in regulations to be approved by the NCSC. This classification will determine the cyber security obligations applicable to each entity, which can broadly be grouped into the following three categories.
1. Risk management obligations
The LRCS establishes a set of obligations regarding cyber security risk management, emphasising the role of management bodies, the implementation of preventive measures and the importance of continuous monitoring.
Management, executive and administrative bodies of essential and important entities must approve cyber security risk management measures and supervise their implementation. They must also ensure compliance with measures adopted by the NCSC and guarantee that cyber security training is provided on a regular basis.
In line with the NIS 2 Directive, essential and important entities are responsible for ensuring the security of their networks and information systems. This includes taking appropriate technical, operational and organisational measures to manage risks to network and information system security and to prevent or minimise the impact of incidents on service recipients and other affected services.
The LRCS also stipulates that, in order to guide the cyber security risk management policies of essential and important entities, the NCSC may issue technical harmonisation instructions and, where necessary, draw up and update the applicable risk matrix.
Essential and important entities must also prepare and maintain an annual report and appoint a cyber security officer responsible for managing cyber security and information security.
2. Registration obligations
For registration purposes, essential, important and relevant public entities must submit the information required for their full identification via the electronic platform provided by the NCSC.
3. Reporting obligations
Essential, important and relevant public entities are required to report any significant incident to the NCSC.
The NCSC may also, where it becomes aware of a potential incident by any means, request relevant information from these entities or determine the actions to be taken, in accordance with applicable legal provisions. In such cases, the reporting and notification obligations referred to above also apply.
In addition, essential, important and relevant public entities must inform the recipients of their services, without undue delay, of any incidents with a significant impact that are likely to affect them adversely. This communication must also include information on the measures or solutions that recipients may adopt to respond to the threat and, where appropriate, details of the relevant cyber threat.
Supervision and enforcement
The NCSC acts as the supervisory and enforcement authority, responsible for monitoring and supervising compliance with the LRCS and for adopting the measures necessary to ensure such compliance.
The LRCS also sets out the applicable sanctions regime, establishing a range of administrative offences for non-compliance with its obligations and corresponding fines. These vary according to the seriousness of the offences, whether the offender is an individual or a legal entity, and the entity’s classification as an essential entity, important entity or relevant public entity.